simple - Posted May 15, 2015

Had this sitting around and thought I'd see what happens w/it here! Goal is to remove the kernel based protection, from inside the kernel (driver must be loaded). Or make any of the functions in the picture work. Any solution w/driver loaded is valid - patching, custom driver to unload protection, etc. X86.sys or X64.sys must be loaded.

REQUIREMENTS:
- Vista x86/x64 & newer (no xp)
- Admin Privs
- Test Mode Enabled

INSTRUCTIONS: This requires driver test mode enabled. Before running, from an admin cmd prompt type the following, then restart -
bcdedit /set TESTSIGNING on
bcdedit /set loadoptions INTEGRITY_CHECKS_DISABLED

Good luck!

Attachment: MY_NAME_IS_LOADER.rar
mrexodia - Posted May 16, 2015

this should work, didn't want to type your test program all over again so untested (but re-signed).

Attachment: patched.rar
simple (Author) - Posted May 16, 2015 (edited)

excellent work Mr. X ! U get the bronze medal ! I see u patched the strcmp & resigned - there are better ways. This way won't work so well on a real program. I've tested these methods successfully on Avast & Kaspersky but I'm 99.9999999999999% positive they will work on hackshield, punkbuster, tenprotect & any other software w/reliance on ObRegisterCallbacks.

My way - method 1 - Get address of 2nd argument to ObRegisterCallbacks (the handle), add it to base address of driver (EnumDeviceDrivers()/GetDeviceDriverBaseName()), then reference it in a call to ObUnregisterCallback() from a diff. driver & voilà, no more protection : )

Method 2 - mimikatz / gentilkiwi - dl - http://blog.gentilkiwi.com/mimikatz - this tool is serious ; ), dl the tool, the driver is already legit signed too, run !notifobject, get the address of the handle, then pass the address to !notifremove 0xhandle address & voilà.

I'm working on a tool to automate all this, so all u do is load the driver & no more protection.

edit - also I personally prefer my method 1, because mimikatz scans kernel memory address which maybe is a bit dangerous, but it definitely works.

Edited May 16, 2015 by simple
mrexodia - Posted May 16, 2015

Well, didn't say anything about doing it without patches. Oh and I couldn't get OpenProcess to fail with this (the original driver), maybe I did something wrong, but the filter didn't appear to do anything (case insensitive compare fail maybe?). Anyways, thanks for the hints on how to dynamically disable those callbacks. Might be interesting to try some time.
simple (Author) - Posted May 17, 2015

OpenProcess() should work, anything after that shouldn't. If u can terminate the process - it isn't working. Please let me know if it isn't working & I'll ul a new version, but it works on all machines tested for me. Man, I tried that dude from kernelmode.info's DSE exploit & THAT SH!T WORKS AWESOME!!!!! What a kind fellow. So my next challenge will not require driver test mode : ) : ) : )