
ProDLLer: Unknown code running? Befriend or Kill!


100 posts in this topic

Posted

Ascend4nt: Wow! Yet again you come to the rescue! I'll check into it. I'll download and see if I can check. Otherwise I'll beg for a copy... :mellow:

storme: I had to skip fileinstalling the "skeleton.sys" driver because some anti-virus complained of suspicious behaviour.

Now you have to manually copy all files to the same dir. Especially the .exe, .dll and .sys have to be in the same dir even though it's compiled.

Still got problems?

And yes, I will make them msgboxes again. I changed all msgboxes because they don't work if one suspends certain procs...

...but as these notifications occur before that scenario, it should not be a problem.

Thanks!

/Manko




Posted (edited)

storme: I had to skip fileinstalling the "skeleton.sys" driver because some anti-virus complained of suspicious behaviour.

Now you have to manually copy all files to the same dir. Especially the .exe, .dll and .sys have to be in the same dir even though it's compiled.

Still got problems?

Yep saw the comment about that. It is a shame. :party:

All I did to start with was extract the files from your zip file and click the EXE file.

I.E. everything that you supplied was there in the one directory. :party:

Actually, because I don't trust EXE files I used your source first, then when it didn't work I tried the pre-compiled version. :mellow:

I also tried it from my laptop and it gives the same error.

And yes, I will make them msgboxes again. I changed all msgboxes because they don't work if one suspends certain procs...

...but as these notifications occur before that scenario, it should not be a problem.

I understand. :P Edited by storme


Posted (edited)

@storme: I think I might have fixed the issue you reported. Try it! (As a side effect it seems you can run multiple copies of ProDLLer now. Don't know if that is good...)

Also I have changed to Messageboxes. :mellow:

@Ascend4nt: I have done tooltips for the buttons now. Hope you all won't be afraid to test them now! :P

I have been unsuccessful at repeating your problem as of yet. Though I have tried 6 copies of the file you mentioned...

/Manko

; 0.494
; Fixed: Skeleton service not loading properly under unknown circumstances... Reported by storme. Fixed?
; Added: Tooltips for buttons. Hope it emboldens users. There is no self-destruct... almost... Muahhahahaha!
Edited by Manko


Posted

I hope a 64-bit version will be available somewhere in the future. I would really love to try new versions :mellow:


Posted

on win 7 x64

Line 12378  (File "C:\Users\rain\Desktop\lol\ProDLLer.exe"):


Error: Variable used without being declared.

Did you make the dll and exe yourself?


Posted

I made the dll and all but the skeleton of the driver myself, yes, in assembler, and that is the problem... the assembler I use does not support 64-bit. There is a 64-bit version of masm, but there are problems...

Hmm... You're not even supposed to be able to run it in 64-bit...

@trancexx: I'm sorry. That day is sadly far off right now...

/Manko


Posted

Does your program inject that dll in some process?


Posted

Manko, thanks for those much-needed tooltips :mellow:

Hopefully the driver I directed your way will help.. though I don't know how you could actually test it effectively without loading it into memory. Or are you able to load it? (I figured it wouldn't load without the actual soundcard present).

If you still can't find the issue on your own, you're gonna have to give me some sort of debug output version of the DLL (at least for that function) so we could see where things are going.

I just did a test myself on the driver with my NTQuery experimental module, and was able to read most everything I've been experimenting with, except I was unable to get TEB/TIB basic info for 22 of 27 threads (even with SEDEBUG privilege).

Things I tested successfully: Traversing through memory using VirtualQueryEx to find DLL/EXE load locations, Reading and interpreting PEB, LDR_DATA, MODULE_INFO_NODE's and other minor misc data.


Posted (edited)

Well, Manko.. turns out the problem had to do with a deadlocked/crashed driver!! I rebooted my machine and re-ran ProDLLer, and it worked flawlessly this time.

I'm also able to get info on all the threads now through NtQuery* functions. (I suppose there may have been a few threads still working when it crashed?)

Anyhow, I reproduced the problem and the issue arose again. As odd as it sounds, TrueCrypt crashes the audio driver when I dismount a drive. It's weird because all the programs that rely on audio run flawlessly even afterwards.

So, the only real 'problem' with ProDLLer is that it somehow does something in that DLL that tries to access a hung/crashed executable. I've seen this problem before, if you recall, with my Full-Screen Crash Recovery program. (I had to figure out which functions and operations were safe to perform on a hung application.)

Since I was still able to get all the information about modules, heaps, and other stuff from the process memory, I'm guessing the issue might have to do with the (crashed) threads (the ones that weren't reporting back basic info (0) when I used 'NtQueryInformationThread'). I'm not sure if you use something similar in your DLL, but whatever you are using, you might need to either add error checking (not that I'd ever accuse you of not using such things :mellow:), or somehow check for problem threads..?

*oh, and another thing - I couldn't terminate the darn audio driver either, through task manager, with ProDLLer, or 'DTaskManager'. A reboot worked though *shrug*

Edited by Ascend4nt


Posted

@storme: I think I might have fixed the issue you reported. Try it! (As a side effect it seems you can run multiple copies of ProDLLer now. Don't know if that is good...)

Also I have changed to Messageboxes. :P

Sorry, not fixed but different. :mellow:

Now I get a message "Couldn't start skeleton.sys so I can not aquire DRIVER handle!" :party:

If I can help in any way let me know.


Posted

Very good :P this is extremely useful :mellow: I like it ^^ no doubt that 5 stars.


Posted (edited)

Very good :party: this is extremely useful :party: I like it ^^ no doubt that 5 stars.

Thanks! :P

Okay, I tracked down the issue. It has to do with this function call:

$mlret = DllCall($hDll, "str*", "GetModuleNameFromAddress", "int", $threads[$i][1], "int", $threads[$i][4])

Yup. That code runs RtlQueryProcessDebugInformation, which apparently was used in Process Explorer and ran into the same troubles with cygwin... I'll try and move back to toolhelp-functions. They are slower, but as a bonus they seem to get modules of "protected" processes...

The strange part is that the toolhelp-function uses RtlQueryProcessDebugInformation... (They do other interesting stuff in there that I have not had the time or will to analyse...)

I am looking into maybe doing RtlQueryProcessDebugInformation in a separate thread and looking for lockups...

Does your program inject that dll in some process?

No. It doesn't, though there is at least one Microsoft API I use that injects Microsoft code in other procs to get info: RtlQueryProcessDebugInformation.

Sorry, not fixed but different. :mellow:

If I can help in any way let me know.

Run this code and try to start ProDLLer.

If it doesn't work, run it again and restart Windows before trying again...

; Remove the stale Skeleton driver service registration from the current
; control set and from each numbered control set it may have been copied to
RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet001\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet002\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet003\Services\Skeleton")

/Manko

Edited by Manko


Posted

Yup. That code runs RtlQueryProcessDebugInformation, which apparently was used in Process Explorer and ran into the same troubles with cygwin... I'll try and move back to toolhelp-functions. They are slower, but as a bonus they seem to get modules of "protected" processes...

The strange part is that the toolhelp-function uses RtlQueryProcessDebugInformation... (They do other interesting stuff in there that I have not had the time or will to analyse...)

I am looking into maybe doing RtlQueryProcessDebugInformation in a separate thread and looking for lockups...

Ahh, another 'undocumented' function I hadn't really noticed before. I see it's in one of the books I use for reference (Windows NT/2000 Native API Reference), but I guess I skipped over it. I wonder now that you mention the part about Protected processes... are there certain DLL's that are allowed access to Protected processes, or is there really some hidden trick to bypass the protection mechanism? It sure would be nice to get a hold of the 'bypass code' if it's out there, so one could access most all information we would want. I remember reading that even WMI can't get some/all info about Protected processes. But ahh, a subject of discussion for another thread I suppose. At least we know the problem can be solved. :mellow:


Posted

New version.

; 0.496
; Fixed: Sometimes old procs, next to new ones, would get marked as new.
; Fixed: RtlQueryProcessDebugInformation, (part of threads enumeration) is prone to lockups. Now runs in separate thread. (Reported by Ascend4nt)
; Change: Display GUI earlier. (Though it gives an impression of a slower start, on a slow system, we will at least know it's started...)
; Fixed: Further error checking at driver load. Can't start driver from mapped drive. => Copy to local dir and start... (Reported by storme.)

@Ascend4NT: The protected procs/services à la Vista/Win7 are easy to disable, just a bit setting in the _EPROCESS structure in the kernel. Others, like anti-virus and also malicious code with self-protection, often rely on hooking APIs we would like to use to get AT them... There are just too many ways...

/Manko
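The lockup Ascend4nt hit and the 0.496 fix ("RtlQueryProcessDebugInformation ... now runs in separate thread") describe one general pattern: never let a query against a single hung process stall the whole enumeration. The block below is an added example written for this edit, not ProDLLer's code or Manko's DLL; it uses a constructed in-memory stand-in for the per-process query (the real one would be a Windows API call), with PID 4444 playing the hung target. It shows the worker-thread-with-timeout isolation and reports the stuck target as "hung" so it can be reviewed rather than silently skipped.

```python
import queue
import threading
from typing import Any, Callable, Dict, List, Tuple

# Constructed stand-in for a per-process query (in ProDLLer's case the thread and
# module enumeration done through RtlQueryProcessDebugInformation). PID 4444 plays
# the hung target: its query blocks until HUNG_RELEASE is set, which is the
# situation that froze the whole scan in the thread above.
HUNG_RELEASE = threading.Event()
SAMPLE_MODULES: Dict[int, List[str]] = {
    1000: ["ntdll.dll", "kernel32.dll", "app.exe"],
    2000: ["ntdll.dll", "kernel32.dll", "svc.exe", "plugin.dll"],
    4444: ["ntdll.dll", "audio_host.exe"],
}

def fake_query(pid: int) -> List[str]:
    """Simulated enumeration of one process; hangs on PID 4444, raises on unknown PIDs."""
    if pid == 4444:
        HUNG_RELEASE.wait()
    if pid not in SAMPLE_MODULES:
        raise LookupError(f"no such process: {pid}")
    return list(SAMPLE_MODULES[pid])

Result = Tuple[str, Any]   # ("ok", value) | ("hung", None) | ("error", message)

def query_with_timeout(query: Callable[[int], Any], pid: int, timeout: float) -> Result:
    """Run query(pid) on a daemon worker thread and wait at most `timeout` seconds.

    If the worker does not report back in time, the target is reported as hung and
    the caller moves on. The stuck worker is abandoned (daemon=True, so it cannot
    keep the process alive) instead of blocking the enumeration loop.
    """
    box: "queue.Queue[Result]" = queue.Queue(maxsize=1)

    def worker() -> None:
        try:
            box.put(("ok", query(pid)))
        except Exception as exc:          # a failed query is data, not a crash
            box.put(("error", repr(exc)))

    threading.Thread(target=worker, name=f"query-{pid}", daemon=True).start()
    try:
        return box.get(timeout=timeout)
    except queue.Empty:
        return ("hung", None)

def enumerate_all(pids, query: Callable[[int], Any] = fake_query,
                  timeout: float = 0.25) -> Dict[int, Result]:
    """Enumerate every PID, isolating each query so one hung process cannot stall the rest."""
    return {pid: query_with_timeout(query, pid, timeout) for pid in pids}

def summarize(report: Dict[int, Result]) -> Dict[str, List[int]]:
    """Group PIDs by outcome; the 'hung' list is what a reviewer looks at first."""
    groups: Dict[str, List[int]] = {"ok": [], "hung": [], "error": []}
    for pid, (status, _) in report.items():
        groups[status].append(pid)
    return groups

if __name__ == "__main__":
    rep = enumerate_all([1000, 4444, 2000, 9999])
    for pid, (status, value) in rep.items():
        print(pid, status, value)
    print(summarize(rep))
    HUNG_RELEASE.set()   # release the abandoned worker before exit
```

The timeout is a policy decision: too short and slow but healthy processes on a loaded system show up as "hung"; too long and the scan crawls. Keeping the outcome per PID (rather than dropping hung targets) is what makes the result useful for triage, since a process that cannot be queried is itself worth a look.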


Posted

Hi Manko,

Though I joined this forum very recently, I have been working with AutoIt for quite some time now. (That explains my newbie status.)

For the past few months I have been working on a security app for pendrives, for which I was looking for a method which is available in the script which you have written. (No new procs and procs only from prodller.) DllCalls go over my head, as of this moment.

I want to integrate this specific feature in my project, but I am unable to understand how this is being done within the script.

Could you shed some light onto this?

Regards

Slashh.


Posted

Hi Manko,

Figured it out...

One last query:

What's the source code for skeleton.sys?

regards

slashh


Posted

Hi!

It's good you found a way.

The source-code for the driver is messy (like most of my code...) and uncommented.

If there's some part of it you'd like clarified, I could do that before putting it here...

Also, I have to warn you about using my driver in ways I had not intended: it is only bug-fixed for my needs and it is always early beta...

Also the piece of code you're after is not tested on all configurations (certainly not working on x64....).

btw, feel free to inspire me on new things to do with prodller... (except dump it in the bin...)

/Manko


Posted

btw, feel free to inspire me on new things to do with prodller... (except dump it in the bin...)

Hi Manko,

I have used this code and skeleton.sys for the following:

App1 - initiates skeleton.sys with @AutoitPID

App1 - executes App2.

App2 - acquires the handle of skeleton.sys and executes App4, App5 - these are decrypting modules and password generation modules.

App3 - Simply executes the code.

This ensures that at every moment no new process can be started except from within the designated applications.

Debuggers and other reverse engineering tools have been taken care of.

---------

The second application is for virus removal, modifying it to suit the algorithm. The algorithm is as follows: it does an analysis of the threads and the processes, gets their path and checks the RC section of the file, awards points based on the information stored in the file, and the ones with the least points are tagged as suspicious. 1% false positives. DLLs and their dates blah blah (for any injection attempt).

This is an idea - trying to complete it. I hope this entices you to go ahead and build AI into prodller.

Regards

Slashh
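The points-based triage slashh sketches above (read the version resource of each process image, award points for what is present, flag the lowest scorers) is a heuristic that is easy to get wrong in both directions, so here it is as an added example written for this edit, not slashh's or ProDLLer's code. The weights, the VERSIONINFO fields scored, the trusted directories and the process records are all constructed assumptions. It goes slightly beyond the post by also flagging modules loaded long after process start, as one reading of the "DLLs and their dates" remark:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass
class ProcessRecord:
    pid: int
    image_path: str
    version_info: Dict[str, str]           # strings read from the image's VERSIONINFO resource
    signed: bool                           # Authenticode signature verified (assumed done elsewhere)
    started: datetime
    modules: List[Tuple[str, datetime]]    # (module name, time it was loaded)

# Points per VERSIONINFO string that is present and non-empty (assumed weights).
VERSION_WEIGHTS = {"CompanyName": 2, "FileDescription": 1, "ProductName": 1, "FileVersion": 1}
SIGNED_POINTS = 3
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def score(rec: ProcessRecord) -> int:
    """Higher is more plausible; a bare unsigned image from a temp dir scores 0."""
    points = sum(w for key, w in VERSION_WEIGHTS.items()
                 if rec.version_info.get(key, "").strip())
    if rec.signed:
        points += SIGNED_POINTS
    if rec.image_path.lower().startswith(TRUSTED_DIRS):
        points += 1
    return points

def late_loaded_modules(rec: ProcessRecord, grace: timedelta = timedelta(seconds=5)) -> List[str]:
    """Modules that appeared well after start-up: plugins do this too, so it is a signal, not a verdict."""
    return [name for name, loaded in rec.modules if loaded - rec.started > grace]

def triage(records: List[ProcessRecord], threshold: int = 3) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every record that scores below threshold or loaded modules late."""
    flagged: List[Tuple[int, List[str]]] = []
    for rec in records:
        reasons: List[str] = []
        s = score(rec)
        if s < threshold:
            reasons.append(f"score {s} below {threshold}")
        late = late_loaded_modules(rec)
        if late:
            reasons.append("modules loaded long after start: " + ", ".join(late))
        if reasons:
            flagged.append((rec.pid, reasons))
    return flagged

# Constructed sample records: a well-described system binary, a bare temp-dir
# executable, and a legitimate signed program that loaded a module 30 minutes in.
T0 = datetime(2010, 1, 1, 12, 0, 0)
SAMPLE_RECORDS = [
    ProcessRecord(100, r"C:\Windows\explorer.exe",
                  {"CompanyName": "Microsoft Corporation", "FileDescription": "Windows Explorer",
                   "ProductName": "Microsoft Windows", "FileVersion": "6.1"},
                  True, T0, [("ntdll.dll", T0), ("shell32.dll", T0)]),
    ProcessRecord(200, r"C:\Users\rain\AppData\Local\Temp\svch0st.exe",
                  {}, False, T0, [("ntdll.dll", T0)]),
    ProcessRecord(300, r"C:\Program Files\Editor\editor.exe",
                  {"CompanyName": "Editor Inc", "FileDescription": "Editor",
                   "ProductName": "Editor", "FileVersion": "2.0"},
                  True, T0, [("ntdll.dll", T0), ("unknown.dll", T0 + timedelta(minutes=30))]),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.pid, rec.image_path, "score", score(rec))
    for pid, reasons in triage(SAMPLE_RECORDS):
        print("FLAGGED", pid, "; ".join(reasons))
```

Scoring only what the file says about itself is the weak spot of this approach: version strings are trivially copied, so the signature check and the image location carry most of the weight here, and the late-load signal is kept separate from the score so a reviewer can see why a well-scored process was still flagged.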


Posted (edited)

Refuses to work for me. I have tried the exe version and the script;

both start up, then I get the message "no ntoskrnl.exe or similar???"

I click OK and then the GUI disappears.

Oops, should have said, I use XP (SP2).

Edited by Hellooopsforgotsendcommand


Posted (edited)

A few additions:

1: IE causes a problem when started from within the process, but Firefox just works great.

Well well well.... what do we have here --- auto-downloaded malware is unable to execute a process, but embedded video and mp3 files just work fine.

2: None of the antivirus applications seem to have an answer for that, as they themselves are unable to start their scanning process... that's bad news or just bad coding from AV guys...

3: GMER works great.... now it is able to terminate the processes without the worry of restart, nor does GMER hang.

4: GMER doesn't detect spy apps, but Prodller is 1+ point up... can detect kernel spy processes....

Rgds

Slashh

PS: a lil bit of tweaking makes it work on W2k3

Edited by slashh


Posted

Refuses to work for me. I have tried the exe version and the script;

both start up, then I get the message "no ntoskrnl.exe or similar???"

I click OK and then the GUI disappears.

Oops, should have said, I use XP (SP2).

Yes, sadly I never tried it on XP (SP2). Didn't know people still used it. Is there something in SP3 you don't wanna have on board?

/Manko


Posted

Yes, sadly I never tried it on XP (SP2). Didn't know people still used it. Is there something in SP3 you don't wanna have on board?

/Manko

Something in SP3 I don't want? Nothing in particular, I just don't see any need for it as my PC is running well, and SP3 may just take up extra space (quite a bit) and may slow the system down. Don't know really, but if it ain't broke... Anyway, I didn't know it wouldn't work with SP2 or I wouldn't have tried it!!

never mind.


Posted

Something in SP3 I don't want? Nothing in particular, I just don't see any need for it as my PC is running well, and SP3 may just take up extra space (quite a bit) and may slow the system down. Don't know really, but if it ain't broke... Anyway, I didn't know it wouldn't work with SP2 or I wouldn't have tried it!!

never mind.

I did not know that myself.

/Manko


Posted

A few additions:

1: IE causes a problem when started from within the process, but Firefox just works great.

Well well well.... what do we have here --- auto-downloaded malware is unable to execute a process, but embedded video and mp3 files just work fine.

2: None of the antivirus applications seem to have an answer for that, as they themselves are unable to start their scanning process... that's bad news or just bad coding from AV guys...

3: GMER works great.... now it is able to terminate the processes without the worry of restart, nor does GMER hang.

4: GMER doesn't detect spy apps, but Prodller is 1+ point up... can detect kernel spy processes....

Rgds

Slashh

PS: a lil bit of tweaking makes it work on W2k3

Interesting observations. If I get time, I would like to make the blocking mechanism interactive. It would not be ALL that much work...

I should look into that IE prob...

I have to ask, I have not put in special scanning of hidden processes, when you say "can detect kernel spy processes" what is it detecting?

/Manko


Posted

With IE the issue is that IE8 starts multiple processes.

In Prodller, you have Kernel Spy Process, i.e. those processes which are in listen-only mode. All other apps which I have been using for weeding out rootkits don't have this feature.

PS: XP SP2 or XP SP3 works fine... W2k3 OK.... been testing all the time on W2k3
