Hello,

as i see there are ways to hide the exe from toolhelp32 *like vecna did* and a registry key from regedit.exe

how can i protect myself from this and how can i find out that there is something wrong ?

im very new to asm and i understand half of what the function does to hide something.
can i make a function that checks if kernel32 is hooked ?

thx

ps:im not asking how can i hide this and that ,i want to protect me from this and i hope that vecna or another coder has a way to do this :)
Posted on 2001-07-24 01:44:35 by CodeMonkey
Posted on 2001-07-24 02:27:22 by bazik
Hi

thanks for the answer.
but i mean not how i can hide a regkey on nt.

i like to know if there is a hidden regkey or exe file on my system and im thinking on a way to find it out :)

in win98 there is a hook on toolhelp32 to hide a exe and a hook for the regenum..
so i think i need a tool that can find hooks.

but since i cant write a hook ,how should i make a tool that find a hook on something ? *bg*

so i start asking if this is possible or are there better ways to know if there is a hook installed.

seems i have to learn how to make hooks first....

cu
Posted on 2001-07-24 08:39:08 by CodeMonkey
Hello,

for the ones who are interested.....

if someone makes a hook on regenum ,then only in REGEDIT.exe will the regkey be hidden.
if you code a small tool that checks the hidden regkey directly,you can see it :)

like you hide key : software/TEST
and in this key TEST is a value TESTVALUE
in regedit.exe you dont see TEST.
but if you read the key like open regkey with asm....you see it.

thats what i want....see if there is a hidden regkey.
just easy as it is :)

now i try to find something to find a hidden exe.

cu
Posted on 2001-07-26 02:10:35 by CodeMonkey
I think that this registry-key-hiding-stuff is very interesting....
Good that it can't be abused by for example virus programmers, can it???

[-alloces-]
Posted on 2001-07-26 03:21:24 by NOP-erator
I don't know..just ask *cough*vecna*cough* :)

Latigo
Posted on 2001-07-26 09:27:31 by latigo
so vecna, what do you think about that?
Posted on 2001-07-26 10:07:25 by NOP-erator
codemonkey,

you can scan memory for the hide.exe signature, but isnt a good way, coz will only work against this code, not a similar one.

a good way to check if toolhlp32 apis are hooked is to check if it points outside of the imagebase->imagebase+imagesize range (seems that NAV antivirus does this), or, better, outside of the .code section.

but this will not help in hide.exe, coz the api is hooked by patching its start with a jmp(0xe9) instruction.

the easiest way is to use the above check in the api entrypoint, and then, if the first opcode in the api is a jmp or call or the like, get the offset and check again. a limited form of tracing.

the best way is to get the internal tables that w9x uses for the processes, and scan them directly. in matt pietrek's book he teaches how to calculate the _obfuscator xor value, and transform the ProcessId/ThreadId into a pointer to the structures. this could be hard to code and undocumented, but seems the best way.

other approach, that i saw in a virus i dont remember the name, is, in a loop, try OpenProcess() in all possible values. Then, if it opens (valid handle found), you can get the filename and compare to toolhlp32 output. but this looks somewhat lame...



alloces,

this trick seems good, but requires some care in the use. this trick only works in w2k, where the file will be started, and the entry will be hidden.

but, under all other w32 os, the entry will not do anything, thus the virus/worm will not exec, nor spread. so, the virus will need to check the OS to choose between a normal or a 'tricky' registry entry...

the best way, for me, if you need auto-start a file, is put it into the dir pointed by SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders.

just by dropping the file there, it will autostart, and you can use a scheme like hide.exe to hide from process lists, and also a hook in FindFirstFile/FindNextFile, as i did in a backdoor(but this still left you open to ring0/dos file search)

ancev
Posted on 2001-07-26 16:54:22 by ancev
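The check ancev describes above (entry point inside imagebase..imagebase+imagesize, better inside the code section, then following a leading jmp/call and checking again) can be written as below. This is an added example, not code from the thread: it runs on a constructed byte image rather than a live kernel32, and `module_t`, `check_entry` and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one loaded module (not real kernel32 data). */
typedef struct {
    uint32_t base, size;            /* imagebase and imagesize             */
    uint32_t code_rva, code_size;   /* bounds of the code section          */
    const uint8_t *bytes;           /* image contents, bytes[0] is at base */
} module_t;

enum { ENTRY_CLEAN, LEAVES_CODE, LEAVES_IMAGE, TRACE_LIMIT };
static int inside(uint32_t a, uint32_t start, uint32_t len) { return a >= start && a - start < len; }

/* Apply the range check at addr; while the first opcode is a relative
   JMP/CALL, compute its target and apply the check again (max_hops times). */
int check_entry(const module_t *m, uint32_t addr, int max_hops) {
    for (int hop = 0; hop <= max_hops; hop++) {
        if (!inside(addr, m->base, m->size)) return LEAVES_IMAGE;
        if (!inside(addr, m->base + m->code_rva, m->code_size)) return LEAVES_CODE;
        uint32_t off = addr - m->base;
        uint8_t op = m->bytes[off];
        if ((op == 0xE9 || op == 0xE8) && m->size - off >= 5) {   /* jmp/call rel32 */
            const uint8_t *p = m->bytes + off + 1;
            uint32_t rel = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
            addr += 5 + rel;            /* unsigned wrap handles a negative rel */
        } else if (op == 0xEB && m->size - off >= 2) {            /* jmp rel8 */
            addr += 2 + (uint32_t)(int32_t)(int8_t)m->bytes[off + 1];
        } else {
            return ENTRY_CLEAN;         /* ordinary first instruction */
        }
    }
    return TRACE_LIMIT;                 /* jump chain longer than we follow */
}

/* Constructed sample image: code section is RVA 0x10..0x8F of 0x100 bytes. */
static uint8_t img[0x100] = {
    [0x10] = 0x55, 0x8B, 0xEC,                 /* push ebp / mov ebp,esp         */
    [0x20] = 0xE9, 0xDB, 0xFF, 0xFF, 0x0F,     /* jmp 0x20000000 (outside image) */
    [0x30] = 0xE9, 0xDB, 0xFF, 0xFF, 0xFF,     /* jmp base+0x10 (inside code)    */
    [0x40] = 0xE9, 0x5B, 0x00, 0x00, 0x00,     /* jmp base+0xA0 (outside code)   */
    [0x50] = 0xEB, 0xFE,                       /* jmp to itself                  */
};
const module_t sample = { 0x10000000u, 0x100, 0x10, 0x80, img };

int main(void) {
    static const uint32_t rva[] = { 0x10, 0x20, 0x30, 0x40, 0x50 };
    for (int i = 0; i < 5; i++)
        printf("entry +0x%02X -> %d\n", (unsigned)rva[i],
               check_entry(&sample, sample.base + rva[i], 4));
}
```

A jmp that stays inside the code section (the third entry) is reported clean, which is why following the offset matters: the leading 0xE9 alone does not tell a forwarding stub from a patch.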
And don't you forget it!
Posted on 2001-07-26 17:33:51 by Hiroshimator
Hello,

first hiro :)
its ok if u watch me...i dont make trouble with this.

i tell you what i make:
i check some time ago a lot security soft and found out that the most firewalls can be disabled by setting a simple regkey from 1 to 0.

so i start first writing a tool that checks every second for the regkeys of atguard.
if they are changed and the handle:atguard settings is not shown, then a trojan or so has changed the keys and i got a pop up message.

that was a lot work....because lot regkeys to watch.
now i had the idea i think !

why not HIDE those keys when im online ?
also when i hide the exe ,no trojan user can see my security tool when he got my tasklist :)

also i can post any time the src. i wrote for the secure tool since im searching people who like to code it with me bigger.

id like to insert a function into my tool ,that can see if there is another program trying to hide something.

so i try what happens if i use a hook on regenum and i see the key can be found by using regopenkey.
but what if now someone makes a hook on regopenkey....?

cu

ps:i personally think ,that hide stuff is known long time by handful people and no tool against this is available today.
i never show ,explain or post a src. how i do it.
id like to discuss how i can protect me.
Posted on 2001-07-27 01:22:06 by CodeMonkey
first i like to say : very great idea you had ,hiding a exe.
and hope it sound not bad when i say as a newbie that your
code looks to me clear and understandable.

i got totally shocked when i try out your tool.
also i try to inform a lot people about this and for what it can be used....but no one was interested.

also thanks for helping me and describing ways how to find it !

im wondering why microsoft dont tell anything about this.
for me its like a big problem where no one speak about in hope others will forget it.

im a bit angry about this meaning and so i start finding a way by myself :)

i test a lot times your hide exe and must say: today NO av soft can find it or say anything if i start it.

i will read your answer 2 or 5 times :) and then i start thinking what i can do.

thanks :)
Posted on 2001-07-27 01:31:19 by CodeMonkey
I totally agree with CodeMonkey when he says that he's angry that m$ doesn't tell us anything about that.
You can watch me, too, hiro, but for me it's just interesting to know that. At the moment this stuff is above my programming skills level so that it's useless for me, but as I said, it's just good to know.
Thank you vecna for your detailed answer. :alright:

[-alloces-]
Posted on 2001-07-27 01:59:20 by NOP-erator
hey vecna,
just seen that your name is turned around, what's your proper name now, vecna or ancev?

[-secolla-] :tongue:
Posted on 2001-07-27 02:02:03 by NOP-erator
my tool look actual like this : http://aol-sicherheitsluecke.port5.com/SAFE.exe

any ideas , tips or comments are welcome :)

have a nice day
Posted on 2001-07-27 07:05:53 by CodeMonkey
Hey CodeMonkey,
can't you imagine that most people won't download the file? it's an exe file called "safe.exe" and the url "AOL-Sicherheitslücke" says it all. it would be better if you include the source and put it in a zip file.
just a hint.

[-alloces-]
Posted on 2001-07-27 07:46:12 by NOP-erator
hm...so theres a problem with trusting here it seems.
funny that i had to explain the name of the url !

if id like to send u trojans ...why the hell im here posting and not send it to u by email !

man...dont get all paranoid here !
test it or not...i dont publish any unfinished source code.


ps> the name SAFE.exe = program name : Security and Firewalls enabled........no more to say
Posted on 2001-07-27 08:34:12 by CodeMonkey
don't get mad codemonkey :)

I wouldn't run it either without examining it a bit. You have to be cautious these days :)
Posted on 2001-07-27 08:42:36 by Hiroshimator
codemonkey,

i feel happy coz you understand my code. complex code, hard to understand and debug, have a place, but surely isnt in something you distribute with sources ;)

although i had the idea independently, seems it was already done, before and in c++, in bo2k sources. about microsoft, i dont think this flaw is the biggest one... i mean, if you permit that kernel32, that is shared by all processes, be modified, or left IDT and GDT read/write enable, sooner or later will appear 'malicious' code exploiting this.

and i think this can be made even better... get the _obsfuscator and XOR it with the process id. you will get a pointer to the process database entry of the process. corrupt the filename(and set flags to NukeProcess+ServiceProcess, just to be cool :cool: ) and i think you dont even need hook toolhlp32

alloces,

ancev is better i think. the other variant is too full of 'infamy' :rolleyes: so is better forget it, now i retired.

ancev the win32asm coder is better than vecna the vx coder :)

ancev
Posted on 2001-07-27 12:14:07 by ancev
Sorry CodeMonkey, it was no offence! I just told you how things are today...

[-alloces-]
Posted on 2001-07-27 13:25:06 by NOP-erator