Welcome to the new Woodmann RCE Messageboards Regroupment

Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

SIDE.

Post by Indy »

(Syscall IDP Engine).

Captures all system services (KDR, hidden). Returns control at a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher).

o X86, KM, MI, KDR.
o SST[0] or SST[1] may be chosen (SST[0] for GUI threads, SST[1] for shadow).

Video: http://rghost.ru/47763708

Original: http://vx.security-portal.cz/

Attachment: SIDE.zip (47.37 KiB)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Log added.

Attachment: Api.zip (95.92 KiB)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Filter (anti-anti-debug).

Attachment: Filter.zip (70.99 KiB)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Big update; the source is private (vxforum.net). Best of the existing addons (phantom & strong are crap!).

Code:

Int 0x2e(rEcx & rEdx)

NtQueryInformationProcess(ProcessDebugObjectHandle)
NtQueryInformationProcess(ProcessDebugPort)
NtQueryInformationProcess(ProcessDebugFlags)
NtQueryInformationProcess(InheritedFromUniqueProcessId)
NtTerminateProcess
NtClose(#IH)
NtOpenProcess(Name)
NtOpenProcess(Debug privilege)
NtSetInformationThread(ThreadHideFromDebugger)
NtSetInformationThread(ThreadBreakOnTermination)
NtQueryInformationThread(ThreadBreakOnTermination)
NtCreateFile("\??\SYSER" etc)
NtSetDebugFilterState
NtContinue
NtQueryPerformanceCounter
NtQuerySystemInformation(SystemKernelDebuggerInformation)
NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
NtQueryObject(ObjectAllTypesInformation, "DebugObject")
NtRemoveProcessDebug
NtQuerySystemTime
NtSetSystemInformation(SystemVerifierInformation)
NtSetSystemInformation(SystemFlagsInformation)
NtSystemDebugControl
NtQueryObject

- NtQueryInformationProcess(ProcessBreakOnTermination)
- NtSetInformationProcess(ProcessBreakOnTermination)

FindWindow("OLLYDBG" etc)
RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
BlockInput()

Time log:
SetTimer()
NtSetTimer
NtDelayExecution
NtWaitForKeyedEvent
NtReleaseKeyedEvent
NtSignalAndWaitForSingleObject
NtWaitForSingleObject
NtWaitForMultipleObjects
NtQuerySystemInformation(SystemTimeOfDayInformation)

Attachment: Flt.zip (49.08 KiB)
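The dispatch path described in the first post (int 0x2e/sysenter -> PEB.Filter() -> backdoor() -> nt service dispatcher) and the NtQueryInformationProcess / NtSetInformationThread entries in the list above, modelled as an added example in portable C. This is not SIDE's code and is not part of the attachments: the service numbers, the "kernel" behind backdoor() and the attached-debugger state are assumed stand-ins so the model compiles and runs on any C compiler, while the information-class values and NTSTATUS codes are the real Windows ones. It shows the two things a filter of this kind has to do: swallow a call before it reaches the kernel (ThreadHideFromDebugger) and scrub the kernel's answer afterwards (ProcessDebugPort, ProcessDebugObjectHandle, ProcessDebugFlags), each probe returning 1 when a protector's check would conclude that a debugger is present.

```c
/* Model of SIDE's dispatch path (not SIDE's code): int 0x2e/sysenter -> PEB.Filter()
 * -> backdoor() -> nt service dispatcher. Service numbers and the "kernel" behind
 * backdoor() are ASSUMED stand-ins; info-class values and status codes are real. */
#include <stdint.h>
#include <stdio.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003)
#define STATUS_PORT_NOT_SET       ((NTSTATUS)0xC0000353)
enum { ProcessDebugPort = 7, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31 };
enum { ThreadHideFromDebugger = 17 };
enum { SVC_NtQueryInformationProcess = 1, SVC_NtSetInformationThread = 2 };  /* hypothetical */
/* What Filter() receives: service index (eax) and argument block (edx), in the
 * Nt* prototype's parameter order. */
typedef struct { uint32_t service; uintptr_t arg[4]; } syscall_frame;
/* Constructed kernel-side view of the debuggee: a debugger is attached. */
static struct { int debugger_attached, thread_hidden; } g = { 1, 0 };

/* backdoor(): stand-in for the real nt service dispatcher. */
static NTSTATUS backdoor(syscall_frame *f)
{
    uint32_t cls = (uint32_t)f->arg[1], len = (uint32_t)f->arg[3];
    void *buf = (void *)f->arg[2];
    if (f->service == SVC_NtSetInformationThread) {               /* (Thread, Class, Buf, Len) */
        if (cls != ThreadHideFromDebugger) return STATUS_INVALID_INFO_CLASS;
        g.thread_hidden = 1;
        return STATUS_SUCCESS;
    }
    if (f->service != SVC_NtQueryInformationProcess) return STATUS_INVALID_INFO_CLASS;
    if (cls == ProcessDebugPort && len >= sizeof(uintptr_t)) {     /* (Process, Class, Buf, Len, Ret) */
        *(uintptr_t *)buf = g.debugger_attached ? (uintptr_t)-1 : 0;
        return STATUS_SUCCESS;
    }
    if (cls == ProcessDebugObjectHandle && len >= sizeof(uintptr_t)) {
        *(uintptr_t *)buf = g.debugger_attached ? 0x1c4 : 0;        /* made-up handle value */
        return g.debugger_attached ? STATUS_SUCCESS : STATUS_PORT_NOT_SET;
    }
    if (cls == ProcessDebugFlags && len >= sizeof(uint32_t)) {
        *(uint32_t *)buf = g.debugger_attached ? 0 : 1;             /* 0 => being debugged */
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_INFO_CLASS;
}

/* Filter(): the user-mode hook reached from int 0x2e/sysenter. Swallows calls that
 * would blind the debugger, forwards the rest through backdoor(), then rewrites
 * debugger-revealing answers to what an undebugged process would see. */
NTSTATUS Filter(syscall_frame *f)
{
    uint32_t cls = (uint32_t)f->arg[1];
    void *buf = (void *)f->arg[2];
    if (f->service == SVC_NtSetInformationThread && cls == ThreadHideFromDebugger)
        return STATUS_SUCCESS;                       /* claim success, never reach the kernel */
    NTSTATUS st = backdoor(f);
    if (st != STATUS_SUCCESS || f->service != SVC_NtQueryInformationProcess) return st;
    switch (cls) {
    case ProcessDebugPort:         *(uintptr_t *)buf = 0; break;
    case ProcessDebugObjectHandle: *(uintptr_t *)buf = 0; st = STATUS_PORT_NOT_SET; break;
    case ProcessDebugFlags:        *(uint32_t *)buf = 1; break;   /* PROCESS_DEBUG_INHERIT */
    }
    return st;
}

/* Probes shaped like the checks in the list. filtered=0 hits the raw "kernel",
 * filtered=1 goes through Filter(). Each returns 1 when a debugger would be detected. */
static NTSTATUS query_proc(uint32_t cls, void *buf, uint32_t len, int filtered)
{
    syscall_frame f = { SVC_NtQueryInformationProcess, { (uintptr_t)-1, cls, (uintptr_t)buf, len } };
    return filtered ? Filter(&f) : backdoor(&f);
}
int check_debug_port(int filtered)
{
    uintptr_t port = 0;
    return query_proc(ProcessDebugPort, &port, sizeof port, filtered) == STATUS_SUCCESS && port != 0;
}
int check_debug_object(int filtered)
{
    uintptr_t h = 0;
    return query_proc(ProcessDebugObjectHandle, &h, sizeof h, filtered) == STATUS_SUCCESS && h != 0;
}
int check_debug_flags(int filtered)
{
    uint32_t flags = 1;
    return query_proc(ProcessDebugFlags, &flags, sizeof flags, filtered) == STATUS_SUCCESS && flags == 0;
}
int check_hide_thread(int filtered)   /* 1 if the thread really became hidden */
{
    g.thread_hidden = 0;
    syscall_frame f = { SVC_NtSetInformationThread, { (uintptr_t)-2, ThreadHideFromDebugger, 0, 0 } };
    return (filtered ? Filter(&f) : backdoor(&f)) == STATUS_SUCCESS && g.thread_hidden;
}

int main(void)
{
    int (*checks[])(int) = { check_debug_port, check_debug_object, check_debug_flags, check_hide_thread };
    const char *names[] = { "ProcessDebugPort", "ProcessDebugObjectHandle", "ProcessDebugFlags",
                            "ThreadHideFromDebugger" };
    for (int i = 0; i < 4; i++)
        printf("%-24s raw=%d  via Filter=%d\n", names[i], checks[i](0), checks[i](1));
    return 0;
}
```

The order of the two halves of Filter() matters in practice: ProcessDebugObjectHandle must be answered with STATUS_PORT_NOT_SET and a zero handle, not just a zero handle with STATUS_SUCCESS, because a protector can test the status as well as the buffer; and ThreadHideFromDebugger has to be refused before the dispatcher runs, since once the kernel has set the flag the debugger loses the thread for good.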
disavowed
Posts: 1290
Joined: Mon Apr 01, 2002 3:00 pm

Post by disavowed »

Seems to fail against Obsidium's debugger detection.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Not all methods are implemented.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Update.

Code:

Fix waiters, IsProtectedDevice()
Add NtQuerySystemInformation(SystemObjectInformation)
Add NtOpenProcess(debug process)
Add NtQuerySystemInformation(SystemHandleInformation, DebugObject)
Fix trap in Filter(), OPT_ENABLE_TRACE
Add NtQueryInformationProcess(ProcessBreakOnTermination)
Add safe dispatch NtClose, OPT_SAFE_HANDLES
Del dispatch RtlQueryProcessDebug[Heap]Information
Fix NtClose(STATUS_HANDLE_NOT_CLOSABLE)

Attachment: Pub.zip (57.92 KiB)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Code:

Fix Filter: stack align, trap(OPT_ENABLE_RF) etc.
Add SystemSessionProcessInformation
Add SystemExtendedProcessInformation
Fix NtClose, performance.
Add ProcessHandleTracing
Add SystemExtendedHandleInformation
Fix SYSTEM_HANDLE_TABLE_ENTRY_INFO.UniqueProcessId
Add local breakpoints.
Fix time convertion.
Add NtQueryWindow
Add NtUserBuildHwndList
Del FindWindow(), add NtUserFindWindowEx
Del BlockInput(), add NtUserBlockInput
Add break on attach(!PEB.BeingDebugged), break on startup.

Attachment: Dll.zip (27.56 KiB)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

disavowed

Bypasses Obsidium (v1.5.0) debugger detection (Olly 2); tested on XP only.

Attachment: Pub.zip (273.02 KiB)
six_L
Junior Member
Posts: 5
Joined: Mon Nov 04, 2013 6:12 pm

Post by six_L »

Anti-spam
Please answer the question. This process prevents automatic registration by spammers.

Reverse the crackme at the link: http://vxforum.net/b/c.rar . It contains a PNG image with the code.
What does this mean?
Is the following right?
Anti-spam
Please answer the question. This process prevents spammers from registering automatically.
Reverse the crackme at the link: http://vxforum.net/b/c.rar. It is a PNG image with the code.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

six_L

To keep the site free of inappropriate content :p

Code:

Add NtUserWindowFromPoint
Add NtUserGetGUIThreadInfo
Add hide debug thread.
Fix NtOpenProcess
Fix IsProtectedProcess(), IsCurrentProcessThread().
Fix GetDebugObjectTypeIndex(W7).
Add SIDE check.
Add hide process name in snapshot.
Fix shadow initialize(W7).
http://yadi.sk/d/ESK5_yuvC9TsU
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Indy wrote:To keep the site free of inappropriate content :p
vxforum != inappropriate content

That's funny :D
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Relative to what... Nice captcha :devil:
six_L
Junior Member
Posts: 5
Joined: Mon Nov 04, 2013 6:12 pm

Post by six_L »

Indy wrote:six_L

To keep the site free of inappropriate content :p

Code:

Add NtUserWindowFromPoint
Add NtUserGetGUIThreadInfo
Add hide debug thread.
Fix NtOpenProcess
Fix IsProtectedProcess(), IsCurrentProcessThread().
Fix GetDebugObjectTypeIndex(W7).
Add SIDE check.
Add hide process name in snapshot.
Fix shadow initialize(W7).

Wrong answer. Try again or change the question.

How do I answer the question correctly when I register on vxforum?
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

..