From Collaborative RCE Tool Library
Technical PoC Tools
| Tool name: | Anti Anti-BPM FrameWork |
|---|---|
| Author: | Robert Yates |
| Website: | http://www.reverse-engineering.info |
| Current version: | |
| Last updated: | September 19, 2003 |
| Direct D/L link: | http://www.reverse-engineering.info/SystemCoding/gd_drx.rar |
| License type: | GNU |
| Description: | This is a fully working example of using Intel's GD (General Detection) bit to invoke debug exceptions upon any access to a debug register. Currently, the provided source will lock down any DRx access to only NTICE; a hardcoded base for my NTICE is in the src, you may need to modify this for your own, search the source for the keyword ACCESS_RIGHTS. Any attempt of a MOV REG, DRX will be 'faked' by placing a default value into the reg to fool the calling app into thinking no BPMs are set. Any attempt of a MOV DRX, REG will be totally ignored, or emulated if NTICE is the caller. All output is given via debug msgs which have been formatted to be read by Sysinternals DebugView (included) with force linefeed on. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Anti Anti-BPM via SEH, KiUserExceptionFilter Mod |
|---|---|
| Author: | Robert Yates |
| Website: | http://www.reverse-engineering.info |
| Current version: | |
| Last updated: | August, 2003 |
| Direct D/L link: | http://www.reverse-engineering.info/SystemCoding/bpm.rar |
| License type: | |
| Description: | This is an idea I had and tried to put into practice. Some protections create faults so they can clear BPMs, Asprotect for example, so the idea behind this sys is to modify KiUserExceptionDispatcher to create a snapshot of the DRx regs before the user's exception occurs, then restore them afterwards. It works, but the src is rough: currently you have to disassemble your own ntdll and find some unused space (6 dwords) at the end of the .data, then subtract the ntdll imagebase and update the NTDT EQU in the .sys. The idea could be improved by only restoring DRx values that have become null, or by re-entering the standard DR7 value. Have a go: bpm with the code section of an Asprotect exe after the sys is loaded. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Dream of every reverser |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | public |
| Last updated: | May 6, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Engine used to perform stealth memory trace of a target. Public version only supports tracing of the EIP in a certain range. To compile the source you will need the DDK. It supports MP and win2k/winxp. Systems running KAV are not supported, as KAV installs a hook in SwapContext which is essential for this tracer. Technical aspects: (1) hooks int 0e and int 01; (2) hooks SwapContext; (3) installs a ProcessNotifyRoutine. Due to the nature of paged memory in r3, there are 2 ways of tracing: using the U/S flag, and using the P bit in the PTE. Both cases are handled, and both PAE and non-PAE addressing modes are supported. The role of SwapContext is to set breaks on the given range when the traced process is about to execute. The role of the notify routine is to stop the tracer if the traced program exits by any chance during tracing. When the good range is hit, the tracer will automatically stop and you will see in DebugView or DbgMon when EIP is in the good range. |
| Also listed in: | Tracers |