Causing BSOD’s

July 31, 2007

I'm bored! So I'm posting this... If you want to play a "joke" on your friend, you are tired of those things that open and close the CD drive, and you want something more hardcore? I've got the thing for you (lol). Actually, all you need to do is call KeBugCheck and that's all.

#include "ntddk.h"

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    // KeBugCheck halts the system with a bug check (the blue screen); it never returns.
    KeBugCheck(0);
    return STATUS_SUCCESS; // not reached
}

If you tried it and didn't get a BSOD, only an immediate reboot, you have to change a setting on your computer. Go to Control Panel -> System -> click the Advanced tab -> click the last Settings button -> uncheck Automatically restart.


If you want, you can also take a look at KeBugCheckEx.


Hooking Nt* functions

July 29, 2007

Not long ago I posted an article about how to hook ZwOpenProcess to protect your own process, but you may want to hook an Nt* function instead. Why? As you may know, the Zw* functions are wrappers for the Nt* functions, calling the Nt* API through the system service dispatcher. You may want to read this article to better understand the Native API. So, like I was saying, there's no way of calling such an API without an Nt* function being executed.

In this example we are going to hook NtOpenProcess. The concept is pretty much the same for Zw* and Nt* APIs, but when hooking Nt* APIs you need something more: the system call number. There's also this macro:

#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]

What it does is take an exported Zw* API and look up its Nt* equivalent: the Zw* stub begins with mov eax, <call number>, so the DWORD at offset 1 is the index into the service table. The only problem is that a lot of the APIs are NOT exported, and that's why we are going to use system call numbers directly.

This site shows a full system call table. As you may have noticed, the numbers change from OS to OS, so we must determine which operating system is running on the computer. I'm going to show you two ways: PsGetVersion and NtBuildNumber.

Using PsGetVersion

ULONG majorVersion;
ULONG minorVersion;
ULONG CallNumber = 0;   // system call number of NtOpenProcess on this OS

// Get the operating system version
PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );

// Major = 4: Windows NT 4.0, Windows Me, Windows 98 or Windows 95
// Major = 5: Windows Server 2003, Windows XP or Windows 2000
// Minor = 0: Windows 2000, Windows NT 4.0 or Windows 95
// Minor = 1: Windows XP
// Minor = 2: Windows Server 2003

if ( majorVersion == 5 && minorVersion == 1 )
{
    DbgPrint("Running on Windows XP");
    CallNumber = 0x07A;
}
else if ( majorVersion == 5 && minorVersion == 0 )
{
    DbgPrint("Running on Windows 2000");
    CallNumber = 0x06A;
}
else
{
    DbgPrint("Running on unknown system");
}

Using NtBuildNumber

// NtBuildNumber is a PUSHORT exported by the kernel; it holds the OS build number
switch (*NtBuildNumber)
{
case 2195: //Microsoft Windows 2000
    DbgPrint("Microsoft Windows 2000 detected");
    CallNumber = 0x06A;
    break;

case 2600: //Microsoft Windows XP
    DbgPrint("Microsoft Windows XP detected");
    CallNumber = 0x07A;
    break;

default:
    DbgPrint("Unsupported OS detected");
    //As far as I know, this will never happen
    return STATUS_NOT_IMPLEMENTED;
}

Now that we have determined which system call number to use, we need a macro that lets us easily access that entry in the table:

#define SYSTEMSERVICE(_callnumber) KeServiceDescriptorTable->ServiceTable[_callnumber]

We are going to use this macro this way:

OldNtOpenProcess = SYSTEMSERVICE(CallNumber);

SYSTEMSERVICE(CallNumber) = NewNtOpenProcess;

You get the point.

I'm not going to explain how protecting our process works; just go to my previous post about hooking ZwOpenProcess, it's the same.

Here's a code snippet; the full source code can be downloaded at the end of the article.

switch (*NtBuildNumber)
{
case 2195: //Microsoft Windows 2000
    DbgPrint("Microsoft Windows 2000 detected");
    CallNumber = 0x06A;//NtOpenProcess call number in Win2000
    break;

case 2600: //Microsoft Windows XP
    DbgPrint("Microsoft Windows XP detected");
    CallNumber = 0x07A;//NtOpenProcess call number in WIN XP
    break;

default:
    DbgPrint("Unsupported OS detected");
    //As far as I know, this will never happen
    return STATUS_NOT_IMPLEMENTED;
}

OldNtOpenProcess = SYSTEMSERVICE(CallNumber);//Save the real NtOpenProcess

__asm
{
    push eax
    mov eax, CR0
    and eax, 0FFFEFFFFh     ; clear CR0.WP (bit 16): writes to read-only pages are allowed
    mov CR0, eax
    pop eax
}

SYSTEMSERVICE(CallNumber) = NewNtOpenProcess; //We change the real NtOpenProcess to the fake, the hook is activated.

__asm
{
    push eax
    mov eax, CR0
    or eax, NOT 0FFFEFFFFh  ; set CR0.WP again: write protection restored
    mov CR0, eax
    pop eax
}

Notice that I cleared the WP bit in CR0 to disable write protection, but you can also use the MDL method. I used that in my other article; I just wanted to show another way of doing it.
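As an added defender-side example (not the author's code or anything from the post's download): the same ServiceTable indexing the post uses, applied to spotting an entry that has been redirected out of the kernel image and restoring it from a trusted copy. The table layout, the kernel image bounds and the hook address are constructed sample values, since real kernel memory is not available offline.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the table the post indexes as
   KeServiceDescriptorTable->ServiceTable[CallNumber] (real layout has more fields). */
enum { TABLE_SIZE = 0x80, NTOPENPROCESS_XP = 0x7A };   /* 0x7A: XP call number from the post */

typedef struct {
    uintptr_t ServiceTable[TABLE_SIZE];   /* one routine address per call number */
    unsigned  NumberOfServices;
} SERVICE_DESCRIPTOR_TABLE;

/* Bounds of the kernel image that owns every legitimate service routine (constructed values). */
typedef struct { uintptr_t base; uintptr_t size; } IMAGE_RANGE;
static const IMAGE_RANGE KERNEL = { 0x804D7000u, 0x200000u };

/* SYSTEMSERVICE(CallNumber) = NewNtOpenProcess makes the entry point into the
   hooking driver, i.e. outside the kernel image: that is the tell. */
static int entry_is_hooked(const SERVICE_DESCRIPTOR_TABLE *t, unsigned idx, IMAGE_RANGE k)
{
    uintptr_t p = t->ServiceTable[idx];
    return !(p >= k.base && p < k.base + k.size);
}

/* Report every entry outside the kernel image and put back the value from a trusted
   copy saved before any third-party driver loaded. Returns the number restored. */
static unsigned scan_and_restore(SERVICE_DESCRIPTOR_TABLE *t, const uintptr_t *trusted, IMAGE_RANGE k)
{
    unsigned fixed = 0;
    for (unsigned i = 0; i < t->NumberOfServices; i++) {
        if (!entry_is_hooked(t, i, k))
            continue;
        printf("call 0x%02X -> %#lx lies outside the kernel image, restoring\n",
               i, (unsigned long)t->ServiceTable[i]);
        t->ServiceTable[i] = trusted[i];
        fixed++;
    }
    return fixed;
}

/* Constructed sample: all routines inside the image except the NtOpenProcess slot,
   which has been redirected to a driver mapped at another address. */
static void build_sample(SERVICE_DESCRIPTOR_TABLE *t, uintptr_t trusted[TABLE_SIZE])
{
    t->NumberOfServices = TABLE_SIZE;
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        trusted[i] = t->ServiceTable[i] = KERNEL.base + 0x1000u + 0x40u * i;
    t->ServiceTable[NTOPENPROCESS_XP] = 0xF89A3000u;   /* constructed hook address */
}
```

On a live system the trusted copy would have to come from a clean snapshot or the on-disk kernel image, not from the table itself, since the table is exactly what the driver modifies.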

Important!!! My example is not complete, it's kind of a "proof of concept": I hardcoded the PID, but it shouldn't be hard to pass the PID from userland, or even get the PID from the kernel if you want. The source code can be downloaded from the link below. If you find any errors or bugs, please let me know.

Later.

Download


Executable size

July 29, 2007

Ever downloaded a crackme or a program and realized how huge it was, when it was only doing something really simple? I did, and unfortunately I even released my own programs full of bloat. In this article I'm going to show you the 3 steps that I now always do when I build a final version of my programs.

I'm using MSVC++ 6 as my compiler, but the tricks I'm going to show can be done in other compilers as well. Okay, let's start off with a simple "Hello World" program.

#include "stdio.h"

int main(void)
{
    printf("hello, world\n");
    return 0;
}

Without touching my compiler settings, the executable size is 152kb. That's a lot for a simple Hello World program, and if you open it in a disassembler you will see how much bloat there is.

Step 1
You need to do a "Release build" instead of a "Debug build". This will reduce the size dramatically. You can do that by going to Build -> Set Active Configuration and clicking Win32 Release.


Okay, now let's build it again! A new folder named "Release" has appeared and the executable is now 28kb; we reduced the size five and a half times!

Step 2
Now we are going to modify the linker settings. Go to Project -> Settings -> click the "Link" tab. Now look at the edit box that says "Object/library modules".


Okay, now remove everything from there, type "MSVCRT.LIB kernel32.lib user32.lib" and build. The executable size is now 16kb. This is very important: linking only those 3 libraries will cause some of your APIs not to work. For example, RegOpenKeyEx. Why? Because it needs "Advapi32.lib". How do you know? Go to the API's MSDN page and scroll all the way down to the "Requirements" section. Then all you need to do is add the required library.

Step 3
This is really not hard: go to Project -> Settings -> click the Link tab, and see that big edit box? Add "/ALIGN:4096" there. Build, and the executable size is now 2.50kb! And we started at 152kb.


You can learn about this linker option on MSDN: /ALIGN

Now your executable is small and not full of bloat. Open it in a disassembler and you will see it's much cleaner and sleeker. Those are the 3 steps I always do; however, a simple Google search will show you more in-depth tricks to reduce the size to 1kb and less! Thanks for reading. I'm almost done writing an article about hooking Nt* functions; I'll publish it later today.

Later.


Protecting by hooking ZwOpenProcess

July 27, 2007

Today I'm going to explain how you could protect your process by hooking ZwOpenProcess. It may be easy, but damn, it took me some time to figure it out! I assume you guys know the basics of kernel driver development and the basics of hooking. If not, go get yourself Rootkits: Subverting the Windows Kernel or Professional Rootkits. But of course, if you don't want to spend money on them, search the internet =) Both books helped me a lot; you may also want to take a look at the Rootkit website.

ZwOpenProcess opens a handle to a desired process. With a handle you can do many things, but in this post we are going to talk about how to deny access when someone is trying to terminate your protected process. You have probably encountered such a hook already, since almost every anti-virus/firewall uses one to prevent malicious software from terminating it.

Let’s take a look at ZwOpenProcess:

NTSTATUS ZwOpenProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

What we want here is ClientId, since that's a pointer to the client ID; we can use it to check whether an application is trying to get a handle to our protected process's PID. Here's a code snippet:

NTSTATUS NewZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    HANDLE ProcessId;

    /* ClientId is optional and comes from the caller: it may be NULL or point to
       invalid memory, so read it under __try to avoid crashes */
    __try
    {
        ProcessId = ClientId->UniqueProcess;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        /*DbgPrint("Exception");*/
        return STATUS_INVALID_PARAMETER;
    }

    if (ProcessId == (HANDLE)2816) /*Check if the PID matches our protected process PID*/
    {
        /*DbgPrint("Access Denied!");*/
        return STATUS_ACCESS_DENIED; /*What we want, access denied.*/
    }
    else /*Important: if you don't pass every other call through, your system will hang or crash/BSOD*/
    {
        return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }
}

Here’s the result:


In my example I used "firefox.exe"; as you can see I got Access Denied, and also notice that Process Explorer was unable to list the loaded modules of our process.

Now try to kill your protected process; it most probably failed. Why "most probably"? Because your process is not invisible. There are some tools that can still terminate your process. Also, a user can simply check whether ZwOpenProcess is hooked in the SSDT and restore the original entry, and then your hook is dead.

Important!!! My example is not complete, it's kind of a "proof of concept": I hardcoded the PID, but it shouldn't be hard to pass the PID from userland, or even get the PID from the kernel if you want. The source code can be downloaded from the link below. If you find any errors or bugs, please let me know.

Later.

Download

EDIT: Well, I have received an e-mail asking how to hook Nt* functions. The concept is still the same, but there are some changes; I may write another article on that if you guys want.


Process Token Privileges

July 27, 2007

In the past week I've been reading posts in forums, and I realized that many people are surprised that some of their APIs don't work. For example InitiateSystemShutdown, SetSystemTime, or for that matter terminating a critical process. They don't work because the calling process needs to hold a certain privilege in its token, and those privileges are disabled by default. There are many more APIs than those mentioned above. It may be a good thing for an average user because it increases security, but for us it's not. In this post I'm going to teach you how to adjust your process token's privileges and enable the debug privilege.

Our goal today is to enable the SE_DEBUG_NAME privilege to be able to kill a critical process (which will cause a crash/BSOD). As you may know, to kill a process we use OpenProcess() and TerminateProcess(). The code will look like this:

DWORD  processID;
HANDLE hProcess;
BOOL   hTerminate;

printf("Enter PID you want to terminate: ");
scanf("%lu", &processID);

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
hTerminate = TerminateProcess(hProcess, 0);

This will terminate your average process, but now try to kill "winlogon.exe", for example. It won't work. Why? Open Process Explorer and do the following.


As you see, SeDebugPrivilege is disabled, so we are going to enable it. To do so we are going to use 3 APIs: LookupPrivilegeValue(), OpenProcessToken() and AdjustTokenPrivileges().

The first thing we have to do is use LookupPrivilegeValue() to get the LUID (Locally Unique Identifier) of the privilege we want, in our case SE_DEBUG_NAME.

TOKEN_PRIVILEGES Debug_Privileges;
LUID luid;

if (!LookupPrivilegeValue (NULL,
                           SE_DEBUG_NAME,
                           &luid))
{
    printf ("LookupPrivilegeValue() error %u\n", GetLastError());
    return false;
}

// Describe the one privilege we want to change: its LUID and the new state.
// AdjustTokenPrivileges() reads this structure later.
Debug_Privileges.PrivilegeCount = 1;
Debug_Privileges.Privileges[0].Luid = luid;
Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

If everything went well, we have now received the LUID value of our privilege. Now we are going to use OpenProcessToken(). Since we want to enable or disable privileges, we are going to use this access flag: TOKEN_ADJUST_PRIVILEGES. To see a full list of all the available flags, visit this page.

HANDLE hToken;
if (!OpenProcessToken (GetCurrentProcess(),
                       TOKEN_ADJUST_PRIVILEGES,
                       &hToken))
{
    printf ("OpenProcessToken() error %u\n", GetLastError());
    return false;
}

We are almost done, 1 step to go. This time we are going to use AdjustTokenPrivileges() to adjust the privileges. You can either enable or disable a privilege with this API.

if (!AdjustTokenPrivileges (hToken,
                            FALSE,
                            &Debug_Privileges,
                            0,
                            NULL,
                            NULL))
{
    printf ("AdjustTokenPrivileges() failed with code %d\n", GetLastError());
    CloseHandle (hToken);
    return false;
}

// AdjustTokenPrivileges() returns success even when the token does not hold the
// privilege at all; the only sign is ERROR_NOT_ALL_ASSIGNED from GetLastError().
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
    printf ("The token does not hold SeDebugPrivilege\n");
    CloseHandle (hToken);
    return false;
}

CloseHandle (hToken);

Now, if everything went well, open Process Explorer and check whether SeDebugPrivilege is still disabled; it shouldn't be.


If it's blank, it means everything went well (I don't know why it doesn't say Enabled). If you think an API is failing because it requires a privilege, go to the API's MSDN page and read the "Remarks" section; it will tell you everything you need to know. The full sources are below, and if you find any errors or bugs, please let me know about them. Thank you for reading.

Download



This Blog is sleeping…

July 27, 2007

This Blog is sleeping until I find something interesting/informative to write about.

See you later.