antisptd


smoke
July 1st, 2008, 15:30
antisptd is a driver that makes it possible for softice to load when sptd.sys is present. It uses the method described by Kayaker, that is, removing the notify routine sptd sets to prevent ntice.sys from loading. After ntice.sys gets loaded, it restores the notify routine and the keyboard hooks in i8042prt.sys that have been screwed up by sptd.sys.

Usage:
Just put the startsi.exe in a directory with antisptd.sys and execute startsi.exe.

Compatibility:
The driver should work on XP SP2/SP3 with the latest softice installed. I have no idea if it'll work on XP SP1 (because I have used hardcoded values to locate the patch locations in i8042prt.sys). If it doesn't work, feel free to modify the sources and recompile the driver yourself.

Attachment: antisptd.rar (http://www.woodmann.com/forum/blog_attachment.php?attachmentid=18&d=1214943690) (10.4 KB)

dELTA
July 1st, 2008, 15:43
Nice, thanks for the contribution.

CRCETL:
http://www.woodmann.com/collaborative/tools/Antisptd

JMI
July 1st, 2008, 16:23
Somehow, I just knew dELTA was going to create an entry for this tool in the CRCETL!



Regards,

Kayaker
July 2nd, 2008, 14:45
Nice one smoke, especially restoring the keyboard hook in i8042prt.sys from the SPTD one to the Softice one. It's about time there was a patch to the SPTD rootkit behaviour.

Something others should be aware of, PsRemoveLoadImageNotifyRoutine is not supported in Win2K, so your driver would have to remain resident (no DriverUnload) if you want to use this method. However, for the purposes of this patch it should be possible to read/write directly to the _PspLoadImageNotifyRoutine table of callbacks if you must.

So instead of using PsRemoveLoadImageNotifyRoutine and PsSetLoadImageNotifyRoutine, just do a direct memory transfer.

_PspLoadImageNotifyRoutine is a DWORD table which holds the addresses of up to 8 system callbacks that drivers can register. It's not 100% guaranteed that the first entry will be the SPTD callback, but since SPTD loads _very_ early in the boot loading process it's probably a safe bet.


For a bit of reference concerning the Softice keyboard hook of i8042prt, if you look at the messages Softice outputs when it loads you see

NTICE: Patching Keyboard using method 0
NTICE: Keyboard driver found - i8042prt.sys
NTICE: Keyboard successfully patched using RPUC hook
NTICE: Keyboard successfully patched lookup table using RPUC hook


Search for these strings and you can find the entire keyboard hook routine. Here's a portion which shows exactly where the hook function is, at READ_PORT_UCHAR_Hook

Code:

:000A867B BF 77 84 0A 00 mov edi, offset aRead_port_uchar ; "READ_PORT_UCHAR"
:000A8680 B9 10 00 00 00 mov ecx, 10h
:000A8685 E8 56 D8 FC FF call StringCheck
:000A868A 74 06 jz short loc_A8692
:000A868C 83 C3 04 add ebx, 4
:000A868F 40 inc eax
:000A8690 EB D2 jmp short loc_A8664
:000A8692 ; ---------------------------------------------------------------------------
:000A8692
:000A8692 loc_A8692: ; CODE XREF: Hook_Keyboard+97
:000A8692 5B pop ebx
:000A8693 8B 73 10 mov esi, [ebx+10h]
:000A8696 03 35 66 84 0A 00 add esi, ds:dword_A8466
:000A869C 8D 34 86 lea esi, [esi+eax*4]
:000A869F B8 EB 84 0A 00 mov eax, offset READ_PORT_UCHAR_Hook
:000A86A4 89 06 mov [esi], eax
:000A86A6 C6 05 2F DF 0E 00+ mov Is_KB_Hooked, 1
:000A86AD 56 push esi
:000A86AE BE 66 CA 16 00 mov esi, offset aNticeKeyboar_5 ; "NTICE: Keyboard successfully patched\n\r"
:000A86B3 E8 6D 6A FD FF call pPrintMsg



For background on the entire subject, beginning with the keyboard hook, see

SoftICE + SPTD
http://www.woodmann.com/forum/showthread.php?p=66143

Regards,
Kayaker
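As an added example (my own code, not smoke's driver and not taken from the NTICE listing above): a user-mode C model of the import-table lookup the Hook_Keyboard routine performs, i.e. walk the image's import descriptors, compare each INT name against "READ_PORT_UCHAR", and take FirstThunk + index*4 as the IAT slot to overwrite. It also saves the old slot value and writes it back, which is the "put the original i8042prt address back" step. Everything it operates on is constructed: the PE structs are declared inline so it builds without windows.h, and the image, RVAs, HAL addresses and hook address are made-up values, not anything from a real i8042prt.sys.

```c
#include <stdint.h>
#include <string.h>

/* PE import structures, declared here so this builds without windows.h. Offsets
 * match the real ones: FirstThunk is the +0x10 ([ebx+10h]) the NTICE listing reads. */
typedef struct {
    uint32_t OriginalFirstThunk;   /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                 /* RVA of the imported module's name */
    uint32_t FirstThunk;           /* RVA of the import address table (IAT) */
} import_descriptor_t;

typedef struct {
    uint16_t Hint;
    char     Name[];               /* NUL-terminated function name */
} import_by_name_t;

#define IMAGE_ORDINAL_FLAG32 0x80000000u

/* Return the IAT slot of `func` in a mapped 32-bit image, or NULL if it is not
 * imported by name: walk each descriptor's INT, compare names, FirstThunk + index*4. */
uint32_t *find_iat_slot(uint8_t *base, uint32_t import_dir_rva, const char *func)
{
    const import_descriptor_t *desc = (const import_descriptor_t *)(base + import_dir_rva);
    for (; desc->Name != 0; desc++) {
        if (desc->OriginalFirstThunk == 0)
            continue;              /* no INT, cannot resolve by name */
        const uint32_t *names = (const uint32_t *)(base + desc->OriginalFirstThunk);
        uint32_t *iat = (uint32_t *)(base + desc->FirstThunk);
        for (uint32_t i = 0; names[i] != 0; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG32)
                continue;          /* imported by ordinal, no name to compare */
            const import_by_name_t *ibn = (const import_by_name_t *)(base + names[i]);
            if (strcmp(ibn->Name, func) == 0)
                return &iat[i];
        }
    }
    return NULL;
}

/* Point the IAT slot of `func` at `hook`, saving the old value so the caller can
 * chain to it or write it back later. Returns 1 on success, 0 if not imported. */
int hook_import(uint8_t *base, uint32_t import_dir_rva, const char *func,
                uint32_t hook, uint32_t *saved)
{
    uint32_t *slot = find_iat_slot(base, import_dir_rva, func);
    if (slot == NULL)
        return 0;
    *saved = *slot;
    *slot = hook;
    return 1;
}

/* Constructed sample image (not a real i8042prt.sys): one descriptor for HAL.dll
 * importing WRITE_PORT_UCHAR and READ_PORT_UCHAR. RVAs and the "addresses" in
 * the IAT are made up for the demonstration. */
enum { IMG_SIZE = 0x400, DESC_RVA = 0x100, INT_RVA = 0x200, IAT_RVA = 0x220, NAMES_RVA = 0x300 };
#define ORIG_WRITE_PORT_UCHAR 0x80010040u
#define ORIG_READ_PORT_UCHAR  0x80010000u
#define FAKE_HOOK_ADDR        0xF7A1BEEFu   /* stands in for a hooker's routine */

uint8_t *sample_image(void)
{
    static uint32_t store[IMG_SIZE / 4];   /* uint32_t-backed: thunk accesses stay aligned */
    static const char *funcs[] = { "WRITE_PORT_UCHAR", "READ_PORT_UCHAR" };
    static const uint32_t addrs[] = { ORIG_WRITE_PORT_UCHAR, ORIG_READ_PORT_UCHAR };
    uint8_t *img = (uint8_t *)store;
    import_descriptor_t *desc = (import_descriptor_t *)(img + DESC_RVA);
    uint32_t *int_ = (uint32_t *)(img + INT_RVA), *iat = (uint32_t *)(img + IAT_RVA);
    uint32_t rva = NAMES_RVA;

    memset(store, 0, sizeof store);        /* zero: desc[1], thunk terminators, Hint words */
    strcpy((char *)img + rva, "HAL.dll");
    desc[0].Name = rva;
    desc[0].OriginalFirstThunk = INT_RVA;
    desc[0].FirstThunk = IAT_RVA;
    rva += 8;
    for (int i = 0; i < 2; i++) {
        strcpy((char *)img + rva + 2, funcs[i]);   /* name follows the 2-byte Hint */
        int_[i] = rva;
        iat[i] = addrs[i];
        rva = (rva + 2 + (uint32_t)strlen(funcs[i]) + 2) & ~1u;   /* next even RVA */
    }
    return img;
}

/* Stage 0 = untouched image, 1 = a hooker has replaced READ_PORT_UCHAR,
 * 2 = the saved original written back into the slot. */
uint32_t read_port_uchar_slot(int stage)
{
    uint8_t *img = sample_image();
    uint32_t saved = 0, dummy;
    if (stage >= 1)
        hook_import(img, DESC_RVA, "READ_PORT_UCHAR", FAKE_HOOK_ADDR, &saved);
    if (stage >= 2)
        hook_import(img, DESC_RVA, "READ_PORT_UCHAR", saved, &dummy);   /* restore */
    return *find_iat_slot(img, DESC_RVA, "READ_PORT_UCHAR");
}
```

The lookup keys on the INT (OriginalFirstThunk) rather than the IAT because, once the loader has resolved the image, the IAT holds addresses and no longer names; that is also why a module with no INT is skipped instead of guessed at. In a driver the same walk runs over the mapped i8042prt.sys and the value written is a kernel routine, but the arithmetic is identical.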

smoke
July 2nd, 2008, 21:01
I was waiting for your reply Kayaker.

About manually removing the notify routine. I actually did try removing it manually (by just erasing the entry from the _PspLoadImageNotifyRoutine table) but when I started Rootkit Unhooker it showed that the routine was still present somehow, I have no idea why. Oh btw, I actually noticed that my system became really unstable after a while when both SPTD and Softice were running at the same time (sudden crashes for example). I have no idea if I did something wrong or if SPTD really hates Softice that much.

Hum.. I wonder why Softice fails to patch the keyboard if sptd is running..

Kayaker
July 2nd, 2008, 22:46
What it looks like, the first thing ntoskrnl!_PsSetLoadImageNotifyRoutine does is to create a tagged memory block in _ExAllocateCallBack with the tag 'Cbrb'. You can tell from the pattern that a doubly linked list is being set up to store the addresses of the NotifyRoutine callbacks.

Code:

PAGE:0056CE41 push 'brbC' ; Tag
PAGE:0056CE46 push 0Ch ; NumberOfBytes
PAGE:0056CE48 push 1 ; PoolType
PAGE:0056CE4A call _ExAllocatePoolWithTag@12
PAGE:0056CE4F test eax, eax
PAGE:0056CE51 jz short loc_56CE62
PAGE:0056CE53 mov ecx, [ebp+NotifyRoutine]
PAGE:0056CE56 and dword ptr [eax], 0
PAGE:0056CE59 mov [eax+4], ecx
PAGE:0056CE5C mov ecx, [ebp+arg_4]
PAGE:0056CE5F mov [eax+8], ecx


This is in addition to writing the callback routine to the _PspLoadImageNotifyRoutine callback table, so it seems there are actually 2 references to these callbacks present in system memory.

You could likely find these tagged blocks when they are present with PoolTag. As a guess, RKU might be doing the same thing and that's why it shows the callback still present.


As an aside, it's *really* time for a more advanced PoolTag, where you could explore the actual memory blocks.



>I wonder why Softice fails to patch the keyboard if sptd is running..

??

I'm not sure that patching the i8042prt IAT with the address of the Ntice READ_PORT_UCHAR Hook is needed actually. In theory Softice should do that itself when it starts (which your PsRemoveLoadImageNotifyRoutine call permits).

It might be better to patch the IAT with the *original* i8042prt address, which SPTD has already overwritten, and then load Softice. This would let Softice have the original address (instead of the SPTD one) in case it wants to chain or fall through to that routine. This might help the stability.


Interesting use of ZwLoadDriver to load Softice. I wonder what differences there might be in loading it from kernel mode vs loading it through the usual 'net start ntice'?

Something I've never tested, is nt!PsCallImageNotifyRoutines even called when a driver is loaded by ZwLoadDriver?
If not, then anti-sptd would simply be loading Softice from kernel mode!!

JMI
July 3rd, 2008, 00:18
And Kayaker proves, once again, that he is the resident guru, high potentate, Big Khuna ( Hawaiian word, defined in the Pukui & Elbert Dictionary as "Priest, sorcerer, magician, wizard, minister, expert in any profession) of all things related to Softice inner workings.

Regards,

deroko
July 4th, 2008, 10:20
Quote:
Originally Posted by Kayaker
Interesting use of ZwLoadDriver to load Softice. I wonder what differences there might be in loading it from kernel mode vs loading it through the usual 'net start ntice'?



I do it all the time (with NtLoadDriver from r3)
Code:

.586p
.model flat, stdcall
locals
jumps

include c:\tasm32\include\shitheap.inc   ; deroko's own include set (unis, unicode_string, o macros)
include c:\tasm32\include\extern.inc     ; externs for ntdll/kernel32 calls used below
include ring0.inc
public C start

.data
; registry path of the ntice service, emitted as a wide string by the unis macro
service: unis <\Registry\Machine\System\CurrentControlSet\Services\ntice>
align 4
service_us unicode_string <>             ; UNICODE_STRING filled in by RtlInitUnicodeString
status dd ?                              ; previous privilege state returned by RtlAdjustPrivilege

start:
; enable SeLoadDriverPrivilege on the process token (Enable = 1, CurrentThread = 0)
call RtlAdjustPrivilege, SE_LOAD_DRIVER_PRIVILEGE, 1, 0, o status
call RtlInitUnicodeString, o service_us, o service
; the same service NtLoadDriver that kernel-mode ZwLoadDriver ends up in
call NtLoadDriver, o service_us
call ExitProcess, 0
end start




Quote:

Something I've never tested, is nt!PsCallImageNotifyRoutines even called when a driver is loaded by ZwLoadDriver?
If not, then anti-sptd would simply be loading Softice from kernel mode!!


It should be, if I'm not mistaken, as a LoadImageNotifyRoutine can check whether the image is mapped in user or kernel space via the IMAGE_INFO struct. Bottom line, both (r0 and r3) will end up in KeServiceDescriptorTable.NtLoadDriver, so I guess they will act the same.