flat assembler
Message board for the users of flat assembler.

Index > Windows > GameGuard

Author
Thread Post new topic Reply to topic
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 12 Feb 2008, 02:38
Its a rootkit wich block NtQuerySystemInformation

Code:
format pe console
section '.code' code readable executable
mov ebp,esp
push 4096000
call [malloc]
mov esi,eax
push 0
push 4096000
push esi
push 5
mov edx,esp
mov eax,0xAD
int 0x2E
l:
add esi,dword [esi]
push dword [esi+68]
push dword [esi+60]
push f
call [printf]
mov esp,ebp
cmp dword [esi],0
jnz l
ret
section '.data' data readable writeable
f db '%ws      %u',13,10,0
ff db '%p',0
section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
dd 5 dup 0
msvcrt_table:
malloc dd RVA _malloc
printf dd RVA _pritnf
dd 0
msvcrt_name db 'msvcrt.dll',0
_pritnf db 0,0,'printf',0
_malloc db 0,0,'malloc',0    


My code will work on xp sp2 without this rootkit. But when its active, it hungs on last process, before listing gameguard process. How can i 'bypass' it?


Last edited by asmrox on 12 Feb 2008, 17:13; edited 1 time in total
Post 12 Feb 2008, 02:38
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 12 Feb 2008, 12:22
didn't understand exactly what's the problem but try adding the below code, maybe it will help...

Code:

struc TOKEN_PRIVILEGES
{ .privilegecount dd $0
  .low            dd $0
  .high           dd $0
  .attributes     dd $0 } tkp TOKEN_PRIVILEGES

SE_DEBUG_NAME db 'SeDebugPrivilege',$0
tmp dd $0

;----------------------------------------------
xor ebx,ebx
call    [GetCurrentProcess]
stdcall [OpenProcessToken],eax,$28,tmp
stdcall [LookupPrivilegeValueA],ebx,SE_DEBUG_NAME,tkp.low
mov dword[tkp.privilegecount],$1
mov dword[tkp.attributes],$2
stdcall [AdjustTokenPrivileges],[tmp],ebx,tkp,ebx,ebx,ebx
    
Post 12 Feb 2008, 12:22
View user's profile Send private message Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 12 Feb 2008, 17:38
Quote:
didn't understand exactly what's the problem

i want to list GG process, but it block even a syscall.


i didnt understand your code, so i write this:
last function return 0, and it doesnt work (process cant fisish if rootkit is loaded, and its not listing hidden process).
Code:
format pe console
section '.code' code readable executable
mov ebp,esp





push tok
push 0xF00FF
push -1
call [OpenProcessToken]


push luid_low
push a
push 0
call [LookupPrivilegeValueA]




push 0
push 0
push 0
push TOKEN_PRIVILEGES
push 0
push [tok]
call [AdjustTokenPrivileges]
push eax
push ff
call [printf]







push 4096000
call [malloc]
mov esi,eax
push 0
push 4096000
push esi
push 5
mov edx,esp
mov eax,0xAD
int 0x2E
l:
add esi,dword [esi]
push dword [esi+68]
push dword [esi+60]
push f
call [printf]
mov esp,ebp
cmp dword [esi],0
jnz l
ret
section '.data' data readable writeable
f db '%ws      %u',13,10,0
ff db '%p',13,10,13,10,0
tok dd 0
a db 'SeDebugPrivilege',0
TOKEN_PRIVILEGES:
dd 0
luid_low dd 0
dd 0
dd 0
section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
dd 0,0,0,RVA advapi32_name,RVA advapi32_table
dd 5 dup 0
msvcrt_table:
malloc dd RVA _malloc
printf dd RVA _pritnf
dd 0
advapi32_table:
OpenProcessToken dd RVA _OpenProcessToken
LookupPrivilegeValueA dd RVA _LookupPrivilegeValueA
AdjustTokenPrivileges dd RVA _AdjustTokenPrivileges
dd 0
msvcrt_name db 'msvcrt.dll',0
advapi32_name db 'advapi32.dll',0


_malloc db 0,0,'malloc',0
_pritnf db 0,0,'printf',0

_OpenProcessToken db 0,0,'OpenProcessToken',0
_LookupPrivilegeValueA db 0,0,'LookupPrivilegeValueA',0
_AdjustTokenPrivileges db 0,0,'AdjustTokenPrivileges',0    
Post 12 Feb 2008, 17:38
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 12 Feb 2008, 20:20
cleared
Post 12 Feb 2008, 20:20
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 14 Jun 2008, 11:02
Post 14 Jun 2008, 11:02
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.