Cracker: KernelKiller
Name: YangMin
ICQ: 248509868
EMAIL: YM-LP@163.COM
Program: Themida Demo Release 1.0.0.2
Works on Win2K. Themida hooks all of the following kernel functions:
NtAllocateVirtualMemory, ZwCreateThread, ZwQueryVirtualMemory, ZwReadVirtualMemory, NtRequestWaitReplyPort, ZwTerminateProcess, ZwWriteVirtualMemory

Themida_NtAllocateVirtualMemory:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 56C67F5h
    cmp     dword ptr [esp+28h], 0FFFFFFFFh
    jz      short loc_EB98CC4E          ; if handle == -1, go to the real function
    push    edx                         ; save absolute address
    push    0                           ; NULL
    lea     eax, [edx+56C687Eh]         ; edx+56C687Eh receives the object
    push    eax
    push    0                           ; KernelMode
    xor     eax, eax
    push    eax                         ; NULL
    push    10h                         ; ACCESS
    push    dword ptr [ebp+8]           ; process handle
    mov     eax, 8044D57Ah
    call    eax                         ; ObReferenceObjectByHandle: object for the handle of the process whose memory is allocated
                                        ; ObReferenceObjectByHandle(ebp+8, 0x10, NULL, KernelMode, &(edx+56C687Eh), NULL);
    pop     edx                         ; restore absolute address
    cmp     dword ptr [edx+56C687Eh], 0
    jz      near ptr 0EB98C6EDh         ; if process object == 0, jumps to the invalid address EB98C6EDh and the system dies
    mov     eax, [edx+56C687Eh]
    mov     ebx, eax
    and     ebx, 7FFFFFFFh
    mov     esi, 0EBABB000h
loc_EB98CC17:                           ; attention
    add     esi, 4
    cmp     dword ptr [esi], 47616420h  ; constant 47616420h, end-of-table marker
    jz      short loc_EB98CC4E          ; jump to call the real system function
    cmp     [esi], eax
    jz      short loc_EB98CC2C          ; compare with protected process object
    cmp     [esi], ebx
    jz      short loc_EB98CC2C
    jmp     short loc_EB98CC17          ; loop: compare against each protected process object ;; attention
loc_EB98CC2C:                           ; attention, it is a protected process
    push    fs
    mov     eax, 30h
    mov     fs, ax
    mov     eax, large fs:124h          ; ETHREAD
    mov     eax, [eax+44h]              ; KPROCESS
    pop     fs
    cmp     eax, [edx+56C687Eh]
    jz      short loc_EB98CC4E
    popa
    pop     ebp
    retn    18h                         ; attention: the real system function is not called
loc_EB98CC4E:                           ; system function
    popa
    pop     ebp
    push    804C73E8h                   ; NtAllocateVirtualMemory
    retn

; EBABB000h data, length 20h
; 47616420h: end-of-table marker
; 81407D60h: Themida protected process object
00000000h: 20 64 61 47 60 7D 40 81 20 64 61 47 00 00 00 00 ;  daG`}@. daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

Themida_ZwCreateThread:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 5676055h
    cmp     dword ptr [esp+28h], 0FFFFFFFFh
    jz      short loc_EB98CD44          ; if handle == -1, go to the real function
    push    edx                         ; save absolute address
    push    0                           ; NULL
    lea     eax, [edx+56760DAh]         ; edx+56760DAh receives the object
    push    eax
    push    0                           ; KernelMode
    xor     eax, eax
    push    eax                         ; NULL
    push    10h                         ; ACCESS
    push    dword ptr [ebp+14h]         ; process handle
    mov     eax, 8044D57Ah
    call    eax                         ; ObReferenceObjectByHandle: object for the process handle
    pop     edx
    cmp     dword ptr [edx+56760DAh], 0
    jz      short loc_EB98CD44          ; if process object == 0, go to the real function
    mov     eax, [edx+56760DAh]
    mov     ebx, eax
    and     ebx, 7FFFFFFFh
    mov     esi, 0EBABB000h             ; data address
    mov     edi, esi
    add     edi, 3E8h                   ; add offset
    jmp     short loc_EB98CD50
loc_EB98CD22:                           ; attention, it is a protected process
    push    fs
    mov     eax, 30h
    mov     fs, ax
    mov     eax, large fs:124h          ; ETHREAD
    mov     eax, [eax+44h]              ; KPROCESS
    pop     fs
    cmp     eax, [edx+56760DAh]
    jz      short loc_EB98CD44          ; compare
    popa
    pop     ebp
    retn    20h                         ; attention: the real system function is not called
loc_EB98CD44:                           ; system function
    popa
    pop     ebp
    push    804DF0F8h                   ; ZwCreateThread
    retn
loc_EB98CD50:                           ; attention
    add     esi, 4
    add     edi, 4
    cmp     dword ptr [esi], 47616420h  ; constant 47616420h, end-of-table marker
    jz      short loc_EB98CD44          ; jump to call the real system function
    cmp     [esi], eax                  ; attention: esi
    jz      short loc_EB98CD22
    cmp     [edi], eax
    jz      short loc_EB98CD22
    cmp     [esi], ebx                  ; attention: esi
    jz      short loc_EB98CD22
    cmp     [edi], ebx
    jz      short loc_EB98CD22
    jmp     short loc_EB98CD50          ; loop: compare against each protected process object ;; attention

; EBABB000h+3E8h data, length 20h
; 47616420h: end-of-table marker
00000000h: 20 64 61 47 00 00 00 00 20 64 61 47 00 00 00 00 ;  daG.... daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

Themida_ZwQueryVirtualMemory:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 56C4980h
    cmp     dword ptr [esp+28h], 0FFFFFFFFh
    jz      short loc_EB938B53          ; if handle == -1, go to the real function
    push    edx                         ; save absolute address
    push    0                           ; NULL
    lea     eax, [edx+56C4A08h]         ; edx+56C4A08h receives the object
    push    eax
    push    0                           ; KernelMode
    xor     eax, eax
    push    eax                         ; NULL
    push    10h                         ; ACCESS
    push    dword ptr [ebp+8]           ; process handle
    mov     eax, 8044D57Ah
    call    eax                         ; ObReferenceObjectByHandle: object for the process handle
    pop     edx
    cmp     dword ptr [edx+56C4A08h], 0
    jz      short loc_EB938B53          ; if process object == 0, go to the real function
    mov     eax, [edx+56C4A08h]
    mov     ebx, eax
    and     ebx, 7FFFFFFFh
    mov     esi, 0EBAC8000h
loc_EB938B19:                           ; attention
    add     esi, 4
    cmp     dword ptr [esi], 47616420h  ; constant 47616420h, end-of-table marker
    jz      short loc_EB938B53          ; jump to call the real system function
    cmp     [esi], eax
    jz      short loc_EB938B2E
    cmp     [esi], ebx
    jz      short loc_EB938B2E
    jmp     short loc_EB938B19          ; loop: compare against each protected process object ;; attention
loc_EB938B2E:                           ; attention, it is a protected process
    push    fs
    mov     eax, 30h
    mov     fs, ax
    mov     eax, large fs:124h          ; ETHREAD
    mov     eax, [eax+44h]              ; KPROCESS
    pop     fs
    cmp     eax, [edx+56C4A08h]
    jz      short loc_EB938B53
    mov     dword ptr [esp+28h], 0      ; attention: fuck Themida, handle = 0
loc_EB938B53:                           ; system function
    popa
    pop     ebp
    push    804D1DFAh                   ; ZwQueryVirtualMemory
    retn

; EBAC8000h data, length 20h
; 47616420h: end-of-table marker
; 813E5020h: Themida protected process object
00000000h: 20 64 61 47 20 50 3E 81 20 64 61 47 00 00 00 00 ;  daG P>. daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

Themida_ZwWriteVirtualMemory:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 567DB24h
    xor     edi, edi                    ; attention: edi = 0 for a write call, edi = 1 for a read call
    jmp     short loc_EB938029
Themida_NtAllocateVirtualMemory:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 567DB38h
    mov     edi, 1
loc_EB938029:
    push    edx
    push    0
    lea     eax, [edx+567DBB3h]
    push    eax
    push    1
    mov     eax, 80481EA4h
    xor     eax, eax
    push    eax
    push    10h
    push    dword ptr [ebp+8]
    mov     eax, 8044D57Ah
    call    eax
    pop     edx
    mov     eax, [edx+567DBB3h]
    lea     esi, [edx+567DBB7h]
    mov     ecx, 0EB938956h             ; see my comment at address EB99C956h
    jmp     ecx

Themida_ZwReadVirtualMemory:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 58BC582h
    mov     edi, 1                      ; attention: edi = 1 for a read call, edi = 0 for a write call
    push    edx                         ; save absolute address
    push    0                           ; NULL
    lea     eax, [edx+58BC5FDh]         ; edx+58BC5FDh receives the object
    push    eax
    push    1                           ; UserMode
    mov     eax, 80481EA4h              ; PsProcessType, seemingly unused
    xor     eax, eax                    ; eax = 0
    push    eax                         ; NULL
    push    10h                         ; ACCESS
    push    dword ptr [ebp+8]           ; process handle
    mov     eax, 8044D57Ah
    call    eax                         ; ObReferenceObjectByHandle: object for the handle of the process whose memory is read
    pop     edx
    mov     eax, [edx+58BC5FDh]         ; process object
    lea     esi, [edx+58BC601h]         ; edx+58BC5FDh+4, Themida data address
    mov     ecx, 0EB99C956h
    jmp     ecx                         ; to Themida code
    .............

; constant 4E67EEF4h == start-of-table marker
; constant 4E67EEF5h == end-of-table marker
; edx+58BC5FDh data, length 20h
00000000h: 20 00 2E 81 F4 EE 67 4E BC 3A 10 20 00 00 40 00 ;  .....gN.:. ..@.
00000010h: 00 00 E5 02 F5 EE 67 4E 00 00 00 00 00 00 00 00 ; ......gN........

; 81394820h: process object
; edx+58BC601h-4 data, length 4
00000000h: 20 48 39 81                                     ;  H9.

; attention
; 80414520h: Themida protected process object
; 00400000h: Themida protected process base address
; 02E40000h: Themida protected process memory size
; EB99C410h data, length 20h
00000000h: F4 EE 67 4E 20 45 41 81 00 00 40 00 00 00 E4 02 ; ..gN EA...@.....
00000010h: F5 EE 67 4E 00 00 00 00 00 00 00 00 00 00 00 00 ; ..gN............

loc_EB99C956:                           ; address EB99C956h
    cmp     dword ptr [esi], 4E67EEF5h  ; constant 4E67EEF5h, end-of-table marker
    jz      short loc_EB99C967
    cmp     [esi], eax
    jz      short loc_EB99C97D
    add     esi, 4
    jmp     short loc_EB99C956          ; loop: compare process object ;; not attention
loc_EB99C967:
    mov     esi, 0EB99C410h             ; address of the protected-process information data
loc_EB99C96C:
    cmp     dword ptr [esi], 4E67EEF5h  ; constant 4E67EEF5h, end-of-table marker
    jz      short loc_EB99C997          ; jump to call the real system function: the process memory can be read or written
    cmp     [esi], eax
    jz      short loc_EB99C97D          ; attention: it is the protected process object, go to loc_EB99C97D
    add     esi, 4
    jmp     short loc_EB99C96C          ; loop: compare against each protected process object ;; attention
loc_EB99C97D:
    mov     ecx, [ebp+0Ch]              ; ebp+0Ch: base address of the memory being read
    mov     edx, ecx
    add     edx, [ebp+14h]              ; ebp+14h: size of the memory being read
    cmp     edx, [esi+4]
    jb      short loc_EB99C997          ; compare with protected area
    cmp     ecx, [esi+8]
    ja      short loc_EB99C997          ; compare with protected area
    popa
    pop     ebp
    push    804D66F6h                   ; ZwSetInformationObject
    retn
loc_EB99C997:
    cmp     edi, 1
    jz      short loc_EB99C9A0
    popa
    pop     ebp
    jmp     short loc_EB99C9A8
loc_EB99C9A0:
    popa
    pop     ebp
    push    804D2562h                   ; ZwReadVirtualMemory
    retn
loc_EB99C9A8:
    push    804D2678h
    retn

Themida_NtRequestWaitReplyPort:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 5676FCAh
    mov     eax, 0
    or      eax, eax
    jz      short loc_EB9391C0
    mov     eax, [ebp+0Ch]
    mov     eax, [eax]
    jmp     short loc_EB9391C6
loc_EB9391C0:
    mov     eax, [ebp+0Ch]
    mov     eax, [eax+20h]
loc_EB9391C6:
    or      eax, eax
    jz      short loc_EB9391EA
    lea     esi, [edx+567701Ch]
loc_EB9391D0:
    cmp     dword ptr [esi], 8A87D3A3h  ; constant 8A87D3A3h, end-of-table marker
    jz      short loc_EB9391EA          ; no match: jmp loc_EB9391EA
    cmp     [esi], eax
    jz      short loc_EB9391F4          ; ok, protected
    jmp     short loc_EB9391E5          ; loop compare, attention
loc_EB9391DF:
    push    804C3080h                   ; NtRequestWaitReplyPort
    retn
loc_EB9391E5:
    add     esi, 4
    jmp     short loc_EB9391D0
loc_EB9391EA:
    jmp     short loc_EB9391F0
loc_EB9391F0:                           ; return to the system function
    popa
    pop     ebp
    jmp     short loc_EB9391DF
loc_EB9391F4:                           ; attention: the system function is not called
    popa
    pop     ebp
    xor     eax, eax
    retn    0Ch

Themida_ZwTerminateProcess:
    push    ebp
    mov     ebp, esp
    pusha
    call    $+5
    pop     edx
    sub     edx, 56C24FAh
    push    edx                         ; save absolute address
    push    0                           ; NULL
    lea     eax, [edx+56C256Ah]
    push    eax                         ; edx+56C256Ah receives the object
    push    0                           ; KernelMode
    mov     eax, 80481EA4h              ; PsProcessType, seemingly unused
    xor     eax, eax
    push    eax                         ; NULL
    push    10h                         ; ACCESS
    push    dword ptr [ebp+8]           ; process handle
    mov     eax, 8044D57Ah
    call    eax                         ; ObReferenceObjectByHandle: object for the process handle
    pop     edx                         ; restore absolute address
    cmp     dword ptr [edx+56C256Ah], 0
    jz      short loc_EB938A3A          ; if process object == 0, go to the real function
    mov     eax, [edx+56C256Ah]
    mov     ebx, eax
    and     ebx, 7FFFFFFFh
    mov     esi, 0EBAC8000h
loc_EB938A1D:
    add     esi, 4
    cmp     dword ptr [esi], 47616420h  ; constant 47616420h, end-of-table marker
    jz      short loc_EB938A3A
    cmp     [esi], eax
    jz      short loc_EB938A32
    cmp     [esi], ebx
    jz      short loc_EB938A32
    jmp     short loc_EB938A1D          ; loop: compare against each protected process object ;; attention
loc_EB938A32:                           ; it is a protected process: clear its entry, Process Object = 0FFFFFFFFh
    mov     dword ptr [esi], 0FFFFFFFFh ; [esi] attention attention attention
    jmp     short loc_EB938A42
loc_EB938A3A:                           ; system function
    popa
    pop     ebp
    push    0ECDEA7AEh
    retn
loc_EB938A42:                           ; attention: the system function is not called
    popa
    pop     ebp
    xor     eax, eax
    retn    8
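As an added example (constructed here, not code from the post or from Themida), the decision each of the hooks above makes, modelled in C: the object-table walk with its " daG" marker and the bit-31 masking, the current-process exception, and the read/write range check. The entry layout and the treatment of [esi+8] as an upper bound are assumptions, noted in the comments.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the decision logic in the Themida hooks listed
   above; not Themida's code. Table layout follows the dumps: a start
   marker, protected process object pointers, then the end marker. */
#define TABLE_MARK 0x47616420u   /* " daG": starts and ends the object table */

typedef enum { PASS_THROUGH, BLOCKED } verdict;

/* The hook's loop: `add esi, 4` comes first, so entry 0 (the start marker)
   is skipped; stop at the end marker; match the object pointer exactly or
   with bit 31 cleared (the `and ebx, 7FFFFFFFh` second compare). */
static bool table_contains(const uint32_t *table, uint32_t obj)
{
    uint32_t masked = obj & 0x7FFFFFFFu;
    for (size_t i = 1; table[i] != TABLE_MARK; i++)
        if (table[i] == obj || table[i] == masked)
            return true;
    return false;
}

/* NtAllocateVirtualMemory / ZwCreateThread style hook: a handle of -1 or an
   unresolved object passes through (the allocate hook instead jumps to an
   invalid address there, per the post); a protected target is only served
   when the caller is that process itself (the fs:124h ETHREAD->KPROCESS compare). */
verdict object_filter(const uint32_t *table, uint32_t handle,
                      uint32_t target_obj, uint32_t current_kprocess)
{
    if (handle == 0xFFFFFFFFu || target_obj == 0)
        return PASS_THROUGH;
    if (!table_contains(table, target_obj))
        return PASS_THROUGH;
    return current_kprocess == target_obj ? PASS_THROUGH : BLOCKED;
}

/* Zw{Read,Write}VirtualMemory hook once the object matched: entry is
   {object, [esi+4], [esi+8]}. The post labels [esi+8] as the size, but the
   hook compares the caller's base address against it directly, so this
   model assumes it acts as the upper bound of the protected area. */
verdict range_filter(const uint32_t *entry, uint32_t base, uint32_t size)
{
    uint32_t end = base + size;                 /* add edx, [ebp+14h] */
    if (end < entry[1])  return PASS_THROUGH;   /* jb loc_EB99C997    */
    if (base > entry[2]) return PASS_THROUGH;   /* ja loc_EB99C997    */
    return BLOCKED;     /* diverted to the ZwSetInformationObject stub */
}
```

A request that is not aimed at a protected process, or that comes from the protected process itself, is forwarded to the real syscall; anything else never reaches it.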
The stripper (version 1.1) works, but not completely. It would be interesting to try its SDK, but so far nothing could be extracted apart from the process list, as in the example. And the stripper itself is a black box, also packed. Probably with some tricky Chinese packer with traces of UPX...