View Full Version : SIDE.


Indy
August 5th, 2013, 17:21
(Syscall IDP Engine).

Captures all system services (KDR, hidden). Returns control to a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher).

o X86, KM, MI, KDR.
o SST may be chosen: SST[0], SST[0] for gui-thread, SST[1] for shadow.

Vid: http://rghost.ru/47763708

Org: http://vx.security-portal.cz/

Indy
August 18th, 2013, 06:16
log added.

http://s020.radikal.ru/i716/1308/2b/14a7e88cbf56.png (http://radikal.ru/fp/5ae0fd6b38a3453ab79e0976efc583f1)

Indy
October 19th, 2013, 00:46
filter(anti anti debug).

Indy
October 23rd, 2013, 11:09
Big update, source is private (vxforum.net). Best of existing addons (phantom & strong is crap!).

Code:
Int 0x2e(rEcx & rEdx)

NtQueryInformationProcess(ProcessDebugObjectHandle)
NtQueryInformationProcess(ProcessDebugPort)
NtQueryInformationProcess(ProcessDebugFlags)
NtQueryInformationProcess(InheritedFromUniqueProcessId)
NtTerminateProcess
NtClose(#IH)
NtOpenProcess(Name)
NtOpenProcess(Debug privilege)
NtSetInformationThread(ThreadHideFromDebugger)
NtSetInformationThread(ThreadBreakOnTermination)
NtQueryInformationThread(ThreadBreakOnTermination)
NtCreateFile("\??\SYSER" etc)
NtSetDebugFilterState
NtContinue
NtQueryPerformanceCounter
NtQuerySystemInformation(SystemKernelDebuggerInformation)
NtQuerySystemInformation(SystemProcessInformation, InheritedFromUniqueProcessId)
NtQueryObject(ObjectAllTypesInformation, "DebugObject")
NtRemoveProcessDebug
NtQuerySystemTime
NtSetSystemInformation(SystemVerifierInformation)
NtSetSystemInformation(SystemFlagsInformation)
NtSystemDebugControl
NtQueryObject

- NtQueryInformationProcess(ProcessBreakOnTermination)
- NtSetInformationProcess(ProcessBreakOnTermination)

FindWindow("OLLYDBG" etc)
RtlQueryProcessDebugInformation(RTL_QUERY_PROCESS_HEAP_ENTRIES)
BlockInput()

Time log:
SetTimer()
NtSetTimer
NtDelayExecution
NtWaitForKeyedEvent
NtReleaseKeyedEvent
NtSignalAndWaitForSingleObject
NtWaitForSingleObject
NtWaitForMultipleObjects
NtQuerySystemInformation(SystemTimeOfDayInformation)
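
The Filter() stage from the first post, applied to the three NtQueryInformationProcess classes that open this list, as an added C illustration that is not SIDE's code: a stand-in for the service returns the answers a debugged process gets, the filter rewrites them into what an undebugged process sees, and a protector-style check is run against both paths. The info-class numbers and NTSTATUS values are the documented Windows ones; kernel_query, filter_query, side_query and debugger_visible are names chosen here, and no real syscall is made.

```c
#include <stdint.h>
/* Documented Windows constants (winternl.h / ntstatus.h). */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_INFO_CLASS 0xC0000003u
#define STATUS_PORT_NOT_SET       0xC0000353u
#define ProcessDebugPort          7u
#define ProcessDebugObjectHandle  30u
#define ProcessDebugFlags         31u

/* Stand-in for the service side of NtQueryInformationProcess: constructed
   answers for a process that IS being debugged (no real syscall is made). */
NTSTATUS kernel_query(uint32_t cls, uintptr_t *out)
{
    switch (cls) {
    case ProcessDebugPort:         *out = (uintptr_t)-1; return STATUS_SUCCESS;
    case ProcessDebugObjectHandle: *out = 0x1a4; return STATUS_SUCCESS; /* constructed handle */
    case ProcessDebugFlags:        *out = 0;     return STATUS_SUCCESS; /* 0 means debugged */
    default:                       return STATUS_INVALID_INFO_CLASS;
    }
}

/* Post-call stage of Filter(): the service has run and its result is in *out;
   rewrite it into what an undebugged process would observe. */
NTSTATUS filter_query(uint32_t cls, uintptr_t *out, NTSTATUS st)
{
    if (st != STATUS_SUCCESS) return st;
    switch (cls) {
    case ProcessDebugPort:         *out = 0; return STATUS_SUCCESS;
    case ProcessDebugObjectHandle:
        /* The service already created a handle in the caller; a real filter must close it too. */
        *out = 0; return STATUS_PORT_NOT_SET;
    case ProcessDebugFlags:        *out = 1; return STATUS_SUCCESS; /* NoDebugInherit set */
    default:                       return st;
    }
}

/* Whole path: int 0x2e/sysenter -> service -> Filter() -> caller. */
NTSTATUS side_query(uint32_t cls, uintptr_t *out) { return filter_query(cls, out, kernel_query(cls, out)); }

/* Protector-style check over the three classes: 1 if any reveals a debugger. */
int debugger_visible(NTSTATUS (*query)(uint32_t, uintptr_t *))
{
    uintptr_t v = 0;
    if (query(ProcessDebugPort, &v) == STATUS_SUCCESS && v != 0) return 1;
    if (query(ProcessDebugObjectHandle, &v) == STATUS_SUCCESS && v != 0) return 1;
    if (query(ProcessDebugFlags, &v) == STATUS_SUCCESS && v == 0) return 1;
    return 0;
}
```

The unfiltered path reports the debugger, the filtered path does not; the hidden debug-object handle is the detail a filter author has to remember, which is why the NtClose handling appears in the changelog below.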


disavowed
October 23rd, 2013, 20:54
Seems to fail against Obsidium's debugger detection.

Indy
October 24th, 2013, 02:43
Not all methods are implemented.

Indy
October 27th, 2013, 22:47
Upd.

Code:
Fix waiters, IsProtectedDevice()
Add NtQuerySystemInformation(SystemObjectInformation)
Add NtOpenProcess(debug process)
Add NtQuerySystemInformation(SystemHandleInformation, DebugObject)
Fix trap in Filter(), OPT_ENABLE_TRACE
Add NtQueryInformationProcess(ProcessBreakOnTermination)
Add safe dispatch NtClose, OPT_SAFE_HANDLES
Del dispatch RtlQueryProcessDebug[Heap]Information
Fix NtClose(STATUS_HANDLE_NOT_CLOSABLE)


Indy
October 30th, 2013, 18:33
Code:
Fix Filter: stack align, trap(OPT_ENABLE_RF) etc.
Add SystemSessionProcessInformation
Add SystemExtendedProcessInformation
Fix NtClose, performance.
Add ProcessHandleTracing
Add SystemExtendedHandleInformation
Fix SYSTEM_HANDLE_TABLE_ENTRY_INFO.UniqueProcessId
Add local breakpoints.
Fix time conversion.
Add NtQueryWindow
Add NtUserBuildHwndList
Del FindWindow(), add NtUserFindWindowEx
Del BlockInput(), add NtUserBlockInput
Add break on attach(!PEB.BeingDebugged), break on startup.


Indy
November 1st, 2013, 18:47
disavowed

Bypass Obsidium (v 1.5.0) dbg detect (olly 2), XP only tested.

six_L
November 4th, 2013, 18:19
Quote:
Antispam
Please answer the question. This process prevents automatic registration by spammers.

Reverse the crackme at the link: http://vxforum.net/b/c.rar . It contains a PNG image with the code.

What does it mean?
Is the following right?
Quote:
ntispam
Please answer the question. This process prevents automatic registration spammers.
Razreversite krekmi link: http://vxforum.net/b/c.rar. It is a PNG image with the code.

Indy
November 5th, 2013, 00:47
six_L

To restrict site of inappropriate content

Code:
Add NtUserWindowFromPoint
Add NtUserGetGUIThreadInfo
Add hide debug thread.
Fix NtOpenProcess
Fix IsProtectedProcess(), IsCurrentProcessThread().
Fix GetDebugObjectTypeIndex(W7).
Add SIDE check.
Add hide process name in snapshot.
Fix shadow initialize(W7).


http://yadi.sk/d/ESK5_yuvC9TsU

Kayaker
November 5th, 2013, 01:06
Quote:
Originally Posted by Indy: To restrict site of inappropriate content


vxforum != inappropriate content

That's funny

Indy
November 5th, 2013, 01:41
Relative to what.. Nice captcha

six_L
November 5th, 2013, 09:48
Quote:
six_L

To restrict site of inappropriate content

Code:
Add NtUserWindowFromPoint
Add NtUserGetGUIThreadInfo
Add hide debug thread.
Fix NtOpenProcess
Fix IsProtectedProcess(), IsCurrentProcessThread().
Fix GetDebugObjectTypeIndex(W7).
Add SIDE check.
Add hide process name in snapshot.
Fix shadow initialize(W7).


Wrong answer. Try again or change the question.

How do I answer the question correctly when I register on vxforum?

Indy
November 5th, 2013, 16:07
..

Indy
November 8th, 2013, 15:18
Many fixes, added rdtsc monitor/emulator.

http://yadi.sk/d/EcIZV-DHCNoQL

Indy
November 14th, 2013, 17:04
Added fast rdtsc dispatch.

Indy
November 22nd, 2013, 06:16
Kernel backdoor added.