arteam ezine nr.2

Page 65

    0008:00AD12F3  MOV  EDI,37CE5484
    0008:00AD12F8  JGE  _00AD1309
    0008:00AD12FA  INC  EBX

Ohoho, 0x1A00 is the only gateway for ring3 code to become ring0 code ☺ Luckily this is used only 2 times in TheMida, so let's trace this code, because it seems like this is going to perform some debugger checks (what else would be the reason for the new TheMida to use Ring0?). After a little bit of tracing we find very interesting stuff here:

    0008:00AD150E  CMP  BYTE PTR [ECX],68
    0008:00AD1511  JNZ  _00AD162D

Well, ECX is pointing to the address of the INT 41h handler and then TheMida checks for a PUSH instruction. When SoftICE is not loaded, INT 41h will point to HalpDispatchInterrupt, but when SoftICE is loaded we will have this hook code:

    0008:F3645662  PUSH _HalpDispatchInterrupt
    0008:F3645667  JMP  _F358BACB
    0008:F364566C  SUB  EAX,8003F400
    0008:F3645671  PUSH F4868B5C
    0008:F3645676  JMP  _F35FE601

And HalpDispatchInterrupt looks like:

    hal!HalpDispatchInterrupt:
    806e79cc 54        push    esp
    806e79cd 55        push    ebp
    806e79ce 53        push    ebx
    806e79cf 56        push    esi
    806e79d0 57        push    edi
    806e79d1 83ec54    sub     esp,0x54
    806e79d4 8bec      mov     ebp,esp
    806e79d6 89442444  mov     [esp+0x44],eax

TheMida is scanning for the SoftICE hook in INT 41h: if there is a PUSH (68h), a debugger is detected; otherwise, everything is just fine. So let's go and write a simple hook to make our SoftICE invisible for this scan, shall we? Use ExAllocatePool and allocate a small piece of memory, because we only need 7 bytes to make our patch (or we can find some unused place in ntoskrnl.exe and assemble our patch there). Here is the patch anyway:

    :idt 41
    0041  IntG32  0008:81C1E040  DPL=0  P
    :u 81c1e040
    0008:81C1E040  NOP
    0008:81C1E041  PUSH F3645662
    0008:81C1E046  RET
    0008:81C1E047  ADD  [EAX],AL
    :u f3645662
    0008:F3645662  PUSH _HalpDispatchInterrupt
    0008:F3645667  JMP  _F358BACB

The IDT entry for INT 41h now points at our 7-byte stub (NOP; PUSH F3645662; RET), so the first byte TheMida reads is 90h instead of 68h, and the stub simply transfers control on to the original SoftICE hook.

Run the TheMida-protected application (the one with oreans32.sys) and it will start without a problem.
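The check above keys on a single opcode, which is exactly why a 7-byte stub that starts with NOP gets past it. The following C program is an added example, not code from the ezine or from TheMida/SoftICE: it models the first-byte test on constructed byte sequences (the HalpDispatchInterrupt prologue from the listing above, an assumed PUSH/JMP hook with placeholder operands, and the NOP;PUSH;RET stub), and contrasts it with a check that compares against the known prologue and follows push/ret trampolines. The byte arrays and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample byte sequences (assumed; not dumped from a live system):
 *  kUnhooked   - start of HalpDispatchInterrupt as listed in the article:
 *                push esp/ebp/ebx/esi/edi ; sub esp,0x54
 *  kHooked     - a SoftICE-style hook: PUSH imm32 ; JMP rel32
 *                (the imm32 and rel32 values are placeholders)
 *  kTrampoline - the 7-byte patch from the article: NOP ; PUSH F3645662 ; RET
 */
static const uint8_t kUnhooked[]   = {0x54, 0x55, 0x53, 0x56, 0x57, 0x83, 0xEC, 0x54};
static const uint8_t kHooked[]     = {0x68, 0xCC, 0x79, 0x6E, 0x80, 0xE9, 0x00, 0x00, 0x00, 0x00};
static const uint8_t kTrampoline[] = {0x90, 0x68, 0x62, 0x56, 0x64, 0xF3, 0xC3};

#define OP_PUSH_IMM32 0x68
#define OP_NOP        0x90
#define OP_RET        0xC3

/* The protector's test as the article describes it: "debugger present"
 * if and only if the first byte at the INT 41h handler is PUSH imm32. */
int first_byte_is_push(const uint8_t *handler, size_t len) {
    return len >= 1 && handler[0] == OP_PUSH_IMM32;
}

/* Positive check instead of a single-opcode blacklist: does the handler
 * still begin with the known, unhooked HalpDispatchInterrupt prologue? */
int matches_known_prologue(const uint8_t *handler, size_t len) {
    return len >= sizeof kUnhooked &&
           memcmp(handler, kUnhooked, sizeof kUnhooked) == 0;
}

/* If the bytes are (NOP)* ; PUSH imm32 ; RET, return the imm32 the stub
 * transfers control to; otherwise return 0. */
uint32_t trampoline_target(const uint8_t *code, size_t len) {
    size_t i = 0;
    while (i < len && code[i] == OP_NOP) i++;      /* tolerate leading NOP padding */
    if (i + 6 > len || code[i] != OP_PUSH_IMM32 || code[i + 5] != OP_RET) return 0;
    return (uint32_t)code[i + 1] | ((uint32_t)code[i + 2] << 8) |
           ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
}

enum handler_state {
    HANDLER_PRISTINE   = 0,   /* known prologue, nothing changed          */
    HANDLER_PUSH_FIRST = 1,   /* what the article's single-byte scan flags */
    HANDLER_TRAMPOLINE = 2,   /* NOP;PUSH;RET stub, invisible to that scan */
    HANDLER_UNKNOWN    = 3    /* modified in some other way                */
};

/* Classify an INT 41h handler the way a more careful check would: a
 * push/ret trampoline is reported as such instead of passing as clean. */
enum handler_state classify_handler(const uint8_t *handler, size_t len) {
    if (matches_known_prologue(handler, len)) return HANDLER_PRISTINE;
    if (first_byte_is_push(handler, len))     return HANDLER_PUSH_FIRST;
    if (trampoline_target(handler, len) != 0) return HANDLER_TRAMPOLINE;
    return HANDLER_UNKNOWN;
}

int main(void) {
    printf("unhooked:   push-first=%d state=%d\n",
           first_byte_is_push(kUnhooked, sizeof kUnhooked),
           classify_handler(kUnhooked, sizeof kUnhooked));
    printf("hooked:     push-first=%d state=%d\n",
           first_byte_is_push(kHooked, sizeof kHooked),
           classify_handler(kHooked, sizeof kHooked));
    printf("trampoline: push-first=%d state=%d target=%08X\n",
           first_byte_is_push(kTrampoline, sizeof kTrampoline),
           classify_handler(kTrampoline, sizeof kTrampoline),
           trampoline_target(kTrampoline, sizeof kTrampoline));
    return 0;
}
```

The point for anyone writing or evaluating such a check: the first-byte scan returns 0 for the trampoline even though the handler has clearly been replaced, while comparing against the expected prologue reports any change, and following the stub recovers the address it hands off to.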

3. Final Remarks

If you don’t want to write your own hooking “engine”, you can use the loader supplied with this document, but IMHO, people that are using SoftICE already know driver programming so… I feel lame for providing a loader with this document.. Well, I wish to thank ARTeam, ma mates ☺, Snow Panther for the cool DS 3.2 patches, 29a for the best eZine (apart from this one!) and, of course, you for reading this small contribution.
