
Thread: ARTeam: TheMida Loader (PEB dll hooker templates for MSVC) by deroko

  1. #1
    Shub-nigurrath (Super Moderator)

    ARTeam: TheMida Loader (PEB dll hooker templates for MSVC) by deroko

    Hi all,
    a new tool from deroko, full sources included so you can understand how the magic is done!

    Don't know if anyone remembers the themidaspy tool, which was designed to defeat
    the Anti-Break and Anti-ApiSpy techniques used in themida. I won't go into details
    of how those are implemented in themida, as anyone who has played with themida
    already knows how those are implemented. The TheMidaSpy tool was blacklisted, i.e.
    not working anymore with themida, so I decided to update the whole project and
    release a new tool with sources © + templates for creating fake_kernel32.dll
    and fake_advapi32.dll because you may find it useful to use in some of
    your projects.

    The fake_kernel/advapi32 projects consist of all exports from both dlls. Currently,
    I have listed all exports from kernel32.dll and advapi32.dll which are located
    in those dlls on Windows XP SP3. Thanks to some of the testers, I've received notification
    that there are some exports and imports in fake_kernel32.dll/advapi32.dll
    which are not present on XP SP2; on Vista, on the other hand, some imports are
    not present, so you might wanna remove them if you plan to use this tool on
    Vista.

    I chose to use themida again, as it is a good example of when PEB hooking might
    be handy, but you may use it for any other protection/project etc.

    In the themidaloader project you may find an example of how to inject these dlls into
    the targeted process.

    You may find a sample of how to handle hooks in the fake_kernel32 project if
    you look up f_GetModuleHandleA, f_LoadLibraryA, f_LoadLibraryExA, and
    f_CreateThread; now it's all up to you to decide how, and what, you will
    filter!!!
    http://arteam.accessroot.com/releases.html

    BR,
    Shub
    (¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  2. #2
    Thanks Shub for again sharing with our readers and thanks to Deroko for his interesting projects. Someone needs to make a CRCETL entry for this tool.

    Regards,
    JMI
