From Collaborative RCE Tool Library
Technical PoC Tools
| Tool name: | ARTeam Anti-Emulation open source functions |
|---|---|
| Author: | Gunther |
| Website: | http://evilcry.netsons.org |
| Current version: | |
| Last updated: | March 21, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Thanks to Gunther for ARTeam, here we have some new Anti-Emulation open source functions. Here's a quick list of the functions: Anti-KAV -> call this one before WSAStartup(), so sockets won't be initialized. Anti-NOD32 -> SSE1 instruction which NOD32 cannot emulate. IsEmulator -> timing attack on the emulator environment. IsCWSandBox -> check if CreateProcess is hooked. IsAnubis -> check whether it is running within Anubis. IsAnubis2 -> check whether it is running within Anubis. IsNormanSandBox -> NormanSandBox awareness. IsSunbeltSandBox -> Sunbelt awareness. IsVirtualPC -> VirtualPC awareness. IsVMware -> VMware awareness. DetectVM -> check whether it is running in VMware or VirtualBox using the registry. IsRegMonPresent -> checks for RegMon by checking if the driver is loaded in memory and by searching for the window handle. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Anti Anti-BPM FrameWork |
|---|---|
| Author: | Robert Yates |
| Website: | http://www.reverse-engineering.info |
| Current version: | |
| Last updated: | September 19, 2003 |
| Direct D/L link: | http://www.reverse-engineering.info/SystemCoding/gd_drx.rar |
| License type: | GNU |
| Description: | This is a fully working example of using Intel's GD (General Detection) bit to invoke debug exceptions upon any access to a debug register. Currently, the provided source will lock down any DRx access to only NTICE; a hardcoded base for my NTICE is in the src, so you may need to modify this for your own (search the source for the keyword ACCESS_RIGHTS). Any attempt of a MOV REG, DRX will be 'faked' by placing a default value into the reg to fool the calling app into thinking no BPMs are set. Any attempt of a MOV DRX, REG will be totally ignored, or emulated if NTICE is the caller. All output is given via debug msgs which have been formatted to be read by Sysinternals DebugView (included) with force linefeed on. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Anti Anti-BPM via SEH, KiUserExceptionFilter Mod |
|---|---|
| Author: | Robert Yates |
| Website: | http://www.reverse-engineering.info |
| Current version: | |
| Last updated: | August, 2003 |
| Direct D/L link: | http://www.reverse-engineering.info/SystemCoding/bpm.rar |
| License type: | |
| Description: | This is an idea I had and tried to put into practice. Some protections create faults so they can clear BPMs (Asprotect, for example), so the idea behind this sys is to modify KiUserExceptionDispatcher to create a snapshot of the DRx regs before the user's exception occurs, then restore them afterwards. It works, but the src is rough: currently you have to disassemble your own ntdll and find some unused space (6 dwords) at the end of the .data, then subtract the ntdll imagebase and update the NTDT EQU in the .sys. The idea could be improved by only restoring DRx values that have become null, or the standard dr7 value re-entered. Have a go: bpm w the code section of an Asprotect exe after the sys is loaded. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | cpuid break via hardware virtualization |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open source |
| Description: | Not much to say: cpuid causes a VM-Exit, so whenever cpuid occurs in our target, inject an int 3 event into the Guest. i3here on must be set in SoftICE. No MP support due to a problem with NMI handling when SoftICE is active. Disable MP in the BIOS if you want to use this tool with SoftICE, as this tool is designed to work with SoftICE and i3here on... Requires Intel Hardware Virtualisation technology, and I have no idea how this will work on AMD!!!! Did you wonder about finding SecuROM cpuid stuff? Well, here it is... (c) 2008 deroko of ARTeam. PS: there is some code which is designed for MP systems as well, but due to the not yet solved issue with NMI that code is not used. An example of such code is ExitEip[ccpu], where ccpu is only a shortcut for the MyKeGetCurrentProcessorNumber() procedure, listed in kegetcurrentprocessornumber.c. The TaskSwitch code implemented in HandleTaskSwitch is never used on single core systems, as Windows doesn't perform a TaskSwitch at all (only when NMI or KiTrap08 is executed). NOTE: THE DRIVER IS NEVER UNLOADED, as at the time of releasing this code I hadn't written that stuff yet. You may find some leftovers in unloadme() in vm.c, but it's not done yet... |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Dr7.GD single/multi CPU version |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open source |
| Description: | Basically this whole project was started for my own needs, to stop some silly protections from messing with the DRx registers. The only ones allowed to access the DRx registers are cpthook and NTIce; others are NOT allowed to modify those registers. This code is designed to work with SIce in particular, as there is no real use for it without SoftICE. Saving dr6 is the first important issue when writing such code. The IA32 manual (the newer one) says that certain exceptions may clear B0/B3; that's why those have to be saved whenever int 1 is generated. As each CPU has its own set of DRx registers, that means that for each CPU it's required to keep track of the dr6 register. More can be found at woodmann.com and my blog. Problems with int 01 and int 0d on Intel CPUs: well, Intel simply treats the GD bit as higher priority than int 0xD (at least that's how it looks on the Intel CPU on which I've tested this code). It seems that when the Intel CPU detects a mov to/from DRx it first checks for the GD bit being set in dr7, and then it checks CPL. This problem is solved by simply redirecting all ring3 DRx accesses to the int 0d handler. On AMD I didn't see this problem. MP issue when SoftICE is active: well, SoftICE has to control the whole system, so when a bpm is set (DRx) it will use an IPI to set the DRxes on each CPU. Now comes the fun part. By default NMI is set up as a TaskGate; when SoftICE is running on a single CPU machine it will be set up as an IdtGate, while on MP machines SoftICE will keep NMI as a TaskGate. So here the NT flag will be set in eflags, and iretd from the handler must not be used, as iretd will "unblock" NMI; also, if the NT flag is set, iretd will return to the interrupted task using TSS.BackLink, also a bad thing. When a DRx access occurs from NMI it is required to simply return from the interrupt using retn. Well, that's it :) (c) 2008 deroko of ARTeam |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Dream of every reverser |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | public |
| Last updated: | May 6, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Engine used to perform a stealth memory trace of a target. The public version only supports tracing of the eip in a certain range. To compile the source you will need the DDK. It supports MP and win2k/winxp. Systems running KAV are not supported, as KAV installs a hook in SwapContext which is essential for this tracer. Technical aspects: (1) hooks int 0e and int 01; (2) hooks SwapContext; (3) installs a ProcessNotifyRoutine. Due to the nature of paged memory in r3, there are 2 ways of tracing: using the U/S flag, and using the P bit in the PTE. Both cases are handled and support PAE and non-PAE addressing modes. The role of SwapContext is to set breaks on the given range when the traced process is about to execute. The role of the notify routine is to stop the tracer if the traced program exits by any chance during tracing. When the good range is hit, the tracer will automatically stop and you will see in DebugView or DbgMon when EIP is in the good range. |
| Also listed in: | Tracers |
| Tool name: | Superkill |
|---|---|
| Author: | Frank Boldewin |
| Website: | http://www.reconstructer.org |
| Current version: | 1.0 |
| Last updated: | July 13, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Superkill is a small tool to kill processes which are normally protected from being stopped on application level. After starting Superkill, it detaches its driver from the RC_DATA resource area, installs it as a service and runs the driver. Communication between the app-level code and the driver is handled through the DeviceIoControl() function. Full source code included. |
| Also listed in: | (Not listed in any other category) |