CZ3R0C Grandmaster Cheater Reputation: 0
Joined: 17 Nov 2006 Posts: 792
Posted: Thu May 17, 2007 10:00 am Post subject: npptNT2.sys dasm?
Has anyone ever disassembled npptNT2.sys (might be npptNT.sys)? I was wondering because it has some very interesting API calls in it. So far I see:
Edit: lolerz, they b ntoskrnl.exe calls
MmAllocateNonCachedMemory
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
Ke386SetIoAccessMap
Ke386IoSetAccessProcess
IoGetCurrentProcess
MmFreeNonCachedMemory
IoDeleteSymbolicLink
------------------------ (Nice rootkit ya got there) Strings:
Entering DriverEntry
ERROR:IoCreateSymbolicLink failed
ERROR:IoCreateDevice failed
Leaving DriverEntry
Entering PortIoDispatch
IRP_MJ_CREATE
IRP_MJ_CLOSE
IRP_MJ_DEVICE_CONTROL
IOCTL_PORTIO_ENABLEDIRECTIO
IOCTL_PORTIO_DISABLEDIRECTIO
ERROR: Unknown IRP_MJ_DEVICE_CONTROL
Leaving PortIoDispatch
Entering PortIoUnload
ERROR: IoDeleteSymbolicLink
Leaving PortIoUnload
NB10
E:\Work\Gameguard\npsc\ref\PortIO\sys\Release\npptNT2.pdb
I also saw this insignificant address in there: 041204b0
I assume the DriverEntry point is \Device\NPPTNT2\DosDevices\NPPTNT2
it Unloads from \DosDevices\NPPTNT2
appalsap Moderator Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Thu May 17, 2007 12:03 pm Post subject:
Wow, RtlInitUnicodeString, that looks dangerous. GUYS I THINK IT'S A ROOTKIT
the_undead Expert Cheater Reputation: 1
Joined: 12 Nov 2006 Posts: 235 Location: Johannesburg, South Africa
Posted: Thu May 17, 2007 12:30 pm Post subject:
My thoughts exactly.
CZ3R0C Grandmaster Cheater Reputation: 0
Joined: 17 Nov 2006 Posts: 792
Posted: Thu May 17, 2007 12:35 pm Post subject:
Well...just fuck it then -_-.
-------------------------------------
I was being sarcastic -_-. If they don't want people to hack it, then they should have an encrypted resource, or at least make the file hidden.
Sooo... GG is packed with Themida now -_-
linden Master Cheater Reputation: 0
Joined: 10 Mar 2006 Posts: 319
Posted: Thu May 17, 2007 5:43 pm Post subject:
Oh...
The functions of interest to us in this driver are
Ke386SetIoAccessMap
Ke386IoSetAccessProcess
This fucking driver opens up security holes in the IOPM, so that GG can access hardware (e.g. the keyboard) directly from user mode, but nothing more.
More important is "dump_wmimmc.sys", which does all the dirty work and rootkit-like stuff, so you might want to take a look at it, or decrypt (almost impossible though) it.
CZ3R0C Grandmaster Cheater Reputation: 0
Joined: 17 Nov 2006 Posts: 792
Posted: Thu May 17, 2007 8:33 pm Post subject:
linden wrote: | Oh...
The functions of interest to us in this driver are
Ke386SetIoAccessMap
Ke386IoSetAccessProcess
This fucking driver opens up security holes in the IOPM, so that GG can access hardware (e.g. the keyboard) directly from user mode, but nothing more.
More important is "dump_wmimmc.sys", which does all the dirty work and rootkit-like stuff, so you might want to take a look at it, or decrypt (almost impossible though) it. |
Ke386IoSetAccessProcess
PEPROCESS IoGetCurrentProcess(void)
and
void __fastcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost)
extrn IofCompleteRequest
extrn __imp_Ke386SetIoAccessMap
extrn __imp_Ke386IoSetAccessProcess
I actually removed the Ke386IoSetAccessProcess function with a hex editor, then I corrected the CRC. I got as far as "hacking attempt detected"... but imma try it again.
Looks like oreans.sys is built into that *.sys file.
Last edited by CZ3R0C on Tue May 22, 2007 6:46 am; edited 1 time in total
linden Master Cheater Reputation: 0
Joined: 10 Mar 2006 Posts: 319
Posted: Thu May 17, 2007 10:31 pm Post subject:
CZ3R0C wrote: |
I actually removed the Ke386IoSetAccessProcess function with a hex editor, then I corrected the CRC. I got as far as "hacking attempt detected"... but imma try it again. |
You can't simply disable that driver. When GG finds that all I/O port accesses are disabled, it will close the game. If you don't like GG accessing I/O ports directly, let that fucking driver load once, and then later reset the whole I/O permission map to block any user-mode I/O port access (you'll have to write your own driver to do that, though).
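To make the IOPM point from the two linden posts above concrete, here is an added example that is not code from this thread, from GameGuard or from npptNT2.sys: a plain user-mode C model of the 8 KiB x86 I/O permission bitmap that Ke386SetIoAccessMap(1, map) installs in the TSS and Ke386IoSetAccessProcess(IoGetCurrentProcess(), 1) switches on for the calling process (both are undocumented, 32-bit-only ntoskrnl exports and are not called here). The assumption that IOCTL_PORTIO_ENABLEDIRECTIO opens every port is mine; the driver's strings only show that the IOCTL exists. The "reset the whole map" countermeasure linden describes is the 0xFF fill; port numbers 0x60/0x64 are just the classic PS/2 keyboard ports used as sample input.

```c
/* Model of the x86 I/O permission bitmap (IOPM) that npptNT2.sys manipulates.
 * Added example in plain user-mode C, not the driver's own code. The real driver
 * would install a map with Ke386SetIoAccessMap(1, map) and enable it for the
 * current process with Ke386IoSetAccessProcess(IoGetCurrentProcess(), 1);
 * neither call is made here. What ENABLEDIRECTIO actually opens is an
 * assumption (modelled as "every port"); the strings alone don't show it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOPM_SIZE 8192            /* 65536 ports, one bit per port */

typedef struct { uint8_t bits[IOPM_SIZE]; } iopm_t;

/* CPU semantics: a set bit means IN/OUT on that port from ring 3 raises #GP,
 * a clear bit means the access goes straight to the hardware. */
void iopm_deny_all(iopm_t *m)  { memset(m->bits, 0xFF, IOPM_SIZE); }
void iopm_allow_all(iopm_t *m) { memset(m->bits, 0x00, IOPM_SIZE); }

void iopm_allow_port(iopm_t *m, uint16_t port) {
    m->bits[port >> 3] &= (uint8_t)~(1u << (port & 7));
}
void iopm_deny_port(iopm_t *m, uint16_t port) {
    m->bits[port >> 3] |= (uint8_t)(1u << (port & 7));
}

/* A multi-byte access (IN AX / IN EAX) is permitted only if every byte of the
 * range is permitted; a range running past port 0xFFFF always traps. */
bool iopm_access_allowed(const iopm_t *m, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++) {
        unsigned p = (unsigned)port + i;
        if (p > 0xFFFFu) return false;
        if (m->bits[p >> 3] & (1u << (p & 7))) return false;
    }
    return true;
}

/* Audit metric: how many ports user mode can currently touch. */
unsigned iopm_count_open_ports(const iopm_t *m) {
    unsigned open = 0;
    for (unsigned p = 0; p < 65536u; p++)
        if (!(m->bits[p >> 3] & (1u << (p & 7)))) open++;
    return open;
}

/* The two IOCTLs named in the driver's strings, as assumed in this model. */
void portio_enable_direct_io(iopm_t *m)  { iopm_allow_all(m); }
void portio_disable_direct_io(iopm_t *m) { iopm_deny_all(m); }

/* linden's countermeasure: once the driver has run, your own driver re-installs
 * an all-0xFF map. In this model that is iopm_deny_all(); on a real map it makes
 * every user-mode IN/OUT trap, which is why GG then complains and exits. */

int main(void) {
    static iopm_t map;                      /* 8 KiB, keep it off the stack */
    portio_enable_direct_io(&map);
    printf("after ENABLEDIRECTIO: %u ports open\n", iopm_count_open_ports(&map));
    iopm_deny_all(&map);
    iopm_allow_port(&map, 0x60);            /* PS/2 keyboard data port */
    iopm_allow_port(&map, 0x64);            /* PS/2 keyboard status/command port */
    printf("keyboard-only map: %u ports open, word read at 0x60 %s\n",
           iopm_count_open_ports(&map),
           iopm_access_allowed(&map, 0x60, 2) ? "allowed" : "traps");
    return 0;
}
```

The keyboard-only map is the minimal thing a driver like this would need if it really only wanted the keyboard; an all-zero map hands every port on the machine to whatever user-mode code runs in that process, which is the "security hole" linden is talking about.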
CZ3R0C Grandmaster Cheater Reputation: 0
Joined: 17 Nov 2006 Posts: 792
Posted: Fri May 18, 2007 6:07 am Post subject:
LOL, npggt.des (DLL) calls its own hooked APIs instead of calling them from the necessary *.dlls.
Also, interestingly, npggNT.des (DLL) calls Kernel32.Sleep (looks exploitable to me).