Driver-level signature modification: the ultimate AV evasion for PcShare

Source: Internet
Author: User
Tags: ultraedit

PcShare (PS) is billed as the best remote control software in China.

I. Unique driver-level hiding technology

This feature improves the concealment of PS, but it can only hide PS once the installation has succeeded. The anti-virus code libraries already contain PS's code, so when monitoring is enabled and the service releases its *.DLL and *.SYS files, the anti-virus software raises an alarm and the installation fails. What to do then? AV evasion, of course. Packing is useless; the signatures have to be changed. Modifying file and memory signatures has been covered in previous issues and is done here as usual, but among the key PS files there is a driver, PcHide.SYS. How should its signature be modified? This article discusses signature modification for a program that includes a driver.

The latest KV2006 is used to check the signatures. PS is the full version cracked by the Black Alliance, downloaded from the black base site (the pirated copy is only for testing; please support the genuine version). Other tools: the signature locator CCL v2.7.1, IDA Pro 4.7, OllyDbg, PeInfo, IceSword and UltraEdit.

1. Modify the driver PcHide.SYS

This is the most important part. First modify the driver's file signature. Step one: use CCL to determine the location of the signature. The CCL procedure is not described in detail here; the settings are automatic location, detection granularity 10, detection range the .text section. The result (item, start, length, end):

0001 000003DC 0000001F 000003FB
0002 000003FC 0000003E 0000043A
0003 00001C78 0000001F 00001C97
0004 00001C98 0000003E 00001CD6
0005 00001CD7 0000003E 00001D15

Looking at the results you should notice that, although there are five entries, the first two and the last three are each contiguous. In other words PcHide.SYS has only two signatures in total: from 000003DC to 0000043A and from 00001C78 to 00001D15. Each location is contiguous internally, but the two are far apart, so as a rule both must be modified. (When there are many scattered results this judgement can be difficult, so I added a feature to CCL that quickly determines the minimum set of locations, and how many of them, that must be modified. It is described below.)

Now disassemble with IDA and look at the code at 3DC. It does not look like assembly instructions. Switch to IDA's Hex View: it turns out to be the string "D:/PcShare/Pull/PcHide/objfre/i386/PcHide.pdb" (never mind the garbled bytes around it; what matters is that it contains PcShare and PcHide). The simplest way to change a string is to change its letter case; the principle is that the change must not interfere with execution of the original file. This string gives the path of a PDB file (?). I do not know the exact function of the path, but changing its case is harmless, so replace all uppercase letters here with lowercase in UltraEdit and save.

That change alone is not enough: KV still alarms, which confirms the earlier judgement that both locations must be modified. Now for the second location at 1C78. It is both the key and the hard part of the modification.

...
.text:00011C78 xor ecx, ecx
.text:00011C7A cmp byte_12280, cl
.text:00011C80 jz locret_11D68
.text:00011C86 push esi
.text:00011C87 cli
.text:00011C88 mov eax, cr0
.text:00011C8B and eax, 0FFFEFFFFh
.text:00011C90 mov cr0, eax
.text:00011C93 mov edx, dword_130EC
.text:00011C99 mov edx, [edx]
.text:00011C9B mov esi, dword_130E0
.text:00011CA1 mov eax, ds:ZwQuerySystemInformation
...

There are two difficulties here: the segment contains a jump instruction (jz), and the order of the instructions cannot be swapped. A driver runs in the kernel, so be careful not to add code and try not to change the overall size of the original code. A special trick is therefore used. Look at `and eax, 0FFFEFFFFh`. eax is the CPU's most frequently used register, so instructions that operate on eax are usually shorter and faster. Its hex encoding is 25 FFFFFEFF: 25 is the opcode and FFFFFEFF the operand. What is the encoding of the same instruction on ebx? The most convenient tool for viewing instruction encodings is OD. Open any executable in OD (OD cannot open a driver file directly) and type the instruction: the encoding is 81E3 FFFFFEFF, one byte longer. (Check the Intel instruction reference: 81 is the and opcode with a 32-bit immediate, E3 is the ModRM byte selecting the and operation on ebx, and the eax form is a specially optimized short encoding.) Our idea is to change the register here to ebx. But what about the extra byte? We cannot shift all the following code down! The byte has to be recovered from the code that follows. Look at `mov edx, dword_130EC`, encoded as 8B 15 EC 30 01 00, 6 bytes. What if edx is changed to eax? Type `mov eax, dword ptr ds:[130EC]` in OD: the encoding is A1 EC300100, only 5 bytes. That balances the code size.

Note: why can edx be changed to eax? If eax holds some other value, would the original program's results not change? No, because three lines further down there is `mov eax, ds:ZwQuerySystemInformation`, which overwrites eax. So it is certain that modifying eax here does not affect program execution. With the method settled, make the change. First type the following code in OD (this is the modified version):

10003817 0F20C3 mov ebx, cr0
1000381A 81E3 FFFFFEFF and ebx, FFFEFFFF
10003820 0F22C3 mov cr0, ebx
10003823 A1 EC300100 mov eax, dword ptr ds:[130EC]
10003828 8B10 mov edx, dword ptr ds:[eax]

These five instructions total 19 bytes, the same as before the modification. Because OD cannot open a SYS directly, open PcHide.SYS in UltraEdit and edit the hex data directly. Save and check with KV: the file is no longer detected.

The next step is essential: modify the file CheckSum. Skipping it may be the reason modified drivers fail to load. Open the sys file with PeInfo and click CheckSum; the program computes the value automatically, then click Modify. After the driver's file signature is changed, does the memory signature need changing too? Let's try: load PcHide.sys into memory with a driver loader and run KV memory detection. The loader is InstDvr (www.rootkit.com/vault/hoglund/InstDvr.zip): enter the full path of the sys file, click Install, then Start. If "Operation was successful" is displayed, the driver is loaded. KV detects nothing, which saves the trouble of modifying the memory signature. (I was really worried before trying this: CCL has no feature for locating a driver's memory signature, so being lazy and writing no code is fine!)
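As an added illustration of the CheckSum step (this is not the article's or PeInfo's code): recompute the PE header CheckSum as the PE/COFF specification defines it and compare it with the stored field. From the defender's side a mismatch is a cheap indicator that an image was edited after it was built. The minimal PE32 image below is constructed inline.

```python
# Added example (not from the article or PeInfo): recompute the PE CheckSum
# as the PE/COFF spec defines it and compare it with the header field.
import struct

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """One's-complement sum of 16-bit words (the 4 CheckSum bytes skipped) plus file size."""
    total = 0
    for i in range(0, len(data) - 1, 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                      # odd file size: fold in the trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 'PE\\0\\0' + 20-byte file header + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]

def verify_checksum(data: bytes) -> bool:
    """True when the stored field equals the recomputed value; False flags an edited or unfixed image."""
    return stored_checksum(data) == pe_checksum(data, checksum_field_offset(data))

def with_fixed_checksum(data: bytes) -> bytes:
    """Write the recomputed value into the field (what PeInfo's Modify button does)."""
    off, buf = checksum_field_offset(data), bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed 333-byte PE32 stub (i386, 224-byte optional header) with a valid CheckSum."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    return with_fixed_checksum(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x90" * 21)
```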

2. PcClient.dll, PcKey.dll and PcInit.exe

Now modify the file signatures of the other key files. PS has four key files; apart from the SYS file none is a driver, so they are easy to modify. I will not say much about the process, only describe PcClient.dll in detail, give the results for the others directly, and point out the precautions along the way. First CCL location of PcClient.dll: manual, 100 files generated, range the whole file. The result (item, start, length, end):

0001 00000000 0000028E 0000028E
0002 00002B6E 00000147 00002CB5
0003 000036ED 00000147 00003834
0004 00007D2E 000002D2 00008000

Note: if manual location shows that several of the remaining files are not detected (apart from cases where the file header is overwritten, such as item 0001), the file has several signatures and modifying any one of them is enough to evade detection. The ranges in these results are large, so increase the location precision and run again. Set CCL to manual, replacement granularity 16 bytes, range 0x147 bytes starting at 0x2B6E (that is, item 0002). The result is a single item:

0001 00002C3E 00000070 00002CAE

Why is the result range as large as 70 when the precision was set to 16? It means the signature itself covers a large span, so it is easy to change. OK, instead of IDA, open PcClient.dll directly with OD and go to 10002C3E, where the code is:

...
.text:10002C41 mov edi, [esp + lpServiceName]
.text:10002C45 mov esi, eax
...
.text:10002C81 mov edi, [esp + lpDisplayName]
.text:10002C85 mov esi, eax
...

The easiest way is to swap the order of the two instructions. Save and check with KV: evaded again! Next, the remaining two files. Here I did not use manual mode but automatic location, with the detection range set to the .text section. The results are given directly. PcKey.dll is modified as follows:

.text:10001191 mov esi, eax
.text:10001193 test esi, esi
.text:10001195 jz short loc_100011F7
.text:10001197 mov ecx, 0FFh
.text:1000119C xor eax, eax
.text:1000119E lea edi, [esp + 608h + var_400 + 1]

Replacing `test esi, esi` with `or esi, esi` is enough. (Dizzy, one byte changed and KV is done for!) PcInit.exe is modified in two places. The first is

.text:004016AE stosd
.text:004016AF stosb

and the second is

.text:004017CE test eax, eax

I need not explain how: swap the order, change test to or. Check again: success. By now the file signatures of all three files have been modified. Now let's talk about the CCL result permutation-and-combination feature mentioned above. For example, when locating PcKey.dll the automatic result was:

0001 00001180 00000070 000011F0
0002 00001790 00000020 000017B0
0003 000017C0 00000010 000017D0
0004 000017E0 00000010 000017F0

The precision is fine, but which one should be changed first? Here the CCL feature helps: open PcKey.dll, import the location result and click Generate. Files named R_X_XXXXXX are generated in the output folder. Scan the output folder with KV and delete the files that alert (they are not deleted here). Then click the detection button and CCL returns:

Only one signature needs to be modified:
1st, or 2nd, or 3rd, or 4th

Two signatures can be modified at the same time:
1st and 2nd, or 1st and 3rd, or 1st and 4th, or 2nd and 3rd, or 2nd and 4th, or 3rd and 4th

Three signatures can be modified at the same time:
1st, 2nd and 3rd, or 1st, 2nd and 4th, or 1st, 3rd and 4th, or 2nd, 3rd and 4th

This means modifying any one of them is enough. No need to try them one by one!

3. Modify the memory signature

In the past we verified that Rising uses two separate sets of signatures for files and memory. Now KV also has memory detection; does it also use two sets? I generated the server and checked it with KV: no alert, so the file signature was modified successfully. But double-clicking to run it says you do not have permission or the file cannot be found, and all operations on the server file are forbidden. This must be KV's doing. I am not quite clear on the principle; perhaps KV's virtual machine executes the file and then detects the memory signature. But it shows one thing: the memory signature must be changed as well!

When locating the memory signature, pause after each round and run KV memory detection. Tick the CCL check boxes according to the names of the alerted files and click Run to enter the next round, until CCL finally gives the result. When KV asks "whether to clear", click "No".

The process is skipped and the result given directly. For PcClient.dll, change `call 10002BA0` at 10002C49 to `call 10002C67`, and add the following code in the blank space at 10002C67:

10002C67 E8 34FFFFFF call PcClient.10002BA0
10002C6C C3 retn

This is equivalent to an indirect call.

The second file, PcKey.dll, passes memory detection directly once its file signature is modified. The test method is to load it with OD and run KV memory detection; the method is the same for a DLL and an EXE.

That leaves PcInit.exe, which is a little troublesome, because the located range may contain nothing that can be changed. Let me explain and give the solution. Locating the memory signature of PcInit.exe is very simple:

0001 00001798 00000010 000017A8

The code here is:

00401798 je PcInit.00401A58
0040179E mov eax, dword ptr ss:[ebp-20]
004017A1 cmp eax, dword ptr ds:[esi+8]
004017A4 jnz PcInit.00401A58

It looks easy to modify: change the je's target to a blank address 004025E0 and add a jmp in the blank space: `004025E0 jmp PcInit.00401A58`. After this modification, loading with OD still triggers an alarm. I was stuck for a while and finally decided to try changing the entry point. Add a new entry in the blank space:

004025E5 68 3C244000 push PcInit.0040243C
004025EA 58 pop eax
004025EB FFE0 jmp eax

After saving, use PeInfo to change the entry point of PcInit.exe to 25E5. Save, load with OD and run KV memory detection: passed. It seems the AV software's signature match is indeed related to the code (or offset) at the entry point, at least for some programs.

4. Effect check and PcShare uninstallation

Because I have no bots, I can only check the running state on my own machine; whether it works normally I will not test, it should be fine. Enable all KV monitoring and double-click to run. Hey, the server window flashes and is gone, and KV notices nothing at all. Open IceSword and check whether the PS driver is loaded in the SSDT. Yxxxxxxx.sys is the core of PS: the PS file name always starts with Y and the remaining seven letters are random. And the red lines for KRegEx.sys? That is a KV driver. When the installation is finished an i‑er.exe is added, and if it is ended it restarts immediately, because a daemon thread lives in one of the svchost.exe processes.

Enable KV; whether memory or file detection, nothing is found. (If it could be detected, KV would not let PS load.) By the way, to uninstall: first delete windows/system32/drivers/Y*.sys in IceSword's File view and restart the computer. Then the other released file windows/system32/Y*.DLL and the data in the registry become visible and can be deleted (you can also delete them from DOS). Search the registry for Y* and delete all entries. BTW: IceSword is really fierce!

Conclusion:

It seems that relying on endless anti-virus upgrades and patching cannot guarantee computer security; what matters most is improving users' security awareness and skill. This method is not meant to let everyone modify trojans, but to explore a way to improve the software.
