Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfusc.

  1. #1 Guy

    Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfusc.

    Using my previous "KiFastSystemCall" wrapper, I found it quite easily possible to rewrite portions of the Windows API, removing dependencies on core-system files.

    For example:

    Code:
    // Each _Nt* call is the KiFastSystemCall wrapper from the earlier post and returns an NTSTATUS.
    // NT_SUCCESS() maps that to the BOOL the Win32 name promises; a bare NTSTATUS of 0 would read as FALSE.
    // 0xFFFFFFFF is the current-process pseudo-handle (NtCurrentProcess()) on 32-bit builds.
    BOOL WINAPI CloseHandle( HANDLE Object )
    {
    	return( NT_SUCCESS( _NtClose( Object ) ) );
    }
    
    VOID WINAPI ExitProcess( UINT ExitCode )
    {
    	_NtTerminateProcess( (HANDLE)0xFFFFFFFF, ExitCode );
    }
    
    HANDLE WINAPI OpenThread( DWORD DesiredAccess, BOOL InheritHandle, DWORD ThreadId )
    {
    	HANDLE ThreadHandle = NULL;	// stays NULL on failure instead of returning an uninitialised value
    	if( !NT_SUCCESS( _NtOpenThread( &ThreadHandle, DesiredAccess, InheritHandle, ThreadId ) ) )
    		return( NULL );
    	return( ThreadHandle );
    }
    
    BOOL WINAPI TerminateThread( HANDLE Thread, DWORD ExitCode )
    {
    	return( NT_SUCCESS( _NtTerminateThread( Thread, ExitCode ) ) );
    }
    
    BOOL WINAPI VirtualProtect( LPVOID Address, SIZE_T Size, DWORD NewProtect, PDWORD OldProtect )
    {
    	return( NT_SUCCESS( _NtProtectVirtualMemory( (HANDLE)0xFFFFFFFF, Address, Size, NewProtect, OldProtect ) ) );
    }
    
    BOOL WINAPI VirtualProtectEx( HANDLE Process, LPVOID Address, SIZE_T Size, DWORD NewProtect, PDWORD OldProtect )
    {
    	return( NT_SUCCESS( _NtProtectVirtualMemory( Process, Address, Size, NewProtect, OldProtect ) ) );
    }
    
    // The NTSTATUS is not the previous suspend count; Win32 returns that count and reports failure as (DWORD)-1.
    // Assumes the wrapper forwards the PreviousSuspendCount out-parameter exactly as NtResumeThread/NtSuspendThread do.
    DWORD WINAPI ResumeThread( HANDLE Thread )
    {
    	ULONG PreviousCount = 0;
    	if( !NT_SUCCESS( _NtResumeThread( Thread, &PreviousCount ) ) )
    		return( (DWORD)-1 );
    	return( PreviousCount );
    }
    
    DWORD WINAPI SuspendThread( HANDLE Thread )
    {
    	ULONG PreviousCount = 0;
    	if( !NT_SUCCESS( _NtSuspendThread( Thread, &PreviousCount ) ) )
    		return( (DWORD)-1 );
    	return( PreviousCount );
    }

    The idea is fairly easy to grasp; if you obfuscate the above calls before the system call is handed off, then you're forcing reversers/attackers to dump every syscall being used for their specific OS build, then in the context they're being used under, etc.

    Feedback?
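
An added example, not from this thread or the author's KiFastSystemCall wrapper, showing the integrity check a user-mode anti-tamper layer can run before trusting one of these wrapped entry points: the syscall index inside an x86 ntdll stub changes with every NT build, but the stub's opening opcode does not, so the check stays build-independent. The stub bytes, the StubEntry table and the classify_stub/count_tampered helpers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not the thread author's code. Build-independent integrity check for an
 * x86 ntdll Nt stub: the syscall index (the imm32) changes with every NT build, but a
 * genuine stub always opens with "mov eax, imm32" (B8). Ring-3 inline hooks overwrite that
 * opening with a jmp rel32 (E9), jmp [abs] (FF 25) or a push/ret trampoline (68 imm32 C3). */
typedef enum { STUB_INTACT, STUB_JMP_REL32, STUB_JMP_ABS, STUB_PUSH_RET, STUB_UNKNOWN } StubState;

StubState classify_stub(const uint8_t *code, size_t len)
{
    if (len < 5)                                        /* too short to hold mov eax, imm32 */
        return STUB_UNKNOWN;
    if (code[0] == 0xB8)
        return STUB_INTACT;
    if (code[0] == 0xE9)
        return STUB_JMP_REL32;
    if (code[0] == 0xFF && code[1] == 0x25)
        return STUB_JMP_ABS;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return STUB_PUSH_RET;
    return STUB_UNKNOWN;
}

/* Constructed stub bytes (not dumped from a real ntdll): the intact one follows the XP-era
 * KiFastSystemCall shape (mov eax, idx; mov edx, 7FFE0300h; call [edx]); the others are hooked. */
typedef struct { const uint8_t *code; size_t len; } StubEntry;
static const uint8_t kNtCloseOk[]             = { 0xB8, 0x42, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 };
static const uint8_t kNtOpenThreadHooked[]    = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 };
static const uint8_t kNtSuspendThreadHooked[] = { 0xFF, 0x25, 0x00, 0x10, 0x40, 0x00, 0xFE, 0x7F, 0xFF, 0x12 };
static const uint8_t kNtResumeThreadHooked[]  = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3, 0xFE, 0x7F, 0xFF, 0x12 };
static const StubEntry kStubs[] = {
    { kNtCloseOk, sizeof kNtCloseOk },
    { kNtOpenThreadHooked, sizeof kNtOpenThreadHooked },
    { kNtSuspendThreadHooked, sizeof kNtSuspendThreadHooked },
    { kNtResumeThreadHooked, sizeof kNtResumeThreadHooked },
};

/* Number of wrappers in the table whose stub is not intact, i.e. that must not be trusted. */
size_t count_tampered(const StubEntry *table, size_t n)
{
    size_t i, tampered = 0;
    for (i = 0; i < n; i++)
        if (classify_stub(table[i].code, table[i].len) != STUB_INTACT)
            tampered++;
    return tampered;
}

size_t check_constructed_table(void)
{
    return count_tampered(kStubs, sizeof kStubs / sizeof kStubs[0]);   /* 3 of the 4 samples are hooked */
}
```

Checking only the first opcode is deliberately coarse; a hook placed deeper in the stub would pass, so a production check compares the whole stub against the on-disk ntdll image.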


  2. #2 illxmike

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    I don't really get it :(

  3. #3 Guy

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    I forgot to add, this is a parallel to Themida's "API obfuscation" utility, except it has compatibility for varying builds of Windows NT, and saves you some trouble from being vulnerable to hooks in ring 3; even hooks on Zw* functions won't leave you affected in this setup.

  4. #4 exercitus

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    He probably still doesn't get it.

    Themida is a kind of packing system, right? So it's encrypted or something... O-O

    Oh yeah, it'd help if you could translate all the above into ENGLISH. O_O
    PS. Good luck.

  5. #5 Wucas

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    Very cool... but honestly, most of today's GunZ hackers will stop at the first sign of trouble, seeing that they are more in the leecher category. Yes, this is useful, but maybe not as necessary now as it will be in the future xD

  6. #6 ThePhailure772

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    What is it with you and undocumented functions? Well, I see where you're coming from with this, but what if I go ring0? :P

  7. #7 ThievingSix

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    You missed it, Jacob.

  8. #8 Guy

    Re: Wrapping the Windows API: Backward/forward-compatible method for Themida API Obfu

    Quote Originally Posted by Theoretical:
        What is it with you and undocumented functions? Well, I see where you're coming from with this, but what if I go ring0? :P
    Quote Originally Posted by ThievingSix:
        You missed it, Jacob.
    Baha, you beat me to that punch.

    Jacob, hooking the Nt* functions in ring 0 would be the way to still hook library calls (IAT, EAT, inline hooking current libraries all in ring 3 does nothing with this new setup). As long as you require kernel integrity checks (both in memory and on disk), and require only signed drivers to be loaded to memory, then there isn't much you can do.

    Sure, you could use a hypervisor to monitor API calls, or attempt to spoof the fact that a driver is signed or not, but at the end of the day, you're still treading on heavy ground, where one slight mistake means a BSOD. Which is entirely intended: this is a safe, user-mode solution.

    Quote Originally Posted by BetrayedAcheron:
        Very cool... but honestly, most of today's GunZ hackers will stop at the first sign of trouble, seeing that they are more in the leecher category. Yes, this is useful, but maybe not as necessary now as it will be in the future xD
    Do you even have an idea of what's being discussed?
    Last edited by Guy; 20-08-09 at 09:24 PM.


