Shub-nigurrath
August 8th, 2008, 08:10
Hi all,
A new tool from deroko, full sources included so you can understand how the magic is done!
Quote:
Don't know if anyone remembers the themidaspy tool, which was designed to defeat the Anti-Break and Anti-ApiSpy techniques used in themida. I won't go into details of how those are implemented in themida, as anyone who has played with themida already knows how they are implemented. The TheMidaSpy tool was blacklisted, i.e. it no longer works with themida, so I decided to update the whole project and release a new tool with sources, plus templates for creating fake_kernel32.dll and fake_advapi32.dll, because you may find them useful in some of your projects. The fake_kernel32/advapi32 projects consist of all exports from both DLLs. Currently, I have listed all exports from kernel32.dll and advapi32.dll that are located in those DLLs on Windows XP SP3. Thanks to some of the testers, I've received notification that there are some exports and imports in fake_kernel32.dll/advapi32.dll which are not present on XP SP2; on Vista, on the other hand, some imports are not present, so you might want to remove them if you plan to use this tool on Vista. I chose to use themida again, as it is a good example of when PEB hooking might be handy, but you may use it for any other protection/project etc. In the themidaloader project you may find an example of how to inject these DLLs into the targeted process. You may find a sample of how to handle hooks in the fake_kernel32 project if you look up f_GetModuleHandleA, f_LoadLibraryA, f_LoadLibraryExA, and f_CreateThread; now it's all up to you to decide how, and what, you will filter!!!
http://arteam.accessroot.com/releases.html
BR,
Shub
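The release described above works by injecting fake kernel32/advapi32 modules and PEB hooking, so that the loader's view of a module no longer matches the file that really backs it. The consistency check below is an added example written for this thread; it is not part of deroko's release or of this post. It models the two inputs a protection or an EDR would read on a real Windows process, the `BaseDllName`/`DllBase` pairs from the PEB loader list and the backing file path that `GetMappedFileNameA()` reports for each `DllBase`, as simplified structs filled with constructed sample data, so it compiles and runs anywhere. The `protected_dlls` list, the struct names and the sample addresses and paths are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-in for the fields of a PEB LDR_DATA_TABLE_ENTRY that the
 * check needs. In a real process these come from PEB->Ldr->InLoadOrderModuleList;
 * here they are constructed for the example. */
typedef struct {
    const char *base_dll_name;   /* BaseDllName: what GetModuleHandle matches on */
    uintptr_t   dll_base;        /* DllBase: what GetModuleHandle returns */
} ldr_entry_t;

/* Stand-in for the answer GetMappedFileNameA() gives for an image base:
 * the path of the file that actually backs that mapping (constructed here). */
typedef struct {
    uintptr_t   base;
    const char *backing_path;
} mapping_t;

/* Assumed policy: these DLLs must be backed by a file in the system directory. */
static const char *const protected_dlls[] = { "ntdll.dll", "kernel32.dll", "advapi32.dll" };

/* Case-insensitive full-string compare (Windows module names are case-insensitive). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive prefix test, used for the system-directory check. */
static int iprefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Last path component of a backslash-separated Windows path. */
static const char *basename_of(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

static int is_protected(const char *name) {
    for (size_t i = 0; i < sizeof protected_dlls / sizeof *protected_dlls; i++)
        if (ieq(name, protected_dlls[i])) return 1;
    return 0;
}

static const char *backing_of(const mapping_t *maps, size_t n, uintptr_t base) {
    for (size_t i = 0; i < n; i++)
        if (maps[i].base == base) return maps[i].backing_path;
    return NULL;
}

/* Walks the loader entries and returns how many look redirected: an entry whose
 * DllBase is not backed by an image file at all, one whose backing file is not
 * named like the entry, or a protected DLL whose backing file lives outside
 * system_dir. Each finding is printed with its reason. */
int check_ldr_entries(const ldr_entry_t *entries, size_t n_entries,
                      const mapping_t *maps, size_t n_maps,
                      const char *system_dir)
{
    int suspicious = 0;
    for (size_t i = 0; i < n_entries; i++) {
        const ldr_entry_t *e = &entries[i];
        const char *backing = backing_of(maps, n_maps, e->dll_base);
        const char *why = NULL;

        if (!backing)
            why = "DllBase is not an image mapping";
        else if (!ieq(basename_of(backing), e->base_dll_name))
            why = "backing file name differs from BaseDllName";
        else if (is_protected(e->base_dll_name) && !iprefix(backing, system_dir))
            why = "protected DLL backed from outside the system directory";

        if (why) {
            printf("SUSPICIOUS %-14s base=%#lx: %s (%s)\n", e->base_dll_name,
                   (unsigned long)e->dll_base, why, backing ? backing : "-");
            suspicious++;
        }
    }
    return suspicious;
}

/* Constructed snapshot of a process whose kernel32.dll loader entry has been
 * pointed at an injected module; only the kernel32 entry should be flagged. */
static const ldr_entry_t sample_entries[] = {
    { "ntdll.dll",    0x7C900000u },
    { "kernel32.dll", 0x10000000u },   /* DllBase now points at the injected DLL */
    { "advapi32.dll", 0x77DD0000u },
};
static const mapping_t sample_maps[] = {
    { 0x7C900000u, "C:\\WINDOWS\\system32\\ntdll.dll" },
    { 0x10000000u, "C:\\tools\\fake_kernel32.dll" },
    { 0x77DD0000u, "C:\\WINDOWS\\system32\\advapi32.dll" },
};

int run_sample_check(void) {
    return check_ldr_entries(sample_entries, 3, sample_maps, 3, "C:\\WINDOWS\\system32\\");
}

int main(void) {
    int n = run_sample_check();
    printf("%d suspicious loader entr%s\n", n, n == 1 ? "y" : "ies");
    return n ? 1 : 0;
}
```

The check deliberately does not trust the loader list alone: the name in the PEB is exactly what a PEB hook controls, so the signal is the disagreement between that name and what the memory manager says backs the address. A fake module that is itself named kernel32.dll still fails the system-directory test.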