Hi, BTW, +SPLAJ!

in respect for Woodmann's job, I forced myself to write this little gift(?),
for show: this RCE-MB is NOT for cracking, but for researching & knowledge_sharing


So..my DEAdR Protetors, lets enlarge your phuntasy.
For now, letz EASY-PEASY defiat some futures of "some" SiCe plugin called "ICEDUMP".


1. Future- "/PROTECT"
This quite cool future changes IDT's memory attribute to "SUPERVISOR",
so easy reports Read-Write attempt from Ring3 code.
However that is also quite easy way for detect this or change
using STANDARTness windz-API!

DETECT it using "VirtualQuery" function for IDT memory page.

CHANGE it using "VirtualProtect" function.
[note: R-only pages upper 80000000 won't change, because API so coded. {Hint!?}]


2. Future- in function "/TRACEX"- option "Emulate NT win32-selectors"

Read from & write back into selectors, & will self-defiated!
(:injoi


3. in function "/TRACEX" RDTSC is badly simulated.
in EDX returns 0;
EAX not increments;
???~:0???


4. under "/TRACEX" SIDT simulation:
A) reports IDT address upper C0000000h. Check it, so easy
(because of it "VirtualQuery" will fail anyway!)
B) DAEMON already reported, that address points to fake IDT with strange structure.

.
more come tomorrow

*-*
in attachment I put sample EXEcuteble
Usage:
1. Set "/PROTECT ON" in ICEDUMP & execute. It will detect & restore RW/User attrib.
2. Load EXE, start tracer with command "/TRACEX 401000 401040"
2a. if you enable "Emulate NT win32-selectors" with command "/OPTION T E" & again
try "/TRACEX 401000 401040", EXE will crash.

but keep in mind that some of antivirus software also protects IDT pages (agains ring0 virii)

so if it will RW/S, VProtect API can do RW/U
& then check for IDT..

1. Future- "/PROTECT"
This quite cool future changes IDT's memory attribute to "SUPERVISOR",
so easy reports Read-Write attempt from Ring3 code.
However that is also quite easy way for detect this or change
using STANDARTness windz-API!

so easy reports Read-Write attempt from Ring3 code <--- RingX :/
it's taking usage of the page_table

uhmm NO emulation is perfect... the owl said it is compatible to a LOT of protections! of course it's always a cat'n'mouse game u write emulation, next guy writes detection code...

^DAEMON^

Hi Evaluator,


Here you can see how Svkp detects if IceDumps is in memory:

017F:xxxxxxxx MOV ESI, AddressOfExportsByOrdinal of Kernel32.dll
...(GARBAGE)
017F:xxxxxxxx XOR EDX, EDX ; reset counter
...(GARBAGE)
017F:0D7778BD CMP EDX,[EDI+14] ; check if EDX = max ordinal exports
...(GARBAGE)
017F:0D7778C5 JAE 0D77808F ; If Icedump isn't in memory will never jump
...(GARBAGE)
017F:0D7778D8 MOV ECX,00000007 ; check 7 times
...(GARBAGE)
017F:0D7778E1 INC EDX ; Inc Counter
...(GARBAGE)
017F:0D7778FA LODSD ; load current export in table
...(GARBAGE)
017F:0D77790F CMP EAX,[ESI] ; check if current Export are equal than previous
...(GARBAGE)
017F:0D777916 JNZ 0D7778A5 ; jump if "Bad Boy"
...(GARBAGE)
017F:0D777925 LOOP 0D7778DD ; check again (7times)



* AddressOfExportsByOrdinal of Kernel32.dll WITHOUT IceDump
--------------------------------------------------------------------------------
ÄÄÄÄÄKERNEL32!ResetNLSUserInfoCache+7054ÄÄÄÄÄÄÄÄÄÄdwordÄÄÄÄÄÄÄÄÄÄÄÄÄPROTÄÄÄ(0)ÄÄ
0030:BFFC01D8 000013D4 000013D4 000013D4 000013D4 ................
0030:BFFC01E8 000013D4 000013D4 000013D4 000013D4 ................


* AddressOfExportsByOrdinal of Kernel32.dll WITH IceDump
--------------------------------------------------------------------------------
ÄÄÄÄÄKERNEL32!ResetNLSUserInfoCache+7054ÄÄÄÄÄÄÄÄÄÄdwordÄÄÄÄÄÄÄÄÄÄÄÄÄPROTÄÄÄ(0)ÄÄ
0030:BFFC01D8 000013D4 00056000 00056005 0005600A .....`...`...`..
0030:BFFC01E8 0005600F 00056014 00056019 0005601E .`...`...`...`..


As you can see SVKP checks if there are 7 EQUAL AND CONTIGUOUS DWORDS within
ExportsByOrdinalTable from Kernel32.dll. Since IceDump hooks some K32_Ordinals,
Svkp won't find those contiguous 7Dwords and then will exit silenty.


Best regards,
Gaia