Attached here for historical purposes. It is itself a signed backdoor driver allowing execution of code in kernel mode. Written in the best tradition of old 200x Chinese rootkits, where you wonder not about what it is doing but why it is even working. The main drama here: IOCTL 0xAA013044, and the string deobfuscation code in sub_103AC, used to deobfuscate the driver device name and symbolic link. No security checks present.
As you might have already guessed, this is part of the game's "defense-in-depth approach". Despite the current hysteria about this issue, it's nothing new, and GameGuard/StarForce/Frost did much more damage to PC/OS in the past.

Code:

```c
/* Decompiler output for the IOCTL 0xAA013044 handler. */
signed __int64 __fastcall sub_10524(PVOID IOCTL_InputBuffer)
{
    signed __int64 result;
    __int64 OldCR4Value;
    void (__fastcall *CallbackFunc)(PVOID (__stdcall *)(PVOID));
    PVOID (__stdcall *FunctionParameter)(PVOID);

    /* The only "check": the qword preceding the buffer must equal the buffer address. */
    if ( *(IOCTL_InputBuffer - 1) == IOCTL_InputBuffer )
    {
        /* The caller-supplied buffer address itself is treated as a function pointer. */
        CallbackFunc = IOCTL_InputBuffer;
        FunctionParameter = MmGetSystemRoutineAddress;
        OldCR4Value = 0i64;
        DisableSMEP(&OldCR4Value);      /* clears CR4.SMEP so user-mode pages are executable from ring 0 */
        CallbackFunc(FunctionParameter); /* calls into the caller's buffer in kernel mode */
        SetCR4Value();                   /* restores CR4 */
        result = 1i64;
    }
    else
    {
        result = 0i64;
    }
    return result;
}
```
Attachments
pass: shitware
(6.64 KiB) Downloaded 42 times
Ring0 - the source of inspiration
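As an added example (not code from the post or from the driver), this Python decoder splits the IOCTL code named above into its CTL_CODE fields; the field layout and names are Microsoft's, the triage notes are my own.

```python
"""Decode a Windows I/O control code into its CTL_CODE fields.

CTL_CODE(DeviceType, Function, Method, Access) packs a 32-bit value as
bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method.
"""

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def decode_ioctl(code: int) -> dict:
    """Return the four CTL_CODE fields plus whether they fall in the vendor ranges."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    device_type = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {
        "device_type": device_type,
        "custom_device_type": device_type >= 0x8000,  # 0x8000-0xFFFF reserved for vendors
        "function": function,
        "custom_function": function >= 0x800,        # 0x800-0xFFF reserved for vendors
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }


def triage(code: int) -> list:
    """Review notes (my own wording) a defender wants when this code shows up in a driver."""
    f = decode_ioctl(code)
    notes = []
    if f["access"] == "FILE_ANY_ACCESS":
        notes.append("no specific handle access required; reachability is governed only by the device object's DACL")
    if f["method"] == "METHOD_BUFFERED":
        notes.append("SystemBuffer is a kernel copy, but its contents are still caller-supplied")
    elif f["method"] == "METHOD_NEITHER":
        notes.append("driver receives raw user pointers and must probe them itself")
    return notes


if __name__ == "__main__":
    # The IOCTL from the post: custom device type 0xAA01, function 0xC11, buffered, any access.
    print(decode_ioctl(0xAA013044))
    for note in triage(0xAA013044):
        print("-", note)
```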