We all know that GameGuard (gg) overwrites the first 5 bytes of KeAttachProcess, KeStackAttachProcess and KiAttachProcess. Now they have extended this method to the following functions as well:
NtOpenProcess
NtReadVirtualMemory
NtWriteVirtualMemory
NtProtectVirtualMemory
NtDeviceIoControlFile
The first 5 bytes of each of these functions are altered, and they have stopped hooking the SSDT entries for these functions. (The only SSDT hook that remains now is for NtUserSendInput, but I think sooner or later they will overwrite this one too!)
I've never used Saruen or GR, but I imagine that they worked by avoiding the hooked SSDT. But now the function body itself is hooked, so in order to make a new bypass you need to make jumpers for all these functions, just as you did with KxxxAttachProcess in jumper.c. (Well, CE itself doesn't directly call NtOpenProcess, NtReadVirtualMemory and NtWriteVirtualMemory, but you might want to make a bypass for NtProtectVirtualMemory. As for NtDeviceIoControlFile, it's going to be tricky, so the easiest would be to change the IOCTL codes and their parameter format as usual.)
By the way, here's the file image of dump_wmimmc.sys for rev939.