SIDE.

**Indy** · August 5th, 2013, 17:21

(Syscall IDP Engine).

Captures all system services(KDR, hidden). Returns control on specified address(int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor control is returned to the kernel(Filter() -> backdoor() -> nt service dispatcher).

o X86, KM, MI, KDR.
o May be choose SST[0], SST[0] for gui-thread, SST[1] for shadow.

Vid http://rghost.ru/47763708

Org http://vx.security-portal.cz/

SIDE.zip

**Indy** · August 18th, 2013, 06:16

log added.

Api.zip

**Indy** · October 19th, 2013, 00:46

filter(anti anti debug).

Filter.zip

**Indy** · October 23rd, 2013, 11:09

Big update, source is private(vxforum.net). Best of existing addons(phantom & strong is crap!).

Code:

Int 0x2e(rEcx & rEdx)

NtQueryInformationProcess(ProcessDebugObjectHandle)
NtQueryInformationProcess(ProcessDebugPort)
NtQueryInformationProcess(ProcessDebugFlags)
NtQueryInformationProcess(InheritedFromUniqueProcessId)
NtTerminateProcess
NtClose(#IH)
NtOpenProcess(Name)
NtOpenProcess(Debug privilege)
NtSetInformationThread(ThreadHideFromDebugger)
NtSetInformationThread(ThreadBreakOnTermination)
NtQueryInformationThread(ThreadBreakOnTermination)
NtCreateFile("\??\SYSER" etc)
NtSetDebugFilterState
NtContinue
NtQueryPerformanceCounter
NtQuerySystemInformation(SystemKernelDebuggerInformation)
NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
NtQueryObject(ObjectAllTypesInformation, "DebugObject")
NtRemoveProcessDebug
NtQuerySystemTime
NtSetSystemInformation(SystemVerifierInformation)
NtSetSystemInformation(SystemFlagsInformation)
NtSystemDebugControl
NtQueryObject

- NtQueryInformationProcess(ProcessBreakOnTermination)
- NtSetInformationProcess(ProcessBreakOnTermination)

FindWindow("OLLYDBG" etc)
RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
BlockInput()

Time log:
SetTimer()
NtSetTimer
NtDelayExecution
NtWaitForKeyedEvent
NtReleaseKeyedEvent
NtSignalAndWaitForSingleObject
NtWaitForSingleObject
NtWaitForMultipleObjects
NtQuerySystemInformation(SystemTimeOfDayInformation)

Flt.zip

**disavowed** · October 23rd, 2013, 20:54

Seems to fail against Obsidium's debugger detection.

**Indy** · October 24th, 2013, 02:43

Not all methods are implemented.

Collaborative RCE Tool Library (CRCETL)	Collaborative RCE Knowledge Library (CRCEKL)
CrackZ	Fravia's Searchlores	Yates
ARTeam	Reverse Engineering Reddit	Reverse Engineering Team
KernelMode.info	OpenRCE	Tuts 4 You
NTCore	My Infected Computer	Evilcry's Dark Cave
j00ru//vx tech blog	cr4zyserb - deroko of ARTeam	UIC R.E. Academy
		The TiGa Video Tutorial Site
Fravia's Original Reversing Site	The Original RCE-CD	Krobars Collection of tutorials
OllyDbg Extensions: Version 1.x Version 2.x

Thread: SIDE.

Thread Tools

Search Thread

Display

Hybrid View

SIDE.

Bookmarks

Bookmarks

Posting Permissions