
[ARTeam] TheMida r0 exploit


deroko
December 14th, 2006, 07:24
I hope TheMida will be used more and more. If so, this will be heaven for virii until they fix the bug in their driver.
I have attached small code that will hook NtClose using a bug in oreans32.sys, which is explained in ARTeam ezine #2. It is just a PoC; don't run the .exe outside of a VM, and before running the .exe in a VM make sure that at least one TheMida-protected app is started (or at least was running before you run attack.exe, because oreans32.sys stays in memory).

attack.asm will simply use IOCTL 1A00 to execute any ring3 code at DPL0 and hook NtClose in the SDT; of course, you might also use this trick to modify system structures (EPROCESS for example, or maybe perform hyper-infection by hooking NtCreateFile).

As always, nice ideas from ARTeam,
deroko/ARTeam
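The bug class deroko describes, a driver IOCTL that runs a pointer taken from the caller's request buffer, as an added user-mode simulation that is not part of the original post and is not ARTeam's attack.asm. Everything below is constructed for illustration: the request layout, the names, the two-entry "SDT" and the NtClose index are assumptions, not the real oreans32.sys interface or the real service table. The vulnerable handler stands beside a hardened one that simply does not expose a "run my code" primitive, and the payload shows the NtClose hook that forwards to the original entry.

```c
/* Added illustration (not from the original post or ARTeam): a user-mode
 * simulation of an IOCTL handler that calls a function pointer supplied in
 * the request buffer. The request struct, the SDT array, the index of
 * NtClose and every name here are constructed for this example; they are
 * NOT the real oreans32.sys interface. Builds and runs on any hosted C. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef long NTSTATUS_SIM;
typedef NTSTATUS_SIM (*sdt_entry_t)(uintptr_t handle);

#define STATUS_SUCCESS_SIM            0L
#define STATUS_INVALID_PARAMETER_SIM (-1L)
#define IOCTL_RUN_CALLBACK 0x1A00   /* IOCTL number named in the post */
#define SDT_INDEX_NTCLOSE  1        /* index is assumed for the simulation */

/* Simulated kernel state: a tiny System Service Descriptor Table. */
static NTSTATUS_SIM sim_NtCreateFile(uintptr_t h) { (void)h; return STATUS_SUCCESS_SIM; }
static NTSTATUS_SIM sim_NtClose(uintptr_t h)      { (void)h; return STATUS_SUCCESS_SIM; }
static sdt_entry_t sim_sdt[] = { sim_NtCreateFile, sim_NtClose };

/* Request format assumed for the simulation: a function pointer plus one argument. */
typedef void (*ring0_callback_t)(void *arg);
struct run_request { ring0_callback_t fn; void *arg; };

/* Vulnerable handler: trusts the pointer in the buffer and calls it with
 * the driver's privilege, i.e. arbitrary caller-chosen code "at ring 0". */
NTSTATUS_SIM vulnerable_ioctl(uint32_t code, const void *buf, size_t len) {
    if (code != IOCTL_RUN_CALLBACK || len < sizeof(struct run_request))
        return STATUS_INVALID_PARAMETER_SIM;
    const struct run_request *req = buf;
    req->fn(req->arg);
    return STATUS_SUCCESS_SIM;
}

/* Hardened handler: no IOCTL exists that executes caller-supplied code,
 * so the request is rejected before anything in the buffer is trusted. */
NTSTATUS_SIM hardened_ioctl(uint32_t code, const void *buf, size_t len) {
    (void)code; (void)buf; (void)len;
    return STATUS_INVALID_PARAMETER_SIM;
}

/* Attacker payload: replace the NtClose entry in the (simulated) SDT with a
 * hook that counts calls and forwards to the original routine. */
static sdt_entry_t original_NtClose;
static unsigned long hook_hits;
static NTSTATUS_SIM hooked_NtClose(uintptr_t h) {
    hook_hits++;
    return original_NtClose(h);
}
static void payload_hook_ntclose(void *arg) {
    sdt_entry_t *table = arg;
    original_NtClose = table[SDT_INDEX_NTCLOSE];
    table[SDT_INDEX_NTCLOSE] = hooked_NtClose;
}

/* Check a defender would make: does the NtClose slot still point at the original? */
int ntclose_is_hooked(void) { return sim_sdt[SDT_INDEX_NTCLOSE] != sim_NtClose; }

/* Send the hook payload through the given handler; returns the handler's status. */
NTSTATUS_SIM run_attack(NTSTATUS_SIM (*handler)(uint32_t, const void *, size_t)) {
    struct run_request req = { payload_hook_ntclose, sim_sdt };
    return handler(IOCTL_RUN_CALLBACK, &req, sizeof req);
}

/* Call NtClose through the table n times; returns how many calls the hook saw. */
unsigned long call_ntclose_times(unsigned n) {
    for (unsigned i = 0; i < n; i++)
        sim_sdt[SDT_INDEX_NTCLOSE]((uintptr_t)i);
    return hook_hits;
}

int main(void) {
    printf("hardened:   status %ld, hooked=%d\n", run_attack(hardened_ioctl), ntclose_is_hooked());
    printf("vulnerable: status %ld, hooked=%d\n", run_attack(vulnerable_ioctl), ntclose_is_hooked());
    printf("NtClose calls seen by hook: %lu\n", call_ntclose_times(3));
    return 0;
}
```

The point the simulation makes is that the only robust fix is the hardened handler's shape: a driver reachable from user mode must never dereference or call a pointer it did not produce itself, and the "stays in memory after the protected app exits" behaviour deroko notes is exactly why such a primitive remains exploitable long after the legitimate user is gone.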

Maximus
December 14th, 2006, 11:28
**Great!**

Unfortunately, TheMida r0 is more diffused than one might think...

Sab
December 14th, 2006, 16:05
Nice one, Deroko.

Vrane
December 15th, 2006, 08:57
Nice work as always.