Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfusc.

[Guy]

Using my previous "KiFastSystemCall" wrapper, I found it quite easily possible to rewrite portions of the Windows API, removing dependencies on core-system files.

For example:

Code:

BOOL WINAPI CloseHandle( HANDLE Object )
{
	return( _NtClose( Object ) );
}

VOID WINAPI ExitProcess( UINT ExitCode )
{
	_NtTerminateProcess( 0xFFFFFFFF, ExitCode );
}

HANDLE WINAPI OpenThread( DWORD DesiredAccess, BOOL InheritHandle, DWORD ThreadId )
{
	HANDLE ThreadHandle;
	_NtOpenThread( &ThreadHandle, DesiredAccess, InheritHandle, ThreadId );
	return( ThreadHandle );
}

BOOL WINAPI TerminateThread( HANDLE Thread, DWORD ExitCode )
{
	return( _NtTerminateThread( Thread, ExitCode ) );
}

BOOL WINAPI VirtualProtect( LPVOID Address, SIZE_T Size, DWORD NewProtect, PDWORD OldProtect )
{
	return( _NtProtectVirtualMemory( 0xFFFFFFFF, Address, Size, NewProtect, OldProtect ) );
}

BOOL WINAPI VirtualProtectEx( HANDLE Process, LPVOID Address, SIZE_T Size, DWORD NewProtect, PDWORD OldProtect )
{
	return( _NtProtectVirtualMemory( Process, Address, Size, NewProtect, OldProtect ) );
}

DWORD WINAPI ResumeThread( HANDLE Thread )
{
	return( _NtResumeThread( Thread, 0 ) );
}

DWORD WINAPI SuspendThread( HANDLE Thread )
{
	return( _NtSuspendThread( Thread, 0 ) );
}

The idea is fairly easy to grasp; if you obfuscate the above calls before the system call is handed off, then you're forcing reversers/attackers to dump every syscall being used for their specific OS build, then in the context they're being used under, etc.

Feedback?

[MentaL]

[illxmike]

I dont really get it :(

[Guy]

I forgot to add, this is a parallel to Themida's "API obfuscation" utility, except it has compatibility for varying builds of Windows NT, and saves you some trouble from being vulnerable to hooks in ring 3; even hooks on Zw* functions won't leave you affected in this setup.

[exercitus]

He probably still doesn't get it.

Themida is a kind of packing system right, so it's encrypted or something.. O-O

Oh yeah, it'd help if you could translate all the above in ENGLISH. O_O
PS. Good luck.

[Wucas]

very cool... but honestly, most of today's gunz hackers will stop at the first sign of trouble, seeing that they are more in the leecher category. Yes this is useful, but maybe not as necessary now as it will be in the future xD

[ThePhailure772]

What is it with you and undocumented functions? Well, I see where you're coming with this, but what if I go ring0? :P

[ThievingSix]

You missed it jacob

[Guy]

What is it with you and undocumented functions? Well, I see where you're coming with this, but what if I go ring0? :P

You missed it jacob

Baha, you beat me to that punch.

Jacob, hooking the Nt* functions in ring 0 would be the way to still hook library calls (IAT, EAT, inline hooking current libraries all in ring 3 does nothing with this new setup). As long as you require kernel integrity checks (Both in memory and on disk), and require only signed drivers to be loaded to memory, then there isn't much you can do.

Sure, you could use a hypervisor to monitor API calls, or attempt to spoof the fact that a driver is signed or not, but at the end of the day, you're still treading on heavy ground, where one slight mistake means a BSOD. Which is entirely intended: this is a safe, user-mode solution.

very cool... but honestly, most of today's gunz hackers will stop at the first sign of trouble, seeing that they are more in the leecher category. Yes this is useful, but maybe not as necessary now as it will be in the future xD

Do you even have an idea of what's being discussed?