Lack of activity

Rhys M. — Mon, 23 Aug 2010 19:36:04 +0000

Well its been quite a while now since I’ve last updated my blog, yet its just passed 42,600 hits! Anyway, my time is now predominantly taken up by a new activity, with minimal time spent behind a computer, and even less time spent programming. I’ve taken up flying.

[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook

Rhys M. — Sat, 21 Nov 2009 20:01:48 +0000

Ok well a few of my pieces of code here rely upon the ImageFileName element within the EPROCESS structure (which you can find in the ntifs_6001.h) header I’ve uploaded. Again, in 7600 it seems to be missing. Weird.
Anyway, the problem was that ImageFileName was returning nothing. Blank. So evidently the offset has changed. I wrote a peice of code to enumerate the base addresses of each EPROCESS structure and then looked at them in Win Dbg, have a look:

That image should pretty much give you an idea of what to do. Count the bytes. Find the new offset.
Previously the offset for ImageFileName was +0×154 now all of a sudden its +0×174. To implement search for this offset programmatically, search the memory from each EPROCESS base for the string “system”. As it will ALWAYS be there, makes for an easy way to determine the correct offset.

I have attached an updated version of my NtOpenProcessHook below with the fix.
The hack (this is too crude to be a fix!) lies in the RetrievePID() function. So have a look there for comparison.

[ Link ] My Old NtOpenProcessHook post
[ C - Source ] New NtOpenProcessHook Driver
[ C - Source ] Old NtOpenProcessHook Driver
[ C - Header ] ntifs_6001.h

[ C ] Entry Point Hook

Rhys M. — Fri, 30 Jan 2009 19:31:30 +0000

This was an idea that I used in the Rootkit idea below.
Just a extract explained.
[ .rar ] Project files
[ C - Source ] PEInfect

Unmodified program shown in PE Explorer.
Unmodified programs entry point shown in ollydbg.

Modified program shown in PE Explorer:

Modified programs entry point shown in ollydbg:

[C - Unfinished] simple-rootkit-worm?

Rhys M. — Tue, 27 Jan 2009 18:47:01 +0000

This was the result of me messing around last November.
Shows just how easy a rootkit with simple worm characteristics could be to write, but I got bored with it and it hasnt progressed for the past two months, but I may as well post it.
What needs to be finished, as far as I can see is:
-prevent remodifying the target-files PE-Header.
-the mailbox system. Makes sure only one copy of the file is run at a time to ensure agaisnt driver crashes.
-all the strings need to be encrypted and then decrypted when used and erased.
-all allocated memory needs to be deallocated.
Rootkit:
[ .rar ]Project Files (Driver/Application)
[ C - Source ]Driver
[ C++ - Source ]Main program
ntifs.h

[C] A simple interpreted language

Rhys M. — Sat, 03 Jan 2009 10:46:00 +0000

Someone asked me the other-day about writing a simple scripting language, so I got around to playing around a bit, and ended up writing a simple interpreter. In appearance I guess it looks something like a cross between assembly (source, destination) and BASIC:

It supports a simple form of loops, variable storage and retrieval, basic (limited functionality at this point) conditional statements, variable output.
Download:
-source code here.
-Project Files here (contains script file)
-sample script file

[ C ] NtOpenProcess hook.

Rhys M. — Sat, 04 Oct 2008 00:03:21 +0000

A ‘Crude’ method of preventing access to a program is by hooking NtOpenProcess and denying any request for a handle. Simple. The screenshot below shows what happens when I tried to terminate notepad, which at the time was ‘protected’ by this hook. A detour hook would be preferable to an SSDT pointer change as it is less detectable, but I’ll cover that some other time.

[ C - Source ] Driver.c
[ C++ - Source ] DriverControll.cpp
Download the compiled executable.
ntifs.h
NEW post regarding NtOpenProcess hooks

Operation: Once the executable has been run and you’ve entered your target process name (with the .exe!) and you are presented with an arrow (–>), you have three commands. HOOK, UNHOOK, EXIT. They’re fairly explanatory. Unhook before you exit. Make sure you’ve spelt the process name correctly.

Ok, as with many previous things this is XP only. The call number would need to be changed for other OS’s or SP’s. Look here for different call numbers.

[Unfinished - C++]DirectX 2D Tile Engine

Rhys M. — Sun, 31 Aug 2008 21:39:06 +0000

So I decided to give DirectX a shot and try and create a Tile Engine (wikipedia link for those who dont know..)

Without much reading or forethought I went ahead and started coding. Not really happy with the results, has a quite a few things which I would do different. A pixel based camera rather than a tile based one, so I’m posting this here and leaving it as is. I’ll salvage bits from this code and recode it and see what I come up with.

Anyway, heres a picture of it:

The values in the map file are stored in little endian format, and the structure of the map file explained here in picture format.

Source Code (.cpp)
Source Code (.h)
PNG #1
PNG #2

[C++] WINSOCK send hook.

Rhys M. — Sun, 27 Jul 2008 22:25:32 +0000

I see a few people looking for information on winsock and WINAPI hooks in general.
Well, heres an easily modifiable inline hook.
It works quite simply by replacing the 5 byte preamble at the start of the target function (NOTE: in pre win-xp sp2 systems this will be 3 bytes, and not five, so that would need to be changed) with a jump to our function, doing whatever we need to do then jump back to the original code. However, because we’re replacing that preamble, for things to work we have to add those commands in our hook function.

Hook diagram

C/C++ – Source Code

MSDN – send

New Content

Rhys M. — Wed, 28 May 2008 14:41:29 +0000

So its been just over five months since my last post, which is pretty pathetic but I’m at a sheer loss of idea’s for content.

If you wanna see something specific, write a comment with your thoughts and requests and I’ll see what I can do.

Rootkit Detector v2

Rhys M. — Tue, 25 Dec 2007 00:27:26 +0000

I recently decided to rework a piece of code I wrote earlier this year, and decided to expand upon it.

My intent is to eventually have something resembling a fully fledged rootkit-detector, but I think thats still a while off. I did however add a few new functions to my previous version: amongst them the ability to detect both detour hooks and ssdt-table pointer hooks, that and the ability to detect hidden processes – the latter being something I still need to do a bit of work on, but I’ll include that in my next version.

I also had some fun and reworked the GUI and came up with a cool way of doing so. I thought it came out looking pretty stylish (as you can see in the screenshot below ).

You can download it here:
EXE Download (.zip)
Some screenshots:
In action…
The reworked GUI again

And the original programs post

Note: wont work on pre XP-sp2 systems. Nor do I think it will work on Vista.