Tuts 4 You

[CrackMe] my name is loader.exe


simple

Had this sitting around and thought I'd see what happens w/it here!

 

Goal is to remove the kernel-based protection, from inside the kernel (driver must be loaded), or make any of the functions in the picture work. Any solution with the driver loaded is valid: patching, a custom driver to unload the protection, etc. X86.sys or X64.sys must be loaded.

REQUIREMENTS:
- Vista x86/x64 & newer (no XP)
- Admin privileges
- Test Mode enabled

INSTRUCTIONS:
This requires driver test mode enabled. Before running, from an admin cmd prompt type the following, then restart:

bcdedit /set TESTSIGNING on
bcdedit /set loadoptions INTEGRITY_CHECKS_DISABLED

Good luck!
 

[screenshot: 106yo9z.png]

MY_NAME_IS_LOADER.rar


Excellent work, Mr. X! You get the bronze medal!

I see you patched the strcmp & re-signed; there are better ways. This way won't work so well on a real program.

I've tested these methods successfully on Avast & Kaspersky, but I'm 99.9999999999999% positive they will work on HackShield, PunkBuster, TenProtect & any other software with reliance on ObRegisterCallbacks.

My way - method 1 -

Get the address of the 2nd argument to ObRegisterCallbacks (the handle), add it to the base address of the driver (EnumDeviceDrivers()/GetDeviceDriverBaseName()), then reference it in a call to ObUnregisterCallbacks() from a different driver & voilà, no more protection :)

Method 2 - mimikatz / gentilkiwi - download - http://blog.gentilkiwi.com/mimikatz

This tool is serious ;). Download the tool (the driver is already legitimately signed too), run !notifobject, get the address of the handle, then pass the address to !notifremove 0x<handle address> & voilà.

I'm working on a tool to automate all this, so all you do is load the driver & no more protection.

Edit - also, I personally prefer my method 1, because mimikatz scans kernel memory addresses, which maybe is a bit dangerous, but it definitely works.


Edited by simple
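The address arithmetic behind method 1 above, as an added worked example in portable C (not code from this thread, from the crackme or from mimikatz): the static VA of the variable that receives ObRegisterCallbacks' RegistrationHandle is read from a disassembly of X64.sys, turned into an RVA using the PE ImageBase, checked against the section table, and added to the live base that EnumDeviceDrivers()/GetDeviceDriverBaseName() report. The in-memory PE image, both base addresses and the variable name g_CallbackHandle are constructed for the demo; the ObUnregisterCallbacks call itself needs a kernel driver and is shown only in a comment.

```c
/* Added example: the rebasing step of "method 1". The static VA of the
 * variable holding ObRegisterCallbacks' RegistrationHandle is read from a
 * disassembly of the protection driver, turned into an RVA using the PE
 * ImageBase, and added to the live base that EnumDeviceDrivers() reports.
 * The PE image, addresses and names below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_WRITE 0x80000000u

/* Little-endian readers/writers over a raw PE image held in memory. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Offset of the "PE\0\0" signature, or 0 if the image is not a PE. */
static size_t pe_nt_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                 /* "MZ" */
    uint32_t off = rd32(img + 0x3C);                                  /* e_lfanew */
    if ((size_t)off + 24 > len || rd32(img + off) != 0x00004550) return 0;
    return off;
}

/* Preferred ImageBase from the optional header, PE32+ or PE32. */
static int pe_image_base(const uint8_t *img, size_t len, uint64_t *base) {
    size_t nt = pe_nt_offset(img, len);
    if (!nt || nt + 24 + 32 > len) return 0;
    const uint8_t *opt = img + nt + 24;
    uint16_t magic = rd16(opt);
    if (magic == 0x20B) *base = rd64(opt + 24);       /* PE32+: 8-byte ImageBase at +24 */
    else if (magic == 0x10B) *base = rd32(opt + 28);  /* PE32: 4-byte ImageBase at +28 */
    else return 0;
    return 1;
}

/* Characteristics of the section that contains rva; 0 if no section does. */
static int pe_section_flags(const uint8_t *img, size_t len, uint32_t rva, uint32_t *flags) {
    size_t nt = pe_nt_offset(img, len);
    if (!nt) return 0;
    uint16_t nsec = rd16(img + nt + 6);                  /* FileHeader.NumberOfSections */
    size_t sec = nt + 24 + rd16(img + nt + 20);          /* skip FileHeader.SizeOfOptionalHeader */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return 0;
        uint32_t vsize = rd32(img + sec + 8), va = rd32(img + sec + 12);
        if (rva >= va && rva < va + vsize) { *flags = rd32(img + sec + 36); return 1; }
    }
    return 0;
}

/* live_va = live_base + (static_va - ImageBase), accepted only when the RVA
 * falls in a writable section: the handle is stored at run time, so it must
 * live in .data, and a wrong pointer passed on to the kernel means a bugcheck. */
static int rebase_handle_address(const uint8_t *img, size_t len, uint64_t static_va,
                                 uint64_t live_base, uint64_t *live_va) {
    uint64_t image_base; uint32_t flags;
    if (!pe_image_base(img, len, &image_base)) return 0;
    if (static_va < image_base || static_va - image_base > 0xFFFFFFFFull) return 0;
    uint32_t rva = (uint32_t)(static_va - image_base);
    if (!pe_section_flags(img, len, rva, &flags) || !(flags & IMAGE_SCN_MEM_WRITE)) return 0;
    *live_va = live_base + rva;
    return 1;
}

/* Constructed stand-in for X64.sys: PE32+ headers and a two-section table, no code. */
#define SAMPLE_LEN 0x400
static void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    wr16(img, 0x5A4D); wr32(img + 0x3C, 0x40);
    uint8_t *nt = img + 0x40, *opt = nt + 24, *sec = opt + 0xF0;
    wr32(nt, 0x00004550); wr16(nt + 4, 0x8664); wr16(nt + 6, 2); wr16(nt + 20, 0xF0);
    wr16(opt, 0x20B); wr64(opt + 24, 0x140000000ull);                    /* ImageBase */
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x2000); wr32(sec + 12, 0x1000);
    wr32(sec + 36, 0x60000020);                                           /* CODE|EXECUTE|READ */
    sec += 40;
    memcpy(sec, ".data", 5); wr32(sec + 8, 0x1000); wr32(sec + 12, 0x3000);
    wr32(sec + 36, 0xC0000040);                                           /* IDATA|READ|WRITE */
}

/* Invented live base, as EnumDeviceDrivers() would report it for X64.sys. */
#define LIVE_BASE 0xFFFFF80012340000ull

/* Rebase one static VA against the sample image; 0 means "refused". */
static uint64_t sample_rebase(uint64_t static_va) {
    uint8_t img[SAMPLE_LEN]; uint64_t live_va = 0;
    build_sample_image(img);
    return rebase_handle_address(img, SAMPLE_LEN, static_va, LIVE_BASE, &live_va) ? live_va : 0;
}

int main(void) {
    uint64_t va = sample_rebase(0x140003020ull);   /* g_CallbackHandle as seen in IDA (invented) */
    printf("handle variable at 0x%llx\n", (unsigned long long)va);
    /* Hand va to the second driver (e.g. over an IOCTL). There, with no WDK
     * available here to compile it, the final step is:
     *   if (MmIsAddressValid((PVOID)va)) ObUnregisterCallbacks(*(PVOID *)va);
     * i.e. dereference: the API wants the handle value, not its address. */
    return va ? 0 : 1;
}
```

Two points the post glosses over and the code makes explicit: ObUnregisterCallbacks takes the handle value, so the unloading driver dereferences the rebased address rather than passing it; and because both the RVA and the live base arrive from user mode, a stray pointer here is a bugcheck rather than a failed unregister, which is why the writable-section check refuses anything outside .data.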

Well, you didn't say anything about doing it without patches :) Oh, and I couldn't get OpenProcess to fail with this (the original driver); maybe I did something wrong, but the filter didn't appear to do anything (case-insensitive compare fail maybe?).

Anyways, thanks for the hints on how to dynamically disable those callbacks. Might be interesting to try some time.


OpenProcess() should work; anything after that shouldn't. If you can terminate the process, it isn't working. Please let me know if it isn't working & I'll upload a new version, but it works on all the machines I've tested.

Man, I tried that dude from kernelmode.info's DSE exploit & THAT SH!T WORKS AWESOME!!!!! What a kind fellow. So my next challenge will not require driver test mode :) :) :)


