
Thread: SIDE.

  1. #1

    SIDE.

    (Syscall IDP Engine).

    Captures all system services (KDR, hidden). Returns control to a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher).

    o X86, KM, MI, KDR.
    o SST may be chosen: SST[0], or for a GUI thread SST[0] and SST[1] (shadow).

    Vid http://rghost.ru/47763708

    Org http://vx.security-portal.cz/

    SIDE.zip

  2. #2
    log added.



    Api.zip

  3. #3
    filter (anti-anti-debug).

    Filter.zip

  4. #4
    Big update, source is private (vxforum.net). Best of the existing addons (phantom & strong are crap!).

    Code:
    Int 0x2e(rEcx & rEdx)
    
    NtQueryInformationProcess(ProcessDebugObjectHandle)
    NtQueryInformationProcess(ProcessDebugPort)
    NtQueryInformationProcess(ProcessDebugFlags)
    NtQueryInformationProcess(InheritedFromUniqueProcessId)
    NtTerminateProcess
    NtClose(#IH)
    NtOpenProcess(Name)
    NtOpenProcess(Debug privilege)
    NtSetInformationThread(ThreadHideFromDebugger)
    NtSetInformationThread(ThreadBreakOnTermination)
    NtQueryInformationThread(ThreadBreakOnTermination)
    NtCreateFile("\??\SYSER" etc)
    NtSetDebugFilterState
    NtContinue
    NtQueryPerformanceCounter
    NtQuerySystemInformation(SystemKernelDebuggerInformation)
    NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
    NtQueryObject(ObjectAllTypesInformation, "DebugObject")
    NtRemoveProcessDebug
    NtQuerySystemTime
    NtSetSystemInformation(SystemVerifierInformation)
    NtSetSystemInformation(SystemFlagsInformation)
    NtSystemDebugControl
    NtQueryObject
    
    - NtQueryInformationProcess(ProcessBreakOnTermination)
    - NtSetInformationProcess(ProcessBreakOnTermination)
    
    FindWindow("OLLYDBG" etc)
    RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
    BlockInput()
    
    Time log:
    SetTimer()
    NtSetTimer
    NtDelayExecution
    NtWaitForKeyedEvent
    NtReleaseKeyedEvent
    NtSignalAndWaitForSingleObject
    NtWaitForSingleObject
    NtWaitForMultipleObjects
    NtQuerySystemInformation(SystemTimeOfDayInformation)
    Flt.zip
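    Added example, not part of this thread and not SIDE's code: the probe list above turned around into detection logic. The script parses a constructed syscall trace (the line format, the sample events and the timing heuristic are assumptions of this example, not SIDE's own log format) and reports which of the probe classes listed in the post each thread issued, so a log from such an engine can be read for evasive behaviour rather than only filtered.

```python
"""Flag anti-debug probes in an NT syscall trace.

Added illustration for the probe list in this thread. It is not SIDE code,
and the trace format is constructed for this example (not SIDE's own log):
one event per line, "<tid> <service>(<argument>) -> <status>".
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*(?P<tid>0x[0-9a-fA-F]+)\s+(?P<svc>Nt\w+)"  # thread id, Nt*/NtUser* service
    r"(?:\((?P<arg>[^)]*)\))?"                        # optional argument or info class
    r"(?:\s*->\s*(?P<status>\w+))?\s*$"               # optional NTSTATUS name
)

# Probe classes as (service, argument) pairs; argument None matches any argument.
# Service and information-class names are the ones listed in the post above.
PROBES = {
    "debug_state_query": {
        ("NtQueryInformationProcess", "ProcessDebugPort"),
        ("NtQueryInformationProcess", "ProcessDebugObjectHandle"),
        ("NtQueryInformationProcess", "ProcessDebugFlags"),
        ("NtQuerySystemInformation", "SystemKernelDebuggerInformation"),
        ("NtQueryObject", "ObjectAllTypesInformation"),
        ("NtSetInformationThread", "ThreadHideFromDebugger"),
        ("NtSetDebugFilterState", None),
        ("NtSystemDebugControl", None),
    },
    "parent_process_check": {
        ("NtQueryInformationProcess", "InheritedFromUniqueProcessId"),
    },
    "debugger_window_search": {("NtUserFindWindowEx", None)},
}
# Clock sources from the "Time log" list, and the waits that may sit between reads.
CLOCK_SOURCES = {
    ("NtQueryPerformanceCounter", None),
    ("NtQuerySystemTime", None),
    ("NtQuerySystemInformation", "SystemTimeOfDayInformation"),
}
WAIT_SERVICES = {
    "NtDelayExecution", "NtWaitForSingleObject", "NtWaitForMultipleObjects",
    "NtWaitForKeyedEvent", "NtSignalAndWaitForSingleObject",
}

# Constructed sample trace: thread 0x4c8 runs a chain of probes, 0x5d0 does file I/O.
SAMPLE_TRACE = r"""
0x4c8 NtQueryInformationProcess(ProcessDebugPort) -> STATUS_SUCCESS
0x4c8 NtQueryInformationProcess(ProcessDebugObjectHandle) -> STATUS_PORT_NOT_SET
0x4c8 NtSetInformationThread(ThreadHideFromDebugger) -> STATUS_SUCCESS
0x4c8 NtClose(0xDEADBEEF) -> STATUS_INVALID_HANDLE
0x4c8 NtQueryPerformanceCounter -> STATUS_SUCCESS
0x4c8 NtQueryPerformanceCounter -> STATUS_SUCCESS
0x4c8 NtQuerySystemTime -> STATUS_SUCCESS
0x4c8 NtDelayExecution(100ms) -> STATUS_SUCCESS
0x4c8 NtQuerySystemTime -> STATUS_SUCCESS
0x4c8 NtUserFindWindowEx(OLLYDBG) -> STATUS_SUCCESS
0x4c8 NtQueryInformationProcess(InheritedFromUniqueProcessId) -> STATUS_SUCCESS
0x5d0 NtCreateFile(\??\C:\tmp\out.txt) -> STATUS_SUCCESS
0x5d0 NtWriteFile(0x1c) -> STATUS_SUCCESS
"""


def parse_trace(text):
    """Parse trace lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"tid": m["tid"], "svc": m["svc"],
                           "arg": m["arg"], "status": m["status"]})
    return events


def _in(ev, pairs):
    """True if the event matches a pair exactly or a service-only wildcard."""
    return (ev["svc"], ev["arg"]) in pairs or (ev["svc"], None) in pairs


def analyse(events, window=4):
    """Return findings as (category, event index, tid, detail) tuples."""
    findings = []
    paired = set()  # clock reads already consumed as the second half of a timing pair
    for i, ev in enumerate(events):
        detail = f"{ev['svc']}({ev['arg'] or ''})"
        for category, pairs in PROBES.items():
            if _in(ev, pairs):
                findings.append((category, i, ev["tid"], detail))
        # NtClose on a bogus handle: with a debugger attached the call raises an
        # exception instead of failing, so a deliberate close of an invalid handle
        # is the NtClose(#IH) probe from the list above.
        if ev["svc"] == "NtClose" and ev["status"] == "STATUS_INVALID_HANDLE":
            findings.append(("invalid_handle_probe", i, ev["tid"], detail))
        # Timing heuristic (an assumption of this example): two clock reads by the
        # same thread within `window` events and no wait between them look like a
        # delta-time check for a debugger stall; reads around a deliberate wait are
        # treated as ordinary elapsed-time measurement and are not flagged.
        if _in(ev, CLOCK_SOURCES) and i not in paired:
            for j in range(i + 1, min(i + 1 + window, len(events))):
                nxt = events[j]
                if nxt["tid"] != ev["tid"]:
                    continue
                if nxt["svc"] in WAIT_SERVICES:
                    break
                if _in(nxt, CLOCK_SOURCES):
                    paired.add(j)
                    findings.append(("timing_check", i, ev["tid"],
                                     f"{detail} .. {nxt['svc']}"))
                    break
    return findings


def summarise(findings):
    """Count findings per probe category."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    found = analyse(evs)
    for category, idx, tid, detail in found:
        print(f"[{tid}] #{idx:<3} {category:<24} {detail}")
    print("by category:", dict(summarise(found)))
    print("by thread:  ", dict(Counter(f[2] for f in found)))
```

    The lookups are deliberately exact on (service, information class): a plain NtQueryInformationProcess call is unremarkable, and it is the class argument, which SIDE also keys its dispatch on, that separates a probe from ordinary API use.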

  5. #5
    disavowed
    Seems to fail against Obsidium's debugger detection.

  6. #6
    Not all methods are implemented.

  7. #7
    Upd.

    Code:
    Fix waiters, IsProtectedDevice()
    Add NtQuerySystemInformation(SystemObjectInformation)
    Add NtOpenProcess(debug process)
    Add NtQuerySystemInformation(SystemHandleInformation, DebugObject)
    Fix trap in Filter(), OPT_ENABLE_TRACE
    Add NtQueryInformationProcess(ProcessBreakOnTermination)
    Add safe dispatch NtClose, OPT_SAFE_HANDLES
    Del dispatch RtlQueryProcessDebug[Heap]Information
    Fix NtClose(STATUS_HANDLE_NOT_CLOSABLE)
    Pub.zip

  8. #8
    Code:
    Fix Filter: stack align, trap(OPT_ENABLE_RF) etc.
    Add SystemSessionProcessInformation
    Add SystemExtendedProcessInformation
    Fix NtClose, performance.
    Add ProcessHandleTracing
    Add SystemExtendedHandleInformation
    Fix SYSTEM_HANDLE_TABLE_ENTRY_INFO.UniqueProcessId
    Add local breakpoints.
    Fix time conversion.
    Add NtQueryWindow
    Add NtUserBuildHwndList
    Del FindWindow(), add NtUserFindWindowEx
    Del BlockInput(), add NtUserBlockInput
    Add break on attach(!PEB.BeingDebugged), break on startup.
    Dll.zip

  9. #9
    disavowed

    Bypass Obsidium(v 1.5.0) dbg detect(olly 2), XP only tested.

    Pub.zip

  10. #10


    Antispam
    Please answer the question. This process prevents automatic registration of spammers.

    Reverse the crackme at the link: http://vxforum.net/b/c.rar . It contains a PNG image with the code.
    What's the meaning?
    Is the following right?
    ntispam
    Please answer the question. This process prevents automatic registration spammers.
    Razreversite krekmi link: http://vxforum.net/b/c.rar. It is a PNG image with the code.

  11. #11
    six_L

    To restrict site of inappropriate content

    Code:
    Add NtUserWindowFromPoint
    Add NtUserGetGUIThreadInfo
    Add hide debug thread.
    Fix NtOpenProcess
    Fix IsProtectedProcess(), IsCurrentProcessThread().
    Fix GetDebugObjectTypeIndex(W7).
    Add SIDE check.
    Add hide process name in snapshot.
    Fix shadow initialize(W7).
    http://yadi.sk/d/ESK5_yuvC9TsU

  12. #12
    Kayaker
    Quote (originally posted by Indy):
    To restrict site of inappropriate content
    vxforum != inappropriate content

    That's funny

  13. #13
    Relative to what.. Nice captcha

  14. #14
    six_L

    To restrict site of inappropriate content

    Code:
    Add NtUserWindowFromPoint
    Add NtUserGetGUIThreadInfo
    Add hide debug thread.
    Fix NtOpenProcess
    Fix IsProtectedProcess(), IsCurrentProcessThread().
    Fix GetDebugObjectTypeIndex(W7).
    Add SIDE check.
    Add hide process name in snapshot.
    Fix shadow initialize(W7).
    Answer incorrect. Try again or change the question.

    how do i answer rightly the question while i reg on vxforum?

  15. #15
    ..
    Last edited by Indy; November 8th, 2013 at 15:19.
