Results 1 to 1 of 1
  1. #1
    Vitrix Maggot
    Vitrix Maggot is offline
    Member-in-training Vitrix Maggot's Avatar
    Join Date
    2013 Apr
    Location
    Brasil
    Posts
    58
    Thanks
    0
    Thanked 43 Times in 24 Posts
    Rep Power
    0

    Anti Reverse-Engeneering Library

    Bom pessoal, sempre gosto de procurar sobre segurança de softwares e criei algumas funções aqui que podem ajudar você que quer seu programa longe de RIPs...Alpha release é que como são muitas funções, eu não tenho tempo de testar então quem quiser testar ai...Mesmo sem testar eu deixei as teorias de cada função embaixo para você entender o que eu estava fazendo para não ficar perdido...Na próxima edição vejo se explico os parâmetros também para ficar igual o MSDN rsrs..Mas por enquanto da para entender o suficiente

    Espero que gostem!


    Well folks, I always like to look on security software and created a few functions here that can help you whatever your program away from RIPs ... Alpha release is that they are many functions, I do not have time to test so who want to test ai Even without testing ... I let the theories of each function below for you to understand what I was doing to not get lost ... in the next issue I see is also to explain the parameters stay the same MSDN lol .. But for now the enough to understand

    Hope you enjoy!


    * CheckForINT3BP
    * CheckForINT3BPObfunsc
    * HideThread
    * ChangeSizeOfImage
    * MemoryBreakpointDebuggerCheck
    * CheckHardwareBreakpoins
    * FindAndKillProcess
    * CanOpenCsrss
    * RestoreExceptionFilter
    * DebugMyself
    * IsParentExplorer
    * CheckOutputDebugString
    * DebugObjectCheck
    * CheckProcessDebugFlags
    * FindOllyWindow
    * ConfuseLordPE
    * TryRemoveHardwareBreakpoint
    * ClearHardwareBreakpoints

    ;################################################# #################################
    ;File created by Vitrix Maggot
    ;If you want to use post any modification of any of these functions please talk with me first
    ;You can add me on [email protected]
    ;################################################# ################################
    ;This file is protected by GNU license
    ;################################################# ################################
    ;Thanks to:
    ;ap0x
    ;ReWolf
    ;DarkProgramming
    ;################################################# ###############################
    ;This source is the first of thousans of versions of it
    ;If you find any bug please report (I didn't really tested it lol)
    ;I'll work my ass off to try to complete if with more.
    ;################################################# ###############################


    include windows.inc
    include kernel32.inc
    include user32.inc
    include ntdll.inc

    includelib kernel32.lib
    includelib user32.lib
    includelib ntdll.lib

    lpStr MACRO Text : req
    local lText
    .data
    lText db Text, 0
    .code
    exitm <addr lText>
    EndM

    ofStr MACRO Text : req
    local lText
    .data
    lText db Text, 0
    .code
    exitm <offset lText>
    EndM

    SERIAL_THRESHOLD equ 010000h
    HideThreadFromDebugger equ 011h
    ProcessDebugObjectHandle equ 01Eh
    ProcessDebugFlags equ 01Fh

    ;Main functions
    CheckForINT3BP PROTO WORD
    CheckForINT3BPObfusc PROTO WORD
    HideThread PROTO WORD
    ChangeSizeOfImage PROTO WORD
    MemoryBreakpointDebuggerCheck PROTO
    CheckHardwareBreakpoints PROTO
    ClrHwBpHandler PROTO
    ClrHwBpHandler PROTO
    ClearHardwareBreakpoints PROTO
    TryRemoveHardwareBreakpoint PROTO
    ConfuseLordPE PROTO
    FindOllyWindow PROTO
    CheckProcessDebugFlags PROTO
    DebugObjectCheck PROTO
    CheckOutputDebugString PROTO
    IsParentExplorer PROTO
    DebugMyself PROTO
    RestoreExceptionFilter PROTO
    CanOpenCsrss PROTO
    ;Other functions
    FindAndKillProcess PROTO WORD
    UnhandledExcepFilter PROTO :PEXCEPTION_POINTERS

    .safeseh ClrHwBpHandler

    .code

    FindAndKillProcess proc szProcess : DWORD
    ;This is just a tool for you to kill a process faster
    LOCAL hSnap : HANDLE
    LOCAL pe32 : PROCESSENTRY32

    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS, 0
    cmp eax, INVALID_HANDLE_VALUE
    je Error
    mov hSnap, eax
    mov pe32.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnap, addr pe32
    invoke lstrcmp, addr pe32.szExeFile, szProcess
    cmp eax, TRUE
    je FoundIt
    Looping:
    cmp eax, FALSE
    je Error
    invoke Process32Next, hSnap, addr pe32
    invoke lstrcmp, addr pe32.szExeFile, szProcess
    cmp eax, TRUE
    jne Looping
    FoundIt:
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID
    cmp eax, INVALID_HANDLE_VALUE
    je Error
    invoke SendMessage, eax, WM_DESTROY, 0, 0
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    FindAndKillProcess EndP

    ChangeSizeOfImage proc NewSize : DWORD
    ;When you change the SizeOfImage, some dumpers have problems to read that
    mov eax, fs:[030h] ;PEB
    mov eax, [eax + 0Ch] ;PED_LDR_DATA
    mov eax, [eax + 0Ch] ;InOrderModuleList
    mov dword ptr [eax + 020h], NewSize ;SizeOfImage
    Ret
    ChangeSizeOfImage EndP

    CanOpenCsrss proc
    ;To debug a process we need to have certain privilages, the debuggers usually use SeDebugPrivilage, without it we can't open the csrss.exe process(we don't have that privilages)
    ;By using this technique we try to open it and if it opens, that means we have this privilage, so we are being debugged
    invoke GetModuleHandle, lpStr("ntdll.dll")
    invoke GetProcAddress, eax, lpStr("CsrGetProcessId")
    call eax
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax
    cmp eax, NULL
    je Error
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    CanOpenCsrss EndP

    UnhandledExcepFilter proc pExcept : PEXCEPTION_POINTERS
    ;Just a CALLBACK function
    invoke SetUnhandledExceptionFilter, pExcept.ContextRecord.Eax
    add pExcept.ContextRecord.Eip, 2
    mov eax, EXCEPTION_CONTINUE_EXECUTION
    Ret
    UnhandledExcepFilter EndP

    RestoreExceptionFilter proc
    ;We set this option(UnhandledExceptionFilter), once the debugger use some technique to cause a unhandled exception, the program will exit instead of sending the exception
    ;To the debugger
    invoke SetUnhandledExceptionFilter, addr RestoreExceptionFilter
    xor eax, eax
    div eax
    Ret
    RestoreExceptionFilter EndP

    DebugMyself proc
    ;A process can only be debugged by one at a time, this technique debugs ourselves to don't let the debuggers debug us
    LOCAL hProcess : HANDLE
    LOCAL de : DEBUG_EVENT
    LOCAL pi : PROCESS_INFORMATION
    LOCAL si : STARTUPINFO

    invoke RtlZeroMemory, addr pi, sizeof PROCESS_INFORMATION
    invoke RtlZeroMemory, addr si, sizeof STARTUPINFO
    invoke RtlZeroMemory, addr de, DEBUG_EVENT
    invoke GetStartupInfo, addr si
    call GetCommandLine
    invoke CreateProcess, NULL, eax, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, addr si,addr pi
    invoke ContinueDebugEvent, pi.dwProcessId, pi.dwThreadId, DBG_CONTINUE
    invoke WaitForDebugEvent, addr de, INFINITE
    Ret
    DebugMyself EndP

    IsParentExplorer proc
    invoke GetParentProcessID
    Ret
    IsParentExplorer EndP

    CheckOutputDebugString proc
    ;When we are attached to a debugger we can comunicate with it calling the OutputDebugString, so the idea is simples, we call the function, if theres no error that means
    ;We have a debugger in our ass
    invoke OutputDebugString, lpStr("JMB Protection")
    call GetLastError
    cmp eax, 0
    jne Error
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    CheckOutputDebugString EndP

    HideThread proc hThread : DWORD
    ;This NT Function hides the thread from a debugger, that can be useful to don't let him use for example GetThreadContext(Check out our registrators)
    LOCAL Status : NTSTATUS

    invoke GetModuleHandle, lpStr("ntdll.dll")
    invoke GetProcAddress, eax, lpStr("NtSetInformationThread")
    mov esi, eax
    cmp hThread, NULL
    jne NotActualThread
    invoke GetCurrentThread
    push 0
    push 0
    push HideThreadFromDebugger
    invoke GetCurrentThread
    push eax
    call esi
    cmp eax, 0
    jne Error
    mov eax, 1
    ret
    NotActualThread:
    push 0
    push 0
    push HideThreadFromDebugger
    push hThread
    call esi
    cmp eax, 0
    jne Error
    mov eax, 1
    ret
    Error:
    Ret
    HideThread EndP

    DebugObjectCheck proc
    ;This method is very simple, when we debug a process we a debug object is created and can be found using the NtQueryInformationProcess, the idea is to try to catch it
    ;If we catch that means we are being debugged
    LOCAL hDebugObject : DWORD
    LOCAL Status : NTSTATUS

    invoke GetCurrentProcess
    invoke NtQueryInformationProcess, eax, ProcessDebugObjectHandle, addr hDebugObject, 4, NULL
    cmp eax, 0
    jne Error
    cmp hDebugObject, FALSE
    jne Error
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    DebugObjectCheck EndP

    CheckProcessDebugFlags proc
    ;We can check if the debugged ir inherit with out process using this function
    ;Remarks: This functions is reversed, if theres a debugger inheritten, it returns false
    LOCAL Status : NTSTATUS
    LOCAL NoDebugInherit : DWORD
    mov NoDebugInherit, 0
    invoke GetCurrentProcess
    invoke NtQueryInformationProcess, eax, ProcessDebugFlags, addr NoDebugInherit, 4, NULL
    cmp eax, 0
    jne Error
    cmp NoDebugInherit, FALSE
    jne Error
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    CheckProcessDebugFlags EndP


    FindOllyWindow proc
    ;Thats just a simple way to see if theres an OllyDBG present, i wouldn't use it...It's just soo simple that phanton can easily skip it
    invoke FindWindow, NULL, lpStr("OllyDbg - [CPU]")
    cmp eax, NULL
    mov eax, 1
    ret
    NotFound:
    mov eax, 0
    Ret
    FindOllyWindow EndP

    ConfuseLordPE proc
    ;If we change the PE Signature of the file, LordPE can't read us, it'll think its a non-PE file, so we would be protected from him
    assume fs:nothing
    mov eax, dword ptr fs:[30h]
    test eax, eax
    js @found_win9x
    @found_winNT:
    mov eax, [eax + 0Ch]
    mov eax, [eax + 0Ch]
    add dword ptr[eax + 20h], 3000h
    jmp @exit
    @found_win9x:
    invoke GetModuleHandle, NULL
    test edx, edx
    jns @exit
    cmp dword ptr[edx + 08], -1
    jne @exit
    mov edx, [edx+4]
    add dword ptr[edx + 50h], 3000h
    Ret
    ConfuseLordPE EndP

    dbgIsDebuggerPresent proc
    ;This is a simple function that is equal to IsDebuggerPresent but i didn't use the API, that can be good if you want to hide your protection
    assume fs:nothing
    mov eax, dword ptr fs:[18h]
    mov eax, dword ptr ds:[eax+30h]
    movzx eax, byte ptr ds:[eax+2h]
    cmp eax, 1
    je Detected
    mov eax, 0
    ret
    Detected:
    mov eax, 1
    Ret
    dbgIsDebuggerPresent EndP

    CheckForINT3BP proc SizeToCheck : DWORD
    ;This is very simple, theres 2 types of INT3 Breakpoint, the one with the Opcode CC(INT3) and the one with the opcode CD 03 (INT 3), we'll check our hole file and see if theres
    ;one of them, if we find that means a debugger is trying to checkout our thread
    xor ecx, ecx
    xor ax, ax
    xor ebx, ebx
    Looping:
    cmp ebx, SizeToCheck
    jbe Final
    lea ax, byte ptr ds:[ebx]
    cmp ax, 0CCh
    je FoundOne
    cmp ax, 0CDh
    jne DidntFound
    lea ax, byte ptr ds:[ebx + 1]
    cmp ax, 003h
    je FoundOne
    DidntFound:
    inc ebx
    jmp Looping
    FoundOne:
    inc ecx
    inc ebx
    jmp Looping
    Final:
    mov eax, ecx
    Ret
    CheckForINT3BP EndP

    CheckForINT3BPObfusc proc SizeToCheck : DWORD
    ;Some times debuggers hide their INT3 breakpoints using a method of xor, this method just check if theres a hidded int3 and tell you
    xor ecx, ecx
    xor ax, ax
    xor ebx, ebx
    Looping:
    cmp ebx, SizeToCheck
    jbe Final
    lea ax, byte ptr ds:[ebx]
    xor ax, 055h
    cmp ax, 099h
    je FoundOne
    cmp ax, 0CDh
    jne DidntFound
    lea ax, byte ptr ds:[ebx + 1]
    cmp ax, 003h
    je FoundOne
    DidntFound:
    inc ebx
    jmp Looping
    FoundOne:
    inc ecx
    inc ebx
    jmp Looping
    Final:
    mov eax, ecx
    Ret
    Ret
    CheckForINT3BPObfusc EndP

    MemoryBreakpointDebuggerCheck proc
    ;I couldn't think in a way to completelly protect from memory breakpoints so theres this way that we can check if theres a debugged(to be specific Olly)
    ;We just alloc a page in our memory then we include to it's protection the PAGE_GUARD(used for memory breakpoint), so we add a ret into the buffer
    ;and push a potencial return, if we are under Olly, the debugger will hit the ret and and return to where we where, otherwise it will occur the exception
    ;STATUS_GUARD_PAGE_VIOLATION and we will know that we are under a debugger
    LOCAL sysinfo : SYSTEM_INFO
    LOCAl pAlloc : DWORD
    LOCAL oldProtect : DWORD

    invoke GetSystemInfo, addr sysinfo
    invoke VirtualAlloc, NULL, sysinfo.dwPageSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    cmp eax, NULL
    je Error
    mov pAlloc, eax
    mov ax, 0C3h ;RET Upcode
    lea pAlloc, byte ptr ds:[ax]
    invoke VirtualProtect, pAlloc, sysinfo.dwPageSize, PAGE_EXECUTE_READWRITE or PAGE_GUARD, oldProtect
    cmp eax, 0
    je Error
    mov eax, pAlloc
    push MemBPBeingDebugged
    jmp eax
    MemBPBeingDebugged:
    invoke VirtualFree, pAlloc, sysinfo.dwPageSize,MEM_RELEASE
    mov eax, 1
    ret
    Error:
    mov eax, 0
    Ret
    MemoryBreakpointDebuggerCheck EndP


    CheckHardwareBreakpoints proc
    ;This method is very simple, when we set a hardware breakpoint we set it's address in Dr0, Dr1, Dr2 or Dr3, the idea its to check if theres any hardware breakpoint trigged
    LOCAL ctx : CONTEXT
    LOCAL hThread : HANDLE
    xor ebx, ebx
    invoke RtlZeroMemory, addr ctx, sizeof CONTEXT
    mov ctx.ContextFlags, CONTEXT_DEBUG_REGISTERS
    invoke GetCurrentThread
    mov hThread, eax
    invoke SuspendThread, hThread
    invoke GetThreadContext, eax, addr ctx
    cmp ctx._Dr0, 0
    je Next1
    inc ebx
    Next1:
    cmp ctx._Dr1, 0
    je Next2
    inc ebx
    Next2:
    cmp ctx._Dr2, 0
    je Next3
    inc ebx
    Next3:
    cmp ctx._Dr3, 0
    inc ebx
    mov eax, ebx
    ret
    Error:
    mov eax, 0
    Ret
    CheckHardwareBreakpoints EndP

    ClearHardwareBreakpoints proc
    assume fs:nothing
    push offset ClrHwBpHandler
    push fs:[0]
    mov dword ptr fs:[0], esp ; Setup SEH
    xor eax, eax
    div eax ; Cause an exception
    op dword ptr fs:[0] ; Execution continues here
    add esp, 4
    ret
    ClearHardwareBreakpoints endp

    ClrHwBpHandler proc
    xor eax, eax
    mov ecx, [esp + 0ch] ; This is a CONTEXT structure on the stack
    mov dword ptr [ecx + 04h], eax ; Dr0
    mov dword ptr [ecx + 08h], eax ; Dr1
    mov dword ptr [ecx + 0ch], eax ; Dr2
    mov dword ptr [ecx + 10h], eax ; Dr3
    mov dword ptr [ecx + 14h], eax ; Dr6
    mov dword ptr [ecx + 18h], eax ; Dr7
    add dword ptr [ecx + 0b8h], 2 ; We add 2 to EIP to skip the div eax
    ret
    ClrHwBpHandler endp
    end.
    I admire most other programmers not paid any dick!!

    Admiro outros Programadores mais nao pago pau pra nenhum !!


    Skype: Vitor Monteiro

Similar Threads

  1. [Info] Java Application Analysis and Reverse Engineering
    By Bytesize in forum Game Research, Development
    Replies: 0
    Last Post: 2012-10-27, 08:32 PM
  2. [C#] NET Library for Packet Sniffing with Winpcap
    By Dwar in forum VB, .NET Framework
    Replies: 0
    Last Post: 2012-08-23, 11:39 AM
  3. [C#] [Tutorial] Create Unmanaged Export Library
    By emoisback in forum VB, .NET Framework
    Replies: 5
    Last Post: 2012-07-23, 02:40 AM
  4. [VideoTutorial] Basic Reverse Engineering: Code Cave
    By a4123278 in forum Programming Tutorials
    Replies: 1
    Last Post: 2010-11-29, 04:19 PM
  5. Replies: 0
    Last Post: 2010-11-29, 04:08 PM
Visitors found this page by searching for:

vb NtSetInformationThread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •