Problems with SDProtector


haggar
08-21-2005, 09:53 AM
Hi. I hope that somebody here will be able to give me answer/help on my question.

I've been trying to unpack/study SDProtector 1.12 Basic/Pro edition. It's one more commercial protector for PE files, and this one is pretty good, at least very hard for me. My question is not about unpacking it, although it has something to do with it. This protector has an internal list of enemy processes and window names (classes of Olly, LordPE, Filemon, ... just to name a few) and it constantly searches for their presence. But it also has one more smart thing that makes it extremely unpleasant to deal with: it adds new enemies to its list. For example:

You want to attach to the active process that is protected with this protector. You run the target, then Olly, and immediately you get a message that a debugger is discovered and both close. It uses threads for that job. Then you rename Olly to something else, "re-pair" for example. The renamed Olly will not be closed and you'll be able to attach, but when you run the target within Olly it discovers it and closes again. Now you open that renamed Olly and start the target again, and this time the protector recognizes that renamed instance of Olly! It has added this new name to some list and you'll need to rename Olly again.

The conclusion is that the protector probably writes that information somewhere in the registry or in some file. Using Sysinternals tools I didn't find any interesting files; I found a couple of CLSID keys which I have deleted, but still that didn't help. Then I found that SDProtector and targets packed with it (if you use the time trial options) have one reg key. The name of this key can be whatever you call it, but it has one subkey: version. Now this is the place where I'm stuck. This subkey is impossible to open/delete/rename using regedit or any other tool; you get an error message. Lots of googling and asking on the forums brought me to terms like rootkit, embedded nulls, native Win APIs. It seems that this key uses some trick/exploit that makes it impossible to access. I used Sysinternals RootkitRevealer to see what info it can give me, but this tool doesn't find this key. This leaves me at a dead end. I'm not a coder, not much of a cracker either, and I don't know what to do.

Well, my question would be: did any of you guys have dealings with this kind of problem? Are there some tools that can give me access to this, or some material to read about this subject from a reverser's point of view? Can a tool for recognizing this key be made at all?


Regards, haggar.

Wizi
08-30-2006, 11:21 AM
I don't know if it will help you, but I hope it does:

1. Try to write a program to delete that key.

If that doesn't work:

2. Try and debug regedit and see why the error message appears (this could be very time-consuming)

or

3. Use a Linux distro (from a bootable CD) with a program that can read/write/delete registry entries (google it, I think there are a few)

fileoffset
09-06-2006, 02:05 AM
You have a few options as said.

Firstly I would try a few rootkit tools, I recommend:

IceSword
Sophos Anti-Rootkit

There are more, search the net for them if these give no results.

The other thing that it might be doing is using permissions on the key. NT supports permission-based registry keys. To modify/check permissions on a registry key:

start->run->regedt32.exe

navigate to the key, click on the Security menu option and check the permissions for that key.

hope this helps!
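The two explanations raised in this thread, a key name with an embedded null that Win32 tools cannot address (the "embedded nulls, native Win APIs" haggar's searching turned up) and a key locked down by its ACL (fileoffset's permissions point), can be told apart and dealt with from one small program, which is also Wizi's first suggestion. The script below is an added example, not code from the thread or from SDProtector, and it assumes the key was hidden with the embedded-NUL trick: RegOpenKeyEx, RegDeleteKey and therefore regedit take NUL-terminated strings, so a key created with NtCreateKey and a UNICODE_STRING whose name contains a NUL is cut short at that NUL and can never be named through Win32, while NtOpenKey/NtEnumerateKey/NtDeleteKey take an explicit byte Length and address it exactly as stored. Paths are native object-manager paths, not hive names (HKLM is \Registry\Machine, HKCU is \Registry\User\<your SID>); the \Registry\Machine\SOFTWARE\Example default is a hypothetical placeholder for the key SDProtector actually created, and opening under \Registry\Machine needs administrator rights. The native calls only run on Windows; the pure helpers show what a Win32 caller sees of such a name.

```python
"""Reach a registry key whose name carries an embedded NUL, via the native API.

Win32 registry functions (RegOpenKeyEx, RegDeleteKey, hence regedit) take
NUL-terminated strings, so a key created through NtCreateKey with a UNICODE_STRING
containing a NUL is cut at that NUL. The Nt* calls take an explicit byte Length
instead, so they can address the key exactly as stored.
"""
import ctypes
import sys

OBJ_CASE_INSENSITIVE = 0x00000040
KEY_READ = 0x00020019
DELETE = 0x00010000
KEY_BASIC_INFORMATION = 0          # KEY_INFORMATION_CLASS.KeyBasicInformation
STATUS_NO_MORE_ENTRIES = 0x8000001A
STATUS_ACCESS_DENIED = 0xC0000022  # an ACL, not a naming trick, is what blocks you
STATUS_CANNOT_DELETE = 0xC0000121  # key still has subkeys: delete those first

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),         # bytes, embedded NULs counted
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_void_p)]

class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint32),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_uint32),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]

def win32_visible_name(name):
    """What a NUL-terminated API (RegOpenKeyEx, regedit) sees of this key name."""
    return name.split("\x00", 1)[0]

def hidden_subkeys(names):
    """Names Win32 callers cannot open because a NUL cuts them short."""
    return [n for n in names if win32_visible_name(n) != n]

def make_unicode_string(name):
    """UNICODE_STRING spanning the whole name. Keep the returned buffer alive."""
    raw = name.encode("utf-16-le")
    buf = ctypes.create_string_buffer(raw, len(raw) + 2)  # zero-padded terminator
    return UNICODE_STRING(len(raw), len(raw) + 2, ctypes.addressof(buf)), buf

def _status(value):
    return value & 0xFFFFFFFF  # NTSTATUS arrives as a signed C int

def _open_key(path, access):
    nt = ctypes.WinDLL("ntdll")
    us, keep_alive = make_unicode_string(path)
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(us),
                           OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    st = _status(nt.NtOpenKey(ctypes.byref(handle), access, ctypes.byref(oa)))
    if st == STATUS_ACCESS_DENIED:
        raise PermissionError("NtOpenKey: access denied; check the key's ACL")
    if st:
        raise OSError("NtOpenKey failed with NTSTATUS 0x%08X" % st)
    return nt, handle

def native_subkeys(parent_path):
    """Subkey names under a native path, exactly as stored (NULs survive)."""
    nt, handle = _open_key(parent_path, KEY_READ)
    names, index = [], 0
    try:
        while True:
            info = ctypes.create_string_buffer(1024)  # 16-byte header + 255 WCHARs
            needed = ctypes.c_uint32()
            st = _status(nt.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION, info,
                                           ctypes.sizeof(info), ctypes.byref(needed)))
            if st == STATUS_NO_MORE_ENTRIES:
                return names
            if st:
                raise OSError("NtEnumerateKey failed with NTSTATUS 0x%08X" % st)
            # KEY_BASIC_INFORMATION: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
            name_len = int.from_bytes(info.raw[12:16], "little")
            names.append(info.raw[16:16 + name_len].decode("utf-16-le"))
            index += 1
    finally:
        nt.NtClose(handle)

def delete_native_key(full_path):
    """Delete the key at a full native path; any component may contain a NUL."""
    nt, handle = _open_key(full_path, DELETE)
    try:
        st = _status(nt.NtDeleteKey(handle))
        if st == STATUS_CANNOT_DELETE:
            raise OSError("key still has subkeys; delete them first")
        if st:
            raise OSError("NtDeleteKey failed with NTSTATUS 0x%08X" % st)
    finally:
        nt.NtClose(handle)

if __name__ == "__main__" and sys.platform == "win32":
    # Hypothetical parent path: substitute the key SDProtector created.
    parent = sys.argv[1] if len(sys.argv) > 1 else r"\Registry\Machine\SOFTWARE\Example"
    for name in native_subkeys(parent):
        print(repr(name), "<-- Win32 sees only %r" % win32_visible_name(name) if "\x00" in name else "")
```

Run it against the parent of the stubborn key first: a name printed with a "\x00" in it is the embedded-null case, and `delete_native_key(parent + "\\" + name)` removes it, innermost key first. A PermissionError instead means the key is simply ACL-protected, which is the case regedt32's Security dialog handles.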