KROW @ SRESREVER

oh man

2007-10-31T04:34:00.000-07:00

quite some time passed since my last posting ere.... well all i wanna tell the people is, whenever you are at a party and you are drunk as the-f-word...

puh

2007-05-18T02:02:00.000-07:00

there's absolutely N-O-T-H-I-N-G going on in my life despite of me visiting the gym now ;)

the desktop wallpaper for 2k7 is here ;D

2007-03-27T16:44:00.001-07:00

the first enemy has arrived :)

2007-03-01T14:50:00.000-08:00

finally :) the first enemy is moving on the screen ;D

guys, don't forget....

2007-02-22T16:32:00.000-08:00

health probs...

2007-02-16T15:12:00.000-08:00

jah got some health probs which kept me from finishing the game yet... will do it asap

and another small update...

2007-02-02T02:20:00.000-08:00

:) still loads of things to do, there's no enemies yet integrated into the game and my level loading lacks... and some other things... but with every day i come closer to my own clone

some time later... i find myself rewinding our lovescenes in my daydreams

2007-01-21T16:12:00.000-08:00

yeh there we are :) slowly it starts to look like a working game...

there's still a f**k load of sh*t-work todo BUT i think iam doing quite good progress on it...

Giana hits 720p (my personal version)

2007-01-11T05:07:00.000-08:00

Giana Clone for my personal needs :)

HAPPY NEW YEAR! + XNA and me :>

2007-01-03T07:48:00.000-08:00

damn it, since i own a x360 i also wanna prog some crap for it, after a while i decided to write a little tetris clone for it ;)

Beta 2

2006-12-13T07:23:00.000-08:00

Beta 2 is out ;)

O1MFG T3H B3TA IS OUT!!!!!!!!

2006-12-06T00:23:00.000-08:00

http://daemon.reverse-engineering.net/ugdbgbeta1.rar - there you go boy ;)

oh yeh and rtfm...

coming closer

2006-12-02T02:26:00.000-08:00

this is a more decent picture of the whole thing :) not up to date but like i said, u can imagine better how it looks like atm

Why we do this ? Because we CAN !

2006-11-20T01:42:00.000-08:00

Yup, as you can see on the screenshot iam doing good progress...

a zombie ? an old friend of us, died recently

2006-11-10T08:46:00.000-08:00

well at least we could try to let the (innovative) UI survive partially :)

pic on bottom shows you a highlighted conditional jmp...

my keyboard has it's OWN life

2006-11-04T02:07:00.000-08:00

well if i look that close at it, i find it also disgusting :D but well iam still waiting for the day that it starts to talk... yet to come...

dealing with smartcards

2006-10-19T03:17:00.000-07:00

lately i stumble around with some smartcard stuff, quite interesting devices :D basically iam just playing around with some electronic stuff...

else well, been travelling a lot in the last few months... hope to find some time soon, i might release some of my older stuff and stuff that never hit the public, also if i can find some time i will invest some time to disable this nasty ring3 debuggers :)

STILL BORING :)

2006-06-03T14:59:00.000-07:00

sorry but there's no real news from my place ;) least not when it comes to computers...

PUH

2006-04-22T14:11:00.000-07:00

well pretty boring, somehow... nothing goes on... might spend some time reversing some events in the kernel...

THE ALMIGHTY KENReplay v1.2

2006-03-02T06:23:00.000-08:00

this is somewhat soooo not special but i thought it might be nice to put it here anyway, the KENReplay is a small piece of software that does nothing else than back then the action replay(TM) did.... and of course there's already more than enough such of those little funky thingys publicly available just like TSearch or similiar... anyway didn't stop me to write it on my own... just another one of my fun projects ;)

And another pinky little demo

2006-03-02T06:11:00.000-08:00

...BURP... and another demo created ;) this time with a logo-wobble-effect and a 3d starfield bound to the peak of the MP3... (+ a "rastered" scroller which changes it's color)

Catweasel ImageTool v1.0

2006-02-12T15:15:00.000-08:00

since i received my Catweasel controller from Individual Computers lately and sadly had to figure out that their supplied Imaging utility isn't very userfriendly i decided to write my own one... nothin special, just the very basic stuff got added to it.

Something different

2006-02-07T04:35:00.000-08:00

This time it's not about reversing it's more about gfx stuff... lately i've written a "Demo"... so if i find the time&motivation to cleanup portions of the code, i might publish it... (written in C++)

Happy new year!

2006-01-02T16:23:00.000-08:00

new year has landed and i wish all of you just the best for 2006

ANTI DLL INJECTION - A "C++" PORT

2005-12-28T23:20:00.000-08:00

since i released the asm version of it some time ago i thought it's maybe a nice gift to also release a C port of it...

the following source will display every injected dll / thread that exists in the process

compiled output should be like this below, if you notice more dll's in the process or more threads this can be of more reasons:

1. anti-dialer/trojan/virus software is installed / or some firewall app
2. you got infected by some malware

this can also be used to detect virus infections...
-------------------------------------------------------
Detecting injected DLL's v0.1

Process Environment Block found @ 0x7FFDF000
PEB_LDR_DATA found @ 0x00241E90
InLoadOrderModuleListHead found @ 0x00241EC0

===[ THIS MODULE ]===

ExeModuleFileName found @ 0x00020A28
ExeModuleName = G:\readtree.exe

===[ MODULES ]===

ModuleFileName found @ 0x77FB1618
ModuleName = E:\WINDOWS\System32\ntdll.dll - DLL OKAY!
ModuleFileName found @ 0x00241F70
ModuleName = E:\WINDOWS\system32\kernel32.dll - DLL OKAY!

===[ THREADS ]===

Active TH_CTR : 00000001
-------------------------------------------------------

#include "stdafx.h"
#include "windows.h"
#include "stdio.h"

DWORD GetPEB();
DWORD result;

//NTSTATUS NtQuerySystemInformation(
// SYSTEM_INFORMATION_CLASS SystemInformationClass,
// PVOID SystemInformation,
// ULONG SystemInformationLength,
// PULONG ReturnLength
//);

typedef BOOL (__stdcall *_NtQuerySystemInformation)(DWORD x,DWORD y,DWORD z,DWORD b);
_NtQuerySystemInformation NtQuerySystemInformation;

int main(int argc, char* argv[])
{
printf ("Detecting injected DLL's v0.1\n\n");
// GRAB PEB
DWORD pPEB = GetPEB ();
printf ("Process Environment Block found @ 0x%8.8X\n",pPEB);
DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);
printf ("PEB_LDR_DATA found @ 0x%8.8X\n",PEB_LDR_DATA);
DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);
printf ("InLoadOrderModuleListHead found @ 0x%8.8X\n\n",InLoadOrderModuleListHead);

// CURRENT FILE -- FIRST ENTRY
printf ("===[ THIS MODULE ]===\n\n");
DWORD ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
printf ("ExeModuleFileName found @ 0x%8.8X\n",ModuleFileName);
InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
int a = 255;
char *ansistr = new char[a];
WideCharToMultiByte(CP_ACP,0,(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
printf ("ExeModuleName = %s\n",ansistr);

// START LOOPING
printf ("\n\n===[ MODULES ]===\n\n");
while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C))
{
DWORD ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
printf ("ModuleFileName found @ 0x%8.8X\n",ModuleFileName);
InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
int a = 255;
char *ansistr = new char[a];
WideCharToMultiByte(CP_ACP,0,(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
printf ("ModuleName = %s",ansistr);
_strlwr(ansistr);
if (strstr (ansistr,"kernel32.dll") strstr (ansistr,"ntdll.dll"))
{
printf (" - DLL OKAY!\n");
}
else
{
printf (" - DLL INJECTED!\n");
}
}
//
// DETECT AND DISPLAY NUMBER OF RUNNING THREADS
//
HINSTANCE aHandle = LoadLibrary ("ntdll.dll");
if (aHandle != 0)
{
NtQuerySystemInformation = (_NtQuerySystemInformation) GetProcAddress ((HINSTANCE)aHandle,"NtQuerySystemInformation");
if (NtQuerySystemInformation != 0)
{
printf ("\n\n===[ THREADS ]===\n");
DWORD BufX = (DWORD) GlobalAlloc (GMEM_ZEROINIT,0x50000);
NtQuerySystemInformation (5,BufX,0x50000,0);
DWORD xPID = GetCurrentProcessId ();
while (*(DWORD*)BufX != 0)
{
// CHECK ACTUAL RECORD's PID
if (*(DWORD*)(BufX+0x44) == xPID)
{
printf (" active thread count : %8.8X\n",*(DWORD*)(BufX+4));
}
// FORWARD TO NEXT RECORD
BufX = BufX + *(DWORD*)BufX;
}
// CHECK ACTUAL RECORD's PID
if (*(DWORD*)(BufX+0x44) == xPID)
{
printf ("\nActive TH_CTR : %8.8X\n",*(DWORD*)(BufX+4));
}
}
}
return 0;
}

DWORD GetPEB()
{
__asm
{
mov eax,dword ptr fs:[0x30]
mov result,eax;
}
return result;
}

STREAM BABY STREAM

2005-12-27T05:38:00.000-08:00

The following example shows an idea a friend and me had some time ago, iam 100% sure others had this idea earlier and maybe there's implementations of it available on the net as well, though neither me or ma friend ever came across it, it's sort of a stream encryption... when you look closely at the source you will see what "we" mean... this below is though just an example app which shows what the idea was.... (not a final implementation)

.386P
Locals
jumps
.Model Flat ,StdCall

extrn LoadLibraryA :PROC
extrn GetProcAddress :PROC
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
;-----------------------------------------------------------------------------

.Data
caption db "test application",0
text2 db "test 2",0
msgbox dd ?

.Code
code_block_1_start equ $
mov eax,offset MessageBoxA
mov eax,[eax+2]
mov eax,[eax]
mov dword ptr [msgbox],eax
ret
code_block_1_ends equ $
fill_space_1 db 1000h - (code_block_1_ends-code_block_1_start) dup (00h)

code_block_2_start equ $
push 0
lea eax,dword ptr [ebp+caption]
push eax
lea eax,dword ptr [ebp+caption]
push eax
push 0
call dword ptr [ebp+msgbox]
ret
code_block_2_ends equ $
fill_space_2 db 1000h - (code_block_2_ends-code_block_2_start) dup (00h)

code_block_3_start equ $
xor eax,dword ptr [ebp+msgbox]
mov eax,[eax]
xor ebx,ebx
rol eax,cl
rol eax,cl
xor eax,012345678h
xor dword ptr [ebp+msgbox],ebx
ret
code_block_3_ends equ $
fill_space_3 db 1000h - (code_block_3_ends-code_block_3_start) dup (00h)

block_x dd offset code_block_1_start
block_x_2 dd offset code_block_1_start
block_ctx dd 3

get_shit dd ?

Main:
;// ENCRYPT STREAM BLOCKS
mov esi,offset code_block_2_start
mov edi,offset code_block_3_start
call encrypt_block_x
mov esi,offset code_block_1_start
mov edi,offset code_block_2_start
call encrypt_block_x

;// CALL & DECRYPT STREAMING

call $+5
pop ebp
sub ebp,offset $-1

call_next_block:
call dword ptr [block_x]
mov ecx,0400h
mov esi,offset code_block_1_start
add dword ptr [block_x_2],01000h
mov edi,dword ptr [block_x_2]
decrypt_stream:
lodsd
xor eax,[edi]
mov dword ptr [esi-4],eax
add edi,04h
loop decrypt_stream
dec dword ptr [block_ctx]
jne call_next_block

call ExitProcess

encrypt_block_x:
mov ecx,1000h
sar ecx,02h
encrypt_code_blocks:
lodsd
xor [edi],eax
add edi,04h
loop encrypt_code_blocks
ret
End Main ;end of code, JUMP-spot (main)

THE AWAKENING

2005-12-27T03:04:00.000-08:00

for those who understand, the following snippet, will make a grin on their face...

for those who don't... doesn't really matter ;)

the following source is just for educational purposes!

typedef BOOL (_stdcall *_Export3)(int nr_of_device,char * buffer,char * buffer2);
_Export3 MyExport3;
typedef BOOL (_stdcall *_Export7)(char * buffer);
_Export7 MyExport7;
typedef BOOL (_stdcall *_Export1)();
_Export1 MyExport1;

HANDLE aHandle;
static char DEVCNT[255];
static char DEVCNT2[255];
static char DEVCNT3[255];
static char msgbox[255];

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
aHandle = LoadLibrary ("daemon.dll");
MyExport1 = (_Export1)(GetProcAddress ((HINSTANCE)aHandle,(const char *)1));
MyExport1 ();
MyExport3 = (_Export3)(GetProcAddress ((HINSTANCE)aHandle,(const char *)3));
MyExport7 = (_Export7)(GetProcAddress ((HINSTANCE)aHandle,(const char *)7));
if (MyExport7 != 0)
{
if (MyExport7 (DEVCNT) != 0)
{
MessageBox (0,"failed to retrieve count of present virtual devices","error",0);
return -1;
}
sprintf (msgbox,"found %d virtual devices",DEVCNT[0]);
MessageBox (0,msgbox,"",0);
for (int i=0;i i< DEVCNT[0];i++)
{
if (MyExport3 (i,DEVCNT2,DEVCNT3) != 0)
{
MessageBox (0,"failed to retrieve drive letter!","error",0);
return -1;
}
DEVCNT2[1]+=0x40;
sprintf (msgbox,"drive %d -> assigned with drive letter : %s",i,&DEVCNT2[1]);
MessageBox (0,msgbox,"",0); }MessageBox (0,msgbox,"",0);
}
}
else
{
MessageBox (0,"failed to either retrieve export3 or daemon.dll","error",0);
}

return 0;
}

Merry Christmas

2005-12-24T01:41:00.000-08:00

yet another year passes by... i wish all of you a merry christmas!

DEEPDOWN in the SHIT

2005-12-07T13:15:00.000-08:00

I thought it might be useful / handy for the one or other it's part of my driver routine to "GetProcAddress"... simple lookup via ExportTable scanning, so it's really nothing special nor optimized.... take it or let it be ;)

example -> ULONG Blub = GetAddress ("NtDeviceIoControlFile",base_of_ntoskrnl);

ULONG GetAddress (char * ApiAscii,ULONG ModuleBase)
{
PIMAGE_DOS_HEADER DosHdr;
PIMAGE_NT_HEADERS32 NTHdr;
PIMAGE_EXPORT_DIRECTORY ExportTable;
PIMAGE_THUNK_DATA32 ThunkData;
BYTE * AddressNameOrd;
BYTE * AddressFns;
ULONG ApiOffset;
unsigned int ApiCounter;

DosHdr = (PIMAGE_DOS_HEADER) ModuleBase;
NTHdr = (PIMAGE_NT_HEADERS32) (BYTE *)(ModuleBase+DosHdr->e_lfanew);
ExportTable = (PIMAGE_EXPORT_DIRECTORY) (BYTE *)(ModuleBase+*(ULONG*)(NTHdr->OptionalHeader.DataDirectory));
ThunkData = (PIMAGE_THUNK_DATA32) (BYTE *)(ExportTable->AddressOfNames+ModuleBase);
AddressNameOrd = (BYTE *)(ExportTable->AddressOfNameOrdinals+ModuleBase);
AddressFns = (BYTE *)(ExportTable->AddressOfFunctions+ModuleBase);
for (ApiCounter=1;ApiCounter <= ExportTable->NumberOfNames;ApiCounter++)
{
if (strcmp (ApiAscii,(const char *)ThunkData->Ascii+ModuleBase) == 0)
{
ApiOffset = (*(ULONG*)(AddressNameOrd+ApiCounter*2)) & 0xFFFF;
return (ULONG)((ApiOffset-1)*4+AddressFns);
}
ThunkData++;
}
return 0;
}

Adjusted the layout

2005-12-07T13:06:00.000-08:00

well i just adjusted the layout a bit more, i find it now better to look through...

actually iam working on a small driver written in C... might get published soon'ish

Porting PBPM from 9x to NT

2005-11-23T03:35:00.000-08:00

This has been quite a nice project as i had to rewrite everything from scratch
and since BPM works (as we know) per thread i wanted it to handle all threads
seperated just like i had it done back then on 9x in icedump...

1. Problem there was no VMMCall _AllocateThreadDataSlot

which turned out to be quite a problem at first

later i found out that in the r0 TEB (which is located in PCR:0x124)

was a field that contains always 0 on all threads

mov eax,fs:[124h] ; -> TEB!
mov eax,[eax+4h]
or eax,eax
jnz memory_allocated

so i used that DWORD to store all snapshots...

2. after figuring that part out it also turned out that it wasn't as easy as i thought at first to hook
the necessary code deep enough.... hooking the point where the context gets restored (setthreadcontext)
was no problem at all, but finding a good point where i could hook the "snapshot" process was kinda tricky and this code changes heavily with each service pack and maybe even with security updates...

(i guess it was the main reason for me to never publish anything of it till today)

so i had 2 parts

the more "generic one" // where i hooked zwsetthreadcontext using the keservicedescriptortable

; SEH! stuff

mov ebx,keservicedescriptortable ; grab the fucking table
mov ebx,[ebx] ; pointer to real table
add ebx,020h*4h ; point to our really interesting
; context entry!
; service number 0x20
; -> setthreadcontext | SEH!
mov eax,[ebx] ; -> grab handler rva!
mov pOldCTXHandlerSEH,eax ; store the rva!
mov pOldCTXHandlerSEHP,ebx

mov [ebx],offset myXXsetcontextthreadseh ; install my handler!

and second the part where i hooked the snapshot process:

(therefore i disabled the supervisor bit for a short amount of time and written my hook directly into ntoskernel's code section... afterwards reenable the supervisor bit and exit)

mov ecx,cr0
mov edi,ecx
and ecx,0fffeffffh
mov cr0,ecx

pushad
mov esi,ntosbase
add esi,HARDC0DED
cmp word ptr [esi],0a5f3h
jne failed_at_signature

mov pOldKiUserHandlerP,esi

; save orig_byte_sequence
pushad
mov ecx,08h
lea edi,offset orig_bytes_buffer
db 0f3h, 0a4h ;repz movsb
mov al,068h
stosb ;store push
xchg esi,eax
stosd
mov al,0c3h
stosb
popad

lea eax,offset orig_bytes_buffer
mov my_fucking_destination,eax

xchg esi,edi
mov al,068h
stosb
lea eax,offset myXXkiuser
stosd
mov al,0c3h
stosb
popad

mov ecx,edi
mov cr0,ecx

failed_e:
popad
ret

failed_at_signature:
popad

mov ecx,edi
mov cr0,ecx

popad
ret

3. the hook itself

("kiuser" (snapshot) hook)

;Ä[MY HOOK]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
myXXkiuser equ $
pushfd
pushad
mov eax,fs:[124h]
mov eax,[eax+4h]
or eax,eax
jz dont_fill_the_context

lea edi,dword ptr [esi+4]
mov esi,eax
mov ecx,06h
db 0f3h,0a5h ; repz movsd

Invoke DbgPrint, OFFSET life_sux

dont_fill_the_context:
popad
popfd

db 068h ; push
my_fucking_destination dd ?
ret
myXXkiuserend equ $
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

and the way bigger zwsetcontextthread hook
(btw. i find it pretty confusing to name the ring3 part setthreadcontext and the ring0 part zwsetCONTEXTthread, must be one of a naming genius ;) or someone just noticed bit too late like "doh, we mixed it, damn!")

;Ä[MY HOOK]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
myXXsetcontextthreadseh equ $
pushfd
pushad

mov eax,[esp+028h] ; -> ctx storage buffer
cmp eax,010000000h
jae i_dont_trust_the_kernel

cmp dword ptr [eax+018h],0155h ; most of the time used!
je reset_now

cmp dword ptr [eax+018h],024FFh ; ... :> the evil one
jne i_dont_trust_the_kernel

reset_now:
; and dword ptr [eax+018h],0 ; reset -> dr7

mov eax,fs:[124h] ; -> TEB!
mov eax,[eax+4h]
or eax,eax
jnz memory_allocated

pushad
push 018h
push 4 ; NonPagedPool
iWin32 ExAllocatePool ; allocate buffer
; eax == pointer to allocated
; memory

or eax,eax
jnz proceed_
popad
jmp i_dont_trust_the_kernel

proceed_: mov dword ptr [esp+01ch],eax ; store it!
popad

memory_allocated: mov ebx,fs:[124h]
mov [ebx+4h],eax ; install buffer!

mov edi,eax
mov esi,[esp+028h] ; -> ctx storage!
add esi,04h
mov ecx,06h
mov edx,offset mdr0

grab_regs:
lodsd

push eax
push ecx
call convert
add edx,09h+4h
pop ecx
pop eax

and dword ptr [esi-4],0 ; -> kill it!
stosd ; save value in my buffer!
loop grab_regs

mov eax,fs:[124h] ; -> TEB!
push eax
mov edx,offset kteb_
call convert
pop eax

Invoke DbgPrint, OFFSET shit_happens

i_dont_trust_the_kernel:

popad
popfd
jmp dword ptr [pOldCTXHandlerSEH]
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Just another stupid method of "Anti DLL Injection..."

2005-11-03T14:52:00.000-08:00

The IDEA behind it

The Problem normally is that you can’t avoid DLL injection into Processes, there’s a way to scan the module list via a few Apis, Module32First/Module32Next, these could easily get hooked and fooling the detection wouldn’t be too hard. To make the cracker’s life a bit harder there’s a non API based method to get the loaded MODULES (*.dll) inside your process.

The PEB aka Process Environment Block

PEB means Process Environment Block and is nothing else than a complex structure containing information needed by Windows to handle processes, there’s another structure called TEB (Thread Environment Block) which describes each running Thread (as Windows normally just administrates Threads), but we will concentrate on the PEB structure.

To get a pointer to the PEB structure all you need to do is grabbing PCR (Processor Control Register) 0x30, or using the TEB first by using PCR (Processor Control Register) 0x18 and then grab struc member +0x30 as it points also to the actual PEB (pPEB).

Processor Control Register means fs:[x].

i.e. mov reg,dword ptr fs:[30h] -> reg = pPEB

PEB STRUCT ;
dwFlags DWORD ? ;00
Unknown04 DWORD ? ;04 == -1
ImageBaseAddress DWORD ? ;08
PebLdrData DWORD ? ;0C == *PEB_LDR_DATA
ProcessParameters DWORD ? ;10 == *PROCESS_PARAMETERS
SubSystemData DWORD ? ;14 == 0
ProgramHeap DWORD ? ;18
LockingContext DWORD ? ;1C == FastPebLock
LockRoutine DWORD ? ;20 == RtlEnterCriticalSection
UnlockRoutine DWORD ? ;24 == RtlLeaveCriticalSection
DirChange DWORD ? ;28 == 1
Unknown2C DWORD ? ;2C == apfnDispatch
Unknown30 DWORD ? ;30 == 0
Unknown34 DWORD ? ;34 == 0
Unknown38 DWORD ? ;38 == 0
Unknown3C DWORD ? ;3C == 0
Unknown40 DWORD ? ;40 == TlsBitMap
Unknown44 DWORD ? ;44 == 3FH
Unknown48 DWORD ? ;48 == 0
ProgramHeap02 DWORD ? ;4C
ProgramHeap02a DWORD ? ;50
InProgramHeap02 DWORD ? ;54
AnsiCodePage DWORD ? ;58
OemCodePage DWORD ? ;5C
UnicodeCodePage DWORD ? ;60
NumberProcessors DWORD ? ;64
GlobalFlag DWORD ? ;68
Unknown6C DWORD ? ;6C == 0
CritSectTimeout DWORD ? ;70
Unknown74 DWORD ? ;74
HeapSegmentReserve DWORD ? ;78
HeapSegementCommit DWORD ? ;7C
HeapDeCommitTotalFreeTreshold DWORD ? ;80 == 10000H

HeapDeCommitFreeBlockTreshold DWORD ? ;84 == 1000H
Unknown88 DWORD ? ;88
Unknown8C DWORD ? ;8C == 386H
Unknown90 DWORD ? ;90 == RtlpProcHeapsListBuffer
Unknown94 DWORD ? ;94
Unknown98 DWORD ? ;98 == 0
Unknown9C DWORD ? ;9C == 14H
UnknownA0 DWORD ? ;A0 == LoaderLock
dwMajorVersion DWORD ? ;A4
dwMinorVersion DWORD ? ;A8
dwBuildNumber WORD ? ;AC
CSDVersion WORD ? ;AE
dwPlatformId DWORD ? ;B0
Subsystem DWORD ? ;B4
MajorSusbsytemVersion DWORD ? ;B8
MinorSusbsytemVersion DWORD ? ;BC
ProcessAffinityMask DWORD ? ;C0
UnknownC4 DWORD 044H DUP (?) ;C4
SessionId DWORD ? ;1D4
Unknown1D8 DWORD ? ;1D8
Unknown1DC DWORD ? ;1DC
Unknown1E0 DWORD ? ;1E0
Unknown1E4 DWORD ? ;1E4
PEB ENDS ;size 1E8H, NT4 size 150H

Interesting is the following field:

PebLdrData DWORD ? ;0C == *PEB_LDR_DATA

This field contains a pointer to another structure called PEB_LDR_DATA, let’s have a look at it.

PEB_LDR_DATA STRUCT ;
cbsize DWORD ? ;00 == 24H
Flags DWORD ? ;04
Unknown8 DWORD ? ;08
InLoadOrderModuleListHead DWORD ? ;0C
PreviousInLoadOrderLdrEntry DWORD ? ;10
InMemoryOrderModuleListHead DWORD ? ;14
PreviousInMemoryOrderLdrEntry DWORD ? ;18
InInitializationOrderModuleListHead DWORD ? ;1C
PreviousInInitializationOrderLdrEntry DWORD ? ;20
PEB_LDR_DATA ENDS ;size 24H

The PEB_LDR_DATA structure contains a field called InLoadOrderModuleListHead this field is what is needed, it points again to another structure called LDR_ENTRY.

LDR_ENTRY STRUCT ;
NextInLoadOrderLdrEntry DWORD ? ;00
PreviousInLoadOrderLdrEntry DWORD ? ;04
NextInMemoryOrderLdrEntry DWORD ? ;08
PreviousInMemoryOrderLdrEntry DWORD ? ;0C
NextInInitializationOrderLdrEntry DWORD ? ;10
PreviousInInitializationOrderLdrEntry DWORD ? ;14
ModuleBase DWORD ? ;18
EntryPoint DWORD ? ;1C
ModuleSize DWORD ? ;20
ModuleFileName UNICODE_STRING <> ;24
ModuleBaseName UNICODE_STRING <> ;2C
Flags DWORD ? ;34
LoadCount WORD ? ;38
TlsIndex WORD ? ;3A
LdrpHashTableEntry0 DWORD ? ;3C
LdrpHashTableEntry1 DWORD ? ;40
TimeStamp DWORD ? ;44
LDR_ENTRY ENDS ;size 48H

And here it is a pointer to the loaded ModuleFileName (ANSI VERSION). The very first Entry in this field points to ourself, means the first module is always our actual *.exe name (GetModuleFileName does the same). Using the field NextInLoadOrderLdrEntry you can walk the list of loaded Modules, it’s getting terminated by pointing to the first entry again.

;**************************************************************************
; ANTI DLL INJECTION USING PEB
;**************************************************************************
pushad
mov ecx,cs
xor cl,cl
cmp ecx,0
jnz no_9x_for_it_tiger_style

mov eax,fs:[30h] ;// ALLOC PEB BASE!
or eax,eax
je no_9x_for_it_tiger_Style
mov eax,[eax+0Ch] ;// MOD LIST
or eax,eax
je no_9x_for_it_tiger_Style
mov eax,[eax+PEB_LDR_DATA.InLoadOrderModuleListHead]
mov esi,eax
loop_all_modules:
cmp esi,[eax+PEB_LDR_DATA.NextInLoadOrderLdrEntry]
je no_9x_for_it_tiger_style
mov ecx,[eax+LDR_ENTRY.MODULEFILENAME+4]
;///////////////////////////////////////////////////////////////
;// CHECK MODULE NAME NOW!
;// SINCE WE HAVE TO DEAL WITH ANSI STRINGS GET IT IN A PROPER WAY
;// FIRST
;///////////////////////////////////////////////////////////////
push esi
push ecx
mov esi,ecx
lea edi,dword ptr [ebp+module_name]
call normalize_string
pop ecx
pop esi

cmp dword ptr [ebp+first_loop],1
jae dont_save_current_directory
mov dword ptr [ebp+first_loop],1
;///////////////////////////////////////////////////////////////
;// SAVE CURRENT DIRECTORY
;///////////////////////////////////////////////////////////////
push ecx
push esi
push eax
lea esi,dword ptr [ebp+module_name]
call strlen_x2
mov ecx,eax
pop eax
pop esi

push esi
lea esi,dword ptr [ebp+module_name]
add esi,ecx
call getdirectory
pop esi
pop ecx
mov byte ptr [edi+2],0 ;// SET TERMINATOR

pushad
lea esi,dword ptr [ebp+module_name]
call strlen_x2
mov ecx,eax
inc ecx
lea edi,dword ptr [ebp+current_dir]
repz movsb
popad

dont_save_current_directory:
;///////////////////////////////////////////////////////////////
;// GET ACTUAL DIRECTORY AND COMPARE BOTH DIRECTORIES!
;///////////////////////////////////////////////////////////////
cmp dword ptr [ebp+first_loop],2
jne set_flag_and_loop
push ecx
push esi
push eax
lea esi,dword ptr [ebp+module_name]
call strlen_x2
mov ecx,eax
pop eax
pop esi

push esi
lea esi,dword ptr [ebp+module_name]
add esi,ecx
call getdirectory
pop esi
pop ecx
mov byte ptr [edi+2],0 ;// SET TERMINATOR

pushad
lea esi,dword ptr [ebp+module_name]
call strlen_x2
mov ecx,eax
inc ecx
lea edi,dword ptr [ebp+current_dir]
repz cmpsb
or ecx,ecx
jne fine_puh
;///////////////////////////////////////////////////////////////
;// INJECTED DLL FOUND!
;// PUT YOUR CODE HERE
;///////////////////////////////////////////////////////////////

fine_puh:
popad
set_flag_and_loop:
mov dword ptr [ebp+first_loop],2
mov eax,[eax+PEB_LDR_DATA.NextInLoadOrderLdrEntry]
jmp loop_all_modules

strlen_X2:
pushad
xor ecx,ecx
count_next_char2:
lodsb
or al,al
je con_a2
inc ecx
jmp count_next_char2
con_a2: mov dword ptr [esp+1ch],ecx
popad
ret

getdirectory:
push ecx
push esi
push eax
mov edi,esi
std
mov al,'\'
repnz scasb
cld
pop eax
pop esi
pop ecx
ret

normalize_string:
pushad
normalize_string2:
lodsb
stosb
inc esi
or al,al
jne normalize_string2
popad
ret

first_loop dd ?
module_name db 0FFh dup (00h)
current_dir db 0FFh dup (00h)

no_9x_for_it_tiger_style:
mov ecx,offset no_9x_for_it_tiger_style-offset first_loop
lea edi,dword ptr [ebp+first_loop]
mov al,00
repz stosb
popad

w00t

2005-11-03T14:26:00.000-08:00

ready for take off!