(Syscall IDP Engine).
Captures all system services (KDR, hidden). Returns control at a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher).
o X86, KM, MI, KDR.
o SST can be chosen: SST[0], SST[0] for the GUI thread, SST[1] for shadow.
Vid http://rghost.ru/47763708
Org http://vx.security-portal.cz/
Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.
To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.
The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.
All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.
SIDE.
filter (anti-anti-debug).
Attachment: Filter.zip (70.99 KiB), downloaded 258 times
Big update, source is private (vxforum.net). Best of the existing addons (phantom & strong are crap!).
Code:
Int 0x2e(rEcx & rEdx)
NtQueryInformationProcess(ProcessDebugObjectHandle)
NtQueryInformationProcess(ProcessDebugPort)
NtQueryInformationProcess(ProcessDebugFlags)
NtQueryInformationProcess(InheritedFromUniqueProcessId)
NtTerminateProcess
NtClose(#IH)
NtOpenProcess(Name)
NtOpenProcess(Debug privilege)
NtSetInformationThread(ThreadHideFromDebugger)
NtSetInformationThread(ThreadBreakOnTermination)
NtQueryInformationThread(ThreadBreakOnTermination)
NtCreateFile("\??\SYSER" etc)
NtSetDebugFilterState
NtContinue
NtQueryPerformanceCounter
NtQuerySystemInformation(SystemKernelDebuggerInformation)
NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
NtQueryObject(ObjectAllTypesInformation, "DebugObject")
NtRemoveProcessDebug
NtQuerySystemTime
NtSetSystemInformation(SystemVerifierInformation)
NtSetSystemInformation(SystemFlagsInformation)
NtSystemDebugControl
NtQueryObject
- NtQueryInformationProcess(ProcessBreakOnTermination)
- NtSetInformationProcess(ProcessBreakOnTermination)
FindWindow("OLLYDBG" etc)
RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
BlockInput()
Time log:
SetTimer()
NtSetTimer
NtDelayExecution
NtWaitForKeyedEvent
NtReleaseKeyedEvent
NtSignalAndWaitForSingleObject
NtWaitForSingleObject
NtWaitForMultipleObjects
NtQuerySystemInformation(SystemTimeOfDayInformation)
Attachment: Flt.zip (49.08 KiB), downloaded 181 times
Upd.
Code:
Fix waiters, IsProtectedDevice()
Add NtQuerySystemInformation(SystemObjectInformation)
Add NtOpenProcess(debug process)
Add NtQuerySystemInformation(SystemHandleInformation, DebugObject)
Fix trap in Filter(), OPT_ENABLE_TRACE
Add NtQueryInformationProcess(ProcessBreakOnTermination)
Add safe dispatch NtClose, OPT_SAFE_HANDLES
Del dispatch RtlQueryProcessDebug[Heap]Information
Fix NtClose(STATUS_HANDLE_NOT_CLOSABLE)
Attachment: Pub.zip (57.92 KiB), downloaded 153 times
Code:
Fix Filter: stack align, trap(OPT_ENABLE_RF) etc.
Add SystemSessionProcessInformation
Add SystemExtendedProcessInformation
Fix NtClose, performance.
Add ProcessHandleTracing
Add SystemExtendedHandleInformation
Fix SYSTEM_HANDLE_TABLE_ENTRY_INFO.UniqueProcessId
Add local breakpoints.
Fix time conversion.
Add NtQueryWindow
Add NtUserBuildHwndList
Del FindWindow(), add NtUserFindWindowEx
Del BlockInput(), add NtUserBlockInput
Add break on attach(!PEB.BeingDebugged), break on startup.
Attachment: Dll.zip (27.56 KiB), downloaded 140 times
What's the meaning?
Antispam
Please answer the question. This process prevents automated registration by spammers.
Reverse the crackme at the link: http://vxforum.net/b/c.rar . It contains a PNG image with the code.
Is the following right?
ntispam
Please answer the question. This process prevents automatic registration spammers.
Razreversite krekmi link: http://vxforum.net/b/c.rar. It is a PNG image with the code.
six_L
http://yadi.sk/d/ESK5_yuvC9TsU
Code:
Add NtUserWindowFromPoint
Add NtUserGetGUIThreadInfo
Add hide debug thread.
Fix NtOpenProcess
Fix IsProtectedProcess(), IsCurrentProcessThread().
Fix GetDebugObjectTypeIndex(W7).
Add SIDE check.
Add hide process name in snapshot.
Fix shadow initialize(W7).
The answer is wrong. Try again or change the question.
six_L
How do I answer the question correctly while I register on vxforum?