Click here to download the project files.
This article is just for fun, don't take it too serious. Some time ago a friend (Littleluk) asked me if i was interested in helping him with the coding stuff related the unpacking of themida (the commercial successor of xprotector). I agreed. However, i had second thoughts about it. 'Cause, to be sincere, i don't like to waste my time over useless things and themida sure is one of them. For those who still don't know what i'm talking about: themida is a packer, moreover it's a packer who runs partly in kernel-mode. This means: if you try to debug themida with a debugger, it will crash your system. Very unprofessional, i know. And that's mainly the reason i look at themida as a toy for reversers. Lets get this straight, themida will never be used by major companies, nobody would protect a good software with a protector who patches the kernel of windows, patches the SDT, patches the IDT, in certain situations makes you reboot your computer etc etc? This means themida isn't widely used and there's no real interest in unpacking it other than the fun itself. I have no fun doing useless things, but since Littleluk is the reverser, i have just to code some stuff (and using old code snippets i've already coded). And this is what this article is all about, a tool i wrote. It's not a tool to unpack themida (that would be impossible: Littleluk hasn't reversed it yet). The tool makes work some tools you already have on you computer against themida.
A few warnings:
1 - this article is nothing hardcore, don't let you impress by the driver coding stuff, it's ridiculous stuff for a driver writer (and i say that 'cause sometime in the reversing scene it's easy to find people with no knowledge of kernel-mode programming).
2 - the things you're going to read in this article will be obsolete in a few years (as the tricks themida uses).
3 - i never touched themida, i wrote the tool out of my experience and the results i got from Littleluk.
4 - i'm not going to explain what SDT, IDT and other internals relative concepts mean. If you ignore the meaning look on the web. I have no time to explain more than necessary, in fact this is one of the reason i'm releasing this article right now. I just have available a coule of days and then i have to go back to work (real work).
5 - i'm going to explain what i know about themida, or better what you need to know to understand the tool i wrote. I'm not reversing themida, so i don't care about a lot things.
6 - i don't know if there will be another version of the AntiMida, it depends on the information which is given to me by the reverser/s and on how much free time i'll have.
7 - it doesn't work if u're using PAE extension (i was too lazy to add some code).
8 - The way the tool acts wasn't absolutely necessary, there were other ways.
The victim which was used for the tests is nothing else than the themida itself (the demo version i mean). You can download it from the official webpage (current version is 1.0.0.5).
The AntiMida is not a planned tool, everytime there was a problem i tried to code the solution for it. At the moment AntiMida lets you:
1 - use common user-mode applications to dump themida.
2 - use tools like imprec, winhex (to see the proc memory), etc.
3 - monitor file and registry access.
But one thing at a time. The first step was to dump themida. How? First we had to know what themida does to protect itself against dumping. Actually the first idea to dump themida was to use KeAttachProcess, we dumped ntoskrnl (with wark) and saw that the keattachprocess was patched with a jmp to a themida routine. So, to use keattachprocess it was necessary to pacth the ntoskrnl first (i paste later the code). Here's the routine i wrote with KeAttachProcess:
case CODE_READ_MEM:
{
MemReadInfo mri;
ULONG_PTR ptr, addr;
BYTE *Buffer;
UINT x, y;
RtlCopyMemory(&mri, pInput, sizeof (MemReadInfo));
if (PsLookupProcessByProcessId(mri.PID, &ptr) != STATUS_SUCCESS)
return STATUS_INVALID_PARAMETER;
Buffer = (BYTE *) ExAllocatePool(NonPagedPool, dwOutputSize);
if (Buffer == NULL)
return STATUS_INVALID_PARAMETER;
KeAttachProcess(ptr);
if (dwOutputSize <= 0x1000)
{
x = 1;
}
else
{
x = dwOutputSize / 0x1000;
if (dwOutputSize % 0x1000 != 0)
x++;
}
for (y = 0; y < x; y++)
{
addr = y * 0x1000 + (ULONG_PTR) mri.Address;
if (MmIsAddressValid((PVOID) addr) == FALSE)
{
ExFreePool(Buffer);
return STATUS_INVALID_PARAMETER;
}
}
RtlCopyMemory(Buffer, mri.Address, dwOutputSize);
KeDetachProcess();
RtlCopyMemory(pOutput, Buffer, dwOutputSize);
ExFreePool(Buffer);
*pdwInfo = dwOutputSize;
break;
}
I pasted it just for information, 'cause this code isn't used anymore by the AntiMida. It was obvious that themida was hooking the SDT, so after a scanning with sdtrestore a list of hooked services was given to me:
ZwAllocateVirtualMemory 11 --[hooked by unknown at F5938BC4]--
ZwCreateThread 35 --[hooked by unknown at F5938CBE]--
ZwDebugContinue 3A --[hooked by unknown at F59391A0]--
ZwQueryVirtualMemory B2 --[hooked by unknown at F5938ACA]--
ZwReadVirtualMemory BA --[hooked by unknown at F5938014]--
ZwTerminateProcess 101 --[hooked by unknown at F59389D0]--
ZwWriteVirtualMemory 115 --[hooked by unknown at F5938000]--
Ok ZwAllocateVirtualMemory, ZwQueryVirtualMemory, ZwReadVirtualMemory, ZwWriteVirtualMemory, ZwCreateThread make sense, since we could use all these functions to dump themida. ZwDebugContinue is to avoid debugging, although themida fucks with the IDT as well (so this is way not the only trick against debugging, would be too easy, of course). ZwTerminateProcess is unimportant, i guess it's only hooked to know when a protected process is killed. Of course if you try to restore one of these services themida crashes the system.
The idea i had was to build a tool which would make other already existing tools work. So i organized an interface with a list of the running processes and the possibility of selecting one of those processes and make it AntiMida, this means immune against themida. A brief look at the interface is thousand of words worth.
When the the little wizard is pressed, a dll is injected in the address space of the selected process, the functions themida is protecting itself against are hooked and redirected to the injected dll, each time a hooked function is called, the dll calls a driver which process the operation. Ok, but how does my driver process the requested operation? You'll see that later. Now lets take a look on the injection/hooking routines:
BOOL InjectModule(IN ULONG_PTR ProcessID, IN TCHAR *ModuleName,
OUT ULONG_PTR *BaseAddress OPTIONAL)
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
ProcessID);
if (hProcess == NULL)
return FALSE;
HANDLE hFile = CreateFile(ModuleName, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
CloseHandle(hProcess);
return FALSE;
}
UINT PE_Size = GetFileSize(hFile, NULL);
BYTE *PE_Buffer = (BYTE *) VirtualAlloc(NULL, PE_Size,
MEM_COMMIT, PAGE_READWRITE);
if (PE_Buffer == NULL)
{
CloseHandle(hProcess);
CloseHandle(hFile);
return FALSE;
}
DWORD BR;
if (!ReadFile(hFile, PE_Buffer, PE_Size, &BR, NULL))
{
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
CloseHandle(hFile);
return FALSE;
}
CloseHandle(hFile);
BYTE *PE_Image;
IMAGE_DOS_HEADER *ImgDosHdr;
IMAGE_NT_HEADERS *ImgNtHdrs;
ULONG_PTR ImgBase, Delta, Reloc_Offset;
IMAGE_BASE_RELOCATION *ImgBaseReloc;
WORD *wData;
UINT i, nItems;
ULONG_PTR Offset;
DWORD Type;
ULONG_PTR *Block, BlockOffs;
ULONG_PTR IT_Offset;
IMAGE_IMPORT_DESCRIPTOR *ImgImpDescr;
UINT x = 0, y = 0;
CHAR *DllName;
ULONG_PTR *Thunks, *FThunks;
IMAGE_IMPORT_BY_NAME *ImgImpName;
_try
{
ImgDosHdr = (IMAGE_DOS_HEADER *) PE_Buffer;
ImgNtHdrs = (IMAGE_NT_HEADERS *) (ImgDosHdr->e_lfanew +
(ULONG_PTR) PE_Buffer);
if (ImgDosHdr->e_magic != IMAGE_DOS_SIGNATURE ||
ImgNtHdrs->Signature != IMAGE_NT_SIGNATURE)
{
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
ImgBase = (ULONG_PTR) VirtualAllocEx(hProcess,
(PVOID) 0, //ImgNtHdrs->OptionalHeader.ImageBase,
ImgNtHdrs->OptionalHeader.SizeOfImage, MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (ImgBase == NULL)
{
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
//
// is file image base == memory image base?
// if not, relocate
//
if (ImgNtHdrs->OptionalHeader.ImageBase != ImgBase)
{
Delta = ImgBase - ImgNtHdrs->OptionalHeader.ImageBase;
if (!ImgNtHdrs->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress ||
!(Reloc_Offset = RvaToOffset(ImgNtHdrs,
ImgNtHdrs->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)))
{
VirtualFreeEx(hProcess, (LPVOID) ImgBase, 0, MEM_RELEASE);
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
ImgBaseReloc = (IMAGE_BASE_RELOCATION *)
(Reloc_Offset + (ULONG_PTR) PE_Buffer);
do
{
if (!ImgBaseReloc->SizeOfBlock)
break;
nItems = (ImgBaseReloc->SizeOfBlock -
IMAGE_SIZEOF_BASE_RELOCATION) / sizeof (WORD);
wData = (WORD *)(IMAGE_SIZEOF_BASE_RELOCATION +
(ULONG_PTR) ImgBaseReloc);
for (i = 0; i < nItems; i++)
{
Offset = (*wData & 0xFFF) + ImgBaseReloc->VirtualAddress;
Type = *wData >> 12;
if (Type != IMAGE_REL_BASED_ABSOLUTE)
{
BlockOffs = RvaToOffset(ImgNtHdrs, Offset);
if (BlockOffs == NULL)
{
VirtualFreeEx(hProcess, (LPVOID) ImgBase, 0, MEM_RELEASE);
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
Block = (DWORD *)(BlockOffs + (ULONG_PTR) PE_Buffer);
*Block += Delta;
}
wData++;
}
ImgBaseReloc = (PIMAGE_BASE_RELOCATION) wData;
} while (*(DWORD *) wData);
}
//
// fill the import addres table
//
if (ImgNtHdrs->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
{
IT_Offset = RvaToOffset(ImgNtHdrs,
ImgNtHdrs->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
ImgImpDescr = (IMAGE_IMPORT_DESCRIPTOR *) (IT_Offset +
(ULONG_PTR) PE_Buffer);
// for each descriptor
while (ImgImpDescr[x].FirstThunk != 0)
{
DllName = (CHAR *) (RvaToOffset(ImgNtHdrs,
ImgImpDescr[x].Name) + (ULONG_PTR) PE_Buffer);
Thunks = (ULONG_PTR *) (RvaToOffset(ImgNtHdrs,
ImgImpDescr[x].OriginalFirstThunk != 0 ?
ImgImpDescr[x].OriginalFirstThunk :
ImgImpDescr[x].FirstThunk) + (ULONG_PTR) PE_Buffer);
FThunks = (ULONG_PTR *) (RvaToOffset(ImgNtHdrs,
ImgImpDescr[x].FirstThunk) + (ULONG_PTR) PE_Buffer);
y = 0;
//
// every imported function of the module
//
while (Thunks[y] != 0)
{
//
// imported by ordinal?
//
if (Thunks[y] & IMAGE_ORDINAL_FLAG)
{
FThunks[y] = (ULONG_PTR) GetProcAddress(
GetModuleHandle(DllName),
(LPCSTR) (Thunks[y] - IMAGE_ORDINAL_FLAG));
y++;
continue;
}
ImgImpName = (IMAGE_IMPORT_BY_NAME *) (RvaToOffset(
ImgNtHdrs, Thunks[y]) + (ULONG_PTR) PE_Buffer);
FThunks[y] = (ULONG_PTR) GetProcAddress(GetModuleHandle(DllName),
(LPCSTR) &ImgImpName->Name);
y++;
}
x++;
}
}
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
VirtualFreeEx(hProcess, (LPVOID) ImgBase, 0, MEM_RELEASE);
VirtualFree((LPVOID) PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
//
// create virtual image of the PE file
//
PE_Image = (BYTE *) VirtualAlloc(NULL,
ImgNtHdrs->OptionalHeader.SizeOfImage,
MEM_COMMIT, PAGE_READWRITE);
if (PE_Image == NULL)
{
VirtualFreeEx(hProcess, (LPVOID) ImgBase, 0, MEM_RELEASE);
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
return FALSE;
}
ZeroMemory(PE_Image, ImgNtHdrs->OptionalHeader.SizeOfImage);
//
// copy headers
//
IMAGE_SECTION_HEADER *Sect;
Sect = IMAGE_FIRST_SECTION(ImgNtHdrs);
RtlCopyMemory(PE_Image, PE_Buffer, Sect[0].PointerToRawData);
//
// map sections
//
for (UINT j = 0; j < ImgNtHdrs->FileHeader.NumberOfSections; j++)
{
BYTE *Source = (BYTE *)(Sect[j].PointerToRawData +
(ULONG_PTR) PE_Buffer);
BYTE *Dest = (BYTE *)(Sect[j].VirtualAddress +
(ULONG_PTR) PE_Image);
RtlCopyMemory(Dest, Source, Sect[j].SizeOfRawData);
}
BOOL bRet = WriteProcessMemory(hProcess, (LPVOID) ImgBase,
PE_Image, ImgNtHdrs->OptionalHeader.SizeOfImage, &BR);
if (!bRet)
VirtualFreeEx(hProcess, (LPVOID) ImgBase, 0, MEM_RELEASE);
VirtualFree(PE_Image, 0, MEM_RELEASE);
VirtualFree(PE_Buffer, 0, MEM_RELEASE);
CloseHandle(hProcess);
if (bRet == TRUE && BaseAddress != NULL)
*BaseAddress = ImgBase;
return bRet;
}
To fill the import table i used no remote getprocaddress since the dll imports just not relocated system dlls, so a locale getprocaddress is enough. Here's the hooking routine:
void CAntiMidaDlg::OnBnClickedAntimida()
{
ProcList.GetItemText(ProcList.GetNextItem(-1, LVNI_SELECTED), 1,
Buffer, sizeof (Buffer) -1);
ULONG_PTR PID = _tcstoul(Buffer, 0, 16);
wsprintf(Buffer, _T("%samdll.dll"), CurDir);
ULONG_PTR BaseAddress;
//
// inject the module
//
if (InjectModule(PID, _T("amdll.dll"), &BaseAddress))
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL)
{
MessageBox(_T("Cannot make the process AntiMida"), "AntiMida");
return;
}
//
// hook ReadProcessMemory
//
ULONG_PTR Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("kernel32.dll")),
"ReadProcessMemory");
BYTE Instr = 0xB8;
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
ULONG_PTR Rva = GetExportRva(Buffer, "_FakeReadProcessMemory@20");
ULONG_PTR HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WORD Instr2 = 0xE0FF;
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// hook VirtualQueryEx
//
Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("kernel32.dll")),
"VirtualQueryEx");
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
Rva = GetExportRva(Buffer, "_FakeVirtualQueryEx@16");
HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// hook WriteProcessMemory
//
Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("kernel32.dll")),
"WriteProcessMemory");
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
Rva = GetExportRva(Buffer, "_FakeWriteProcessMemory@20");
HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// hook NtAllocateVirtualMemory
// from here i start to hook the ntdll directly
//
Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("ntdll.dll")),
"NtAllocateVirtualMemory");
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
Rva = GetExportRva(Buffer, "_FakeNtAllocateVirtualMemory@24");
HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// hook NtCreateThread
//
Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("ntdll.dll")),
"NtCreateThread");
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
Rva = GetExportRva(Buffer, "_FakeNtCreateThread@32");
HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// hook ZwDebugContinue
//
Addr = (ULONG_PTR) GetProcAddress(
GetModuleHandle(_T("ntdll.dll")),
"ZwDebugContinue");
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr,
sizeof (BYTE), NULL);
Addr++;
Rva = GetExportRva(Buffer, "_FakeZwDebugContinue@12");
HookVA = BaseAddress + Rva;
WriteProcessMemory(hProcess, (LPVOID) Addr, &HookVA,
sizeof (ULONG_PTR), NULL);
Addr += sizeof (ULONG_PTR);
WriteProcessMemory(hProcess, (LPVOID) Addr, &Instr2,
sizeof (WORD), NULL);
//
// everything's hooked
//
CloseHandle(hProcess);
MessageBox(_T("The process is now AntiMida"), "AntiMida");
}
else
{
MessageBox(_T("Cannot make the process AntiMida"), "AntiMida");
}
}
If you're asking yourself why i hooked the first functions in kernel32 and the remaining in ntdll: there's no reason. I was trying if it was working and hooked kernel32 for no reason, but then i was too lazy to rewrite the code and hook ntdll (you see i'm really lazy). In fact the best way is too hook ntdll, not only because it's the direct way but also the shortest (you'll see). GetExportRva is just a small function i wrote to get the rva of an export:
ULONG_PTR GetExportRva(IN TCHAR *FileName, IN CHAR *FunctionName)
{
HMODULE hModule = LoadLibrary(FileName);
if (hModule == NULL)
return 0;
ULONG_PTR VA = (ULONG_PTR) GetProcAddress(hModule,
FunctionName);
FreeLibrary(hModule);
return (ULONG_PTR) (VA - (ULONG_PTR) hModule);
}
Very useful isn't it? Here's the code of the dll i inject:
#include <windows.h>
#include <tchar.h>
//
// driver stuff
//
#ifndef NTSTATUS
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
BOOL OpenDevice(IN LPCTSTR DriverName, HANDLE * lphDevice);
#define FILE_DEVICE_ANTIMIDA 0x8000
#define CODE_RESTORE_INFO CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x800, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_READ_MEM CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x801, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_QUERY_MEM CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x802, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_WRITE_MEM CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x803, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_ALLOC_MEM CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x804, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_CREATE_THREAD CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x805, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CODE_DBG_CONTINUE CTL_CODE(FILE_DEVICE_ANTIMIDA, 0x806, /
METHOD_BUFFERED, FILE_ANY_ACCESS)
//
// ZwReadVirtualMemory stuff
//
typedef struct _Input_ZwReadVirtualMemory
{
HANDLE ProcessHandle;
PVOID BaseAddress;
PVOID Buffer;
ULONG BufferLength;
PULONG ReturnLength;
} Input_ZwReadVirtualMemory;
extern "C" __declspec(dllexport)
BOOL WINAPI FakeReadProcessMemory(HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer, DWORD nSize,
LPDWORD lpNumberOfBytesRead)
{
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
Input_ZwReadVirtualMemory Input;
Input.ProcessHandle = hProcess;
Input.BaseAddress = (PVOID) lpBaseAddress;
Input.Buffer = (PVOID) lpBuffer;
Input.BufferLength = (ULONG) nSize;
Input.ReturnLength = (PULONG) lpNumberOfBytesRead;
DWORD RetBytes;
if (!DeviceIoControl(hDevice, CODE_READ_MEM,
&Input, sizeof (Input_ZwReadVirtualMemory), NULL, 0, &RetBytes, NULL))
{
CloseHandle(hDevice);
return FALSE;
}
CloseHandle(hDevice);
return TRUE;
}
//
// ZwQueryVirtualMemory stuff
//
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName,
MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;
typedef struct _Input_ZwQueryVirtualMemory
{
HANDLE ProcessHandle;
PVOID BaseAddress;
MEMORY_INFORMATION_CLASS MemoryInformationClass;
ULONG MemoryInformationLength;
PVOID MemoryInformation;
PULONG ReturnLength;
} Input_ZwQueryVirtualMemory;
extern "C" __declspec(dllexport)
SIZE_T WINAPI FakeVirtualQueryEx(IN HANDLE hProcess,
IN LPCVOID lpAddress,
OUT PMEMORY_BASIC_INFORMATION lpBuffer,
IN SIZE_T dwLength)
{
Input_ZwQueryVirtualMemory Input;
ULONG ReturnLength;
Input.ProcessHandle = hProcess;
Input.BaseAddress = (PVOID) lpAddress;
Input.MemoryInformationClass = MemoryBasicInformation;
Input.MemoryInformationLength = (ULONG) dwLength;
Input.MemoryInformation = (PVOID) lpBuffer;
Input.ReturnLength = &ReturnLength;
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
DWORD RetBytes;
if (!DeviceIoControl(hDevice, CODE_QUERY_MEM,
&Input, sizeof (Input_ZwQueryVirtualMemory),
NULL, 0, &RetBytes, NULL))
{
CloseHandle(hDevice);
return 0;
}
CloseHandle(hDevice);
return (SIZE_T) ReturnLength;
}
//
// ZwReadVirtualMemory stuff
//
typedef struct _Input_ZwWriteVirtualMemory
{
HANDLE ProcessHandle;
PVOID BaseAddress;
PVOID Buffer;
ULONG BufferLength;
PULONG ReturnLength;
} Input_ZwWriteVirtualMemory;
extern "C" __declspec(dllexport)
BOOL WINAPI FakeWriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress,
LPVOID lpBuffer, DWORD nSize,
LPDWORD lpNumberOfBytesWritten)
{
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
//
// change memory protection
//
DWORD dwOldProtection;
if (!VirtualProtectEx(hProcess, lpBaseAddress, nSize,
PAGE_EXECUTE_READWRITE, &dwOldProtection))
{
CloseHandle(hDevice);
return FALSE;
}
Input_ZwWriteVirtualMemory Input;
Input.ProcessHandle = hProcess;
Input.BaseAddress = (PVOID) lpBaseAddress;
Input.Buffer = (PVOID) lpBuffer;
Input.BufferLength = (ULONG) nSize;
Input.ReturnLength = (PULONG) lpNumberOfBytesWritten;
DWORD RetBytes;
BOOL bRet;
if (!DeviceIoControl(hDevice, CODE_WRITE_MEM,
&Input, sizeof (Input_ZwWriteVirtualMemory), NULL, 0, &RetBytes, NULL))
{
bRet = FALSE;
}
CloseHandle(hDevice);
//
// restore memory protection
//
VirtualProtectEx(hProcess, lpBaseAddress, nSize,
dwOldProtection, &dwOldProtection);
return TRUE;
}
//
// ZwAllocateVirtualMemory stuff
//
typedef struct _Input_ZwAllocateVirtualMemory
{
HANDLE ProcessHandle;
PVOID *BaseAddress;
ULONG_PTR ZeroBits;
PSIZE_T RegionSize;
ULONG AllocationType;
ULONG Protect;
} Input_ZwAllocateVirtualMemory;
extern "C" __declspec(dllexport)
NTSTATUS NTAPI FakeNtAllocateVirtualMemory(IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG_PTR ZeroBits,
IN OUT PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect)
{
Input_ZwAllocateVirtualMemory Input;
Input.ProcessHandle = ProcessHandle;
Input.BaseAddress = BaseAddress;
Input.ZeroBits = ZeroBits;
Input.RegionSize = RegionSize;
Input.AllocationType = AllocationType;
Input.Protect = Protect;
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
DWORD RetBytes;
if (!DeviceIoControl(hDevice, CODE_ALLOC_MEM,
&Input, sizeof (Input_ZwAllocateVirtualMemory),
NULL, 0, &RetBytes, NULL))
{
CloseHandle(hDevice);
// who cares? (invalid parameter)
return ((NTSTATUS)0xC000000DL);
}
CloseHandle(hDevice);
return STATUS_SUCCESS;
}
//
// ZwCreateThread stuff
//
typedef struct _Input_ZwCreateThread
{
PHANDLE ThreadHandle;
ACCESS_MASK DesiredAccess;
PVOID ObjectAttributes;
HANDLE ProcessHandle;
PVOID ClientId;
PCONTEXT ThreadContext;
PVOID UserStack;
BOOLEAN CreateSuspended;
} Input_ZwCreateThread;
extern "C" __declspec(dllexport)
NTSTATUS NTAPI FakeNtCreateThread(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN PVOID ObjectAttributes,
IN HANDLE ProcessHandle,
OUT PVOID ClientId,
IN PCONTEXT ThreadContext,
IN PVOID UserStack,
IN BOOLEAN CreateSuspended)
{
Input_ZwCreateThread Input;
Input.ThreadHandle = ThreadHandle;
Input.DesiredAccess = DesiredAccess;
Input.ObjectAttributes = ObjectAttributes;
Input.ProcessHandle = ProcessHandle;
Input.ClientId = ClientId;
Input.ThreadContext = ThreadContext;
Input.UserStack = UserStack;
Input.CreateSuspended = CreateSuspended;
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
DWORD RetBytes;
if (!DeviceIoControl(hDevice, CODE_CREATE_THREAD,
&Input, sizeof (Input_ZwCreateThread),
NULL, 0, &RetBytes, NULL))
{
CloseHandle(hDevice);
// who cares? (invalid parameter)
return ((NTSTATUS)0xC000000DL);
}
CloseHandle(hDevice);
return STATUS_SUCCESS;
}
//
// ZwDebugContinue stuff
//
typedef struct _Input_ZwDebugContinue
{
PVOID *A;
PVOID *B;
PVOID *C;
} Input_ZwDebugContinue;
extern "C" __declspec(dllexport)
NTSTATUS NTAPI FakeZwDebugContinue(PVOID *A, PVOID *B, PVOID *C)
{
Input_ZwDebugContinue Input;
Input.A = A;
Input.B = B;
Input.C = C;
HANDLE hDevice;
if (OpenDevice(_T("antimida"), &hDevice) == FALSE)
return FALSE;
DWORD RetBytes;
if (!DeviceIoControl(hDevice, CODE_DBG_CONTINUE,
&Input, sizeof (Input_ZwDebugContinue),
NULL, 0, &RetBytes, NULL))
{
CloseHandle(hDevice);
// who cares? (invalid parameter)
return ((NTSTATUS)0xC000000DL);
}
CloseHandle(hDevice);
return STATUS_SUCCESS;
}
BOOL OpenDevice(IN LPCTSTR DriverName, HANDLE * lphDevice)
{
TCHAR completeDeviceName[64];
HANDLE hDevice;
/*if ( (GetVersion() & 0xFF) >= 5 ) { wsprintf(completeDeviceName, TEXT("////.//Global//%s"), DriverName); } else {*/
wsprintf(completeDeviceName, TEXT("////.//%s"), DriverName);
//}
hDevice = CreateFile(completeDeviceName, GENERIC_READ | GENERIC_WRITE, 0,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDevice == ((HANDLE)-1))
return FALSE;
if (lphDevice)
*lphDevice = hDevice;
else
CloseHandle(hDevice);
return TRUE;
}
BOOL APIENTRY DllMain(HANDLE hModule, DWORD Reason, LPVOID lpReserved)
{
switch (Reason)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls((HMODULE) hModule);
break;
}
case DLL_PROCESS_DETACH:
{
return TRUE;
}
default:
{
return FALSE;
}
}
return TRUE;
}
I don't think there's something to explain about this code. As i was saying i perform in the driver the requested operations, but how? Just by calling the original service in ntoskrnl. The problem is that ntoskrnl doesn't export in his export table the services in the SDT, how is it then possible to get the right address? There's a little trick. ntoskrnl has a copy of the SDT in itself. So i wrote the code to get the address of the original services:
//
// thanks to 90210 for the code
// http://www.rootkit.com/newsread.php?newsid=176
// u saved some of my time
//
#include "stdafx.h"
#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))
#define ibaseDD *(PDWORD)&ibase
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef struct {
WORD offset:12;
WORD type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
typedef LONG NTSTATUS;
NTSTATUS (WINAPI *pNtQuerySystemInformation)(
DWORD SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef struct _SYSTEM_MODULE_INFORMATION {//Information Class 11
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
typedef struct {
DWORD dwNumberOfModules;
SYSTEM_MODULE_INFORMATION smi;
} MODULES, *PMODULES;
#define SystemModuleInformation 11
DWORD GetHeaders(PBYTE ibase,
PIMAGE_FILE_HEADER *pfh,
PIMAGE_OPTIONAL_HEADER *poh,
PIMAGE_SECTION_HEADER *psh)
{
PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;
if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE) ||
(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE))
return FALSE;
*pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE)
return FALSE;
*pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
*poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC)
return FALSE;
*psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
return TRUE;
}
DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT)
{
PIMAGE_FILE_HEADER pfh;
PIMAGE_OPTIONAL_HEADER poh;
PIMAGE_SECTION_HEADER psh;
PIMAGE_BASE_RELOCATION pbr;
PIMAGE_FIXUP_ENTRY pfe;
DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
BOOL bFirstChunk;
GetHeaders((PBYTE)hModule,&pfh,&poh,&psh);
// loop thru relocs to speed up the search
if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
(!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {
pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
bFirstChunk=TRUE;
// 1st IMAGE_BASE_RELOCATION.VirtualAddress of ntoskrnl is 0
while (bFirstChunk || pbr->VirtualAddress) {
bFirstChunk=FALSE;
pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));
for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {
if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
dwFixups++;
dwPointerRva=pbr->VirtualAddress+pfe->offset;
// DONT_RESOLVE_DLL_REFERENCES flag means relocs aren't fixed
dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;
// does this reloc point to KeServiceDescriptorTable.Base?
if (dwPointsToRva==dwKSDT) {
// check for mov [mem32],imm32. we are trying to find
// "mov ds:_KeServiceDescriptorTable.Base, offset _KiServiceTable"
// from the KiInitSystem.
if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7) {
// should check for a reloc presence on KiServiceTable here
// but forget it
dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
return dwKiServiceTable;
}
}
} else
if (pfe->type!=IMAGE_REL_BASED_ABSOLUTE)
{
// should never get here
}
}
*(PDWORD)&pbr+=pbr->SizeOfBlock;
}
}
if (!dwFixups)
{
// should never happen - nt, 2k, xp kernels have relocation data
}
return 0;
}
BOOL SDT_GetOriginalFunctions(PRESTORE_INFO pRestoreInfo)
{
HMODULE hKernel;
DWORD dwKSDT; // rva of KeServiceDescriptorTable
DWORD dwKiServiceTable; // rva of KiServiceTable
PMODULES pModules=(PMODULES)&pModules;
DWORD dwNeededSize,rc;
DWORD dwKernelBase,dwServices=0;
PCHAR pKernelName;
PDWORD pService;
PIMAGE_FILE_HEADER pfh;
PIMAGE_OPTIONAL_HEADER poh;
PIMAGE_SECTION_HEADER psh;
pNtQuerySystemInformation = (NTSTATUS (WINAPI *)(
DWORD, PVOID, ULONG, PULONG)) GetProcAddress(
GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
// get system modules - ntoskrnl is always first there
rc=pNtQuerySystemInformation(SystemModuleInformation,pModules,4,&dwNeededSize);
if (rc==STATUS_INFO_LENGTH_MISMATCH) {
pModules = (PMODULES) GlobalAlloc(GPTR,dwNeededSize);
rc=pNtQuerySystemInformation(SystemModuleInformation,pModules,dwNeededSize,NULL);
} else {
strange:
return FALSE;
}
if (!NT_SUCCESS(rc)) goto strange;
// imagebase
dwKernelBase=(DWORD)pModules->smi.Base;
// filename - it may be renamed in the boot.ini
pKernelName=pModules->smi.ModuleNameOffset+pModules->smi.ImageName;
// map ntoskrnl - hopefully it has relocs
hKernel=LoadLibraryEx(pKernelName,0,DONT_RESOLVE_DLL_REFERENCES);
if (!hKernel) {
return FALSE;
}
GlobalFree(pModules);
// our own export walker is useless here - we have GetProcAddress
if (!(dwKSDT=(DWORD)GetProcAddress(hKernel,"KeServiceDescriptorTable"))) {
return FALSE;
}
// get KeServiceDescriptorTable rva
dwKSDT-=(DWORD)hKernel;
// find KiServiceTable
if (!(dwKiServiceTable=FindKiServiceTable(hKernel,dwKSDT))) {
return FALSE;
}
// let's dump KiServiceTable contents
// MAY FAIL!!!
// should get right ServiceLimit here, but this is trivial in the kernel mode
GetHeaders((PBYTE) hKernel,&pfh,&poh,&psh);
//
// our code
//
//
// get ZwAllocateVirtualMemory
//
DWORD nServ = GrabService("ZwAllocateVirtualMemory");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwAllocateVirtualMemory =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwCreateThread
//
nServ = GrabService("ZwCreateThread");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwCreateThread =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwDebugContinue
//
nServ = GrabService("ZwDebugContinue");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwDebugContinue =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwQueryVirtualMemory
//
nServ = GrabService("ZwQueryVirtualMemory");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwQueryVirtualMemory =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwReadVirtualMemory
//
nServ = GrabService("ZwReadVirtualMemory");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwReadVirtualMemory =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwTerminateProcess
//
nServ = GrabService("ZwTerminateProcess");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwTerminateProcess =
(*pService-poh->ImageBase + dwKernelBase);
//
// get ZwWriteVirtualMemory
//
nServ = GrabService("ZwWriteVirtualMemory");
pService = (PDWORD)((nServ * sizeof (DWORD)) +
(DWORD) hKernel + dwKiServiceTable);
pRestoreInfo->ZwWriteVirtualMemory =
(*pService-poh->ImageBase + dwKernelBase);
FreeLibrary(hKernel);
}
The GrabService function is based on another little trick to get the SDT entry. In fact SDT entries change every version of windows, so the best way to get the right entry is read it from the ntdll. Look at the NtReadVirtualMemory:
.text:7C91E2BB public ZwReadVirtualMemory
.text:7C91E2BB B8 BA 00 00 00 mov eax, 0BAh ; this is the SDT entry
.text:7C91E2C0 BA 00 03 FE 7F mov edx, 7FFE0300h
.text:7C91E2C5 FF 12 call dword ptr [edx]
.text:7C91E2C7 C2 14 00 retn 14h
So i wrote this function to get the right SDT entry:
//
// thanks to gareth for the idea
// http://www.rootkit.com/newsread.php?newsid=248
//
#include "stdafx.h"
DWORD GrabService(IN CHAR *FunctionName)
{
DWORD Exp = (DWORD) GetProcAddress(
GetModuleHandle(_T("ntdll.dll")), FunctionName);
Exp++; // mov opcode
DWORD *ptr = (DWORD *) Exp;
return *ptr;
}
So i'm collecting the information i send to the driver (restore info), i also send him the original bytes of KeAttachProcess, i don't use it anymore but it could be useful to have it restored:
#include "stdafx.h"
ULONG_PTR RvaToOffset(IMAGE_NT_HEADERS *, ULONG_PTR);
BOOL GetExport(BYTE *, ULONG_PTR *, WORD *, CHAR *);
BOOL GetNtoskrnlOriginalBytes(PRESTORE_INFO pRestoreInfo)
{
TCHAR Buffer[MAX_PATH];
GetSystemDirectory(Buffer, MAX_PATH);
_tcscat(Buffer, _T("//ntoskrnl.exe"));
HANDLE hFile = CreateFile(Buffer, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
return FALSE;
DWORD FileSize = GetFileSize(hFile, NULL);
BYTE *ptrNtoskrnl = (BYTE *) VirtualAlloc(NULL, FileSize,
MEM_COMMIT, PAGE_READWRITE);
if (ptrNtoskrnl == NULL)
{
CloseHandle(hFile);
return FALSE;
}
DWORD BR;
if (!ReadFile(hFile, ptrNtoskrnl, FileSize, &BR, NULL))
{
VirtualFree(ptrNtoskrnl, 0, MEM_RELEASE);
CloseHandle(hFile);
return FALSE;
}
CloseHandle(hFile);
IMAGE_DOS_HEADER *ImgDosHdr = (IMAGE_DOS_HEADER *) ptrNtoskrnl;
IMAGE_NT_HEADERS *ImgNtHdrs = (IMAGE_NT_HEADERS *)
&ptrNtoskrnl[ImgDosHdr->e_lfanew];
ULONG_PTR EP_Rva = 0;
if (!GetExport(ptrNtoskrnl, &EP_Rva, NULL, "KeAttachProcess"))
{
VirtualFree(ptrNtoskrnl, 0, MEM_RELEASE);
return FALSE;
}
BYTE *ptr = (BYTE *) (EP_Rva + (ULONG_PTR) ptrNtoskrnl);
memcpy(pRestoreInfo->KeAttachProcessPatch, ptr, 5);
VirtualFree(ptrNtoskrnl, 0, MEM_RELEASE);
return TRUE;
}
BOOL CollectInformation(PRESTORE_INFO pRestoreInfo)
{
if (SDT_GetOriginalFunctions(pRestoreInfo) == FALSE)
return FALSE;
return GetNtoskrnlOriginalBytes(pRestoreInfo);
}
The GetExport function is a function i already had, very useful, gets the information you request of an export:
BOOL GetExport(BYTE *PE, ULONG_PTR *EP, WORD *Ordinal, CHAR *FuncName)
{
IMAGE_DOS_HEADER *ET_DOS;
IMAGE_NT_HEADERS *ET_NT;
IMAGE_EXPORT_DIRECTORY *Export;
ULONG_PTR ET, *Functions;
PSTR *Names;
WORD *Ordinals;
CHAR *ApiName;
__try
{
ET_DOS = (IMAGE_DOS_HEADER *)(ULONG_PTR) PE;
ET_NT = (IMAGE_NT_HEADERS *)(ULONG_PTR) &PE[ET_DOS->e_lfanew];
ET = ET_NT->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
if (ET == NULL)
return FALSE;
ET = RvaToOffset(ET_NT, ET);
if (ET == 0) return FALSE;
Export = (IMAGE_EXPORT_DIRECTORY *)(ET + (ULONG_PTR) PE);
Functions = (ULONG_PTR *)(RvaToOffset(ET_NT,
Export->AddressOfFunctions) + (ULONG_PTR) PE);
Ordinals = (WORD *)(RvaToOffset(ET_NT,
Export->AddressOfNameOrdinals) + (ULONG_PTR) PE);
Names = (PSTR *)(RvaToOffset(ET_NT,
Export->AddressOfNames) + (ULONG_PTR) PE);
if (EP != NULL && *EP != 0)
{
for (WORD x = 0; x < Export->NumberOfFunctions; x++)
{
if (*EP == Functions[x])
{