Copy Link

Add to Bookmark

Report

6x04 TheMida and SoftIce Detection

Published in

· 14 Jan 2024

                        TheMida: kako detekujem SoftICE 

                                        S verom u Boga, deroko/ARTeam  
           

        themida kao protektor je bila poznata zbog svojih hookova SSDTa, 
IDTa i nekih exporta ntoskrnl.exe kao tezak zalogaj za mnoge unpackere. 
Nova TheMida verzije (sve preko 1.1.0.0) vise ne koriste vise ove hookove 
tako da se program zasticen sa themida moze slobdno debuggovati iz ring3, 
ali bogme ne i iz SoftICEa. Ako je SoftICE aktivan themida nam nece 
ubiti sistem restartovanjem kao u ranijim verzijama, vec ce nas obavestiti 
da je debugger prisutan i da ga moram iskljuciti. Ako pokrenemo aplikaciju 
dok SoftICE nije aktivan sve lepo radi, dakle detekcija nastupa onda kad 
je SoftICE ucitan (heh vidjao sam gluposti kao sto ima Armadillo, da se 
detektuje prisustvo SoftICEa koji nije ucitan u memoriju, vec se samo 
nalazi na disku). 

        Postoji nekoliko nacina da se detektuje SoftICE kad je ucitan 
u memoriji: 

-	UnhandledExceptionFilter 
-	Int 1h    
-	Int 41h  
-	Int 3h    
-	CreateFile 
-	NtQuerySystemInformation 

U TheMidi sam video da koristi int 1h, ali samo kako bi se zeznulo 
tracovanje, a takodje koristi i NtQuerySystemInformation ali ne da 
detektuje SoftICE vec da nadje bazne adrese od ntoskrnl.exe, hal.dll 
i win32k.sys. Kako bi izbegao detekciju preko int1/int41h iz ring0 ja 
sam ih vratio nazad na DPL = 0 buduci da im je DPL bez SoftICEa 0, a 
kad je SoftICE ucitan onda je 3. Takdoje sam hookovao NtCreateFile 
da bi izbegao detekciju preko CreateFileA (to je vec default trik). 

Posle ovoga bilo je logicno da themida i dalje koristi svoj oreans32.sys 
da detekuje SoftICE ali je problem naci gde. Dobro, zabava pocinje. 

Buduci da themida koristi samo IRP_MJ_DEVICE_CONTROL mozemo da hookujemo 
ntoskrnl.exe!NtDeviceIoControlFile i da detektujemo koji je IOCTL 
poslednji poslat themida drajveru. U normalnim uslovima mi bi hookovali 
DeviceIoControl ali ako ste procitali moj text o themida shvaticete 
da mi ne mozemo postavljati BreakPoint na DeviceIoControl u kernel32.dll. 

Ok, zabava pocinje, hvatamo, IOCTL 1800 i 1A00 i onda nam stize lepa 
poruka, debuger detected. Sada cemo da se zaustavimo u SoftICEu kad 
themida primi IOCTL kod 1A00, pa ako softice detekcija nije u ring0 
onda smo sigruno veoma blizu anti-debuga. Ja se zakucavam ovde 
prosto radeci vako (kad sam u contextu themida procesa): 

:bpx.p IopXxxControlFile <--- pozvano interno iz NtDeviceIoControlFile 

PAGE:80578BD0 _NtDeviceIoControlFile@40 proc near    
PAGE:80578BD0                 mov     edi, edi 
PAGE:80578BD2                 push    ebp 
PAGE:80578BD3                 mov     ebp, esp 
PAGE:80578BD5                 push    1 
PAGE:80578BD7                 push    [ebp+arg_28] 
PAGE:80578BDA                 push    [ebp+OutputBufferLength] 
PAGE:80578BDD                 push    [ebp+OutputBuffer] 
PAGE:80578BE0                 push    [ebp+InputBufferLength] 
PAGE:80578BE3                 push    [ebp+InputBuffer] 
PAGE:80578BE6                 push    [ebp+IoControlCode] 
PAGE:80578BE9                 push    [ebp+IoStatusBlock] 
PAGE:80578BEC                 push    [ebp+ApcContext] 
PAGE:80578BEF                 push    [ebp+ApcRoutine] 
PAGE:80578BF2                 push    [ebp+Event] 
PAGE:80578BF5                 call    _IopXxxControlFile@44 
PAGE:80578BFA                 pop     ebp 
PAGE:80578BFB                 retn    28h 
PAGE:80578BFB _NtDeviceIoControlFile@40 endp 

Oki cekamo drugi break, jer prvi je 1800 IOCTL kod, zakucavamo 
se ovde: 

0008:80578BF5  CALL      _IopXxxControlFile 
0008:80578BFA  POP       EBP 

i stack: 

0010:F2C15D08 000000EC  00000000  00000000  00000000   
0010:F2C15D18 0013FF2C  00001A00  00AA5172  00000010     

SAd vidite IOCTL = 0x1A00 i ulecemo polako ali sigurno u drajver 
posle manjeg tracovanja kroz IopXxxControlFile: 

0008:F86F72A0  PUSH      EBP 
0008:F86F72A1  MOV       EBP,ESP 
0008:F86F72A3  ADD       ESP,-04 
0008:F86F72A6  PUSH      ESI 
0008:F86F72A7  PUSH      EDI 
0008:F86F72A8  PUSH      EBX 
0008:F86F72A9  MOV       EDI,[EBP+0C] <--- PIRP 
0008:F86F72AC  XOR       EAX,EAX 

Nastavljamo potragu dok ne nadjemo gde je IOCTL 0x1A00h: 

0008:F86F74C0  CMP       DWORD PTR [ESI+0C],00001800 
0008:F86F74C7  JZ       _F86F74D3 
0008:F86F74C9  CMP       DWORD PTR [ESI+0C],00 
0008:F86F74CD  JNZ      _F86FAB4E 

Nije na kod, idemo dalje... 

0008:F86FAB4E  CMP       DWORD PTR [ESI+0C],00001801 
0008:F86FAB55  JNZ      _F86FAE80 

dalje... 

0008:F86FAE80  CMP       DWORD PTR [ESI+0C],00001802 
0008:F86FAE87  JNZ      _F86FAED1 

dalje... 

0008:F86FAED1  CMP       DWORD PTR [ESI+0C],00001D00 
0008:F86FAED8  JNZ      _F86FB938 

oh, evo ga: 

0008:F86FB938  CMP       DWORD PTR [ESI+0C],00001A00 
0008:F86FB93F  JNZ      _F86FC07A 
0008:F86FB945  MOV       ESI,[EDI+0C]  <--- IRP.SystemBuffer 

Kao sto se vidi esi pokazuje na irp.irp_systembuffer i onda ko grom 
iz vedra neba: 

0008:F86FBE66  CALL      [ESI] 

Kao sto se vidi themida ioctl kod 0x1a00 redirektuje izvrsavanje na 
kod koji smo prosedili drajveru u irp.irp_systembuffer i kod nas 
vodi ka kodu koji se nalazi u ring3, ovaj kod je siguran 100%, buduci 
da drjaver u ovom ternutku trci na IRQL = PASSIVE sto znaci da moze 
pristupati pagable memoriji bez problema i opasnosti za BSOD nema, no malo  
pratimo ovaj kod: 

0008:00AD12E1  PUSH      EBP 
0008:00AD12E2  CALL     _00AD12E7 
0008:00AD12E7  POP       EBP 
0008:00AD12E8  SUB       EBP,06823EE8 
0008:00AD12EE  JMP      _00AD1304 
0008:00AD12F3  MOV       EDI,37CE5484 
0008:00AD12F8  JGE      _00AD1309 
0008:00AD12FA  INC       EBX 

Kao sto vidimo 0x1A00 je gateway da se kod koji se nalazi u themidi 
izvrsi sa najvecim privilegijam na DPL = 0. 

Na nasu srecu ovaj kod je u themidi koriscen samo na 2 mesta, dok u 
WinLicence se koristi kako bi se pristupalo direkno registriju preko 
exporta ntoskrnl.exe, no pratimo dalje ovaj kod i nalazimo na nesto 
veoma interesantno: 

0008:00AD150E  CMP       BYTE PTR [ECX],68 
0008:00AD1511  JNZ      _00AD162D 

 
ECX pokazuje na adresu int 41h koji je hookova on strane SoftICEa i 
taj hook izgleda ovako: 

0008:F3645662  PUSH      _HalpDispatchInterrupt 
0008:F3645667  JMP      _F358BACB 
0008:F364566C  SUB       EAX,8003F400 
0008:F3645671  PUSH      F4868B5C 
0008:F3645676  JMP      _F35FE601 

A HalpDispatchInterupt izgleda ovako 

hal!HalpDispatchInterrupt: 
806e79cc 54               push    esp 
806e79cd 55               push    ebp 
806e79ce 53               push    ebx 
806e79cf 56               push    esi 
806e79d0 57               push    edi 
806e79d1 83ec54           sub     esp,0x54 
806e79d4 8bec             mov     ebp,esp 
806e79d6 89442444         mov     [esp+0x44],eax 

Inace int 41h bez softice pokazuje na HalpDispatchInterrupt, no ovaj 
anti-debug mozemo lako srediti i izmeniti malo hook tako da na njegovom 
pocetku nema vise push (68): 

:idt 41 
0041  IntG32   0008:81C1E040  DPL=0  P 

:u 81c1e040 
0008:81C1E040  NOP 
0008:81C1E041  PUSH      F3645662 
0008:81C1E046  RET 
0008:81C1E047  ADD       [EAX],AL 

:u f3645662 
0008:F3645662  PUSH      _HalpDispatchInterrupt 
0008:F3645667  JMP      _F358BACB 

Pokrenemo neku themida aplikaciju, ali samo one koje imaju oreasn32.sys 
i vidimo da nas themida vise ne detektuje. 

Ako zelite mozete sami da napisete ovaj drajver i da hookujete int 41h, 
ali ako vas to mrzi uz ovaj tekst dobijate loader za hookovanje, mada 
oni koji koriste softice uveliko znaju da pisu drajvere. 

 
                                        S verom u Boga, deroko/ARTeam

6x04 TheMida and SoftIce Detection

Share this article

Let's discover also

SoftICE

Guida all uso del softice 3.2

CRaCKiNG with SoftIce

Large Active Area Organic Photodiodes for Short-Pulse X-ray Detection

Intrusion Detection Systems: Introduction

Intrusion Detection Systems: Part II

PBX Fraud Detection

Playstation protection modchip detection

Clash detection Categories

Value of π and precession of equinoxes in the pyramids of Teotihuacán and Giza

Recent Articles

𝟮𝟭 𝗳𝗮𝗰𝘁𝘀 𝗮𝗯𝗼𝘂𝘁 𝗜𝘁𝗮𝗹𝘆 𝘁𝗵𝗮𝘁 𝘆𝗼𝘂 𝗱𝗶𝗱𝗻'𝘁 𝗸𝗻𝗼𝘄:

The Eye Idols of Mesopotamia

According to a Babylonian tablet from 4,000 years ago, Noah's ark was round

Visoko's pyramids push beginning of civilization back 20,000 years

Ancient pyramids on the hawaiian islands

Nanook of the North

The DNA of a 400 thousand year old hominid that confuses scientists

Is there really a giant pyramid at the bottom of the Bermuda triangle?

Misplaced objects: computers, batteries, lamps and airplanes in ancient times!

Skeleton of a giant dog: could it be the remains of the legendary black shuck?

Recent Comments

6x04 TheMida and SoftIce Detection

Share this article

Let's discover also

SoftICE

Guida all uso del softice 3.2

CRaCKiNG with SoftIce

Large Active Area Organic Photodiodes for Short-Pulse X-ray Detection

Intrusion Detection Systems: Introduction

Intrusion Detection Systems: Part II

PBX Fraud Detection

Playstation protection modchip detection

Clash detection Categories

Value ​of π and precession of equinoxes in the pyramids of Teotihuacán and Giza

Recent Articles

𝟮𝟭 𝗳𝗮𝗰𝘁𝘀 𝗮𝗯𝗼𝘂𝘁 𝗜𝘁𝗮𝗹𝘆 𝘁𝗵𝗮𝘁 𝘆𝗼𝘂 𝗱𝗶𝗱𝗻'𝘁 𝗸𝗻𝗼𝘄:

The Eye Idols of Mesopotamia

According to a Babylonian tablet from 4,000 years ago, Noah's ark was round

Visoko's pyramids push beginning of civilization back 20,000 years

Ancient pyramids on the hawaiian islands

Nanook of the North

The DNA of a 400 thousand year old hominid that confuses scientists

Is there really a giant pyramid at the bottom of the Bermuda triangle?

Misplaced objects: computers, batteries, lamps and airplanes in ancient times!

Skeleton of a giant dog: could it be the remains of the legendary black shuck?

Recent Comments

Value of π and precession of equinoxes in the pyramids of Teotihuacán and Giza