From Collaborative RCE Tool Library


Technical PoC Tools


Tool name: AMD_dbg
Rating: 0.0 (0 votes)
Author: j00ru
Website: http://j00ru.vexillium.org/dump/amd_dbg.zip
Current version: 0.0.1
Last updated: November 28, 2010
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: AMD_dbg is a small application for detection of the extended debugging capabilities of some AMD processors (see references below for more info), and is also capable of monitoring and modifying the secret MSRs' values for further testing/exploration of these.

The application targets Microsoft Windows XP - 7 and consists of two major parts: a user-mode client (displaying a simple TUI for user interaction), and a kernel-mode /server/, which actually performs the RDMSR and WRMSR operations. Currently, only the 32-bit architecture is supported, and there are no plans to port this one to x86-64. However, as the program is released together with its source code, you're free to introduce your own improvements / ports, as long as they are compliant with the license (check the LICENSE file for details).
Also listed in: System Information Extraction Tools



Tool name: ARTeam Anti-Emulation open source functions
Rating: 0.0 (0 votes)
Author: Gunther
Website: http://evilcry.netsons.org
Current version:
Last updated: March 21, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Thanks to Gunther of ARTeam, here we have some new Anti-Emulation open source functions:

Here's a quick list of the functions:

Anti-KAV -> Call this one before WSAStartup(), so sockets won't be initialized.
Anti-NOD32 -> SSE1 instruction which NOD32 cannot emulate.
IsEmulator -> Timing attack on the emulator environment.
IsCWSandBox -> Check if CreateProcess is hooked.
IsAnubis -> Check whether it is running within Anubis.
IsAnubis2 -> Check whether it is running within Anubis.
IsNormanSandBox -> NormanSandBox awareness.
IsSunbeltSandBox -> Sunbelt awareness.
IsVirtualPC -> VirtualPC awareness.
IsVMware -> VMware awareness.
DetectVM -> Check whether it is running in VMware or VirtualBox using the registry.
IsRegMonPresent -> Check for RegMon by checking if the driver is loaded in memory and by searching for the window handle.
Also listed in: (Not listed in any other category)



Tool name: Anti Anti-BPM FrameWork
Rating: 0.0 (0 votes)
Author: Robert Yates
Website: http://www.reverse-engineering.info
Current version:
Last updated: September 19, 2003
Direct D/L link: http://www.reverse-engineering.info/SystemCoding/gd_drx.rar
License type: GNU
Description: This is a fully working example of using Intel's GD (General Detection) bit
to invoke debug exceptions upon any access to a debug register.

Currently, the provided source will lock down any drx access to only
NTICE; a hardcoded base for my NTICE is in the src, you may need to
modify this for your own, search the source for the keyword ACCESS_RIGHTS.

Any attempt of a MOV REG, DRX will be 'faked' by placing a default value
into the reg to fool the calling app into thinking no BPMs are set.
Any attempt of a MOV DRX, REG will be totally ignored, or emulated if
NTICE is the caller.

All output is given via debug msgs which have been formatted to be read
by Sysinternals DebugView (included) with force linefeed on.
Also listed in: (Not listed in any other category)



Tool name: Anti Anti-BPM via SEH, KiUserExceptionFilter Mod
Rating: 0.0 (0 votes)
Author: Robert Yates
Website: http://www.reverse-engineering.info
Current version:
Last updated: August, 2003
Direct D/L link: http://www.reverse-engineering.info/SystemCoding/bpm.rar
License type:
Description: This is an idea I had and tried to put into practice. Some protections create faults so they can clear bpms (Asprotect, for example), so the idea behind this sys is to modify KiUserExceptionDispatcher to create a snapshot of the drx regs before the user's exception occurs, then restore them afterwards. It works, but the src is rough: currently you have to disassemble your own ntdll and find some unused space (6 dwords) at the end of the .data, then subtract the ntdll imagebase and update the NTDT EQU in the .sys. The idea could be improved by only restoring drx values that have become null, or the standard dr7 value re-entered.

Have a go: bpm the code section of an Asprotect exe after the sys is loaded.
Also listed in: (Not listed in any other category)



Tool name: cpuid break via hardware virtualization
Rating: 0.0 (0 votes)
Author: deroko of ARTeam
Website: http://deroko.phearless.org
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open source
Description: cpuid break via hardware virtualization


Not much to say: cpuid causes a VM-Exit, so whenever cpuid occurs in our
target, inject an int 3 event into the Guest.

i3here on - must be set in SoftICE

No MP support due to a problem with NMI handling when SoftICE is active.
Disable MP in BIOS if you want to use this tool with SoftICE, as this
tool is designed to work with SoftICE and i3here on...


Requires Intel Hardware Virtualisation technology, and I have no idea
how this will work on AMD!!!!

Did you wonder about finding SecuROM cpuid stuff? Well here it is...

(c) 2008 deroko of ARTeam


ps. there is some code which is designed as well for MP systems, but
due to a not yet solved issue with NMI that code is not used.
An example of such code is ExitEip[ccpu], where ccpu is only a
shortcut for the MyKeGetCurrentProcessorNumber() procedure, listed
in kegetcurrentprocessornumber.c

TaskSwitch code implemented in HandleTaskSwitch is never used
on single core systems, as Windows doesn't perform a TaskSwitch
at all (only when NMI or KiTrap08 is executed).

NOTE: DRIVER IS NEVER UNLOADED, as at the time of releasing this
code I didn't write that stuff yet. You may find some
leftovers in unloadme() in vm.c, but it's not done yet...
Also listed in: (Not listed in any other category)



Tool name: Dr7.GD single/multi CPU version
Rating: 0.0 (0 votes)
Author: deroko of ARTeam
Website: http://deroko.phearless.org
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open source
Description: Dr7.GD single/multi CPU version


Basically this whole project has been started for my own needs, to stop some
silly protections from messing with the drX registers. The only ones allowed
to access the drX registers are cpthook and NTIce; others are NOT allowed to
modify those registers.

This code is designed to work with SoftICE in particular, as there is no real
use when it is used without SoftICE.

Saving dr6 is the first important issue when writing such code. The IA32 manual,
the newer one, says that certain exceptions may clear B0/B3, that's why those
have to be saved whenever int 1 is generated. As each CPU has its own
set of drX registers, that means that for each CPU it's required to keep
track of the dr6 register. More can be found at woodmann.com and my blog.

Problems with int 01 and int 0d on Intel CPUs. Well, Intel simply treats
(at least that's how it looks on the Intel CPU on which I've tested
this code) the GD bit as higher priority than Int 0xD. It seems that the Intel
CPU, when it detects a mov to/from drX, first checks for the GD bit being set
in dr7, and then it checks CPL. This problem is solved by simply
redirecting all ring3 drX accesses to the int 0d handler. On AMD I didn't
see this problem.

MP issue when SoftICE is active. Well, SoftICE has to control the whole
system, so when a bpm is set (drX) it will use an IPI to set the drXes on
each CPU. Now comes the fun part. By default NMI is set up as a TaskGate;
when SoftICE is running on a single CPU machine it will be set up as an
IdtGate, on MP machines SoftICE will keep NMI as a TaskGate. So, here the
NT flag will be set in eflags and iretd from the handler must not be used,
as iretd will "unblock" NMI; also, if the NT flag is set, iretd will
return to the interrupted task using TSS.BackLink, also a bad thing. When
drX access occurs from NMI it is required to simply return from the
interrupt using retn.

Well that's it :)

(c) 2008 deroko of ARTeam
Also listed in: (Not listed in any other category)



Tool name: Dream of every reverser
Rating: 0.0 (0 votes)
Author: deroko of ARTeam
Website: http://deroko.phearless.org
Current version: public
Last updated: May 6, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Engine used to perform a stealth memory trace of a target.
The public version only supports tracing of the eip in a certain
range. To compile the source you will need the DDK.

It supports MP and win2k/winxp. Systems running KAV are
not supported, as KAV installs a hook in SwapContext which
is essential for this tracer.

Technical aspects:
1. Hooks int 0e and int 01
2. Hooks SwapContext
3. Installs ProcessNotifyRoutine

Due to the nature of paged memory in r3, there are 2
ways of tracing: using the U/S flag, and using the P bit in
the PTE. Both cases are handled and support PAE and non-PAE
addressing modes. The role of SwapContext is to set breaks on the
given range when the traced process is about to execute.
The role of the notify routine is to stop the tracer if the traced
program exits by any chance during tracing.

When the good range is hit, the tracer will automatically stop
and you will see in DebugView or DbgMon when EIP is in the
good range.
Also listed in: Tracers



Tool name: Superkill
Rating: 0.0 (0 votes)
Author: Frank Boldewin
Website: http://www.reconstructer.org
Current version: 1.0
Last updated: July 13, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Superkill is a small tool to kill processes which are normally protected from being stopped at application level.
After starting Superkill it extracts its driver from the RC_DATA resource area, installs it as a service and runs the driver. Communication between the application-level code and the driver is handled through the DeviceIoControl() function. Full source code included.
Also listed in: (Not listed in any other category)

