
Thread: SIDE.


  1. #1

    SIDE.

    (Syscall IDP Engine).

    Captures all system services (KDR, hidden). Returns control at a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher).

    o X86, KM, MI, KDR.
    o SST may be chosen: SST[0], SST[0] for gui-thread, SST[1] for shadow.

    Vid http://rghost.ru/47763708

    Org http://vx.security-portal.cz/

    SIDE.zip

  2. #2
    log added.
    Api.zip

  3. #3
    filter(anti anti debug).

    Filter.zip

  4. #4
    Big update, source is private (vxforum.net). Best of existing addons (phantom & strong are crap!).

    Code:
    Int 0x2e(rEcx & rEdx)
    
    NtQueryInformationProcess(ProcessDebugObjectHandle)
    NtQueryInformationProcess(ProcessDebugPort)
    NtQueryInformationProcess(ProcessDebugFlags)
    NtQueryInformationProcess(InheritedFromUniqueProcessId)
    NtTerminateProcess
    NtClose(#IH)
    NtOpenProcess(Name)
    NtOpenProcess(Debug privilege)
    NtSetInformationThread(ThreadHideFromDebugger)
    NtSetInformationThread(ThreadBreakOnTermination)
    NtQueryInformationThread(ThreadBreakOnTermination)
    NtCreateFile("\??\SYSER" etc)
    NtSetDebugFilterState
    NtContinue
    NtQueryPerformanceCounter
    NtQuerySystemInformation(SystemKernelDebuggerInformation)
    NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
    NtQueryObject(ObjectAllTypesInformation, "DebugObject")
    NtRemoveProcessDebug
    NtQuerySystemTime
    NtSetSystemInformation(SystemVerifierInformation)
    NtSetSystemInformation(SystemFlagsInformation)
    NtSystemDebugControl
    NtQueryObject
    
    - NtQueryInformationProcess(ProcessBreakOnTermination)
    - NtSetInformationProcess(ProcessBreakOnTermination)
    
    FindWindow("OLLYDBG" etc)
    RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
    BlockInput()
    
    Time log:
    SetTimer()
    NtSetTimer
    NtDelayExecution
    NtWaitForKeyedEvent
    NtReleaseKeyedEvent
    NtSignalAndWaitForSingleObject
    NtWaitForSingleObject
    NtWaitForMultipleObjects
    NtQuerySystemInformation(SystemTimeOfDayInformation)
    Flt.zip
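    The hook list above is also a useful checklist for the analyst on the other side: the same calls, seen in an API trace of an unknown sample, are the tell-tale signs of anti-debugging. The script below is an added example written for this thread, not SIDE's code and not its log format (the "ms API(argument)" trace lines are constructed for illustration, and the grouping of the indicators into debugger-presence, hide-or-kill and timing checks is the editor's, drawn only from the names listed in the post). It parses such a trace, flags the calls that match the list, and treats two timing-source reads within a few milliseconds of each other as a timing check.

```python
import re

# Indicators taken from the hook list posted above, grouped by purpose.
# Each entry is (API name, argument exactly as it appears in the trace).
INDICATORS = {
    "debugger-presence": {
        ("NtQueryInformationProcess", "ProcessDebugPort"),
        ("NtQueryInformationProcess", "ProcessDebugObjectHandle"),
        ("NtQueryInformationProcess", "ProcessDebugFlags"),
        ("NtQuerySystemInformation", "SystemKernelDebuggerInformation"),
        ("NtQueryObject", "ObjectAllTypesInformation"),
        ("NtCreateFile", r"\??\SYSER"),      # debugger device name
        ("FindWindow", "OLLYDBG"),           # debugger window class
    },
    "hide-or-kill": {
        ("NtSetInformationThread", "ThreadHideFromDebugger"),
        ("NtSetInformationThread", "ThreadBreakOnTermination"),
        ("NtSetInformationProcess", "ProcessBreakOnTermination"),
        ("NtRemoveProcessDebug", ""),
        ("NtSetDebugFilterState", ""),
        ("BlockInput", ""),
    },
    "timing": {
        ("NtQueryPerformanceCounter", ""),
        ("NtQuerySystemTime", ""),
        ("NtQuerySystemInformation", "SystemTimeOfDayInformation"),
    },
}

# Constructed trace format (assumption, not SIDE's log): "<ms> <API>(<argument>)".
LINE_RE = re.compile(r"^(?P<ms>\d+)\s+(?P<api>\w+)\((?P<arg>[^)]*)\)\s*$")
TIGHT_WINDOW_MS = 10   # two clock reads closer than this look like a timing check


def parse_line(line):
    """Return (ms, api, arg) for a trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("ms")), m.group("api"), m.group("arg").strip().strip('"')


def classify(api, arg):
    """Map a call to an indicator category, or None when it is not on the list."""
    for category, entries in INDICATORS.items():
        if (api, arg) in entries:
            return category
    return None


def analyze(lines):
    """Scan a trace and return per-category counts, findings and a verdict."""
    counts = {c: 0 for c in INDICATORS}
    findings = []
    timing_ts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ms, api, arg = parsed
        category = classify(api, arg)
        if category is None:
            continue            # ordinary call, e.g. NtClose or a normal NtCreateFile
        counts[category] += 1
        findings.append((ms, api, arg, category))
        if category == "timing":
            timing_ts.append(ms)
    # Consecutive clock reads within the window: the pattern of a timing check.
    tight = [(a, b) for a, b in zip(timing_ts, timing_ts[1:]) if b - a <= TIGHT_WINDOW_MS]
    suspicious = counts["debugger-presence"] >= 2 or counts["hide-or-kill"] >= 1 or bool(tight)
    return {
        "counts": counts,
        "findings": findings,
        "tight_timing_pairs": tight,
        "verdict": "likely anti-debug" if suspicious else "no anti-debug indicators",
    }


# Constructed sample trace (not a real capture).
TRACE = r"""
0    NtQueryInformationProcess(ProcessDebugPort)
1    NtQueryInformationProcess(ProcessDebugObjectHandle)
2    NtQuerySystemInformation(SystemKernelDebuggerInformation)
3    NtCreateFile("\??\SYSER")
5    FindWindow("OLLYDBG")
6    NtSetInformationThread(ThreadHideFromDebugger)
7    NtQueryPerformanceCounter()
8    NtQueryPerformanceCounter()
300  NtQueryPerformanceCounter()
301  NtCreateFile("\??\C:\Users\x\out.txt")
302  NtClose(#IH)
""".strip().splitlines()

if __name__ == "__main__":
    report = analyze(TRACE)
    for ms, api, arg, category in report["findings"]:
        print(f"{ms:>5} ms  {api}({arg})  [{category}]")
    print("tight timing pairs:", report["tight_timing_pairs"])
    print("verdict:", report["verdict"])
```

    Only exact (API, argument) pairs from the list are flagged, so a normal NtCreateFile on a user file or the NtClose at the end of the sample trace stays unclassified; that is deliberate, since the same syscalls appear in every benign program and only the specific information classes and names are indicative.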

  5. #5
    disavowed:
    Seems to fail against Obsidium's debugger detection.

  6. #6
    Not all methods are implemented.
