SasukeHa - says:
:0
i like these combofix results
BanMe says:
!
me too
i Think i found a way around my problem
Imma bruteforce it
bruteforce pack the HandleEntry's to as well as brute force query
SasukeHa - says:
noo
hold
BanMe says:
ok
here's the code that is causing the error
if(RtlIsValidIndexHandle((RTL_HANDLE_TABLE*)ServerHandleTable, HandleIndex, (PRTL_HANDLE_TABLE_ENTRY*)&RtlEntry))
{
    if(HandleEntry->HandleType == HandleType && HandleEntry->HandleState == DesiredState)
    {
        return HandleEntry->Handle;
    }
    else
    {
        HandleIndex++;
        __asm jmp CheckTable;
    }
}
switch(HandleType)
SasukeHa - says:
send me source + exe

The file you attempted to send has been detected as potentially unsafe and was not sent.

BanMe sends:


BanMe says:
.rar
exe in the debug folder
SasukeHa - says:
ok
send
rename
BanMe says:
i did o0
BanMe sends:


SasukeHa - says:
i don't see any file
BanMe says:
aww wtf..
SasukeHa - says:
now i do
BanMe says:
woot

Transfer of "SIN32.txt" is complete.

BanMe says:
its .rar

The file you attempted to send has been detected as potentially unsafe and was not sent.

BanMe sends:


BanMe says:
client

Transfer of "affectionate.txt" is complete.

SasukeHa - says:
i didn't get it
BanMe says:
what?
SasukeHa - says:
wheres the problem
in the client or in the server
BanMe says:
server
SasukeHa - says:
so i don't need the client
BanMe says:
yes
you do..
the problem's code isn't run until a client connects and I dispatch a thread by looking it up in my handle table
:]
SasukeHa - says:
you want my bank account i can see where it goes
BanMe says:
there are no sockets...
SasukeHa - says:
lol
i'm joking...
take the bank
BanMe says:
LPC
lol
SasukeHa - says:
i make no money it's ok
BanMe says:
hehe we are both in that boat.. steadily sinking.. :]
this works like csrss
the win32 subsystem
literally csrss is the subsystem..
and every process/thread/security/console operation is run through csrss so almost nothing can hide from it.. unless you got a ring0 thread scheduler lying around..
SasukeHa - says:
hey
i'm remote controlling my sis's comp
brb
BanMe says:
k
brb as well smoking a cig
http://research.microsoft.com/en-us/downloads/994abd5f-53d1-4dba-a9d8-8ba1dcccead7/
SasukeHa - says:
why would you want that?
BanMe says:
just looks interesting and lol98 found me a guy with a project similar to the solution provided there
this is also very interesting
http://research.microsoft.com/en-us/um/redmond/projects/invisible/default.aspx?PP=/toc-4.xml&tocPath=toc-4&URL=files.htm
sounds like a rootkit to me..
:lol
SasukeHa - says:
does combofix work on vista?
BanMe says:
I think so, though i could be wrong..
you think you got a virus?
cause if you do then it's prolly conficker
and if thats the case..
junk the box..
SasukeHa - says:
well
no it's just that i liked it
and i'm considering using it on my sis's comp
well anyway
now your attention
BanMe says:
it's an excellent tool, i like the way it was designed
SasukeHa - says:
problem with the code again..
BanMe says:
really techy oriented
SasukeHa - says:
and how can i test it
BanMe says:

SasukeHa - says:
true
BanMe says:
the problem with the code is here
ContinueListening:
    Status = NtListenPort(LpcPortHandle, &Message);
    if(!NT_SUCCESS(Status))
    {
        RtlInitUnicodeString(&Unicode, L"NtListenPort Status:");
        __leave;
    }
    else
    {
        Message.CallbackId = (ULONG)ServerHandleTable;
        if(Recycler)
        {
            Status = Native_DispatchThread(ServerHandleTable, (ULONG)Native_AcceptConnectionRequest, sizeof(PORT_MESSAGE), (void*)&Message);
Native_DispatchThread checks my handle table for a suspended thread and then redirects it to the desired event location for processing
and allows the main thread to continue to listen
DormantThread = Native_GetHandleTableHandle(ServerHandleTable,ObThread,ObTSuspended);
so in Native_DispatchThread this is called
i'm looking for an Object of type Thread (ObThread) in state ObTSuspended (Object Thread Suspended)
CheckTable:
    if(RtlIsValidIndexHandle((RTL_HANDLE_TABLE*)ServerHandleTable, HandleIndex, (PRTL_HANDLE_TABLE_ENTRY*)&RtlEntry))
    {
        if(HandleEntry->HandleType == HandleType && HandleEntry->HandleState == DesiredState)
        {
            return HandleEntry->Handle;
        }
        else
        {
            HandleIndex++;
            __asm jmp CheckTable;
        }
    }

the meat of the problem is rooted here
in the call to RtlIsValidIndexHandle
specifically in RtlIsValidHandle
which is supposed to be checking a RTL_HANDLE_TABLE_ENTRY but i extended it to make SIN32_HANDLE_TABLE_ENTRY while still maintaining the original struct internally..
in RtlIsValidHandle the last check test byte ptr [eax],0x1 fails and returns 0 and not the HANDLE_ENTRY..
which is essential to me finding Handles
SasukeHa - says:
trying to catch up
BanMe says:
that CheckTable label is in Native_GetHandleTableHandle
I know that the function errors to the switch where i handle not-found handles and try to return the proper thing..
SasukeHa - says:
you went deeply into threads
which is very smart of you
BanMe says:
this is just a recycler
xD
and thanks for the compliment
SasukeHa - says:
well
BanMe says:
I went even deeper into the subsystem.. which manages all that we do
SasukeHa - says:
you deserv it
and it's very handy
BanMe says:
its going to be..
The system maps code for me
upon connection
behavior based injection based on system behavior
ive tested it as well
and came up with very good results
SasukeHa - says:
nice
ok
give me line
of code
for the error
BanMe says:
line 126 in SIN32_HandleTable
it's best to load server in olly
and bp RtlIsValidIndexHandle
you need the symbols for that :d
or you prolly already got em
so as the server starts it calls NtListenPort
which is a blocking function
meaning it waits for a connection
fire up the client
SasukeHa - says:
lol
i don't use "supporters"
BanMe says:
and then single step to or patch NtListenPort
SasukeHa - says:
just basic olly with clear mind
BanMe says:
and fuck it

nop the call to NtListenPort
f the client

bp at above
fone
d*
yea i just smoked a little im a little jumpy..
;]
i wish i could olly like that
but i have to know too much..

SasukeHa - says:
nah
it's never too much
00401C59 . FF15 54304000 CALL DWORD PTR DS:[<&ntdll.NtListenPort>>; ntdll.ZwListenPort


got it
wrong smile

BanMe says:
not like in terms of knowledge but in terms of what im researching..like why that does that..and so forth
SasukeHa - says:
yeah well it's not that hard considering your mind
i got to the line ... ZwListenPort
i don't even know what you mean by saying symbols
BanMe says:
not the call, and patch the check
SasukeHa - says:
you mean some plugin?
not?
BanMe says:
internal symbols produced when compiling like exports

but better
SasukeHa - says:
hold up
BanMe says:
yea for ntdll
and k32
and user32
SasukeHa - says:
you want me to patch so i'll fake "client opened " ?
BanMe says:
and so forth
yea
SasukeHa - says:
so just say that lol
BanMe says:
cant...
to simple..
;(
SasukeHa - says:
i understand simple
:]
BanMe says:
bs i say!
simple is not a insane like you ..
not as insane as you**!
SasukeHa - says:
what you mean by that?
BanMe says:
i mean you are insanely smart and simple is not what I think you do is...
SasukeHa - says:
ohhh well, it's simple
just exp..
i already found someone very smart in my area
i appreciate his work more than anyone i met
clockwork
BanMe says:
oh yes.. never seen any
SasukeHa - says:
you think i'm good because i'm the only one you know
or maybe not
BanMe says:
hehe
I've dug in deeper.. than i thought?
SasukeHa - says:
idk, i'm just saying
BanMe says:
lol
jk
SasukeHa - says:
soo..... you want it to Jump or not?
cmp x,0
lower than 0 will not jump
BanMe says:
je yes
jne no
jne jmp to the default handler
SasukeHa - says:
so you want it to jump
BanMe says:
0 = success

SasukeHa - says:
thought so
that's what the code looks like
ok what now?
BanMe says:
no wait..
SasukeHa - says:
what are we aiming for?
BanMe says:
0 = fail..
SasukeHa - says:
if you look at the code
if it doesn't jump that check it jumps all over the code
BanMe says:
im going through it now 1 sec to catch up
SasukeHa - says:
if(!NT_SUCCESS(Status))
{
    RtlInitUnicodeString(&Unicode, L"NtListenPort Status:");
means if not true, call RtlInitUnicodeString
so you want the else to be executed right?
right..
then you should jump
BanMe says:
address?
SasukeHa - says:
00401C66 . /7D 19 JGE SHORT SIN32.00401C81


i'm sure..
lets continue
after the ListenPort
what should we look for
BanMe says:
oh
i know where you are
SasukeHa - says:
don't try compare between c++ to asm
BanMe says:
yea 0 = success!
im crazy
thought you were somewhere else
SasukeHa - says:
what did you smoke?
BanMe says:
pot...
SasukeHa - says:
rellay?
*really?
BanMe says:
i have adhd ...
pot slows me down
so i can think
:/
eventually..
SasukeHa - says:
what do we look for?
BanMe says:
RtlIsValidIndexHandle
just goto expression
same name
it will land you there
and bp at top
SasukeHa - says:
what's wrong with it?
i have 3 calls to that function
BanMe says:
7C9133FA |. E8 F6FEFFFF CALL ntdll.RtlIsValidHandle ; \RtlIsValidHandle


SasukeHa - says:
3d reference?
BanMe says:
o0?
SasukeHa - says:
what's one line above it?
push edx ?
or is it push eax?
BanMe says:
7C9133F5 |. 0350 14 ADD EDX,DWORD PTR DS:[EAX+14]
7C9133F8 |. 52 PUSH EDX ; /Arg2
7C9133F9 |. 50 PUSH EAX ; |Arg1
7C9133FA |. E8 F6FEFFFF CALL ntdll.RtlIsValidHandle ; \RtlIsValidHandle


SasukeHa - says:
good
ok
ok now that we located it
you need it to return 1?
BanMe says:
yea go into the call there
and in that function test byte ptr [eax],0x1
fails me..
right at the end
SasukeHa - says:
into the ntdll?
BanMe says:
in the call 7C9133F5 |. 0350 14 ADD EDX,DWORD PTR DS:[EAX+14]
7C9133F8 |. 52 PUSH EDX ; /Arg2
7C9133F9 |. 50 PUSH EAX ; |Arg1
7C9133FA |. E8 F6FEFFFF CALL ntdll.RtlIsValidHandle ; \RtlIsValidHandle


there
SasukeHa - says:
it checks if the tablehandle is valid?
BanMe says:
test byte ptr [eax] [eax=handle],0x1
iono what that does..
SasukeHa - says:
and in that function test byte ptr [eax],0x1 the Rtl function itself?
BanMe says:
but i have a reference
yes that code is in the called function
SasukeHa - says:
hey
what does it check exactly?
and base on what?
RtlIsValidIndexHandle

BanMe says:
http://source.winehq.org/source/dlls/ntdll/handletable.c
check out wine
at bottom is function
RtlIsValidIndexHandle
if(RtlIsValidHandle is where the error is
((ULONG_PTR)Handle->Next & 1))

hmm
wait i thinks i sees it..
bah this means i have to prelink the handle manually ...
it means i have to have a head to the list..
SasukeHa - says:
i'm not following
RtlIsValidIndexHandle
determines whether a handle is valid or not
ofcourse
BanMe says:
struct _x
{
    struct _x* Next;
    void* Handle;
} _Rtl_Handle_Entry;
SasukeHa - says:
but what makes it valid or invalid
BanMe says:
i need to allocate 2 to have a valid link

in order for that check to succeed
SasukeHa - says:
allocate 2 what?
BanMe says:
Entry above

SasukeHa - says:
hm
BanMe says:
next = next object
or structure
like a listentry
or the dll hide thing

in other words
I need one valid "filled" out Structure and setup for the coming of the next structure
to have a forward link generation
a->b->c
SasukeHa - says:
guess so
BanMe says:
lol
you made something that used this concept with me
SasukeHa - says:
handle table is 30000 ?
right?
BanMe says:
should be somewhere round there
mines 330000
-0
SasukeHa - says:
The index of the handle to be tested.
i see it's 000!
BanMe says:
yes it starts at 0
first index
in memory is the base of the table+0
and it uses imul
if u follow it
SasukeHa - says:
it takes table handle
30000
add 4 bytes...
BanMe says:
so baseoftable+(index*sizeofentry)
SasukeHa - says:
then it reads the byte
BanMe says:
to fine an entry
find*
SasukeHa - says:
listen
30000+4bytes ..
byte [30004] == 10(hex)
10 * index of table to be tested
= 00
cause 10*0
BanMe says:
yes but continue passed that
SasukeHa - says:
then it adds to the result ( 0 ) the value of [3000+14]
hold up
listen
[3014] = 003a0000
BanMe says:
it grew automatically..
no im just kidding..
SasukeHa - says:
then.... it does some tests ... no matter what,
then it checks the value of [003a0000] first byte
BanMe says:
is it test writing?
hmm
manual
1 sec
SasukeHa - says:
basicaly [HandleTable + 4] == x(byte)
x * index of table
result + [HandleTable+14]
if [result] == 0
then invalid
else
valid
helps ?
BanMe says:
yes
i think i have it solved in 2 ways now
1 brute forcing the structures to stay packed into a compressed encrypted hash heap..
2 by fixing my code..
lol
SasukeHa - says:
even tho i don't really understand these handles exactly
i hope i helped
BanMe says:
yes yes you are an inspiration
!!
SasukeHa - says:
inspiration is you, thinking of what you say
it has nothing to do with disassembly
BanMe says:
well I hope to make the you r ultimate tool
our*
this is years of work and research
SasukeHa - says:
me 2
BanMe says:
not just this code but the concept im establishing
SasukeHa - says:
i hope your questions will be more clear and specific
BanMe says:
im the 2nd and only native attempt at a subsystem
SasukeHa - says:
i have to jump to the bed
too little time :\
BanMe says:
sleep well!
SasukeHa - says:
you'd do well
BanMe says:
i will have a working prototype for you to play with
soon...
i had one then i implemented the handle table
xD