Observed on Windows 2000: Themida hooks the following kernel-mode native API (Nt/Zw) services. The annotated hook bodies below were recovered from the live kernel; absolute addresses are specific to that build.
NtAllocateVirtualMemory
ZwCreateThread
ZwQueryVirtualMemory
ZwReadVirtualMemory
NtRequestWaitReplyPort
ZwTerminateProcess
ZwWriteVirtualMemory
; Themida_NtAllocateVirtualMemory -- Themida's replacement for the
; NtAllocateVirtualMemory service (Windows 2000, x86, six stack arguments).
; Decision logic:
;   * ProcessHandle == NtCurrentProcess (-1)          -> real service
;   * target process not in the protected-process table -> real service
;   * target is protected and the caller IS that process -> real service
;   * otherwise                                         -> return without calling it
; Review notes (details at the relevant lines): the reference taken by
; ObReferenceObjectByHandle is never released in this listing, the output
; slot is a single fixed address shared by every caller, and the denied
; path returns without setting an explicit NTSTATUS.
Themida_NtAllocateVirtualMemory:
push ebp
mov ebp, esp
pusha ; 8 GPRs = 32 bytes; [esp+28h] below is therefore [ebp+8], the first argument
call $+5 ; push the address of the next instruction ...
pop edx ; ... and pop it: edx = address of this pop
sub edx, 56C67F5h ; edx = position-independent base; hook data is addressed as edx+offset
cmp dword ptr [esp+28h], 0FFFFFFFFh ; ProcessHandle == NtCurrentProcess (-1)? (it is -1 being tested, not NULL)
jz short loc_EB98CC4E ; allocations in the caller's own process always reach the real service
push edx ; preserve the base across the call below (edx is caller-saved)
push 0 ; HandleInformation = NULL
lea eax, [edx+56C687Eh] ; &slot -- a single fixed location that receives the object pointer
push eax ; Object = &slot
push 0 ; AccessMode = KernelMode (0): the handle is resolved with kernel privileges
xor eax, eax
push eax ; ObjectType = NULL: no object-type check on the handle
push 10h ; DesiredAccess = 0x10
push dword ptr [ebp+8] ; Handle = ProcessHandle (argument 1)
mov eax, 8044D57Ah ; ObReferenceObjectByHandle on this build (identification from the original notes)
call eax
; ObReferenceObjectByHandle([ebp+8], 0x10, NULL, KernelMode, &slot, NULL)
; NOTE(review): the NTSTATUS returned in eax is ignored; the decision below is
; made purely on the slot contents.  The slot is not cleared before the call,
; so a stale pointer from an earlier call is tested if the call fails without
; writing it, and concurrent callers race on the same slot.  No
; ObDereferenceObject appears anywhere in this listing, so every successful
; call leaks one reference on the process object.
pop edx ; restore the position-independent base
cmp dword ptr [edx+56C687Eh], 0
jz near ptr 0EB98C6EDh ; slot still 0: jumps to 0EB98C6EDh, which the original notes report as invalid code (system crash)
mov eax, [edx+56C687Eh] ; eax = referenced process object
mov ebx, eax
and ebx, 7FFFFFFFh ; ebx = same pointer with bit 31 cleared; table entries match in either form -- reason not evident, TODO confirm
mov esi, 0EBABB000h ; protected-process table; the loop pre-increments, so the first entry compared is [0EBABB004h]
loc_EB98CC17:
///////////////////////////////////////////////////////////////////////////////////// attention
add esi, 4
cmp dword ptr [esi], 47616420h ; end-of-table marker
jz short loc_EB98CC4E ; not a protected process: pass through to the real service
cmp [esi], eax
jz short loc_EB98CC2C ; entry equals the object pointer -> protected
cmp [esi], ebx
jz short loc_EB98CC2C ; entry equals the masked pointer -> protected
jmp short loc_EB98CC17 ; next entry
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC2C:
///////////////////////////////////////////////////////////////////////////////////// attention,is protect process
; Target is a protected process: allow the call only if the caller is that same process.
push fs
mov eax, 30h
mov fs, ax ; fs = KPCR selector (0x30) so per-processor data can be read
mov eax, large fs:124h ; current thread (KPCR.PrcbData.CurrentThread; labelled ETHREAD in the original notes)
mov eax, [eax+44h] ; the thread's process (labelled KPROCESS in the original notes) -- offset is build-specific
pop fs
cmp eax, [edx+56C687Eh]
jz short loc_EB98CC4E ; caller == target process: pass through
/////////////////////////////////////////////////////////////////////////////////////
; Denied path: return to the caller without invoking the real service.
; eax is not set explicitly -- popa restores it to its value on entry -- so the
; NTSTATUS the caller observes is whatever eax held at entry, not a defined status.
popa
pop ebp
retn 18h ; pop the 6 arguments of NtAllocateVirtualMemory
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC4E:
/////////////system function
; Pass-through: restore all registers and tail-jump to the real service (push/retn).
popa
pop ebp
push 804C73E8h ; real NtAllocateVirtualMemory on this build (identification from the original notes)
retn
// Notes on the data referenced by the listings below:
// 80414520h -- object pointer of the process Themida protects. The dump below holds the
//              bytes 20 45 41 81, which read as 81414520h little-endian; one of the two
//              values is probably a transcription error -- verify against the live table.
// 00400000h -- base address of the protected memory range.
// 02E40000h -- described as the range size, but the hook compares the request start
//              directly against this dword ([esi+8]), so it acts as an upper bound (end address).
// EB99C410h -- the table itself, 20h bytes: [4E67EEF4h][object][base][end][4E67EEF5h end marker].
00000000h: F4 EE 67 4E 20 45 41 81 00 00 40 00 00 00 E4 02 ; ..gN EA...@.....
00000010h: F5 EE 67 4E 00 00 00 00 00 00 00 00 00 00 00 00 ; ..gN............
; Fragment of the hook shared by ZwReadVirtualMemory and ZwWriteVirtualMemory.
; The prologue is not shown; on entry to this fragment the code not listed has
; already set eax = target process object (presumably obtained as in the other
; hooks -- not visible here), esi = cursor into a first table, and edi = 1 for
; the read variant.  Two tables are scanned for the object: the one esi already
; points at, then the 20h-byte table at 0EB99C410h.  If the object is found
; and the requested [BaseAddress, BaseAddress+Size) overlaps the protected
; range stored next to it, the call is redirected; otherwise the real
; read/write service is called.
EB99C956:
loc_EB99C956:
cmp dword ptr [esi], 4E67EEF5h ; end-of-table marker of the first table
jz short loc_EB99C967 ; not found here: go scan the second table
cmp [esi], eax
jz short loc_EB99C97D ; object found: check the range stored at [esi+4]/[esi+8]
add esi, 4
jmp short loc_EB99C956 ; next entry
loc_EB99C967:
/////////////////////////////////////////////////////////////////////////////////////////////
mov esi, 0EB99C410h ; second table: [4E67EEF4h][object][base][end][4E67EEF5h]
loc_EB99C96C:
cmp dword ptr [esi], 4E67EEF5h ; end-of-table marker
jz short loc_EB99C997 ; not a protected process: the memory may be read/written normally
cmp [esi], eax
jz short loc_EB99C97D ; object found: check the range
add esi, 4
jmp short loc_EB99C96C ; next entry
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB99C97D:
; Range check.  Arguments are those of Nt{Read,Write}VirtualMemory:
; [ebp+0Ch] = BaseAddress (argument 2), [ebp+14h] = NumberOfBytes (argument 4).
mov ecx, [ebp+0Ch] ; ecx = requested start
mov edx, ecx
add edx, [ebp+14h] ; edx = requested end (start + size)
; NOTE(review): no carry check -- a size that wraps start+size to a value below
; the protected base passes the `jb` test below.  Whether the real service
; then rejects the wrapped range is not shown in this listing.
cmp edx, [esi+4]
jb short loc_EB99C997 ; request ends before the protected base: allow
cmp ecx, [esi+8]
ja short loc_EB99C997 ; request starts after the protected end ([esi+8] is used as an end address, not a size): allow
; Overlap: the call is diverted to a different service with the read/write
; arguments still on the stack.  The target address is labelled
; ZwSetInformationObject in the original notes; the status it produces with
; these arguments is not shown here.
popa
pop ebp
push 804D66F6h ;ZwSetInformationObject
retn
loc_EB99C997:
; Pass-through: edi selects which real service is tail-jumped to.
cmp edi, 1
jz short loc_EB99C9A0 ; edi == 1: read variant
popa
pop ebp
jmp short loc_EB99C9A8 ; otherwise the unlabelled service at 804D2678h (presumably ZwWriteVirtualMemory -- not identified in the listing)
loc_EB99C9A0:
popa
pop ebp
push 804D2562h ; ZwReadVirtualMemory
retn
loc_EB99C9A8:
push 804D2678h ; unlabelled real service (see note above)
retn
; Themida_NtRequestWaitReplyPort -- Themida's replacement for the
; NtRequestWaitReplyPort LPC service (three stack arguments: PortHandle,
; RequestMessage, ReplyMessage; retn 0Ch).
; Reads the dword at RequestMessage+20h and looks it up in a table; if it is
; found, the hook returns STATUS_SUCCESS without sending the request and
; without touching ReplyMessage.  Otherwise the real service is called.
; What the dword at +20h represents is not identified in this listing --
; it lies past the 18h-byte PORT_MESSAGE header, i.e. inside the message
; body; presumably an id or object that Themida wants to hide -- TODO confirm.
; NOTE(review): the RequestMessage pointer is dereferenced directly; no probe
; or exception handling is visible here, so an invalid user pointer would
; fault in kernel mode.
Themida_NtRequestWaitReplyPort:
push ebp
mov ebp, esp
pusha
call $+5 ; position-independent base, as in the other hooks
pop edx
sub edx, 5676FCAh
mov eax, 0 ; constant-zero test: the jz below is always taken
or eax, eax
jz short loc_EB9391C0
mov eax, [ebp+0Ch] ; dead code: never reached (would read RequestMessage+0)
mov eax, [eax]
jmp short loc_EB9391C6
loc_EB9391C0:
mov eax, [ebp+0Ch] ; eax = RequestMessage (argument 2)
mov eax, [eax+20h] ; eax = dword at RequestMessage+20h (see header note)
loc_EB9391C6:
or eax, eax
jz short loc_EB9391EA ; zero: nothing to match, pass through
lea esi, [edx+567701Ch] ; table of values to intercept
loc_EB9391D0:
//////////////////////////////////////////////////////////////////////////////////////////////
cmp dword ptr [esi], 8A87D3A3h ; end-of-table marker
jz short loc_EB9391EA ; not found: pass through
cmp [esi], eax
jz short loc_EB9391F4 ; found: suppress the request
jmp short loc_EB9391E5 ; next entry
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB9391DF:
push 804C3080h ;NtRequestWaitReplyPort
retn
loc_EB9391E5:
add esi, 4
jmp short loc_EB9391D0
loc_EB9391EA:
jmp short loc_EB9391F0 ; jump to the next instruction (no effect)
loc_EB9391F0:
/////////////ret system function
; Pass-through: restore registers, then tail-jump to the real service.
popa
pop ebp
jmp short loc_EB9391DF
loc_EB9391F4:
/////////////attention,not call system function
; Suppressed path: return STATUS_SUCCESS (eax = 0) to the caller; the message
; is never delivered and ReplyMessage is left as the caller supplied it.
popa
pop ebp
xor eax, eax
retn 0Ch ; pop the 3 arguments
; Themida_ZwTerminateProcess -- Themida's replacement for the
; NtTerminateProcess service (two stack arguments: ProcessHandle, ExitStatus;
; retn 8).
; If the target handle resolves to a process listed in the table at
; 0EBAC8000h, the matching table entry is overwritten with 0FFFFFFFFh and the
; hook returns STATUS_SUCCESS WITHOUT terminating the process.  Otherwise
; control is passed on to the address 0ECDEA7AEh.
; Differences from Themida_NtAllocateVirtualMemory worth noting: there is no
; NtCurrentProcess (-1) short-circuit and no check of who the caller is; a
; zero slot passes through instead of jumping to an invalid address.  As in
; the other hook, the reference taken below is never released here.
Themida_ZwTerminateProcess:
push ebp
mov ebp, esp
pusha
call $+5 ; position-independent base
pop edx
sub edx, 56C24FAh
push edx ; preserve the base across the call (edx is caller-saved)
push 0 ; HandleInformation = NULL
lea eax, [edx+56C256Ah]
push eax ; Object = &slot (a single fixed location, shared by all callers)
push 0 ; AccessMode = KernelMode (0)
mov eax, 80481EA4h ; PsProcessType is loaded here but immediately discarded by the xor below ...
xor eax, eax
push eax ; ... so ObjectType = NULL is actually passed: no object-type check on the handle
push 10h ; DesiredAccess = 0x10
push dword ptr [ebp+8] ; Handle = ProcessHandle (argument 1)
mov eax, 8044D57Ah ; ObReferenceObjectByHandle on this build (identification from the original notes)
call eax
; ObReferenceObjectByHandle([ebp+8], 0x10, NULL, KernelMode, &slot, NULL);
; the returned NTSTATUS is ignored and the decision is made on the slot contents.
; NOTE(review): the slot is not cleared before the call and no
; ObDereferenceObject appears in this listing -- see the header.
pop edx ; restore the position-independent base
cmp dword ptr [edx+56C256Ah], 0
jz short loc_EB938A3A ; slot still 0: pass through
mov eax, [edx+56C256Ah] ; eax = referenced process object
mov ebx, eax
and ebx, 7FFFFFFFh ; ebx = pointer with bit 31 cleared; matched in either form (reason not evident, TODO confirm)
mov esi, 0EBAC8000h ; protected-process table (a different address from the one used by the allocate hook); first entry compared is [0EBAC8004h]
loc_EB938A1D:
//////////////////////////////////////////////////////////////////////////////////////////////
add esi, 4
cmp dword ptr [esi], 47616420h ; end-of-table marker
jz short loc_EB938A3A ; not a protected process: pass through
cmp [esi], eax
jz short loc_EB938A32 ; entry equals the object pointer -> protected
cmp [esi], ebx
jz short loc_EB938A32 ; entry equals the masked pointer -> protected
jmp short loc_EB938A1D ; next entry
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB938A32: ; protected process: invalidate its entry in THIS table, then report success
mov dword ptr [esi], 0FFFFFFFFh ; later lookups in this table no longer match; whether the other hooks' tables are updated is not shown here
jmp short loc_EB938A42
loc_EB938A3A:
/////////////system function
; Pass-through: tail-jump to 0ECDEA7AEh.  This is not an ntoskrnl address like
; the other hooks' targets -- presumably a further hook layer or trampoline,
; not identified in the listing.
popa
pop ebp
push 0ECDEA7AEh
retn
loc_EB938A42:
/////////////attention,not call system function
; Suppressed path: return STATUS_SUCCESS (eax = 0); the process is NOT terminated.
popa
pop ebp
xor eax, eax
retn 8 ; pop the 2 arguments