ASPR 1.23 loader SEH approach


Mrklippel
April 18th, 2004, 09:20
hi guys,

i'm not a newbie concerning aspr protection, but compared to you
i might be considered one..

in the latest ASPR protections i found that if i created a loader
that patches bytes in memory, my loader wouldn't function..

because of a loader protection scheme of Alexey..

Now i used Olly to approach the victim, and after a few SEH's
(depending on the target, 15 to 23 SEH's) i was able to patch the memory
and have the program run without any nags anymore..

now comes my question..

I know it is possible to do SEH handling inside ASM but as i am fairly new to that, i'd like some help if possible..

i can create a loader in asm, that patches bytes in memory, but...

i need to do this after a few SEH's (depending on the target)

how can i do this ?

load a target, so that it handles SEH's

count the SEH's that occurred and after a number of SEH's start to look for
the bytes in memory to patch..

i tried to look for asm and SEH examples on the internet, and on this forum, but i only found a few examples that had SEH handling inside, and these examples weren't loaders.

is there someone who wants to help me out here and give me / point me
to an example of a loader in ASM that handles SEH ?

or someone who wants to do this part together...

I never started with unpacking ASPR myself, because i hate stolen bytes and api simulation etc..
and i like the idea of leaving the target "physically" untouched

anyone able to provide me with some knowledge ?

if i have the complete solution for a "SEH" enabled aspr loader, i'll share a template with you guys..

grtz, MrKlippel

crUsAdEr
April 18th, 2004, 10:09
Code:

invoke CreateProcessA, addr ProgName, NULL, NULL, NULL, NULL,\
       DEBUG_PROCESS+DEBUG_ONLY_THIS_PROCESS+NORMAL_PRIORITY_CLASS,\
       NULL, NULL, addr startInfo, addr processInfo
.if eax==0
    lea eax, Cant_create_Process
    jmp @error
.endif ; create the damn process

DebugLoop:
    ; block until the debuggee reports an event
    invoke WaitForDebugEvent, offset DebugEvent, INFINITE
    mov eax, DebugEvent.dwDebugEventCode

    cmp eax, CREATE_PROCESS_DEBUG_EVENT
    jz CreateProcessEvent

    cmp eax, EXIT_PROCESS_DEBUG_EVENT
    jz ExitProcessEvent

    cmp eax, EXCEPTION_DEBUG_EVENT
    jz ExceptionEvent

    jmp ContinueProcess ; any other event: just resume the debuggee

CreateProcessEvent:
    ; remember the process id and thread handle the debuggee reports;
    ; they are needed later for Read/WriteProcessMemory
    mov eax, DebugEvent.dwProcessId
    mov processInfo.dwProcessId, eax
    mov eax, DebugEvent.u.CreateProcessInfo.hThread
    mov processInfo.hThread, eax
    jmp ContinueProcess

ExitProcessEvent:
    invoke ContinueDebugEvent, DebugEvent.dwProcessId,\
           DebugEvent.dwThreadId, DBG_CONTINUE
    invoke ExitThread, 0 ; EXIT

ExceptionEvent:
    ; is exception a Breakpoint?
    ; here do the SEH counting & PATCHING
    ;
    ; Only exceptions the loader caused itself (its own int3 breakpoints)
    ; may be continued with DBG_CONTINUE. Anything else must be handed
    ; back with DBG_EXCEPTION_NOT_HANDLED, otherwise the exception is
    ; swallowed and the debuggee's own SEH handlers never run.
    mov eax, DebugEvent.u.Exception.ExceptionRecord.ExceptionCode
    cmp eax, EXCEPTION_BREAKPOINT
    jz ContinueProcess
    invoke ContinueDebugEvent, DebugEvent.dwProcessId,\
           DebugEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED
    jmp DebugLoop

ContinueProcess:
    invoke ContinueDebugEvent, DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_CONTINUE
    jmp DebugLoop


I dug up some old notes on aspr.. hope this helps.. you will need to modify and tweak it a bit i guess...
search on DebugAPI for more info..

Mrklippel
April 18th, 2004, 10:13
Quote:
[Originally Posted by crUsAdEr]
I dug up some old notes on aspr.. hope this helps.. you will need to modify and tweak it a bit i guess...
search on DebugAPI for more info..


@crUsAdEr

thanx for such a quick reply,
i'm gonna try it immediately..

thx again d00d

Mrklippel
April 18th, 2004, 17:21
hi guys,

i made a rather successful approach with my loader so far

Crusader, you gave me the right direction, however i adjusted things a bit..

what i did :

in my loader i counted the number of seh's

and after 15h of them (for my victim) i patched the memory..

sometimes this can be a lower number sometimes higher
because ASPR sometimes skips routines..

it really is a simple approach..

i'm only diving into defeating the trial protection part... once i am able to implement that into my loader... i got it working, and i'll share it with you guys..

i searched the board on aspr and trial protection, and found some interesting articles, however i didn't find what i'm looking for..

i read that aspr not only adds a key in its own part of the registry but
somewhere in the CLSID ....

does anyone have a clue how to find that reg entry ?

because i could regclean my system, but i cannot implement that in my loader

if someone wants to take a look at unfinished ASPR loader code
private message me, i'll mail it

bye for now

grtz MrKlippel

gook
April 20th, 2004, 01:41
Hello Mrklippel,

Maybe you want to take a look at Manko's asprdbgr. Reading the source can be a great way to help you in the direction. It can be found on this board.

Greetings

Mrklippel
April 20th, 2004, 09:34
Quote:
[Originally Posted by gook]
Hello Mrklippel,

Maybe you want to take a look at Manko's asprdbgr. Reading the source can be a great way to help you in the direction. It can be found on this board.

Greetings


mmmm i'm thinking about a different approach...

i'm gonna monitor registry access during the ASPR seh's...

and do a lil trick with that..