
Thread: Ring 0 anti-debugger code in Daemon Tools?

  1. #61
    Super Moderator (Join Date: Dec 2004; Posts: 1,487; Blog Entries: 15)
    I am not much aware of the intricacies of discardable pages, but I think you shouldn't lose anything if you dump at the right moment.

    Code:
    .data:FEC52FFF 
    INIT:FEC53000 ; ---------------------------------------------------------------------------
    INIT:FEC53000 ; Section 5. (virtual address 00060000)
    INIT:FEC53000 ; Virtual size                  : 0001E000 ( 122880.)
    INIT:FEC53000 ; Section size in file          : 0001E000 ( 122880.)
    INIT:FEC53000 ; Offset to raw data for section: 00060000
    INIT:FEC53000 ; Flags E2000020: Text Discardable Executable Readable Writable
    INIT:FEC53000 ; Alignment     : 16 bytes ?
    INIT:FEC53000 ; ---------------------------------------------------------------------------
    INIT:FEC53000 
    INIT:FEC53000 ; Segment type: Pure code
    INIT:FEC53000 INIT            segment para public 'CODE' use32
    INIT:FEC53000                 assume cs:INIT
    INIT:FEC53000                 ;org 0FEC53000h
    INIT:FEC53000                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
    INIT:FEC53000                 push    8A780h
    INIT:FEC53005                 jmp     loc_FEC18578
    I am not aware if this is the original driver entry or not.

    Code:
    start      ;  S U B R O U T I N E 
    start      
    start      ; Attributes: bp-based frame
    start      
    start                      public start
    start      start           proc near
    start      
    start      arg_0           = dword ptr  8
    start      arg_4           = dword ptr  0Ch
    start      
    start                      push    ebp
    start+1                    mov     ebp, esp
    start+3                    call    sub_FEC6B010
    start+8                    test    eax, eax
    start+A                    jnz     short loc_FEC6F0E5
    start+C                    and     [ebp+arg_0], eax
    start+F    
    start+F    loc_FEC6F0E5:                           ; CODE XREF: start+Aj
    start+F                    cmp     [ebp+arg_0], 0
    start+13                   jz      short loc_FEC6F12A
    start+15                   cmp     [ebp+arg_4], 0
    start+19                   jz      short loc_FEC6F12A
    start+1B                   push    esi
    start+1C                   call    sub_FEC6D296
    start+21                   mov     eax, dword_FEC4F320
    start+26                   cmp     eax, 100h
    start+2B                   jnz     short loc_FEC6F112
    start+2D                   push    [ebp+arg_4]
    start+30                   push    [ebp+arg_0]
    start+33                   call    sub_FEC6DEFE
    start+38                   mov     esi, eax
    start+3A                   jmp     short loc_FEC6F117
    start+3C   ; ---------------------------------------------------------------------------
    start+3C   
    start+3C   loc_FEC6F112:                           ; CODE XREF: start+2Bj
    start+3C                   mov     esi, 0C000009Ah
    start+41   
    start+41   loc_FEC6F117:                           ; CODE XREF: start+3Aj
    start+41                   test    esi, esi
    start+43                   jge     short loc_FEC6F125
    start+45                   call    sub_FEC6D0CE
    start+4A                   call    sub_FEC6D2CA
    start+4F   
    start+4F   loc_FEC6F125:                           ; CODE XREF: start+43j
    start+4F                   mov     eax, esi
    start+51                   pop     esi
    start+52                   jmp     short loc_FEC6F12F
    start+54   ; ---------------------------------------------------------------------------
    start+54   
    start+54   loc_FEC6F12A:                           ; CODE XREF: start+13j
    start+54                                           ; start+19j
    start+54                   mov     eax, 0C0000183h
    start+59   
    start+59   loc_FEC6F12F:                           ; CODE XREF: start+52j
    start+59                   pop     ebp
    start+5A                   retn    8
    start+5A   start           endp
    start+5A   
    start+5A   ; ---------------------------------------------------------------------------

  2. #62
    Ok, yeah, that's the original DriverEntry. But seeing as it looks like a standard C driver, I was interested in the 'original' DE, i.e. the one before it was protected with whatever it is - the one that creates any devices, accesses parameters in the registry, and typically does the hooking in a kernel mode rootkit.

    And if you try and dump the module during runtime, then livekd (or whatever) will error when it gets to the INIT section, as it has been discarded. I'm not sure when the IO manager gets rid of it, but probably fairly soon after the DriverEntry returns success. Certainly by the time I've booted up and started livekd. Though, I suppose it might work if you just renamed the section to something else and fixed the xsum in the PE header. I'll check later.

  3. #63
    Registered User upb (Join Date: May 2003; Posts: 50; Blog Entries: 4)
    Hi, I don't think it's actually the name that triggers the discarding but the section flags.

  4. #64
    Yeah, I just checked that, and that's correct as far as I can tell. Though the kernel does check specifically for sections with names starting with INIT, PAGE, and EDAT. Though what it does in those cases, I don't know. I've been too busy with other kernel mode and native stuff to get a properly analyzable dump; I might have another go in the next couple of weeks, depending on how things pan out.
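Posts #61, #63 and #64 turn on the section Characteristics word (E2000020 in the IDA header comment) rather than the section name. The following script is an added example, not code from the thread or from Daemon Tools: it walks the section table of a PE image, decodes the characteristics the way IDA's header comment does, and reports which sections carry IMAGE_SCN_MEM_DISCARDABLE and so will not survive in a runtime dump. The PE bytes it parses are a constructed minimal image (a .text section plus an INIT section using the values from post #61), not a real driver.

```python
import struct

# Section characteristic bits from the PE/COFF spec (winnt.h names).
IMAGE_SCN_CNT_CODE        = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE     = 0x20000000
IMAGE_SCN_MEM_READ        = 0x40000000
IMAGE_SCN_MEM_WRITE       = 0x80000000
FLAG_NAMES = [(IMAGE_SCN_CNT_CODE, "Text"), (IMAGE_SCN_MEM_DISCARDABLE, "Discardable"),
              (IMAGE_SCN_MEM_EXECUTE, "Executable"), (IMAGE_SCN_MEM_READ, "Readable"),
              (IMAGE_SCN_MEM_WRITE, "Writable")]

def describe_flags(chars):
    """Render a Characteristics value the way the IDA section header comment does."""
    return " ".join(name for bit, name in FLAG_NAMES if chars & bit)

def parse_sections(pe):
    """Return (name, virtual_address, virtual_size, characteristics) per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size                # section table follows the optional header
    out = []
    for _ in range(nsect):
        name, vsize, vaddr, _raw, _rawptr, _rel, _ln, _nrel, _nln, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
        off += 40
    return out

def discardable_sections(pe):
    """Names of sections the memory manager may discard after DriverEntry returns."""
    return [s[0] for s in parse_sections(pe) if s[3] & IMAGE_SCN_MEM_DISCARDABLE]

def build_sample_pe():
    """Constructed minimal PE: a .text section and an INIT section with post #61's values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, 0xE0 opt hdr
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    init = struct.pack("<8sIIIIIIHHI", b"INIT", 0x1E000, 0x60000, 0x1E000, 0x60000, 0, 0, 0, 0, 0xE2000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + text + init

if __name__ == "__main__":
    for name, vaddr, vsize, chars in parse_sections(build_sample_pe()):
        print(f"{name:8s} VA {vaddr:08X} size {vsize:08X} {chars:08X}: {describe_flags(chars)}")
```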
