Warden: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 1: | Line 1: | ||
==Current methods of attack== | ==Current methods of attack== | ||
*Hashing module names | *Hashing module names | ||
**Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes. | |||
*Hashing regions of memory | *Hashing regions of memory | ||
'''Offset Size''' | '''Offset Size''' | ||
| Line 28: | Line 29: | ||
**OoOoOoooo0oOO | **OoOoOoooo0oOO | ||
**BG_DESERTER | **BG_DESERTER | ||
==Exploits== | ==Exploits== | ||
Some exploits i'm willing to make public are: | Some exploits i'm willing to make public are: | ||
Revision as of 05:23, 1 September 2008
Current methods of attack
- Hashing module names
- Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.
- Hashing regions of memory
Offset Size 0x420541 0xA 0x48A2CC 0x6 0x48A2F0 0x5 0x48D4A0 0xC 0x490430 0xC 0x49DBB2 0x7 0x4AA9C2 0x5 0x5CDC20 0x6 0x61535A 0x9 0x681778 0x5 0x7B9D42 0x6 0x7BAA98 0xC 0x8C8398 0x8 0x8C845C 0x8 0x8F7AC8 0x8 0xB93714 0x8
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain LUA strings are loaded
- OoOoOoooo0oOO
- BG_DESERTER
Exploits
Some exploits i'm willing to make public are:
- VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
- Module32First/Next - You can either use these API to hide your module.
- An alternative to this is just to remove your module from the PEB linked list.