Well KeAttachProcess is hooked because themida want to deny any pte changing from ring0 and process dumping from ring0. Well
it doesn't hook KeStackAttachProcess so we can still attach to process fromring0 and dump it, but we are also able to emulate
KeAttachProcess verysimple.
Now let's see what we have inIDT:
01h 0008:FFFFFFFF Interrupt 32 bit 03 0
03h 0008:FFFFFFFF Interrupt 32 bit 03 0
0Bh 0008:EBF0E3E8 Interrupt 32 bit 00 1
0Eh 0008:EBF0E000 Interrupt 32 bit 00 1
Oki, int1 and int3 are “hooked” with 0xFFFFFFFF, the reason why themida hooks int 0eh is to catch 0xFFFFFFFF memory access
and according to instruction that caused access to 0xFFFFFFFF totransfer executionto KiTrap01 orKiTrap03, inother words,
default handlers. Ofcourse ifit finds int3h in themida protected process, my best guess is BSOD because I didn't want to
experiment and to cause another BSOD just to learn in hard wayto do not mess withthemida hooks
Ifyou tryto remove anyofthese hooks you willget BSOD.
So to understand themida hooks I used one small home made ring0 memory dumper to dump hooks. But before we move to hook dumps
I willshow you hooks for KeAttachProcess and vsprintf in ntoskrnl.exe dumped withLiveKd:
kd> u KeAttachProcess
nt!KeAttachProcess:
804e3173 E9884E5D78 jmp F8AB8000
804e3178 56 push esi
804e3179 57 push edi
kd> u ntoskrnl!vsprintf
nt!vsprintf:
8050716b 33C0 xor eax,eax
8050716d C3 ret
Oki, ifwe dump memorycontent ofhook storedin KeAttachProcess we willsee this code:
push ebp
mov ebp, esp
pusha
call $+5
pop edx
sub edx, 940FB78h
push fs ; save FS
mov eax, 30h ; make it point to kpcr
mov fs, ax ;
mov eax, large fs:124h ; grab CurrentThread from kpcr
mov eax, [eax+44h] ; grab EPROCESS from ETHREAD
mov [edx+940FC00h], eax ; save EPROCESS struct
pop fs ; restore fs
mov eax, [ebp+4] ; now it takes saved EIP from stack
cmp eax, [edx+940FBF0h] ; this part is not interesting for us
jbe short loc_F8AB8040 ; because it is junk
cmp eax, [edx+940FBF4h] ;
jnb short loc_F8AB8040
jmp short loc_F8AB807D
loc_F8AB8052:
mov eax, [ebp+8] ;oki now we get to good stuff
cmp eax, [edx+940FC00h] ;cmp passed EPROCESS to KeAttachProcess
jz short loc_F8AB8076 ;with EPROCESS of protected process
mov esi, 0F8AAC000h ;themida internal struct
add esi, 4 ;esi points to EPROCESS field in
;internal struct
loc_F8AB8065:
cmp dword ptr [esi], 47616420h ;is it signature?
jz short loc_F8AB807D ;if so end of loop
cmp [esi], eax ;EPROCESS of protected process
jz short loc_F8AB8076 ;compared to saved one
add esi, 4 ;go to next entry in struct
jmp short loc_F8AB8065 ;loop
; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
; dumped structure comes here so it is easier to follow code
dd 47616420h ;signature (' daG'
dd 81B58DA0h ;EPROCESS of protected process
dd 47616420h ;signature again
dd 0
; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
loc_F8AB8076: ;return w/o attaching to target process
popa
pop ebp
xor eax, eax
retn 4
loc_F8AB807D: ;call some code in oreans.sys
popa
pop ebp
jmp short loc_F8AB8095
loc_F8AB8095:
mov edi, edi
push ebp
mov ebp, esp
jmp near ptr 804E3178h ;KeAttachProcess+5
To write driver that will be able to use KeAttachProcess we have to write small procedure that will be wrapper for
KeAttachProcess, but this is completely unnecessary work because we may attach using KeStackAttachProcess but what the hell,
we are doing this for fun and to learn something, at least that's the onlyreasonwhyI'mplaying withthemida.
KeAttachProcessWraper:
mov edi, edi
push ebp
mov ebp, esp
iMOV eax, KeAttachProcess
add eax, 5
jmp eax ;execute KeAttachProcess+5
Simple isn't it
This is very important instruction inabove code:
mov esi, 0F8AAC000h ;themida internal struct
If we take a look in disassembly of hook in IDA we might see that this instruction is located at hook_base + 5Dh:
If we step into procedure at BB07CDh we might see how it reads from ring0 memory and how int1 and int3 entries in IDT are
changed from ring3 code to point to some code in ring3. At first I thought that I'm crazy and I don't see well but honestly
there is code that sets IDT entries from ring3. I was wondering how this is performed. I dumped cs/ds registers just to make
sure that those are ring3. Then I wrote small driver to walk trough memory addresses from 80000000h ? FFFFFFFFh and check
PDE/PTE for User/Supervisor flag set in them. If 3rd bit of PDE or PTE, depending onpage size, is set that page can be
accessed fromanyring that is lover thanring0 (lover DPL) so afterrunning mydriver I gotthis fromDebugView:
00000000 0.00000000 Page at 0x8003F000 user visible
Huh, 0x8003F000 is base of IDT and is visible/writable/present in PTE so this address can be accessed by any ring3 program
without problem. Themida will deny access to this memory to any ring3 process except protectedone,ofcourse.
Then to test my theory I recoded int0e handler used by themida to allow access to any ring3 application to play with IDT
(write/read) and set int1/int3 handlers. Here is disassembly ofthemida int0e handler [check intfoobar driver]:
mov eax, [esp+28h] ;eip in eax
cmp eax, 0FFFFFFFFh ;is it caused by eip = ffffffff in other words
jz short loc_39 ;caused by execution of int1 and int3
mov eax, [esp+24h] ;takes ErrorCode
cmp eax, 0FFFFFFFFh ;errorcode cann't be -1 so this jmp is taken
jnz loc_1DD
...
mov eax, [ebx] ;this takes EIP passed to int1/int3
cmp byte ptr [eax-1], 0CCh ;and check if -1 is caused by int3h
jz short loc_1E5 ;pass exception to _KiTrap03
cmp word ptr [eax-2], 3CDh ;caused by INT 3h
jz short loc_1E5 ;pass exception to _KiTrap03
cmp word ptr [eax-2], 1CDh ;caused by INT 1h
jz short loc_1B1 ;pass Exception to _KiTrap0D
popa
popf
add esp, 10h
jmp short loc_1F0 ;pass Exception to _KiTrap01
This code is very simple, since int1 and int3 handles are set to 0FFFFFFFFh each occurrence of int3h (cc, cd03) from ring3
will try to call 0FFFFFFFF which will result in calling page fault handler (int 0eh), also if Trap Flag is set in eflags or
drX registers are used it will result in 0FFFFFFFF access. Calling int 1 (cd01) will also result in 0FFFFFFFF because themida
sets int1 handler to DPL 3, and in normal case its DPL is 0 which means each occurrence of int1 in ring3 will result in
calling Global Protection fault aka _KiTrap0D or int 0d handler(remember SoftIce detection via int1trick?). Oki, here is how
Now it tries to access address at 0FFFFFFFFhand page fault is generated so stack looks like this:
+------------+
| Eflags | saved from int1/int3
+------------+
| CS | saved from int1/int3
+------------+
| EIP | saved from int1/int3
+------------+
| Eflags | saved for int 0e
+------------+
| CS | saved for int 0e
+------------+
| EIP | EIP == 0FFFFFFFFh
+------------+
| ErrorCode | ErrorCode
+------------+
Now if int 0e handler detects that access to 0FFFFFFFFh is caused by certain conditions as shown in above disassembly it will
align stack, eg. remove data passed to int 0e handler and call KiTrap01/KiTrap03/KiTrap0D depending on instruction that
caused access violation. For fun I wrote small driver to do the same thing as themida and you may find it in [intfoobar]
folder witch will grant any ring3 application to read/write IDT and also will set int1/int3 handlers to 0FFFFFFFFh. Run your
debugger and debug any application w/o problem. Difference between my driver and oreans.sys is that oreans.sys will BSOD your
system if int1/int3 exception occurs in protected process. You may change protection in themida protected application and
inject nonintrusive tracers in it to see what is happening withcodeonce we reachcode caves.
We MAY use PAGE_GUARD in protected process to trace its execution. PAGE_GUARD, PAGE_NOACCESS and other page attributes are
implemented in Windows memory manger troughPage File. Ifwe trace VirtualProtect withany "weird" attributes set that are not
CPU specific we may see how page is erased from PTE and P bit is set to 0, also ntoskrnl.exe generates some "internal
protection mask" , stores PFN in PTE and uses invlpg to flush TLB, making sure that any access to PAGE goes trough int0e
handler. Once _KiTrap0E gains control it will check "internal protection mask" and decide what exception to throw back to
ring3. If no exception is needed PAGE is brought back to memoryand PTE is set to point to right Physical frame and P flag is
set to 1. Playing with PFN saved in PTE is kinda dangerous, we don't know if Microsoft is going to change PFN format so we
can't write any generic toolto check for presence ofPAGE_GUARD, in such way themida int 0e handler doesn't know if exception
occurred due to PAGE_NOACCESS or PAGE_GUARD. For moreonthis subject please refer to [6].
Role of int 0e handler hook is to prevent system from crashing if some other application access int1/int3, and to grant
access to the themida protected process to ring0 memory allocated by oreans.sys and to IDT as well.
Now when we know theory we should try that in practice, and see if everything worked as we planned. For this I have used
again hook in GetModuleHandleA to reach OEP, but now, I redirect executionto mycode whichwillprepare nonintrusive tracer.
Before we move to nonintrusive tracer forthemida protected application, you must be aware that we are not allowed to use
int1/int3 in it or we will get BSOD. So how to step over instruction which generated exception? Simple, use some other
instruction, privileged instruction. I used CLI, its usage in ring3 will generate privileged instruction exception and its
size is one byte (0fah), same size as int3h(0cch).
Okiletstake a lookat our crypted codeagain:
.dumped:0082E03E call @System@@LStrAsg$qqrv
.dumped:0082E043 call near ptr sub_BB07CD
.dumped:0082E048 or eax, [eax]
.dumped:0082E048 ; ----------------------------------------------------
.dumped:0082E04A db 0
.dumped:0082E04B db 0
.dumped:0082E04C db 0
.dumped:0082E04D db 0
.dumped:0082E04E db 0
.dumped:0082E04F db 0
.dumped:0082E050 db 3Ah
.dumped:0082E051 db 1
.dumped:0082E052 db 0
.dumped:0082E053 db 0
.dumped:0082E054 db 20h
.dumped:0082E055 dd 8F20EF73h
.dumped:0082E059 dd 0AF22EC81h
.dumped:0082E05D dd 8ACBEB98h
.dumped:0082E061 dd 8ACBEB98h
…
.dumped:0082E18D db 0
.dumped:0082E18E db 0
.dumped:0082E18F db 0
.dumped:0082E190 db 1
.dumped:0082E191 db 0
.dumped:0082E192 db 0
.dumped:0082E193 db 0
.dumped:0082E194 db 3Ah
.dumped:0082E195 db 1
.dumped:0082E198 db 20h
.dumped:0082E199 ; --------------------------------------------------------
.dumped:0082E199 mov cl, 1
.dumped:0082E19B mov edx, esi
.dumped:0082E19D mov eax, [ebp-4]
Call at 0082E043h will actually leave on stack address of crypted code and jmp to decrypt proc. Also you might see how there
is same code marker at 0082E048 and 0082E18D, don't be confused with or eax, [eax] it is also signature but disassembled
byIDA
My next approach was to change call near ptr sub_BB07CD with jmp to my hook which will initialize nonintrusive tracer, store
good ret address on stack and wait for access in code section. Actually I didn't know at first that this code is crypted, my
original intension was to log which part of code are accessed, what register values re used at that point, and then, later
on, to emulate those calls. After running tracer for 1st time I was more then happy, I had decrypted code. After I saw that
my approach is working I created two loaders: loader_bingo and loader_type3. Loader bingo is supposed to tell me from where
starts decrypted code, and loader_type3 is used later on to dump that memory region. There is totally 5 code crypt blocks, 3
during initialization and 2 during gallerycreation. [Allofdumped blocks are supplied withthis document]
82E055h
82E6C3h
855361h
826C84h
82740Ch
Let's take a lookat important partsofnonintrusive tracer forthis application:
cmp [ebp+4], 407419h
je __makefun
mov eax, 400000h
pop ebp
retn 4
__makefun: pusha
call newcodedelta
newcodedelta: pop ebp
sub ebp, offset newcodedelta
mov edi, 082e043h
lea ebx, [ebp+test2]
mov ecx, edi
add ecx, [edi+1]
add ecx, 5
mov dword ptr[ebp+ring0ring3address+1], ecx
mov ecx, edi
mov byte ptr[edi], 0e9h
add ecx, 5
sub ebx, ecx
mov dword ptr[edi+1], ebx
popa
mov eax, 400000h
pop ebp
retn 4
This part of code is called from GetModuleHandleA hook, and is used to check when we are close to our OEP. When we reach OEP
we will hook 1st call to themida decrypt code and redirect executiontoourcodewhichwillinitialize nonintrusive tracer:
bingo_address - address where decrypted code is (find it with loader_bingo)
bingo_size - len of crypted code
call_address - address where call to Decrypt is
ret_address - adress left on stack by call (call_address+5)
end_address - address of 1st valid instruction after crypted code
You have to repeat these steps for all 5 code blocks, you have all addresses, you have all dumped regions allyou have to do
is to applythemusing [ofixer.exe].
And we are done, we run unpacked application and try to produce some “gallery” and we see that we have unpacked it
perfectly:
IMAGE-09
That's it… if you want to crack it go ahead; I was interested in themida ring0 protection, not in application itself.
5. Conclusion
Verygood protection, verygood, ifI was software developer I would use themida 1.0.0.5 to protect my application. That would
for sure nook 90% ofreversing communityand your application would remain uncracked for a long time It was fun to play with
themida, just to show myself that I can do it. Now Iwillfocus onsome other protector
S verom uBoga, deroko/ARTeam
Allthe code provided withthistutorialis free forpublic use, just make a greetzto the authors and the ARTeamifyou
finditusefulto use. Don'tuse these concepts formaking illegaloperation, allthe info here reported are only meant forstudying
andtohelp having a betterknowledge ofapplication code security techniques.
6. References/Tools
[1] Unpacking Armadilloed DLL, deroko, http://tutorials.accessroot.com
[2] DebugView, Mark Russinovich, www.sysinternals.com
[3] AdvancedSubmitter 4.1.4,Target,
http://root.accessroot.com/tools/AdvSubmitter-v4.1.4-Unregistered.exe
[4] Unpacking and Dumping ExeCryptorand coding loader, deroko,http://tutorials.accessroot.com
[5] Anti-Anti-Dump and nonintrusive tracers, deroko, http://tutorials.accessroot.com
[6] Microsoft c Windows R Internals, Mark Russinovich, David Solomon, Microsoft Press
7. Greetings
I wish to tank all the ARTeam members for sharing their knowledge, to 29a virus writing group for one of the best e-zines, to
my friends from phearless e-zine, and to all great coders out there… and ofcourse you for reading this article.
