
Thread: Ring 0 anti-debugger code in Daemon Tools?

  1. #16
    Quote Originally Posted by Kayaker
    I did a bit of searching but found nothing, has no one done a detailed static reversing at least of SPTD.sys?
    This was my first thought, just open it in IDA and take a look.

    I haven't the file either, so I can't make any statements regarding it, but static analysis is sometimes still the best way to understand hostile code.

  2. #17
    Quote Originally Posted by DillerInc
    omega_red
    Maybe some conflict with antivirus software??
    No, it's a clean xp 32-bit.
    I've had this problem with my 64-bit system at home, but that was related to some 64-bit specific hotfix affecting Windows kernel protection (at least that's what I found with Google - KB914784). However, I've found no online sources mentioning that it's an issue on 32-bit XP too, and this specific KB is not installed on the 32-bit system. Interestingly, I have the same DT version (4.03) working on another 32-bit machine with XP, fully patched too..

    As for hooked syscalls, the list is as follows:
    0029: NtCreateKey
    0047: NtEnumerateKey
    0049: NtEnumerateValueKey
    0077: NtOpenKey
    00a0: NtQueryKey
    00b1: NtQueryValueKey
    00f7: NtSetValueKey
    Vulnerant omnes, ultima necat.

  3. #18
    Quote Originally Posted by LLXX
    I haven't the file either, so I can't make any statements regarding it
    I attached the latest version of sptd.sys -- 1.25.0.0
    I'm not very familiar with the kernel-mode stuff, so I can't get the point of all these ntoskrnl functions...but IDA shows some interesting strings like:

    Code:
    .data:00078808  00000053 C Debug TEST trigger in DPC: overflow by %I64d ms!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n

  4. #19
    From Alcohol Customer forum:
    - Why don't you want SPTD? Did you have any related problems?
    - Yes, it won't live with my Logitech Quickcam Pro 5000 drivers. The machine stalls on boot after the Windows logo screen.

  5. #20
    Quote Originally Posted by DillerInc
    I attached the latest version of sptd.sys -- 1.25.0.0
    I'm not very familiar with the kernel-mode stuff, so I can't get the point of all these ntoskrnl functions...but IDA shows some interesting strings like:

    Code:
    .data:00078808  00000053 C Debug TEST trigger in DPC: overflow by %I64d ms!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n
    It also looks like it's been encrypted/packed... I'm not familiar with NT kernel architecture either, so that's all I can see...

  6. #21
    Posted by Kayaker
    I'll post more on this later. I found that there is an easy way to get Softice to load with sptd.sys active - simply change the ServiceGroupOrder so that cpthook.sys and osidata.sys load before sptd.sys.


    SPTD sets itself up as a Boot Bus Extender driver, the same as Softice. Within that group there is a ServiceGroupOrder which specifies which driver loads first, based on the Tag value set for the driver.

    See here for more
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q115486

    SPTD sets itself up to load as the *first* Boot Bus Extender driver, so it gets the chance to grab all the resources. It is a simple matter to change this order so Softice gets its shot at what it wants to hook etc. before sptd.

    I don't have an application which uses SPTD, only the installed driver itself, so I can't tell if doing this interferes with its actual operation. Doesn't matter, this is for debugging purposes anyway.

    Now that Softice can "see" SPTD successfully installed you can issue commands such as
    DRIVER sptd - see IRPs used etc.
    MAP32 sptd - use addresses to disassemble the various sections, if indeed there are encrypted sections, they should be decrypted by now depending on the exact implementation

    If SPTD is actually running normally then you may be able to set breakpoints on the IRP functions in order to see how the application is communicating with it...
    etc.

    Kayaker

  7. #22
    simply change the ServiceGroupOrder so that cpthook.sys and osidata.sys load before sptd.sys
    ...in which way does SoftIce need to be loaded in that case -- manually or at system boot??
    I'll post more on this later
    ...it would be very kind of you

  8. #23
    Posted by Kayaker
    Quote Originally Posted by DillerInc
    ...in which way does SoftIce need to be loaded in that case -- manually or at system boot??
    Normal manual start of Softice. The two drivers cpthook and osidata are both loaded at boot time anyway and are for the important hooking. The "manual" starting mode just executes ntice.sys when you decide.

    You will probably need to boot once in Safe Mode and prevent SPTD from loading. Then you can change the registry entry. Then reboot normally. Softice should be able to start after this. If you change the registry while SPTD is still active it seems to change it back on shutdown. It may be checked on every shutdown, I haven't had time to test that yet.

    Code:
    Original: 
    The first 06 dword indicates the number of entries, the second 06 is the
     "Tag" value for SPTD, then follows Tags for other drivers including 
     the two drivers of Softice.
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
    
    "Boot Bus Extender"=hex:06,00,00,00,06,00,00,00,01,00,00,00,02,00,00,00,03,00,\
      00,00,04,00,00,00,05,00,00,00
      
    Change order to this, sptd will be loaded last:
     
    "Boot Bus Extender"=hex:06,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,\
      00,00,05,00,00,00,06,00,00,00
    Kayaker
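The edit above is done by hand in regedit; the following is an added example (my code, not Kayaker's or anything shipped with SPTD or Softice) that parses the "Boot Bus Extender" value in the .reg syntax quoted above, moves one driver's Tag to the end of the list and re-emits the value. It relies only on the REG_BINARY layout described in KB Q115486 (a DWORD count followed by that many little-endian DWORD tags, in start order). The 16-bit "suspicious tag" cutoff is a heuristic of mine, not a documented limit; it is there because the Win2k value posted later in this thread ends in bytes that spell ASCII text rather than tag numbers. Writing the result back from Safe Mode is still the manual step Kayaker describes.

```python
"""Reorder the tags of a GroupOrderList value (added example, not from the thread)."""
import struct

# Constructed from the .reg lines quoted in Kayaker's post (SPTD's tag 6 listed first).
ORIGINAL = ("hex:06,00,00,00,06,00,00,00,01,00,00,00,02,00,00,00,03,00,\\\n"
            "  00,00,04,00,00,00,05,00,00,00")


def reg_hex_to_bytes(value: str) -> bytes:
    """Parse the .reg 'hex:aa,bb,...' syntax, tolerating '\\' line continuations."""
    body = value.split("hex:", 1)[-1].replace("\\", "")
    tokens = [t.strip() for t in body.split(",") if t.strip()]
    return bytes(int(t, 16) for t in tokens)


def bytes_to_reg_hex(data: bytes) -> str:
    """Inverse of reg_hex_to_bytes (single line, no continuations)."""
    return "hex:" + ",".join(f"{b:02x}" for b in data)


def parse_group_order(data: bytes) -> list:
    """Return the tag list; raise if the blob is not <count><count x DWORD>."""
    if len(data) < 4 or len(data) % 4:
        raise ValueError("value is not a whole number of DWORDs")
    (count,) = struct.unpack_from("<I", data, 0)
    if len(data) != 4 + 4 * count:
        raise ValueError(f"count {count} does not match {len(data)} bytes")
    return list(struct.unpack_from(f"<{count}I", data, 4))


def build_group_order(tags) -> bytes:
    """Serialize a tag list back into the REG_BINARY layout."""
    return struct.pack(f"<I{len(tags)}I", len(tags), *tags)


def move_tag_last(tags, tag):
    """Keep relative order of the others, put `tag` at the end (loads last)."""
    if tag not in tags:
        raise ValueError(f"tag {tag} is not in the group")
    return [t for t in tags if t != tag] + [tag]


def suspicious_tags(tags):
    """Heuristic (assumption, not a documented rule): a real Tag is a small
    integer taken from Services\\<driver>\\Tag, so anything above 16 bits is
    probably not a tag at all, e.g. printable bytes left by a bad write."""
    return [t for t in tags if t > 0xFFFF]


def reorder_reg_value(value: str, tag: int) -> str:
    """Whole round trip: .reg text in, reordered .reg text out."""
    tags = parse_group_order(reg_hex_to_bytes(value))
    return bytes_to_reg_hex(build_group_order(move_tag_last(tags, tag)))


if __name__ == "__main__":
    print("tags:", parse_group_order(reg_hex_to_bytes(ORIGINAL)))
    print("sptd last:", reorder_reg_value(ORIGINAL, 6))
```

Paste the printed `hex:` line into a .reg file under the GroupOrderList key, or feed the raw bytes to `reg add ... /t REG_BINARY`, only while SPTD is not loaded, since Kayaker reports it rewrites the value on shutdown.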

  9. #24
    Posted by Kayaker
    Here's a bit more on debugging the unbuggable..

    If interested, you can run sptd.sys as a regular SERVICE_DEMAND_START driver and trace into the INIT routine to check out what certainly appears to be a decryption of sorts. Ultimately I don't know if there is specific anti-debugging code or whether the incompatibility with kernel mode debuggers is a result of not being able to share resources. Trying to run SPTD under the conditions I gave above (by making sure Softice loads first) might be the best way to tell.

    As for tracing the INIT, or normal DriverEntry routine, all you need to do is set a breakpoint on the indirect call within the ntoskrnl IopLoadDriver routine which directly calls DriverEntry for all SERVICE_DEMAND_START drivers. Other driver types may use different routines, SERVICE_BOOT_START runs from ntldr I believe.

    The easiest way to find the correct address to break on is to set a breakpoint in your own DriverEntry routine and trace back to ntoskrnl code. In XPsp2 this is at 805A69D0. If you can't do this you can probably find it with the help of IDA and a byte/offset search in Softice.

    The specific call is this one, you should have the PDB symbols loaded to find IopLoadDriver:

    Code:
    PAGE:004CF9C9   loc_4CF9C9:     ; CODE XREF: IopLoadDriver(x,x,x,x)+3AD
    PAGE:004CF9C9            push    [ebp+P]
    PAGE:004CF9CF            push    edi
    PAGE:004CF9D0 FF 57 2C   call    dword ptr [edi+2Ch] breakpoint here
    For SPTD, make sure it is *completely* uninstalled first as a boot loading driver. The driver install package comes with an uninstall routine ("remove"). First however make a copy of sptd.sys and its associated driver sptd2461.sys (the numbers 2461 may be different for you, 7805 perhaps). Once you've got a "clean" system again, copy the 2 sptd drivers back to /windows/system32/drivers. I used a clean VMWare image for this.

    Now you're ready to start up SPTD as a traceable SERVICE_DEMAND_START driver. I use Driver Monitor from the DriverStudio Tools directory. Open sptd.sys in Driver Monitor, a new registry entry will be made under
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sptd]

    Now set a breakpoint on the Call [edi+2Ch] above, press Go in Driver Monitor, and just step into what is a normal DriverEntry routine when it breaks. Welcome to driver tracing..


    I'm not going to pursue this further unless someone finds something interesting out of all this, it's all pretty ugly in there.

    Cheers,
    Kayaker

  10. #25
    Posted by dELTA
    Hehe, as always, you da ring 0 man Kayaker.

    I don't have an application which uses SPTD, only the installed driver itself, so I can't tell if doing this interferes with its actual operation.
    Daemon Tools, which is one of the applications using this driver, is free, small, and works perfectly inside a VMware machine, so if you want to try whether your simple method works all the way it should be quite easy to just download, install and see, just so you know.

  11. #26
    Kayaker
    So, it seems a bit strange on my Win2k SP4 machine.
    When I had SoftIce installed, this GroupOrderList registry key looked this way:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
    "Boot Bus Extender"=hex:07,00,00,00,09,00,00,00,08,00,00,00,01,00,00,00,04,00,\
    00,00,05,00,00,00,54,72,75,73,00,3e,00,3e
    If I have correctly understood, there are seven entries out there.
    OsiData should have a "Tag" value -- 2
    CptHook should have a "Tag" value -- 3
    But as we can see there are no such values. Though SoftIce started perfectly.

    After that I installed Alcohol with that latest sptd.sys, and the registry value changed to this:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
    "Boot Bus Extender"=hex:07,00,00,00,08,00,00,00,09,00,00,00,01,00,00,00,04,00,\
    00,00,05,00,00,00,54,72,75,73,00,3e,00,3e
    SoftIce began to fail at start.
    I booted into Safe Mode, cancelled the loading of sptd.sys along the way, and changed the value "Boot Bus Extender" back to its former state. It did not help -- SoftIce continued to fail at start with "Error code 31".
    Any suggestions??

  12. #27
    Posted by Kayaker
    Sure dELTA, take advantage of my debilitating reversing addiction and throw me another teaser why don't you?
    Those Reverser's Anonymous meetings just aren't helping...

    OK, I installed DT and set it up to mount an iso image of an old Win3.1 era game which required the CD be present. DT worked great! (though the game sure sucks)

    Then I forced SPTD to load *after* the Softice boot drivers as I outlined above:

    - boot once in Safe Mode and prevent SPTD from loading (press ESC at prompt)
    - change the GroupOrderList so that the SPTD.sys driver Tag (#6 on my system) is listed last (see above)
    - reboot normally
    - Softice can now be activated manually

    Unfortunately, this didn't work quite as hoped because when DT tried to start it detected Softice was active (even though not started manually yet) and gave a MsgBox error.

    OK, partial setback, but wait a minute, what's wrong here?

    DT usermode application normally starts from
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    but can now be started manually..

    DT application can be loaded with Softice Loader32 and traced like a normal application..
    Breakpoints stick and app can be restarted over and over again with same bp's active..
    DT application can be loaded with OllyDbg..
    Interesting decryption algorithm can be traced (looks very similar to the one present in sptd.sys btw)..
    MessageBoxW which gives the error can be found..

    Oops, I guess we weren't meant to be able to do this..

    The Softice/kernel debugger detection must be in the decrypted code somewhere but would require some determined reversing..

    No guarantees that bypassing the debugger detection would allow DT to operate normally..

    This information is for malware reversing purposes only..

    Kayaker

  13. #28
    Kayaker
    Well, on my WinXP SP2 machine it went just as you described above. That's good!
    Now SoftIce is able to start successfully, BUT there is no virtual drive by Alcohol anymore, because sptd.sys simply did not boot. If we now try to run Alcohol, it loads but also shows a MessageBoxA telling us that an error occurred while loading the Alcohol drivers.
    It's true that we can debug the usermode application alcohol.exe (it is packed with UPX), but would it help us if sptd.sys is not present anyway...or??

  14. #29
    Posted by Kayaker
    Hi DillerInc

    The SPTD drivers should boot up anyway if everything went well. It's the system, not the application, which is loading the drivers, so as long as the registry settings are OK there shouldn't be anything preventing them from loading at boot time. All we've done is modify their load order.

    In my case anyway I can see that the drivers are loaded with the Softice commands:

    DRIVER sptd*
    or
    MOD sptd*

    The MOD command will also show the sptdxxxx.sys driver which is loaded as an export module for the main sptd.sys driver.


    You should also be able to confirm sptd is loaded and active (irrespective of whether or not DT/Alcohol is running) with something like OSR's IrpTracker. It will easily show what IRPs are being issued through SPTD, even while quietly humming in the background without an application using it. If DT issues a DeviceIoControl call, IrpTracker picks that up as well.


    It's quite possible that even though the (load-order modified) drivers appear to be loaded, they haven't been successfully initialized in terms of what needs to be hooked, etc. It's still an open question as to why these drivers can't coexist with Softice. However I think that the user application should still behave somewhat "normally" in general terms.

    Kayaker

  15. #30
    Kayaker
    Once again you are right -- sptd.sys does boot.
    We can investigate it also using the feature "Enable Boot Logging" during advanced Windows startup. Then we can see this:
    Quote Originally Posted by Ntbtlog.txt
    Service Pack 2 9 19 2006 21:05:43.500
    Loaded driver \WINDOWS\system32\ntoskrnl.exe
    Loaded driver \WINDOWS\system32\hal.dll
    Loaded driver \WINDOWS\system32\KDCOM.DLL
    Loaded driver \WINDOWS\system32\BOOTVID.dll
    Loaded driver bootcfg.sys
    Loaded driver ACPI.sys
    Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
    Loaded driver pci.sys
    Loaded driver OsiData.sys
    Loaded driver cpthook.sys

    Loaded driver isapnp.sys
    Loaded driver sptd.sys
    Loaded driver \WINDOWS\System32\Drivers\SPTD7805.SYS
    ...
    Now, I'm planning to dump this driver using IceExt...
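Boot logging gives a way to confirm the load order without Softice being able to start at all. The following is an added example (my code, not from the thread, Softice or SPTD) that parses an ntbtlog.txt in the format quoted above, where Windows writes one "Loaded driver <path>" or "Did not load driver <path>" line per driver in start order, and checks that the Softice boot drivers (OsiData.sys and cpthook.sys) started before sptd.sys, which is what the GroupOrderList change earlier in the thread is meant to achieve. The sample log is constructed from the excerpt in the post above; the "hypothetical.sys" line is mine, added to exercise the failed-load case.

```python
"""Verify driver load order from ntbtlog.txt (added example, not from the thread)."""
import ntpath
import re

# Constructed from the ntbtlog.txt excerpt quoted in the post above, plus one
# made-up "Did not load driver" line (hypothetical.sys) to exercise that path.
SAMPLE_LOG = r"""Service Pack 2 9 19 2006 21:05:43.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver bootcfg.sys
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver OsiData.sys
Loaded driver cpthook.sys

Loaded driver isapnp.sys
Loaded driver sptd.sys
Loaded driver \WINDOWS\System32\Drivers\SPTD7805.SYS
Did not load driver \WINDOWS\System32\Drivers\hypothetical.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text: str) -> list:
    """Return [(loaded: bool, basename lowercased)] in file order.

    Paths are Windows-style regardless of where this runs, so ntpath is used
    for the basename. Header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        loaded = m.group(1) == "Loaded driver"
        entries.append((loaded, ntpath.basename(m.group(2)).lower()))
    return entries


def load_position(entries, name: str):
    """Index of the first successful load of `name`, or None if it never loaded."""
    name = name.lower()
    for i, (loaded, n) in enumerate(entries):
        if loaded and n == name:
            return i
    return None


def loads_before(entries, earlier, later: str) -> bool:
    """True if `later` loaded and every driver in `earlier` loaded before it."""
    pos_later = load_position(entries, later)
    if pos_later is None:
        return False
    for drv in earlier:
        p = load_position(entries, drv)
        if p is None or p > pos_later:
            return False
    return True


def drivers_matching(entries, prefix: str) -> list:
    """Names of successfully loaded drivers starting with `prefix` (e.g. 'sptd')."""
    prefix = prefix.lower()
    return [n for loaded, n in entries if loaded and n.startswith(prefix)]


if __name__ == "__main__":
    entries = parse_ntbtlog(SAMPLE_LOG)
    print("sptd modules:", drivers_matching(entries, "sptd"))
    print("Softice hooks before sptd:",
          loads_before(entries, ["osidata.sys", "cpthook.sys"], "sptd.sys"))
```

Run it against the real %SystemRoot%\ntbtlog.txt after a boot with logging enabled; if `loads_before` is False the GroupOrderList edit did not take, which matches Kayaker's observation that SPTD rewrites the value on shutdown when it is still active.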
