
Thread: antisptd

  1. #1 Registered User (Join Date: Mar 2006; Posts: 16; Blog Entries: 1)

    antisptd

    antisptd is a driver that makes it possible for softice to load when sptd.sys is present. It uses the method described by Kayaker, that is, removing the notify routine sptd sets to prevent ntice.sys from loading. After ntice.sys gets loaded, it restores the notify routine and the keyboard hooks in i8042prt.sys that have been screwed by sptd.sys.

    Usage:
    Just put the startsi.exe in a directory with antisptd.sys and execute startsi.exe.

    Compatibility:
    The driver should work on XP SP2/SP3 with the latest softice installed. I have no idea if it'll work on XP SP1 (cause I have used hardcoded values to locate the patch locations in i8042prt.sys). If it doesn't work, feel free to modify the sources and recompile the driver yourself.

    antisptd.rar (10.4 KB)

  2. #2 dELTA, Administrator (Join Date: Oct 2000; Location: Ring -1; Posts: 4,204; Blog Entries: 5)

    Nice, thanks for the contribution.

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/Antisptd
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Somehow, I just knew dELTA was going to create an entry for this tool in the CRCETL!

    Regards,
    JMI

  4. #4 Kayaker, Teach, Not Flame (Join Date: Oct 2000; Posts: 4,047; Blog Entries: 5)

    Nice one smoke, especially restoring the keyboard hook in i8042prt.sys from the SPTD one to the Softice one. It's about time there was a patch to the SPTD rootkit behaviour.

    Something others should be aware of, PsRemoveLoadImageNotifyRoutine is not supported in Win2K, so your driver would have to remain resident (no DriverUnload) if you want to use this method. However, for the purposes of this patch it should be possible to read/write directly to the _PspLoadImageNotifyRoutine table of callbacks if you must.

    So instead of using PsRemoveLoadImageNotifyRoutine and PsSetLoadImageNotifyRoutine, just do a direct memory transfer.

    _PspLoadImageNotifyRoutine is a dword table which holds the addresses of up to 8 system callbacks that drivers can register. It's not 100% guaranteed that the first entry will be the SPTD callback, but since SPTD loads _very_ early in the boot loading process it's probably a safe bet.


    For a bit of reference concerning the Softice keyboard hook of i8042prt, if you look at the messages Softice outputs when it loads you see

    NTICE: Patching Keyboard using method 0
    NTICE: Keyboard driver found - i8042prt.sys
    NTICE: Keyboard successfully patched using RPUC hook
    NTICE: Keyboard successfully patched lookup table using RPUC hook


    Search for these strings and you can find the entire keyboard hook routine. Here's a portion which shows exactly where the hook function is, at READ_PORT_UCHAR_Hook

    Code:
    :000A867B BF 77 84 0A 00     mov     edi, offset aRead_port_uchar ; "READ_PORT_UCHAR"
    :000A8680 B9 10 00 00 00     mov     ecx, 10h
    :000A8685 E8 56 D8 FC FF     call    StringCheck
    :000A868A 74 06              jz      short loc_A8692
    :000A868C 83 C3 04           add     ebx, 4
    :000A868F 40                 inc     eax
    :000A8690 EB D2              jmp     short loc_A8664
    :000A8692                   ; ---------------------------------------------------------------------------
    :000A8692
    :000A8692    loc_A8692:                 ; CODE XREF: Hook_Keyboard+97
    :000A8692 5B                  pop     ebx
    :000A8693 8B 73 10            mov     esi, [ebx+10h]
    :000A8696 03 35 66 84 0A 00   add     esi, ds:dword_A8466
    :000A869C 8D 34 86            lea     esi, [esi+eax*4]
    :000A869F B8 EB 84 0A 00      mov     eax, offset READ_PORT_UCHAR_Hook
    :000A86A4 89 06               mov     [esi], eax
    :000A86A6 C6 05 2F DF 0E 00+  mov     Is_KB_Hooked, 1
    :000A86AD 56                  push    esi
    :000A86AE BE 66 CA 16 00      mov     esi, offset aNticeKeyboar_5 ; "NTICE: Keyboard successfully patched\n\r"
    :000A86B3 E8 6D 6A FD FF      call    pPrintMsg

    For background on the entire subject, beginning with the keyboard hook, see

    SoftICE + SPTD
    http://www.woodmann.com/forum/showthread.php?p=66143

    Regards,
    Kayaker
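    The listing above walks i8042prt's import name table until it hits "READ_PORT_UCHAR" and drops the hook address into the matching IAT slot; the defensive counterpart is to audit those slots and put the clean address back. The C program below is an added example, not code from antisptd or from any poster. It models one import descriptor as parallel name and address arrays with constructed values (the hal.dll range, the four import names, the snapshot of load-time addresses and the redirected address are all made up), and shows an audit that flags any slot pointing outside the module that should own it, followed by a restore from the load-time snapshot.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of one import descriptor of a driver like i8042prt (not the real
 * PE structures): a name table, which the StringCheck loop walks, beside the address
 * table (IAT) whose matching slot receives a hook, plus a snapshot of the addresses
 * the exporter resolved at clean load. Every address here is made up. */
#define IMPORT_COUNT 4
typedef struct { const char *name; uint32_t base, size; } module_range;
typedef struct {
    const char *names[IMPORT_COUNT];
    uint32_t addresses[IMPORT_COUNT];   /* live IAT */
    uint32_t originals[IMPORT_COUNT];   /* what the exporter's export table resolved to */
} import_table;

/* The module that exports the port I/O routines; constructed range. */
static const module_range g_hal = { "hal.dll", 0x80600000u, 0x00020000u };

static int in_range(const module_range *m, uint32_t addr) {
    return addr >= m->base && addr - m->base < m->size;
}

/* Same job as the StringCheck loop: index of the import with this name, or -1. */
int find_import_slot(const import_table *t, const char *name) {
    for (int i = 0; i < IMPORT_COUNT; i++)
        if (t->names[i] && strcmp(t->names[i], name) == 0) return i;
    return -1;
}

/* Audit: how many IAT slots point outside the module that should own them.
 * *first_bad (if given) receives the first offending slot, or -1. */
int audit_iat(const import_table *t, const module_range *exporter, int *first_bad) {
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (int i = 0; i < IMPORT_COUNT; i++) {
        if (in_range(exporter, t->addresses[i])) continue;
        if (first_bad && *first_bad < 0) *first_bad = i;
        bad++;
    }
    return bad;
}

/* Put the clean-load address back so whatever loads next chains to the real routine. */
int restore_import(import_table *t, const char *name) {
    int slot = find_import_slot(t, name);
    if (slot < 0) return -1;
    t->addresses[slot] = t->originals[slot];
    return slot;
}

/* Sample table: four hal exports resolved into the hal range at load (constructed). */
import_table make_sample_iat(void) {
    import_table t = {
        { "READ_PORT_UCHAR", "WRITE_PORT_UCHAR", "READ_PORT_USHORT", "KeStallExecutionProcessor" },
        { 0x80601230u, 0x80601250u, 0x80601270u, 0x80603000u },
        { 0x80601230u, 0x80601250u, 0x80601270u, 0x80603000u },
    };
    return t;
}

/* Scenario: READ_PORT_UCHAR's slot was redirected to a constructed address outside hal;
 * report how many slots the audit flags. */
int scenario_redirected_slot_count(void) {
    import_table t = make_sample_iat();
    t.addresses[find_import_slot(&t, "READ_PORT_UCHAR")] = 0xF7A12345u;
    return audit_iat(&t, &g_hal, NULL);
}

/* Same scenario, returning which slot was flagged first. */
int scenario_first_bad_slot(void) {
    import_table t = make_sample_iat();
    int first = -1;
    t.addresses[find_import_slot(&t, "READ_PORT_UCHAR")] = 0xF7A12345u;
    audit_iat(&t, &g_hal, &first);
    return first;
}

/* Same scenario after restore_import: the audit should come back clean. */
int scenario_after_restore_count(void) {
    import_table t = make_sample_iat();
    t.addresses[find_import_slot(&t, "READ_PORT_UCHAR")] = 0xF7A12345u;
    restore_import(&t, "READ_PORT_UCHAR");
    return audit_iat(&t, &g_hal, NULL);
}

int main(void) {
    printf("redirected: %d bad slot(s), first=%d\n",
           scenario_redirected_slot_count(), scenario_first_bad_slot());
    printf("after restore: %d bad slot(s)\n", scenario_after_restore_count());
    return 0;
}
```

    On a real system the "originals" column would be rebuilt from the exporter's export table rather than trusted from memory, which is exactly why Kayaker suggests handing SoftICE the original hal address instead of whatever currently sits in the slot.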

  5. #5 Registered User (Join Date: Mar 2006; Posts: 16; Blog Entries: 1)

    I was waiting for your reply Kayaker.

    About manually removing the notify routine. I actually did try removing it manually (by just erasing the entry from the _PspLoadImageNotifyRoutine table) but when I started Rootkit Unhooker it showed that the routine was still present somehow, I have no idea why. Oh btw, I actually noticed that my system became really unstable after a while when both SPTD and Softice were running at the same time (sudden crashes for example). I have no idea if I did something wrong or if SPTD really hates Softice that much.

    Hum.. I wonder why Softice fails to patch the keyboard if sptd is running..

  6. #6 Kayaker, Teach, Not Flame (Join Date: Oct 2000; Posts: 4,047; Blog Entries: 5)

    What it looks like, the first thing ntoskrnl!_PsSetLoadImageNotifyRoutine does is to create a tagged memory block in _ExAllocateCallBack with the tag 'Cbrb'. You can tell from the pattern that a doubly linked list is being set up to store the addresses of the NotifyRoutine callbacks.

    Code:
    PAGE:0056CE41                 push    'brbC'          ; Tag
    PAGE:0056CE46                 push    0Ch             ; NumberOfBytes
    PAGE:0056CE48                 push    1               ; PoolType
    PAGE:0056CE4A                 call    _ExAllocatePoolWithTag@12
    PAGE:0056CE4F                 test    eax, eax
    PAGE:0056CE51                 jz      short loc_56CE62
    PAGE:0056CE53                 mov     ecx, [ebp+NotifyRoutine]
    PAGE:0056CE56                 and     dword ptr [eax], 0
    PAGE:0056CE59                 mov     [eax+4], ecx
    PAGE:0056CE5C                 mov     ecx, [ebp+arg_4]
    PAGE:0056CE5F                 mov     [eax+8], ecx

    This is in addition to writing the callback routine to the _PspLoadImageNotifyRoutine callback table, so it seems there are actually 2 references to these callbacks present in system memory.

    You could likely find these tagged blocks when they are present with PoolTag. As a guess, RKU might be doing the same thing and that's why it shows the callback still present.


    As an aside, it's *really* time for a more advanced PoolTag, where you could explore the actual memory blocks.



    >I wonder why Softice fails to patch the keyboard if sptd is running..

    ??

    I'm not sure that patching the i8042prt IAT with the address of the Ntice READ_PORT_UCHAR Hook is needed actually. In theory Softice should do that itself when it starts (which your PsRemoveLoadImageNotifyRoutine call permits).

    It might be better to patch the IAT with the *original* i8042prt address, which SPTD has already overwritten, and then load Softice. This would let Softice have the original address (instead of the SPTD one) in case it wants to chain or fall through to that routine. This might help the stability.


    Interesting use of ZwLoadDriver to load Softice. I wonder what differences there might be in loading it from kernel mode vs loading it through the usual 'net start ntice'?

    Something I've never tested, is nt!PsCallImageNotifyRoutines even called when a driver is loaded by ZwLoadDriver?
    If not, then anti-sptd would simply be loading Softice from kernel mode!!
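    Posts #4 and #6 describe two places a load-image callback lives: the 8-entry _PspLoadImageNotifyRoutine table and the 12-byte 'Cbrb' block the listing fills in. The C program below is an added example, not Windows code and not antisptd's. It models both with a fixed 8-slot table and a toy tagged pool (the model_ function names, the slot count, the block layout and the pool bookkeeping are assumptions drawn from the posts), and shows why zeroing only the table slot, as in post #5, still leaves a tagged block for a PoolTag-style scan to find, while the paired remove call releases both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed, simplified layout (not Windows' code): an 8-slot table standing in for
 * _PspLoadImageNotifyRoutine, each slot pointing at a 12-byte block handed out by a
 * tagged pool under 'Cbrb' with the dwords the listing stores: [0]=0, [4]=routine, [8]=context. */
#define LOAD_IMAGE_SLOTS 8
static const char CBRB_TAG[4] = { 'C', 'b', 'r', 'b' };
typedef void (*load_image_notify_routine)(const char *image_name, void *context);
typedef struct {
    uint32_t rundown;                  /* and dword ptr [eax], 0 */
    load_image_notify_routine routine; /* mov [eax+4], ecx       */
    void *context;                     /* mov [eax+8], ecx       */
} callback_block;

/* Toy tagged pool, so a PoolTag-style scan can still find a block whose slot was zeroed. */
typedef struct pool_entry { char tag[4]; void *block; struct pool_entry *next; } pool_entry;
static pool_entry *g_pool_head = NULL;
static callback_block *g_notify_table[LOAD_IMAGE_SLOTS];

static void *pool_alloc_with_tag(size_t bytes, const char tag[4]) {
    pool_entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    if (!(e->block = calloc(1, bytes))) { free(e); return NULL; }
    memcpy(e->tag, tag, 4);
    e->next = g_pool_head;
    g_pool_head = e;
    return e->block;
}
static void pool_free(void *block) {
    for (pool_entry **pp = &g_pool_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->block != block) continue;
        pool_entry *victim = *pp;
        *pp = victim->next;
        free(victim->block);
        free(victim);
        return;
    }
}
/* What a PoolTag-style tool sees: live blocks carrying the tag. */
size_t count_pool_blocks_with_tag(const char tag[4]) {
    size_t n = 0;
    for (pool_entry *e = g_pool_head; e; e = e->next)
        if (memcmp(e->tag, tag, 4) == 0) n++;
    return n;
}
/* What a table walker sees: occupied slots. */
size_t count_table_entries(void) {
    size_t n = 0;
    for (int i = 0; i < LOAD_IMAGE_SLOTS; i++) n += g_notify_table[i] != NULL;
    return n;
}
static int find_slot(load_image_notify_routine routine) {
    for (int i = 0; i < LOAD_IMAGE_SLOTS; i++)
        if (g_notify_table[i] && g_notify_table[i]->routine == routine) return i;
    return -1;
}

/* Model of PsSetLoadImageNotifyRoutine: allocate the 'Cbrb' block, park it in a free slot. */
int model_set_load_image_notify_routine(load_image_notify_routine routine, void *context) {
    callback_block *b = pool_alloc_with_tag(sizeof *b, CBRB_TAG);
    if (!b) return -1;
    b->rundown = 0; b->routine = routine; b->context = context;
    for (int i = 0; i < LOAD_IMAGE_SLOTS; i++)
        if (!g_notify_table[i]) { g_notify_table[i] = b; return 0; }
    pool_free(b);                       /* all 8 slots taken */
    return -1;
}
/* Model of PsRemoveLoadImageNotifyRoutine: clear the slot AND release the block. */
int model_remove_load_image_notify_routine(load_image_notify_routine routine) {
    int i = find_slot(routine);
    if (i < 0) return -1;
    pool_free(g_notify_table[i]);
    g_notify_table[i] = NULL;
    return 0;
}
/* The "direct memory transfer" shortcut: only the slot is zeroed, the tagged block stays. */
int erase_table_slot_only(load_image_notify_routine routine) {
    int i = find_slot(routine);
    if (i < 0) return -1;
    g_notify_table[i] = NULL;
    return 0;
}

/* Constructed callback standing in for any driver's notify routine. */
static void sample_notify(const char *image_name, void *context) { (void)image_name; (void)context; }

int main(void) {
    model_set_load_image_notify_routine(sample_notify, NULL);
    erase_table_slot_only(sample_notify);   /* table now empty, pool still holds one 'Cbrb' */
    printf("after slot erase: table=%zu pool=%zu\n", count_table_entries(), count_pool_blocks_with_tag(CBRB_TAG));
    model_set_load_image_notify_routine(sample_notify, NULL);
    model_remove_load_image_notify_routine(sample_notify);
    printf("after API remove: table=%zu pool=%zu\n", count_table_entries(), count_pool_blocks_with_tag(CBRB_TAG));
    return 0;
}
```

    The second scan in the model still reports one 'Cbrb' block after the API remove: that is the one orphaned by the earlier slot-only erase, which is the kind of leftover a tool such as RKU could be reporting.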

  7. #7
    And Kayaker proves, once again, that he is the resident guru, high potentate, Big Kahuna (Hawaiian word, defined in the Pukui & Elbert Dictionary as "Priest, sorcerer, magician, wizard, minister, expert in any profession") of all things related to Softice inner workings.

    Regards,
    JMI

  8. #8
    Quote Originally Posted by Kayaker View Post
    Interesting use of ZwLoadDriver to load Softice. I wonder what differences there might be in loading it from kernel mode vs loading it through the usual 'net start ntice'?

    I do it all the time (with NtLoadDriver from r3)
    Code:
                            .586p
                            .model flat, stdcall
                            locals
                            jumps
    
    include                 c:\tasm32\include\shitheap.inc
    include                 c:\tasm32\include\extern.inc 
    include                 ring0.inc                       
    public C start
    
                            .data
    service:                unis     <\Registry\Machine\System\CurrentControlSet\Services\ntice>
                            align   4
    service_us              unicode_string  <>
    status                  dd      ?
    
    start:                  call    RtlAdjustPrivilege, SE_LOAD_DRIVER_PRIVILEGE, 1,0, o status
                            call    RtlInitUnicodeString, o service_us, o service
                            call    NtLoadDriver, o service_us
                            call    ExitProcess, 0
                            end     start


    Quote Originally Posted by Kayaker View Post
    Something I've never tested, is nt!PsCallImageNotifyRoutines even called when a driver is loaded by ZwLoadDriver?
    If not, then anti-sptd would simply be loading Softice from kernel mode!!

    It should be, if I'm not mistaken, as a LoadImageNotifyRoutine can check whether the image is mapped in user or kernel space via the IMAGE_INFO struct. Bottom line, both (r0 and r3) will end up in KeServiceDescriptorTable.NtLoadDriver, so I guess they will act the same.
