RCE Messageboard's Regroupment - Blogs



KiTrap06(#UD)

Posted 11-09-2009 at 10:11 AM by Indy

Under certain conditions the processor generates a #UD when the LOCK prefix is used. The ISR KiTrap06 handles the exception and, depending on the presence of the LOCK prefix, returns STATUS_ILLEGAL_INSTRUCTION or STATUS_INVALID_LOCK_SEQUENCE. In XP the ISR is mistaken: it simply searches the first 4 bytes of the instruction for the LOCK prefix and, if it is found, returns STATUS_INVALID_LOCK_SEQUENCE. I.e. for instructions like ud2/lock/... the exception will be thrown with the code STATUS_INVALID_LOCK_SEQUENCE. The kernel looks for the prefix after the instruction.
In W7 the mechanism changed. It searches for the LOCK prefix in the first 5 bytes of the instruction, by sequentially extracting instruction bytes and scanning a table of prefixes. I.e. an exception with code STATUS_INVALID_LOCK_SEQUENCE is generated only if there is a LOCK prefix among the first 5 prefixes; otherwise an exception with code STATUS_ILLEGAL_INSTRUCTION is thrown. The same thing happens on XP with the #GP ISR (KiTrap0D): 15 bytes are checked for the presence of the prefix, and if it is not found STATUS_ILLEGAL_INSTRUCTION is returned, otherwise STATUS_PRIVILEGED_INSTRUCTION is returned. In fact this does nothing except create unnecessary problems in the handling of exceptions (the worst is the trace exception manager). Antivirus emulators have this problem too:
AVG simulates the generation of the STATUS_INVALID_LOCK_SEQUENCE exception if there is at least one LOCK prefix.
Example: http://paste.org.ru/?lwfzkv
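As an added illustration (not part of Indy's post), the two classification rules described above modelled in C: the XP rule accepts a LOCK byte anywhere in the first 4 bytes, even after the opcode, while the Windows 7 rule only walks the leading run of legacy prefixes and stops after 5 bytes. The prefix table is the IA-32 legacy prefix set and the status values are the ones from ntstatus.h; both are assumptions of this example, not taken from the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* NTSTATUS values as defined in ntstatus.h. */
typedef int32_t NTSTATUS;
#define STATUS_ILLEGAL_INSTRUCTION   ((NTSTATUS)0xC000001DL)
#define STATUS_INVALID_LOCK_SEQUENCE ((NTSTATUS)0xC000001EL)

#define PREFIX_LOCK 0xF0

/* Legacy (group 1-4) one-byte prefixes of the IA-32 instruction format. */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0:                          /* LOCK */
    case 0xF2: case 0xF3:               /* REPNE / REP */
    case 0x2E: case 0x36: case 0x3E:    /* CS / SS / DS override */
    case 0x26: case 0x64: case 0x65:    /* ES / FS / GS override */
    case 0x66:                          /* operand-size override */
    case 0x67:                          /* address-size override */
        return true;
    default:
        return false;
    }
}

/* XP rule from the post: any LOCK byte within the first 4 bytes of the
 * faulting instruction, even after the opcode, yields INVALID_LOCK_SEQUENCE. */
NTSTATUS classify_ud_xp(const uint8_t *code, size_t len)
{
    size_t n = len < 4 ? len : 4;
    for (size_t i = 0; i < n; i++)
        if (code[i] == PREFIX_LOCK)
            return STATUS_INVALID_LOCK_SEQUENCE;
    return STATUS_ILLEGAL_INSTRUCTION;
}

/* Windows 7 rule from the post: walk at most 5 bytes, stopping at the first
 * byte that is not a legacy prefix (the opcode); LOCK counts only there. */
NTSTATUS classify_ud_w7(const uint8_t *code, size_t len)
{
    size_t n = len < 5 ? len : 5;
    for (size_t i = 0; i < n && is_legacy_prefix(code[i]); i++)
        if (code[i] == PREFIX_LOCK)
            return STATUS_INVALID_LOCK_SEQUENCE;
    return STATUS_ILLEGAL_INSTRUCTION;
}
```

The difference shows on a sequence such as `ud2` followed by a stray `F0` byte: the XP model reports STATUS_INVALID_LOCK_SEQUENCE, the Windows 7 model STATUS_ILLEGAL_INSTRUCTION, which is the divergence an emulator has to reproduce per OS version.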

Filter Monitor 1.0.1

Posted 10-17-2009 at 10:46 AM by Daniel Pistelli

This week, after months of development of bigger projects, I found some time to windbg "ntoskrnl.exe" and write a utility. It is called Filter Monitor and shows some key filters installed by kernel mode components.

http://www.youtube.com/watch?v=5iIeISGoHxM

“As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that’s why I wrote this little utility which monitors some key filters.

Since I haven’t signed the driver of my utility, you have to press F8 at boot time and then select the “Disable Driver Signature Enforcement” option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.

A disclaimer: the boot process can be a bit annoying, but the utility should be used on virtualized systems anyway, as I haven’t fully tested it yet. I doubt that it will crash your system, I guess the worst scenario is that it won’t list some filters. It should work on any Windows system starting from Vista RTM and I have provided an x86 version and an x64 version. But the truth is that I have tested only the x64 version on Windows 7 RTM. Last but not least, I can’t guarantee that this utility will work on future versions of Windows, it relies heavily on system internals.

Now, let’s run it. The supported filters/notifications at the time are these: Registry, Create Process, Create Thread and Load Image. “Registry” stands for CmRegisterCallback filters. “Create Process” for PsSetCreateProcessNotifyRoutine callbacks. “Create Thread” for PsSetCreateThreadNotifyRoutine callbacks. And “Load Image” for PsSetLoadImageNotifyRoutine callbacks.

The “Additional Info” in the list view provides internal information like the address of the callback function.

There are some default filters registered by system components, but, as you can notice, there are also Kaspersky components. That’s because some filters (like the registry filter) are not used by system components and I needed a tool which would make use of these filters for my little demonstration.

The version of Kaspersky I have installed is the latest one available on the internet which is: 9.0.0.463.

I created for this demonstration a little executable called “k-test” (what you see on the desktop are three copies of the same executable) which copies itself in a directory called “borda” in the “Roaming” directory of the operating system. It then creates a value in the Run key of the registry to execute itself at each start-up. Finally, it launches itself from the “Roaming” directory and ends.

This is a typical malware behavior. Beware that the signature of the application itself is not contained in the databases of Kaspersky as I have written it on the fly, but it detects the suspicious behavior, stops execution and deletes the file. And it does this every time I launch the test application.

Now let’s get to the part where I show an additional functionality of the Filter Monitor, which is the ability to remove registered filters, and see what happens if I remove the filters installed by klif.sys, which is the “Kaspersky Lab Interceptor and Filter” driver. As the name suggests, this driver intercepts and filters: it installs all four typologies of filters listed by the Filter Monitor. On x86, instead of calling CmRegisterCallback, it additionally hooks about 60 functions of the Service Descriptor Table (which is a lot), but that’s no longer possible on x64.

So, let’s remove the filters and re-launch k-test. It works now.

Final disclaimer: It is not my intent to comment on security features of anti-viruses, I just wanted to present my new tool and show its functionalities. I was already familiar with the internals of Kaspersky before writing this utility.

I hope you enjoyed the presentation.”


P.S. A huge thanks goes to Alessandro Gario for providing me with all the different versions of ntoskrnl.exe.

Device Drivers Vulnerability Research, Avast a real case

Posted 09-27-2009 at 01:36 AM by evilcry

In the past days I worked intensively on antivirus device driver bugs; at the actual state of the art the major part of well-known AVs suffer from basic and more hidden bugs. All of the AVs that I’ve checked present defects that could be maliciously used to take over an antivirus infrastructure and in some cases the entire operating system, with attacks like DoS and/or remote/local privilege escalation.

I want to make a clarification here: there is an important difference between a bug and a vulnerability. Simply put, bugs do not affect the integrity of a system and do not constitute a true danger. Vulnerabilities constitute an effective risk for system integrity, including the information contained inside it. When we are dealing with applications specifically devoted to security, every bug could be considered a vulnerability, because an attacker could block/kill or overcome the checks performed by the application itself, propagate in the system and produce damage. Just think of a basic crash that could affect an antivirus: it could be implemented in a malicious application that checks for the presence of AVs and induces the bug.

In this little post we are going to see some defects of the latest device drivers used by Avast; I’m precisely talking of

Build Number: 4.8.1351.0

Avast loads the following drivers:

  • Aavmker4.sys
  • aswMon2.sys
  • aswRdr.sys
  • aswSP.sys


The drivers Avast loads could be tested by fuzzing IOCTLs; for this task IOCTL Fuzzer and Kartoffel can be used. Let’s disassemble the first driver, Aavmker4.sys, which from the DeviceIoControl hook appears to be heavily used. This is the driver's DriverEntry():

Code:
00010748 mov eax, [ebp+DriverObject]
0001074B push offset NotifyRoutine ; NotifyRoutine
00010750 mov dword ptr [eax+70h], offset sub_1098C ; DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_1098C;
00010757 call PsSetCreateProcessNotifyRoutine
sub_1098C contains the switch statement that handles the various IOCTL notifications; essentially the IOCTL check is structured in the form of nested ifs and switches.

Code:
0001098C ; int __stdcall sub_1098C(int, PIRP Irp)
000109C4 mov ecx, 0B2D6002Ch
000109C9 cmp eax, ecx
000109CB ja loc_10D12
000109D1 jz loc_10CE9
Checks if the IOCTL is less than or equal to 0x0B2D6002C; if the condition is true it checks if the IOCTL is exactly 0x0B2D6002C, a certain task is performed by the device driver, and finally it ends with a classical epilogue:

Code:
IofCompleteRequest(X, 0);
return value;
By monitoring Aavmker4.sys activity with a DeviceIoControl hook, it emerges that the most used IOCTLs are:
  • 0xB2D60030
  • 0xB2D60034


Now we have two possibilities: the first is to fuzz these IOCTLs, check the crash dump if one happens and afterwards check the code for more details; the second possibility is to invert the check order.

This is the xml configuration to test Aavmker4.sys:

Code:
<allow>
<drivers>
<entry>Aavmker4.sys</entry>
</drivers>
<devices>
<entry>\Device\AavmKer4</entry>
</devices>

<ioctls>
<entry>0xb2d60030</entry>
<entry>0xb2d60034</entry>
</ioctls>
<processes>
<entry>ashServ.exe</entry>
</processes>
</allow>
Launch the fuzzer and an Avast scan; as you can see the driver resists the fuzzing attempts, so it's time to see the code referred to by 0xB2D60030 and 0xB2D60034.

0xB2D60030

Code:
00010D25 cmp eax, 0B2D60030h
00010D2A jz short loc_10DA8
00010D2C cmp eax, 0B2D60034h
00010D31 jz short loc_10D5B
00010DC5 mov edi, [ebx+0Ch]
00010DC8 cmp esi, 878h
00010DCE jz short loc_10DDA ;Check buffer size
00010DD0 push offset aIoctl_aavm_sta ; “******* IOCTL_AAVM_START_REQUEST_AND_SE”…
00010DD5 jmp loc_10ABA ;Jump to Io Completion
If the buffer size differs from 878h it DbgPrints an error message, else the supplied buffer is correctly sanitized via MmUserProbeAddress and MmIsAddressValid. We can say that this IOCTL is correctly handled.

0xB2D60034:

Code:
00010D5B cmp esi, 8
00010D5E jnz loc_10AC0 ;If differs from 8 return STATUS_INVALID_PARAMETER
00010D64 call PsGetCurrentProcessId
Now let’s test aswSP.sys. In device driver vulnerability research it’s fundamental to have a complete log of all activities of a driver; this can be obtained by correctly planning a battery of unit tests. Each test should correspond to a primitive logic operation performed by an application that makes use of the driver. I usually build several mini logs for each activity and finally a complete log. Here is a little list of monitoring primitives:

  • On Load
  • On apparent Idle
  • On Working
  • On Shutdown
  • Various, like On Surprise Stop


This will give us a complete report of all activities and the IOCTLs involved. In the specific case of aswMon2.sys we can isolate the following:

  • 0xb2c80018
  • 0xb2c80014
  • 0xb2c80020
  • 0xB2c800C0
  • 0xB2c800C4
  • 0xB2c800C8


From the IOCTL logger we can see that 0xB2c800C0 is heavily used; time to locate the IOCTL dispatcher:

Code:
0001178B and dword ptr [ebx+34h], 0
0001178F mov dword ptr [ebx+6Ch], offset sub_11FB6
00011796 mov dword ptr [ebx+28h], offset off_18988
C-like:
Code:
v2->DriverUnload = 0;
v2->MajorFunction[13] = (PDRIVER_DISPATCH)sub_11FB6;
v2->FastIoDispatch = (PFAST_IO_DISPATCH)&unk_18988;
With a bit of research we land at sub_10B82, which contains the switch for the IOCTLs.

Code:
00010BBD mov eax, 0B2C80018h
00010BC2 cmp ecx, eax
00010BC4 push edi
00010BC5 ja loc_11066
00010BCB jz loc_10F70
00010BD1 cmp ecx, 0B2C80008h
00010BD7 jz short loc_10C3C
00010BD9 cmp ecx, 0B2C8000Ch
00010BDF jz short loc_10C16
00010BE1 cmp ecx, 0B2C80010h
00010BE7 jz short loc_10BFF
00010BE9 cmp ecx, 0B2C80014h
00010BEF jnz loc_111AC
00010BF5 call sub_108BC
From the logs it emerged that the most frequently used is 0xB2C8000C, so it’s obvious that we will study this one first:

0xB2C8000C:

Code:
00010C16 cmp [ebp+arg_C], 1448h
00010C1D jnz loc_111AC ;check len
00010C23 mov esi, [ebp+SourceString]
00010C26 mov ecx, 512h
00010C2B mov edi, offset dword_18A58
00010C30 rep movsd
00010C32 call sub_108F0
00010C37 jmp loc_112C1 ;go out
In this case user-supplied input is correctly sanitized, so 0xB2C8000C can be excluded from fuzz testing. From the On Shutdown log emerged the massive presence of 0xB2c80018, so let’s fuzz it. Here is the configuration for IOCTL Fuzzer:

Code:
<?xml version="1.0" encoding="windows-1251"?>
<cfg>
<log_file>C:\ioctls.txt</log_file>
<hex_dump>true</hex_dump>
<log_requests>true</log_requests>
<debug_log_requests>true</debug_log_requests>
<fuze_requests>true</fuze_requests>
<fuze_size>true</fuze_size>
<allow>
<drivers>
<entry>aswMon2.SYS</entry>
</drivers>
<devices>
<entry>\Device\aswMon</entry>
</devices>
<ioctls>
<entry>0xb2c80018</entry>
</ioctls>
<processes>
<entry>ashServ.exe</entry>
</processes>
</allow>
<deny>
<drivers>

<entry>aswSP.SYS</entry>
<entry>Aavmker4.SYS</entry>
<entry>aswTDI.SYS</entry>
</drivers>
<ioctls>

<entry>0xb2c8000c</entry>
<entry>0xb2c80014</entry>
<entry>0xb2c80020</entry>
</ioctls>
</deny>
</cfg>
The config script allows only 0xB2c80018 sent from aswMon; the other drivers are locked. Obviously the fuzzing needs to follow the log unit that evidenced the IOCTL, so run the fuzzer and stop all Avast services.

Bang... a BSOD: we discovered an Avast vulnerability in aswMon2.sys.

From crashdump:

kd> !analyze -v

Quote:
UNEXPECTED_KERNEL_MODE_TRAP_M
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
Quote:
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793
f76f3760 8053d251 f76f377c 00000000 f76f37d0 nt+0x25700
f76f37d0 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3854 8052c793 41414141 00000000 f76f3ca8 nt+0x55712
f76f38d0 804fc700 f76f3ca8 f76f39a4 05050505 nt+0x55793
f76f3c8c 8053d251 f76f3ca8 00000000 f76f3cfc nt+0x25700
f76f3cfc 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3d80 8052c793 41414141 00000000 f76f41d4 nt+0x55712
f76f3dfc 804fc700 f76f41d4 f76f3ed0 05050505 nt+0x55793
f76f41b8 8053d251 f76f41d4 00000000 f76f4228 nt+0x25700
f76f4228 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f42ac 8052c793
...
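As an added example (not evilcry's code and not Avast's), the defensive side of the IOCTL analysis above, written in plain C so it runs outside the kernel: a decoder for the fields the CTL_CODE macro packs into codes such as 0xB2D60030, and a model dispatch routine that refuses a request unless the caller-supplied length matches what the handler expects, which is exactly the `cmp esi, 878h` / `cmp esi, 8` check the post found in Aavmker4.sys. The IOCTL numbers and the two lengths come from the post; the NTSTATUS values are from ntstatus.h; the dispatcher itself is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)

/* Fields packed by the CTL_CODE macro (wdm.h):
 * CTL_CODE(DeviceType, Function, Method, Access) =
 *     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;     /* 0 = METHOD_BUFFERED ... 3 = METHOD_NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* Input length each supported IOCTL requires, using the sizes the
 * disassembly in the post shows (0x878 for 0xB2D60030, 8 for 0xB2D60034). */
static size_t required_input_length(uint32_t code)
{
    switch (code) {
    case 0xB2D60030u: return 0x878;
    case 0xB2D60034u: return 8;
    default:          return 0;      /* not handled by this dispatcher */
    }
}

/* Model of a dispatch routine that validates the caller's buffer length
 * before touching the data; skipping this check is what leaves a handler
 * reading past a short buffer when a fuzzer varies the size. */
NTSTATUS dispatch_ioctl(uint32_t code, const uint8_t *in, size_t in_len)
{
    size_t need = required_input_length(code);
    if (need == 0)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len != need)        /* the "cmp esi, 8 / jnz" check */
        return STATUS_INVALID_PARAMETER;
    /* Only now is reading in[0 .. need) safe; sum the bytes as a stand-in
     * for the handler's real work. */
    uint32_t sum = 0;
    for (size_t i = 0; i < need; i++)
        sum += in[i];
    (void)sum;
    return STATUS_SUCCESS;
}
```

Decoding 0xB2D60030 gives device type 0xB2D6, function 12, METHOD_BUFFERED; 0xB2D60034 is function 13 of the same device, which is why the two codes sit next to each other in the switch. An exact-length comparison is the simplest correct policy; a handler that needs a variable-length payload should compare against a minimum and then against a length field that it has already validated.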

Code Release page

Posted 09-07-2009 at 10:09 PM by BanMe (BanMe.From.Native_Development)

Here is the current server code, minus the addition of the currently not working emulation of CSR_API_MESSAGE.

This is also another release of the client; both downloads are below.
Attached Files
File Type: rar SIN32.rar (113.9 KB, 119 views)
File Type: rar affectionate.rar (446.6 KB, 115 views)

Binary-Auditing Solutions.

Posted 09-04-2009 at 12:39 AM by BanMe (BanMe.From.Native_Development)

I am currently working on the C++ Fundamentals, and will be presenting my solutions here. As the downloads have just been released, I currently don't have any solutions ready, but I'm working on the PH of Coffee and that solution should be ready tomorrow. This will be updated soon with further posts and solutions; hopefully I will be able to complete 'most' solutions in code that only uses ntdll, but I know that not 'all solutions' will allow me to take this route.

If you are also working on this line of learning,
Contact me and maybe we can do it together..

BanMe

"Client" Unit Tests(some fun ones..)Indirect RtlCreateUserThread hooking..

Posted 08-29-2009 at 01:41 AM by BanMe (BanMe.From.Native_Development)
Updated 08-29-2009 at 01:51 AM by BanMe

Code called before RtlCreateUserThread:
Code:
if(InitUserHooks(ClientView))
{
	Status = RtlCreateUserThread(NtCurrentProcess(),0,0,0,0,0,(PUSER_THREAD_START_ROUTINE)wtf,0,&PortHandle,&Cid);
}
InitUserHooks:
Code:
BOOL InitUserHooks(PORT_VIEW CodeView)
{
	ULONG Addr_BaseThreadStart = 0;
	ULONG Addr_BaseThreadStartThunk = 0;
	ULONG Addr_LdrInitializeThread = 0;
	ULONG Addr_LdrCallInitRoutine = 0;
	BYTE SigBaseThread[7] = { 0x33,0xED,0x53,0x50,0x6A,0x00,0xE9 };
	BYTE SigLdrInitializeThread[9] = { 0x6A, 0x02, 0xFF, 0x76, 0x10, 0xFF, 0x75, 0xE0, 0xE8 };
	BYTE CodBaseThread[2] = { 0x00,0x00};
	BYTE CodLdrCallInit[5] = { 0x00,0x00};
	NTSTATUS Status = 0;
	ULONG NumOfBytes = 2;
	PVOID pfnOrigin = 0;
	int i;
	GetProcessModules();
	for(i = 0;i<20;i++)
	{
		if(wcscmp((PWSTR)Array_ModName[i], L"ntdll.dll") == 0)
			break;
	}
	Addr_LdrInitializeThread = SigSeek_FindCode((DWORD)Array_ModHandle[i],((DWORD)Array_ModHandle[i]+Array_ModSize[i]),sizeof(SigLdrInitializeThread),(DWORD*)&SigLdrInitializeThread);
	if(Addr_LdrInitializeThread)
	{
		__asm
		{
			mov ebx,[eax+0x9]
			add ebx,eax
			add ebx,0xd
			mov Addr_LdrCallInitRoutine,ebx
		}
	}
	else
	{
		return FALSE;
	}
	for(i = 0;i<20;i++)
	{
		if(wcscmp((PWSTR)Array_ModName[i], L"kernel32.dll") == 0)
			break;
	}
	Addr_BaseThreadStartThunk = SigSeek_FindCode((DWORD)Array_ModHandle[i],((DWORD)Array_ModHandle[i]+Array_ModSize[i]),sizeof(SigBaseThread),(DWORD*)&SigBaseThread);
	if(Addr_BaseThreadStartThunk)
	{
		// extract the address of kernel32.BaseThreadStart() from jmp instruction
		// destination = code location + jump offset + 5
		__asm
		{
			mov ebx, [eax+7]
			add ebx, eax // code location
			add ebx, 6 // 
			add ebx, 5
			mov Addr_BaseThreadStart, ebx
		}
	}
	else
	{
		return FALSE;
	}
	ULONG Hook_LdrCallInitRoutine = ((ULONG)CodeView.ViewBase);
	if(Native_HotPatchAddrEx(Addr_LdrCallInitRoutine,Hook_LdrCallInitRoutine,0x1DEB,1,&pfnOrigin))
	{
		return TRUE;
	}
	return FALSE;
}
Native_HotPatchAddrEx:
Code:
bool Native_HotPatchAddrEx(ULONG oldProc, ULONG newProc,WORD Code,ULONG NumOfNop, void**ppOrigFn)
{
	bool bRet = false;
    ULONG oldProtect = NULL;
	ULONG pLongJump = 0;
	ULONG pLongJumpAdr = 0;
	ULONG ProtectSize = 2;
	ULONG ProtectAddr = oldProc;
	BYTE Nop = 0x90;
	if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr, &ProtectSize, PAGE_EXECUTE_READWRITE, &oldProtect)))
	{
		return bRet;
	}
	WORD *pJumpBack = (WORD*)oldProc;
	__asm
	{
		lea ecx,Code
		inc ecx
		mov al,byte ptr[ecx];
		movzx ecx,al
		cmp ecx,0
		je Failed 
		push ecx
		add oldProc,ecx
		push oldProc
		pop ProtectAddr
		mov ProtectSize,5
	}
	if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr,&ProtectSize,PAGE_EXECUTE_READWRITE,&oldProtect)))
	{
		return bRet;
	}
	__asm
	{
		pop ecx
		push oldProc
		pop pLongJump
		inc oldProc
		push oldProc		
		pop pLongJumpAdr
		dec oldProc
		sub oldProc,ecx
	 	
	}
	if(*pJumpBack != 0xFF8B)
	{
		__asm
		{
			add oldProc,2
			mov edi,oldProc
			lea esi,Nop
			mov ecx,NumOfNop
			rep movsb
			sub oldProc,2
		}
	}
    *(BYTE*)pLongJump = 0xE9;    // long jmp
    *(ULONG*)pLongJumpAdr = (newProc - oldProc)-0x22;    // 
    *pJumpBack = 0x1beb;        // short jump back -7 (back 5, plus two for this jump)
    if (ppOrigFn)
	{
		*ppOrigFn = ((BYTE*)oldProc);
		bRet = true;
	}
  	//if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&pLongJump, &ProtectSize, oldProtect, &oldProtect)))
	//{
	//	return bRet;
	//}
Failed:
	return bRet;
}
LdrpCallInitRoutine after hooking:
Code:
_LdrpCallInitRoutine@16:
  jmp         _LdrpCallInitRoutine@16+1Dh (7C901193h) 
  nop              
  push        esi  
  push        edi  
  push        ebx  
  mov         esi,esp 
  push        dword ptr [ebp+14h] 
  push        dword ptr [ebp+10h] 
  push        dword ptr [ebp+0Ch] 
  call        dword ptr [ebp+8] 
  mov         esp,esi 
  pop         ebx  
  pop         edi  
  pop         esi  
  pop         ebp  
  ret         10h  
  jmp         01570000
Code in the "Shared" mapped view (originates in the server):
Code:
		XOR ECX,ECX
QSFRA:
		MOV EAX,[ESP+(ECX*0x4)]
		CMP EAX,0x7c900000
		JL IncStack
		CMP EAX,0x7cA00000
		JG IncStack
RDUNOP:
		CMP WORD PTR [EAX],0x406a
		JE FAS
	    SUB EAX,1
		JMP RDUNOP
FAS:
		PUSH EBP
		MOV EBP,ESP
		MOV EAX,0x7c901179
		JMP EAX
IncStack:
		INC ECX
		JMP QSFRA
		ret
Code executed after the call of RtlCreateUserThread by LdrpCallInitRoutine:

Code:
__DllMainCRTStartupForGS@12:
  mov         edi,edi 
  push        ebp  
  mov         ebp,esp 
  cmp         dword ptr [ebp+0Ch],1 
  je          __DllMainCRTStartupForGS@12+0Bh (7C9222FAh) 
  xor         eax,eax 
  inc         eax  
  pop         ebp  
  ret         0Ch
hmm
Code:
_BaseDllInitialize@12:
  mov         edi,edi 
  push        ebp  
  mov         ebp,esp 
  cmp         dword ptr [ebp+0Ch],1 
  je          _BaseDllInitialize@12+0Bh (7C818A92h) 
  pop         ebp  
  nop              
  nop              
  nop              
  nop              
  nop              
__BaseDllInitialize@12:
  mov         edi,edi 
  push        ebp  
  mov         ebp,esp 
  sub         esp,424h 
  mov         eax,dword ptr [___security_cookie (7C8856CCh)] 
  mov         ecx,dword ptr [ebp+8] 
  push        ebx  
  push        esi  
  push        edi  
  xor         edi,edi 
  mov         dword ptr [ebp-4],eax 
  mov         dword ptr [ebp-424h],ecx 
  mov         dword ptr [ebp-414h],edi 
  mov         eax,dword ptr fs:[00000018h] 
  mov         eax,dword ptr [eax+30h] 
  mov         eax,dword ptr [eax+1D4h] 
  mov         dword ptr [_SessionId (7C8856E4h)],eax 
  mov         dword ptr [_BaseDllHandle (7C885054h)],ecx 
  mov         eax,dword ptr fs:[00000018h] 
  mov         ebx,dword ptr [eax+30h] 
  mov         eax,dword ptr [ebp+0Ch] 
  sub         eax,edi 
  mov         dword ptr [ebp-420h],ebx 
  je          7C81CAF4 
  dec         eax  
  je          __BaseDllInitialize@12+89h (7C8185EDh) 
  dec         eax  
  jne         __BaseDllInitialize@12+61h (7C80C177h) 
  push        edi  
  push        2    
  call        _ConDllInitialize@8 (7C80B777h) 
  test        al,al 
  je          __BaseDllInitialize@12+82h (7C82B7ECh) 
  mov         al,1 
  mov         ecx,dword ptr [ebp-4] 
  pop         edi  
  pop         esi  
  pop         ebx  
  call        @__security_check_cookie@4 (7C8097AAh) 
  leave            
  ret         0Ch
Then it goes on to deactivate the activation context; it also leaves the Ldr critical section, and then finally ZwTestAlert, which calls the routine of RtlCreateUserThread. Hope some of this was 'fun'.. ;p

regards BanMe

Several Common Ways That Viruses Spread

Posted 08-24-2009 at 07:03 AM by Lula8r

In addition to the common methods of spreading through email attachments, boot infections and program infectors, there are other ways by which viruses spread to your computer. These include:

Infection by Disk(Floppy, Zip, CD's, Tapes, etc.)

Floppy disks, though not as commonly used as in the past, are still a very common way for viruses to spread from machine to machine. Anyone with an infected machine, using a floppy disk to copy and save files, can also copy and transfer the virus. Any use of that same removable disk, by any user, at any time in the future, will most likely contaminate, or re-contaminate, any computer it is used with. The only way to properly clean an infected floppy disk is to perform a low-level format. The normal Windows(tm) "format disk" is often not enough.

With CDs, all the above holds true with the exception that an infected CD can never be cleaned. To get rid of an infected CD, you need to put it in the trash and never use it again.

Infection from Networks

Peer-to-peer networks, local area networks (LAN), wide area networks (WAN), wireless networks, and the Internet are all computer networks. They all have the same basic purpose: to share software and information resources between two or more computers. As with anything else that is shared between computers, networks let users share files, and wherever files are shared, viruses can be shared and spread.

Most network virus/worm/Trojan activity is like what we described earlier, although more and more examples of automatic mass-mailing attacks and system resource attacks are being found.

Recently many attacks are designed to specifically target major corporate interests (Microsoft, eBay, Amazon, major Banks etc.) in an attempt to disrupt their online services. Very generally these are called DOS (denial of service) attacks. The way they most commonly work is by secretly infecting thousands of local user computers (like the one you are using right now), and then at a specific time, launching a combined attack from all the infected machines against the primary target.

As you can see, your computer can be hijacked without your knowledge and then used in a major attack against an unsuspecting company. However with up-to-date virus/firewall protection, your computer will be immune to such hijacking.

Other ways by which viruses spread

Other sources of viruses have been found to be the result of software downloads available over the Internet. Software patches, drivers and demonstration software from reputable companies generally carry little risk. However, the Internet is also filled with "unofficial" software, pirated programs, and low-budget software from questionable sources that may be intentionally or unintentionally infected with viruses. Files downloaded directly from the Internet (either through file-sharing programs or direct download from websites) are among the fastest growing sources of computer virus infections.

Email, with its nearly universal availability and ease of use, together with chat rooms and messenger systems, not only makes communication simple and quick, but also makes the transmission and re-transmission of infection simple and alarmingly fast. Creators of newer viruses and internet worms specifically target these systems because they are widely used, and are often built right into the operating system and used with default settings, making them much easier to attack and exploit.

As a point of reference, Internet Explorer and the Outlook/Outlook Express email clients are two of the applications most targeted by Internet viruses and worms. Why? Because they are installed on more computers around the world than any other software, and they are installed 99% of the time with default settings (which means virus programmers have an easy blueprint to follow).

If you use an email system or instant message system that is installed automatically with your computer's operating system you need to install and use current antivirus software. You also need to learn how to turn off certain default settings that can leave your system open to very easy attack.

VMware ring3 detection (RF handling)

Posted 08-09-2009 at 11:28 AM by deroko

Hello,

Here is one trick to detect vmware, discovered by accident.

I was writing one unpacker, and for me RF was a must-have to make my unpacker simpler. The unpacker worked great on a live system, and then I tried it in vmware, and I got many breaks at the same part of the code which should have continued with RF.

RF from intel manual volume 3, chapter 18:

Code:
Because the debug exception for an instruction breakpoint is generated before the
instruction is executed, if the instruction breakpoint is not removed by the exception
handler; the processor will detect the instruction breakpoint again when the instruction
is restarted and generate another debug exception. To prevent looping on an
instruction breakpoint, the Intel 64 and IA-32 architectures provide the RF flag
(resume flag) in the EFLAGS register (see Section 2.3, “System Flags and Fields in
the EFLAGS Register,” in the Intel® 64 and IA-32 Architectures Software Developer’s
Manual, Volume 3A). When the RF flag is set, the processor ignores instruction
breakpoints.
Basically what a debugger would do with a breakpoint is:
- breakpoint reached -> clear breakpoint
- single step that instruction
- set breakpoint after singlestep
- continue execution
- too much not needed work...

For DebugRegister breaks on execution, you can simplify this by setting RF in Eflags, and you don't have to remove your breakpoint on execution.

So here is how to detect VMWare presence using debug registers due to wrong RF handling:

The code allocates memory and stores 0xC3 there; after that the program generates an exception to set the debug registers. In the exception handler the code checks if the exception occurred for the 1st time (1st debug break) and sets RF (i.e. continue execution); after that, if the exception occurs a 2nd time, it means that RF wasn't handled and that we have vmware (didn't try with other virtual machines).

main.c
Code:
#include        "defs.h"

PVOID   buffer;
DWORD   dwExceptionCount;

ULONG   filter(PEXCEPTION_INFO pei){
        PCONTEXT pctx;
        
        pctx = pei->pContext;
        if (dwExceptionCount == 0){
                dwExceptionCount++;
                pctx->Dr7 = BPM_LOCAL_EXACT | BPM0_LOCAL_ENABLED;
                pctx->Dr0 = (DWORD)buffer;
                pctx->Eip += 2;
                NtContinue(pctx, FALSE);
        }else if (dwExceptionCount == 1){
                dwExceptionCount++;
                pctx->EFlags |= 0x10000;
                NtContinue(pctx, FALSE);
        }else if (dwExceptionCount == 2){
                printf("[X] vmware detected\n");
                ExitProcess(0);
        }
        
        return EXCEPTION_EXECUTE_HANDLER;        
}

void __declspec(naked) hook_filter(void){
        __asm push      esp
        __asm call      filter
}

int __cdecl wmain(int argc, wchar_t **argv){
        VOID    (*func)();
        DWORD   dwOldProt;
        PUCHAR  kiuser;
        printf("[*] ring3 VMWARE detection - (c) 2009 deroko of ARTeam\n");
        kiuser = (PUCHAR)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "KiUserExceptionDispatcher");
        
        VirtualProtect(kiuser, 7, PAGE_EXECUTE_READWRITE, &dwOldProt);
        kiuser[0] = 0x68;
        *(DWORD *)&kiuser[1] = (DWORD)hook_filter;
        kiuser[5] = 0xc3;
                    
        buffer = func = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        *(DWORD *)func = 0xC3909090;
        
        __asm xor eax, eax
        __asm mov eax, [eax]
        func();
        
        printf("[*] vmware not detected\n");
        ExitProcess(0);
}

defs.h
Code:
 
#include        <windows.h>
#include        <stdio.h>

// Dr6
#define BPM0_DETECTED                    0x00000001
#define BPM1_DETECTED                    0x00000002
#define BPM2_DETECTED                    0x00000004
#define BPM3_DETECTED                    0x00000008

// Dr7
#define BPM0_LOCAL_ENABLED               0x00000001
#define BPM0_W                           0x00010000
#define BPM0_RW                          0x00030000

#define BPM1_LOCAL_ENABLED               0x00000004
#define BPM1_W                           0x00100000
#define BPM1_RW                          0x00300000

#define BPM2_LOCAL_ENABLED               0x00000010
#define BPM2_W                           0x01000000
#define BPM2_RW                          0x03000000

#define BPM3_LOCAL_ENABLED               0x00000040
#define BPM3_W                           0x10000000
#define BPM3_RW                          0x30000000

#define BPM_LOCAL_EXACT                  0x00000100

typedef LONG NTSTATUS;

NTSTATUS
NTAPI
NtContinue(__in PCONTEXT ctx, BOOL Alertable);

typedef struct{
	PULONG ExceptionCodeAddress;
	PCONTEXT   pContext;
	ULONG  ExceptionCode;
	ULONG  ExceptionFlags;
	PULONG ExceptionRecord;
	ULONG  ExceptionAddress;
	ULONG  NumberOfParameters;
	ULONG  ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
}EXCEPTION_INFO, *PEXCEPTION_INFO;

output of the program running in vmware:
Code:
[*] ring3 VMWARE detection - (c) 2009 deroko of ARTeam
[X] vmware detected
output of the program running on a live system:

Code:
[*] ring3 VMWARE detection - (c) 2009 deroko of ARTeam
[*] vmware not detected

Hope you find it useful
cr4zyserb
Posted in Uncategorized
Views 499 Comments 8 deroko is offline

placing a "hotpatch" where it doesn't belong..

Posted 07-22-2009 at 11:26 PM by BanMe (BanMe.From.Native_Development)
Updated 07-27-2009 at 11:47 PM by BanMe (Updated..to suite my purpose..)

had to work this one out myself..

it's nothing too special except that it's just more versatile than saks654's function..allowing hotpatches on non mov edi,edi functions; also it provides a method for nopping those pesky leftovers..

I hope you enjoy it

Code:
bool Native_HotPatchAddrEx(ULONG oldProc, ULONG newProc,WORD Code,ULONG NumOfNop, void**ppOrigFn)
{
	bool bRet = false;
	ULONG oldProtect = 0;
	ULONG pLongJump = 0;
	ULONG pLongJumpAdr = 0;
	ULONG ProtectSize = 2;
	ULONG ProtectAddr = oldProc;
	BYTE Nop = 0x90;
	// unprotect the 2 entry bytes that receive the short jump
	if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr, &ProtectSize, PAGE_EXECUTE_READWRITE, &oldProtect)))
	{
		return bRet;
	}
	WORD *pJumpBack = (WORD*)oldProc;
	__asm
	{
		lea ecx,Code
		inc ecx
		mov al,byte ptr[ecx]	; high byte of Code = rel8 of the short jump
		movzx ecx,al
		cmp ecx,0
		je Failed 
		add ecx,2		; rel8 is relative to the end of the 2-byte jmp
		push ecx
		add oldProc,ecx		; oldProc = landing site of the short jump
		push oldProc
		pop ProtectAddr
		mov ProtectSize,5
	}
	// unprotect the 5 bytes of padding that receive the long jump
	if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr,&ProtectSize,PAGE_EXECUTE_READWRITE,&oldProtect)))
	{
		return bRet;
	}
	__asm
	{
		pop ecx
		push oldProc
		pop pLongJump
		inc oldProc
		push oldProc		
		pop pLongJumpAdr
		dec oldProc
		sub oldProc,ecx		; back to the function entry
	}
	if(*pJumpBack != 0xFF8B)
	{
		// not a "mov edi,edi" prologue: fill the leftover bytes of the
		// instruction(s) the short jump cuts into with NumOfNop nops
		__asm
		{
			add oldProc,2
			mov edi,oldProc
			mov al,Nop
			mov ecx,NumOfNop
			rep stosb
			sub oldProc,2
		}
	}
    *(BYTE*)pLongJump = 0xE9;    // long jmp
    *(ULONG*)pLongJumpAdr = ((ULONG)newProc)-(pLongJump+5);    // rel32, relative to the end of the long jmp
    *pJumpBack = Code;        // short jump from the entry onto the long jmp in the padding below
    if (ppOrigFn)
	{
		*ppOrigFn = ((BYTE*)oldProc);
		bRet = true;
	}
  	//if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&pLongJump, &ProtectSize, oldProtect, &oldProtect)))
	//{
	//	return bRet;
	//}
Failed:
	return bRet;
}
This code is highly specialized to deal with the intricacies of hot patching functions with nop padding only located below the function..not like the last one that patched the nop padding above a function..please take this into account when using it if you can..;P

regards BanMe
r3p0l3v3d n3v1rd
Posted in Uncategorized
Views 425 Comments 0 BanMe is offline
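As an added example that is not part of BanMe's post or code, a defender-side check in C that recognises the two-stage layout such a hotpatch leaves behind (a short jmp at the entry onto an E9 in the padding, above or below the function) and resolves where the hook goes; the sample byte arrays, their addresses and the function names are constructed for this example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Inspect a function entry for a two-stage hotpatch: a 2-byte short jmp
 * (EB rel8) at the entry whose landing site holds a 5-byte near jmp
 * (E9 rel32).  `buf` is a copy of `len` bytes starting at virtual address
 * `buf_va`; `entry` is the function's offset inside it, so the copy can
 * include padding above the entry (classic "mov edi,edi" patch, rel8 = -7)
 * as well as padding below it (the variant in the post above).
 * Both rel8 and rel32 are relative to the end of their own instruction.
 * Returns 1 and stores the hook's absolute destination in *dest when the
 * layout matches; returns 0 for an untouched entry or any other opcode.
 * Little-endian (x86) byte order is assumed for the rel32 read. */
static int inspect_hotpatch(const uint8_t *buf, size_t len, size_t entry,
                            uint32_t buf_va, uint32_t *dest)
{
    if (entry + 2 > len || buf[entry] != 0xEB)
        return 0;
    long target = (long)entry + 2 + (int8_t)buf[entry + 1];
    if (target < 0 || (size_t)target + 5 > len)   /* lands outside the copy */
        return 0;
    if (buf[target] != 0xE9)
        return 0;
    int32_t rel32;
    memcpy(&rel32, buf + target + 1, sizeof rel32);
    *dest = buf_va + (uint32_t)target + 5u + (uint32_t)rel32;
    return 1;
}

/* Convenience wrapper: destination VA of the hook, or 0 if not patched. */
uint32_t hotpatch_dest(const uint8_t *buf, size_t len, size_t entry,
                       uint32_t buf_va)
{
    uint32_t dest = 0;
    return inspect_hotpatch(buf, len, entry, buf_va, &dest) ? dest : 0;
}

/* Constructed sample 1: classic layout at VA 0x1000.  The five INT3s that
 * preceded the entry now hold E9, and the entry's "mov edi,edi" was
 * replaced by "jmp short -7" back onto it. */
const uint8_t sample_above[] = {
    0xE9, 0x10, 0x00, 0x00, 0x00,   /* 0x1000: jmp 0x1015 */
    0xEB, 0xF9,                     /* 0x1005: entry, jmp short 0x1000 */
    0x55, 0x8B, 0xEC, 0xC3 };       /* push ebp / mov ebp,esp / ret */
/* Constructed sample 2: the post's layout at VA 0x2000.  The entry jumps
 * forward over the nopped body into the padding below the ret. */
const uint8_t sample_below[] = {
    0xEB, 0x04,                     /* 0x2000: entry, jmp short 0x2006 */
    0x90, 0x90, 0x90, 0xC3,         /* nopped leftovers, ret */
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* 0x2006: jmp 0x300B */
    0x90, 0x90 };
/* Constructed sample 3: untouched hotpatchable prologue. */
const uint8_t sample_clean[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xC3 };
```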

why Opcode0x90's "dll Injection shield" fails against RtlCreateUserThread

Posted 07-22-2009 at 08:23 PM by BanMe (BanMe.From.Native_Development)
Updated 07-22-2009 at 08:36 PM by BanMe

I've still got a lot of bugs to work out in the server..and I need to implement a way to do multiple hooks from the shared section and also develop a way to request new 'plugable code' without deleting the previous plugin loaded into the mapped section..and figure out why after 3 client connections to a "reusable" thread it mysteriously blows up..

but enough about problems on with this post..

Put simply, RtlCreateUserThread does not call into BaseThreadStartThunk. To remedy this and improve upon opcode0x90's 'Dll Shield' I am placing my hook on LdrpCallInitRoutine, which then in turn calls BaseThreadStartThunk (if CreateThread or CreateRemoteThread).
In the call to RtlCreateUserThread, LdrpCallInitRoutine calls the passed-in function directly. So placing a hook here covers CreateThread, CreateRemoteThread, RtlCreateUserThread, NtCreateThread..you get it..

Doing this during runtime can prevent all 'injected' threads from executing..placing a hook\breakpoint here 'pre' runtime will capture the 'Main' thread during initialization after TLS has executed but w/e..also jumping over the call to ZwTestAlert will prevent a thread from being directed to the BaseThreadStartThunk routine.

hehe more fun and research for me

regards BanMe
r3p0l3v3d n3v1rd
Posted in Uncategorized
Views 440 Comments 8 BanMe is offline

VMprotect VM_logic (in v1.8 demo)

Posted 07-06-2009 at 03:57 PM by evaluator

Code:
*******
VMProtect hides CPU instructions by dividing a single instruction into many VM_opcodes.
But a correct VM must fully reproduce CPU instructions and care about
the correct result in EFlags, so any kind of simulation is not acceptable!
Let's look at the VM_handlers

VM_handlers ( ~71 )
(SA = StackAdd , SS = StackSub)

AddByteByte_SS2
AddWordWord_SS2
AddDwordDword
Div168_SS2
Div3216_SS2
DIV6432
ExitVM

IDIV168_SS2
IDIV3216_SS2
IDIV6432

IMUL88_SS2
IMUL1616_SS4
IMUL3232_SS4

MUL88_SS2
MUL1616_SS4
MUL3232_SS4

NotNotAndByte_SS2
NotNotAndWord_SS2
NotNotAndDword

PopBP
PopEBP
PopfD_SA4  (mostly used on VM_STD, VM_CLD)
LoadVmIP_SA4

PopMemByte_SA6
PopMemByteSS_SA6
PopMemByteES_SA6
PopMemWord_SA6
PopMemWordSS_SA6
PopMemWordES_SA6
PopMemDword_SA8
PopMemDwordSS_SA8
PopMemDwordES_SA8
(can also be for the CS,FS,GS case)

PopByteToVMRegsImmID_SA2
PopWordToVMRegsImmID_SA2
PopDwordToVMRegsOpcID_SA4
^^^^
PushByteFromVMRegsImmID_SS2
PushWordFromVMRegsImmID_SS2
PushDwordFromVMRegsOpcID_SS4
^^^^ for byte/word/dword part access in VM-Registers (EAX, AX, AL)

PushBP_SS2  (push VM_SP)
PushEBP_SS4  (push VM_ESP)

PushwImmUByte_SS2
PushdImmSByte_SS4
PushwImmWord_SS2
PushdImmSWord_SS4
PushImmDword_SS4

PushMemByte_SA2
PushMemByteSS_SA2
PushMemByteES_SA2
PushMemWord_SA2
PushMemWordSS_SA2
PushMemWordES_SA2
PushMemDword
PushMemDwordSS
PushMemDwordES
(can also be for the CS,FS,GS case)

RclByte_SS2
RclWord_SS2
RclDword_SS2
RcrByte_SS2
RcrWord_SS2
RcrDword_SS2

SHLD_SA2
SHRD_SA2
ShlByte_SS2
ShlDword_SS2
ShlWord_SS2
ShrByte_SS2
ShrDword_SS2
ShrWord_SS2

tool-handlers
PushRDTSC_SS8
PushCPUID_SS12 (value)
CRCsum_SA4 (pmem, size)

**
all Logical & Arithmetic Handlers, which must care about EFlags, have code to store EFlags:

pushfd
pop    d, [ebp+0]

then after such a handler the VM will always call PopDwordToVMRegsOpcID_SA4
to store EFlags into VM-Registers (intermediate or main).
So we can state that they are VM-opcode-pairs


***
in VM_handlers we do not see exact handlers for And/Or/Not/Xor/Sub/Rol... instructions;
How are they emulated!?

For logical instructions the author builds the main VM-handler "NotNotAnd";
its assembly code looks like this:

Mov eax [ebp+0]
Mov edx [ebp+4]
Not  eax
Not  edx
And eax edx
Mov [ebp+4] eax
Pushfd
Pop  d,[ebp+0]

NotNotAnd (var1, var2) = And (Not var1) (Not var2)

and it seems it is a NOR LOGIC GATE!
(below I will keep the name "NotNotAnd"; I wrote this before I did a search,
 but you can search the internet for "NOR LOGIC" and see it all in images!)

Other main logical instructions will be done via this NOR LOGIC GATE.
This sequence produces a valid result in EFlags for emulated logical instructions,
so no further work is needed on EFlags.

VM_NOT (A) = NotNotAnd (A, A)

PushEBP_SS4 + PushMemDwordSS  =  push dword[esp]
usually used in VM_NOT, to prevent double calculation

VM_AND (A, B) = NotNotAnd {VM_NOT (A), VM_NOT (B)}
              = NotNotAnd {NotNotAnd (A, A) , NotNotAnd (B, B)}

VM_TEST  = VM_AND ; result value stored in intermediate VM-regs, discarded

VM_OR (A, B) = VM_NOT [NotNotAnd (A, B)]
             = NotNotAnd {NotNotAnd (A, B) ,  <SamePushed }

VM_XOR (A, B) = NotNotAnd {NotNotAnd (A, B)} {VM_AND (A, B)}
              = NotNotAnd {NotNotAnd (A, B)} {NotNotAnd [NotNotAnd (A, A) , NotNotAnd (B, B)]}

VM_AND also has a truncated variant, if one parameter is an Immediate value.
VMProtect compiles the Immediate value already inverted, so the VM_NOT(Immediate) part is skipped
in the VM_AND construction. (see "AND ecx 7" example; also in EFlags management)


Rol, Ror, Sar are emulated via SHLD & SHRD handlers;


VM_RCL and VM_RCR will be handled by the RclDword_SS2 & RcrDword_SS2 handlers,
for which the Carry-Flag should be extracted from VM_regs_Eflags;
then the instruction "SHR CH, 1" in the handler code will load the extracted CFlag & do RCL/RCR



VM_ADD is normal Addition
for other Arithmetic instructions the VM uses VM_ADD + logic constructions for EFlags management
(but for decompiling they are useless junk!)

VM_ADC (A, B) = VM_ADD(A, (B+Carry_flag))

VM_SUB (A, B) = VM_NOT [VM_ADD {B, (VM_NOT A)}] 
            EFlags = [And(0815, VM_ADD>>EFlags)] + [And( {Not(0815) }, final-VM_NOT>>EFlags)]
(virtualized into 36 VM-bytes)

VM_SBB (A, B) = VM_SUB(A, (B+Carry_flag))

VM_CMP = VM_SUB ; result value stored in intermediate VM-regs, discarded

VM_NEG (A) = VM_SUB (0, A)  ;   (constant 0 is already  inverted)

Inc & Dec instructions in the CPU do not affect the Carry-flag, so the Carry-flag should be left in its previous state.
VM_INC (A) = VM_ADD(1, A)
	Carry-flag restored in EFlags
VM_DEC (A) = VM_ADD(-1, A)
	Carry-flag restored in EFlags | Align-Flag managing

......
VMProtect also virtualizes the CPU's complex instructions,
if they can be represented by simple instructions.

VM_SETLE (virtualized into 80 VM-bytes!)
there will be huge EFlags testing and the produced result_byte will be copied into the destination.

VM_CMOVLE
same kind of EFlags testing as SETLE, + VM_Conditional_Jump

for example VM_MOVSB
this complex instruction is represented as a group of simple assembly instructions,
then this group is virtualized.

VM_BSWAP is done in the following way (27 VM-bytes)
HiWord(result) = HiWord {Shl (LoWord_LoWord) 8}
LoWord(result) = HiWord {Shl (HiWord_HiWord) 8}

VM_XADD
the VM does the same as the CPU

VM_XCHG !?
while the VMProtect author cares about the LOCK prefix & does not virtualize instructions with it,
the author made a mistake and virtualized the XCHG instruction.. oops!
to prevent XCHG virtualization, the author recommends the LOCK prefix

......
for FLD, FSTP instructions the memory content will be copied onto the stack, & loaded/stored from there.

......
VM-Registers space is 16 dwords.
8 of them are for Eax,Ecx,Edx,Ebx,Ebp,Esi,Edi,EFlags ;
Esp is directly assigned to VM_stack(Ebp) ;
2 are used for Relocation-Difference & passed_Mem_pointer ;
the other 6 are used for temporary storage, mostly for intermediate EFlags,
also for intermediate or temporary results (VM_TEST, VM_CMP), also for cleanup of the VM-stack;
look at VM_SUB, where 2 intermediate EFlags will be used in the calculation.

 The place of real registers in this space is different not only for every other VM,
but can also change inside one VM!
A register read from one place CAN afterwards be placed in an intermediate place and
the old place becomes intermediate. So VM-Registers tracking is needed!


......
VM-entry works like this:

we are at the current stack; let's call it TOP-ESP
at the original Opcode place VMProtect puts a call to the VM:

push offset-VM_IP
call VM-StartCode
,,,,
VM-StartCode:

push Registers, EFlags ; << Order of push CAN be different from the order of pop on ExitVM!
push [passed_pointer_for_security  + "crypt-constant" ] 
; <<new from 1.8, passed from StartupVM, which allocates this memory,
; resolves imports, does file CRC-check,
push 0 ; Relocation-Difference
mov  esi, [esp+030] ; offset-VM_IP
mov  ebp, esp ; ebp will be the VM-stack
sub  esp, 0C0 ; 040 bytes reserved for 16 VM-Registers, the other free 080 byte space will be used
              ; for user-pushed variables. If the VM-stack gets too low, the VM-Registers will
              ; be moved down
mov  edi, esp ; edi holds VM-Registers pointer

add  esi, [ebp+0] ; add Relocation-Difference to offset-VM_IP
			; the LoadVmIP handler also jumps here

and now the code is in the VM_main_loop:
{VM_main_loop has 2 variations, down-read VM-bytes as below, or the inverse - up-read}

mov    al,[esi]
movzx  eax,al
inc    esi
jmp    [JumpTable + eax*4]

here VM_BLOCK execution starts,
which will move all Registers/EFlags/others pushed by VM-StartCode to the VM-Registers space,
until the VM-Stack(ebp) reaches TOP-ESP.

now virtualized user-code execution starts;

 ......
VM-exit works like this:

VM-stack(Ebp) is at TOP-ESP; (it can be above the start value, if Ret_nn is emulated or Esp changed)
now the VM executes VM_BLOCK-Epilog-bytes, which will pop all required values (+ return_IP)
from VM-Registers_space to the stack, and Ebp is ready for the ExitVM-handler;
then the last VM-byte will call the ExitVM-handler,
which pops everything from the stack to Registers/EFlags and does Ret to return_IP.


......
 because of its original way of Jump management,
VMprotect
...
Attached Files
File Type: txt inside_VMProtect_Logic.txt (142.3 KB, 240 views)
Musician member
Posted in Uncategorized
Views 465 Comments 0 evaluator is offline
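The NOR-gate constructions described in the post above (VM_NOT/VM_AND/VM_OR/VM_XOR built from NotNotAnd, VM_SUB and VM_NEG built from VM_ADD plus VM_NOT, and the VM_BSWAP word trick), written out as an added C self-check against the native x86 operations; this is not code from evaluator's post or from VMProtect, and the vm_* names are my own:

```c
#include <stdint.h>
#include <stddef.h>

/* The one logic handler in the VM list: NotNotAnd(a, b) = (~a) & (~b).
 * By De Morgan this is ~(a | b), a NOR gate.  The real handler's final AND
 * also leaves ZF/SF/PF for the emulated result, which is why the post says
 * no extra EFlags work is needed for the logical instructions. */
static uint32_t vm_notnotand(uint32_t a, uint32_t b) { return ~a & ~b; }

/* The constructions the post lists, built only from NotNotAnd. */
static uint32_t vm_not(uint32_t a) { return vm_notnotand(a, a); }
static uint32_t vm_and(uint32_t a, uint32_t b)
{
    return vm_notnotand(vm_not(a), vm_not(b));
}
static uint32_t vm_or(uint32_t a, uint32_t b)
{
    uint32_t t = vm_notnotand(a, b);       /* "<SamePushed": t is reused */
    return vm_notnotand(t, t);
}
static uint32_t vm_xor(uint32_t a, uint32_t b)
{
    return vm_notnotand(vm_notnotand(a, b), vm_and(a, b));
}

/* Arithmetic: VM_ADD is a plain add; SUB and NEG come from ADD and NOT.
 * ~(b + ~a) == a - b in two's complement because ~x == -x - 1. */
static uint32_t vm_add(uint32_t a, uint32_t b) { return a + b; }
static uint32_t vm_sub(uint32_t a, uint32_t b) { return vm_not(vm_add(b, vm_not(a))); }
static uint32_t vm_neg(uint32_t a) { return vm_sub(0, a); }

/* VM_BSWAP as the post describes it: each 16-bit half is duplicated into a
 * dword, shifted left by 8, and the high word of that is taken. */
static uint32_t vm_bswap(uint32_t x)
{
    uint32_t lo = x & 0xFFFFu, hi = x >> 16;
    uint32_t lolo = (lo << 16) | lo, hihi = (hi << 16) | hi;
    uint32_t r_hi = (lolo << 8) >> 16;     /* HiWord{Shl(LoWord_LoWord) 8} */
    uint32_t r_lo = (hihi << 8) >> 16;     /* HiWord{Shl(HiWord_HiWord) 8} */
    return (r_hi << 16) | r_lo;
}

/* Native reference for bswap. */
static uint32_t ref_bswap(uint32_t x)
{
    return (x << 24) | ((x & 0xFF00u) << 8) | ((x >> 8) & 0xFF00u) | (x >> 24);
}

/* Check every construction against the native operation on a constructed
 * set of inputs (edge values plus a few arbitrary ones).
 * Returns 1 when all identities hold, 0 on the first mismatch. */
int vm_logic_selfcheck(void)
{
    static const uint32_t v[] = { 0, 1, 0xFFFFFFFFu, 0x80000000u, 0x7FFFFFFFu,
                                  0x12345678u, 0xDEADBEEFu, 0x0000FFFFu };
    size_t n = sizeof v / sizeof v[0], i, j;
    for (i = 0; i < n; i++) {
        if (vm_not(v[i]) != ~v[i] || vm_neg(v[i]) != (uint32_t)0 - v[i] ||
            vm_bswap(v[i]) != ref_bswap(v[i]))
            return 0;
        for (j = 0; j < n; j++) {
            uint32_t a = v[i], b = v[j];
            if (vm_and(a, b) != (a & b) || vm_or(a, b) != (a | b) ||
                vm_xor(a, b) != (a ^ b) || vm_sub(a, b) != a - b)
                return 0;
        }
    }
    return 1;
}
```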

Native Blocks Pre-Alpha

Posted 06-30-2009 at 11:18 AM by Daniel Pistelli
Updated 07-03-2009 at 05:36 PM by Daniel Pistelli

Hello, I wanted to show you my new tool. I called it Native Blocks. It's a re-assembler basically. Since a written presentation would take me too much time I prepared a video presentation.

http://www.youtube.com/watch?v=pDlwStN3KZY
http://www.youtube.com/watch?v=ene6hvE5qVQ

Again, this is a pre-alpha. This tool will soon support other technologies such as java, actionscript and maybe even x86. Right now it only supports .NET (and even .NET support will be hugely improved, like for instance supporting the direct modification of assemblies without having to use Rebel.NET).

The development of this tool depends mainly on the interest of people.

As I can be considered a student from now on, I would like to earn some extra money by writing tools such as this one. I still have my job as a consultant, but it's a very limited part-time one, because I just became a student.

This tool is in my opinion pretty good, it is not only good for deobfuscation purposes but also patching and assembling on the fly.

If this tool can be sold, then the support of technologies will depend on requests. I think I'll add Java immediately and after that maybe x86/x64. Again it depends.

Suggestions and comments are welcome.
Registered User
Posted in Uncategorized
Views 564 Comments 10 Daniel Pistelli is offline

Ideas and concepts: behind the Sin32 Subsystem

Posted 06-27-2009 at 08:31 PM by BanMe (BanMe.From.Native_Development)
Updated 06-27-2009 at 11:38 PM by BanMe

The main goals of the subsystem are to:

A. Utilize resources wisely, reuse threads, make permanent synchronization events work, research by reading and coding and testing and recoding and then retesting..repeat. Also make an easily adjustable and dynamic environment capable of acting suitably to the user's needs without much work by him/her.

B:
Act as either an intercept between Win32 and csrss or as csrss. There are various ways to do this; I'll discuss them very little because they're very well documented everywhere..(books, web, etc..)
but the ways I can think of are

1. replace CsrApiPort with our port handle.
In my opinion this is lame...and incomplete.. but combined with 2..

2. replacing all ASCII and Unicode strings that contain CsrApiPortName with my PortName. Doing it this way has various benefits that should be obvious to some.. if I replace all the Name References then I can become the sole holder of a csrss API port Handle..essentially like becoming a bottleneck...

This can be done in ntdll by hotpatching or binary modification/wfp bypassing or dynamic conditional runtime hooking..

3. the 3rd way is to become csrss..ie load before csrss and the win32 subsystem, similar to the effects of the "BootExecute" option but a bit more proactive, and we have the chance to do preinitialization of data and apply the Patching Engine's instructions located in the Registry
I would love to hear any of your ideas..other than the ZwRequestWaitReplyPort hook one, that I didn't mention above

C:
Provide a subsystem that uses a pluggable shared section between the client (win32 Process) and the "server" subsystem..
Plugins include but are not in any way limited to
1. Software BreakPoint Manager

2. Patching Engine capable of generating hookhops to bypass malicious hooks, Function Tree Mapping also to avoid hooks, Dynamic Hotpatching of ntdll functions that allow it; it also uses multiple hooking implementations to obtain the same effect but be usable under various circumstances. Hooks can be placed in a lot of locations, and the effects can be emulated or directly implemented: emulated by using NtRead/WriteProcessMemory (old school..) or directly implemented by queueing an APC to a Client Thread currently "listening" and then connecting to that thread..this should instantly execute the APC and voilà, effect achieved. more on this in the up and coming documentation release... sometime in the near to late future..

3. Pre-Runtime Branch Disassembly. A lot of credits to darawk on that one (no real help from him but his code was all the help I really needed, as I'm using his IsEndPoint function used in GetFunctionLength, albeit somewhat differently, but still the base is his..

4. Runtime Stack Snapping and Context Capturing... (some code on this in next release of the server) 1.02a

many more plugins are going to be implemented..
(currently trying to make WinSock work in Native Mode..)

B.2:
Implement a custom RPC mechanism that is controllable from either a GUI or a console application to communicate with both client and server. This can be done by stripping out the HEADER of PORT_MESSAGE and rewrapping it in a custom structure.. and then creating functions that work with the structures..

the plugin framework will have to be implemented for dynamic subsystem behaviors, but that feature is secondary now..

C:
lastly is to provide a stable approach for NT/2k/XP and maybe even 32/64 bit Vista, but that requires a lot more time, and quadruples the amount of research.., so I am just focusing solely on XP (sp2 ~ sp3)..
r3p0l3v3d n3v1rd
Posted in Uncategorized
Views 624 Comments 0 BanMe is offline

EventPair Reversing, EventPairHandle as Anti-Dbg Trick

Posted 05-07-2009 at 01:36 AM by evilcry

Hello,

Here is my little paper on EventPairs, and EventPairHandle as an Anti-Dbg Trick

http://evilcry.netsons.org/tuts/EventPairsHandle.pdf

Have a nice read,
Giuseppe 'Evilcry' Bonfa'
Registered User
Views 782 Comments 4 evilcry is offline

RtlQueryProcessHeapInformation as Anti-Dbg Trick

Posted 04-14-2009 at 11:49 AM by evilcry

Hi,

Directly derived from the previous Anti-Dbg Trick

http://evilcodecave.wordpress.com/2009/04/14/rtlqueryprocessheapinformation-as-anti-dbg-trick/

Have a nice read,
Giuseppe 'Evilcry' Bonfa'
Registered User
Posted in Uncategorized
Views 849 Comments 0 evilcry is offline

Just in case...Please update your bookmarks to http://woodmann.cjb.net
Direct link : http://71.6.196.237/forum/

Some Useful Places
Fravia's Searchlores
Fravia's Original Reversing Site
Krobars Collection of tutorials
OllyStuph OllyDbg Resources
A complete searchable archive of the forum in .CHM format is available (updated Jan 3, 2009)
here (25.8 Mb zip)
Please do not ask for cracks, instead read this.

Started 10 May 1999

All times are GMT -5. The time now is 09:41 AM.
