- // Current command...
- // conveniently our hypervisor driver and DLL, which are test-signed, are both of length 0x4A. We filter NtQueryAttributesFile and NtOpenFile on ours.
- // condition checks if process executing syscall is BEService.exe
- // --- First !syscall hook: logs every syscall from BEService.exe and tampers with two of them ---
- // condition: the hex is assembled machine code (decoded under "Raw form:" at the end of
- //   this paste); it returns nonzero when the current process's _EPROCESS.ImageFileName
- //   starts with "BEServic", so only that process's syscalls reach the script.
- // script: per the author's fastcall note, @rcx/@rdx/@r8/@r9 carry the first four
- //   arguments, later ones sit on the caller's stack (@rsp + ...), and @rax holds the
- //   syscall number. The number -> Nt* labels are the author's and only hold for the
- //   Windows build this was written against (syscall numbers move between builds).
- // OBJECT_ATTRIBUTES decoding used throughout: poi(ObjAttr + 0x10) is ObjectName
- //   (PUNICODE_STRING, see the author's "ObjectAttributes->ObjectName" annotation in the
- //   second !syscall hook) and dq(ObjectName + 0x8) is its Buffer, which %ws prints.
- // imm yes: every printf is emitted immediately.
- !syscall condition { 65488B042588010000488B80B8000000488B80A805000048B942455365727669634839C874054831C0EB0748C7C001000000C3 } script {
- // fastcall (rcx, rdx, r8, r9, stack)
- if (@rax == 0x17) {
- // NtQueryValueKey: @rdx = ValueName (PUNICODE_STRING); +0x8 = Buffer
- printf("[*]BES:TID:%d: NtQueryValueKey: %ws\n", $tid, dq(@rdx+0x8));
- }
- elsif (@rax == 0x7) {
- // NtDeviceIoControlFile: @rcx = FileHandle.
- // NOTE(review): the last argument is (@rsp + 0x30) itself, i.e. the address of the
- // stack slot, whereas every other case reads memory through dq()/poi(); presumably
- // dq(@rsp + 0x30) was intended -- confirm. The format string also prints "0x %llx"
- // with a space inside the hex prefix.
- printf("[*]BES:TID:%d: NtDeviceIoControlFile: Handle: %d\n \tIOCTL: 0x %llx\n", $tid, @rcx, (@rsp + 0x30));
- }
- elsif (@rax == 0x12) {
- // NtOpenKey: @r8 = ObjectAttributes. @r8 is dereferenced without a NULL/validity
- // check here (contrast the 0x48 case below, and check_address() in the second hook).
- printf("[*]BES:TID:%d: NtOpenKey: %ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- elsif (@rax == 0x1d) {
- // NtCreateKey: @r8 = ObjectAttributes, same decoding as 0x12 (also unguarded).
- printf("[*]BES:TID:%d: NtCreateKey: %ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- elsif (@rax == 0x16) {
- // NtQueryKey: @rdx = KeyInformationClass
- printf("[*]BES:TID:%d: NtQueryKey: KeyInfoClass: %d\n", $tid, @rdx);
- }
- elsif (@rax == 0x36) {
- // NtQuerySystemInformation: @rcx = SystemInformationClass
- printf("[*]BES:TID:%d: NtQuerySystemInformation: SystemInformationClass: %d\n", $tid, @rcx);
- }
- elsif (@rax == 0x3d) {
- // NtQueryAttributesFile: @rcx = ObjectAttributes. wcslen() counts UTF-16 units, so
- // StringLen == 0x4A means a 74-character name -- the length the header comment says
- // the author's test-signed driver and DLL share. On a match @rcx is zeroed before the
- // syscall proceeds, so the kernel receives a NULL ObjectAttributes (the author's
- // "MAKING CHK FAIL?" intent). The author's own "not safe?" note stands: the original
- // pointer is not restored and the caller's reaction to the failed call is not
- // observed. Note the header comment names NtOpenFile, but it is NtCreateFile (0x55)
- // that gets the same treatment; NtOpenFile (0x33) below only logs.
- StringLen = wcslen(dq(poi(@rcx+0x10)+0x8));
- if (StringLen == 0x4A)
- {
- printf("[*]BES:TID:%d: NtQueryAttributesFile:%ws\nMAKING CHK FAIL?\n", $tid, dq(poi(@rcx+0x10)+0x8));
- @rcx = 0; //<- not safe?
- //strPtr = (poi(@rcx+0x10)+0x8);
- //*strPtr = 0xDEADBEEFDEADBEEF;
- //printf("\t\tNew:%ws\n", dq(poi(@rcx+0x10)+0x8));
- } else { printf("[*]BES:TID:%d: NtQueryAttributesFile: %ws\n", $tid, dq(poi(@rcx+0x10)+0x8)); }
- }
- elsif (@rax == 0x19) {
- // NtQueryInformationProcess: @rcx = ProcessHandle (printed as signed decimal via %d)
- printf("[*]BES:TID:%d: NtQueryInformationProcess: Handle: %d\n", $tid, @rcx);
- }
- elsif (@rax == 0x142) {
- // NtQueryDirectoryFileEx: @rcx = FileHandle; the FileName argument is not read here
- // (the second !syscall hook attempts that via the caller's frame).
- printf("[*]BES:TID:%d: NtQueryDirectoryFileEx: FileHandle: %d \n", $tid, @rcx);
- }
- elsif (@rax == 0x48) {
- // NtCreateEvent: @r8 = ObjectAttributes, which may be NULL; this is the only case
- // that guards the dereference.
- printf("[*]BES:TID:%d: NtCreateEvent:\n", $tid);
- if (@r8 != 0) {
- printf("\nName:%ws\n", dq(poi(@r8+0x10)+0x8));
- }
- }
- elsif (@rax == 0x55) {
- // NtCreateFile: @rcx = FileHandle (output pointer), @r8 = ObjectAttributes. Same
- // 0x4A length test as the 0x3d case; on a match both @r8 and @rcx are zeroed, so the
- // kernel sees a NULL ObjectAttributes and a NULL FileHandle output pointer.
- StringLen = wcslen(dq(poi(@r8+0x10)+0x8));
- if (StringLen == 0x4A)
- {
- printf("[*]BES:TID:%d: NtCreateFile:%ws\nMAKING CHK FAIL\n", $tid, dq(poi(@r8+0x10)+0x8));
- @r8 = 0;
- @rcx = 0;
- } else { printf("[*]BES:TID:%d: NtCreateFile: %ws\n", $tid, dq(poi(@r8+0x10)+0x8)); }
- }
- elsif (@rax == 0x33) {
- // NtOpenFile: @r8 = ObjectAttributes; log only, no length test.
- printf("[*]BES:TID:%d: NtOpenFile: %ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- elsif (@rax == 0x6) {
- // NtReadFile: @rcx = FileHandle
- printf("[*]BES:TID:%d: NtReadFile: Handle:0x %llx\n", $tid, @rcx);
- }
- elsif (@rax == 0x119) {
- // NtNotifyChangeKey: @rcx = KeyHandle, @rdx = Event
- printf("[*]BES:TID:%d: NtNotifyChangeKey:KeyHdle:0x %llx, EvntHdle: 0x %llx\n", $tid, @rcx, @rdx);
- }
- elsif (@rax == 0x120) {
- // NtOpenKeyEx: @r8 = ObjectAttributes
- printf("[*]BES:TID:%d: NtOpenKeyEx: :%ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- // Anything not listed above: log the raw syscall number so gaps in the table show up.
- else { printf("[-]BES:TID:%d: Uncased syscall: 0x%x\n", $tid, @rax);
- }
- } imm yes
- // --- !sysret hook (stub) with the same process condition as the !syscall hooks ---
- // NOTE(review): the script body is `if ()` with no condition and no block, which does
- // not match the if/elsif form used elsewhere in this paste and looks like it will not
- // parse; the trailing `imm yes/no` clause the other hooks carry is also missing.
- // Either complete it or remove it before loading. Also, at the return point @rax
- // presumably holds the call's NTSTATUS rather than the syscall number, so the
- // @rax-based dispatch from the !syscall hooks would not carry over as-is -- confirm.
- !sysret condition { 65488B042588010000488B80B8000000488B80A805000048B942455365727669634839C874054831C0EB0748C7C001000000C3 } script {
- // fastcall (rcx, rdx, r8, r9, stack)
- if ()
- }
- // --- Second !syscall hook: logging-only variant (same process condition, no argument
- //   tampering). Differences from the first !syscall hook above: longer message
- //   prefixes, NtCreateFile prints the name length instead of acting on it, and
- //   NtQueryDirectoryFileEx tries to print the FileName argument via the caller's frame.
- // Register decoding is the author's fastcall note: @rcx/@rdx/@r8/@r9 = first four
- //   arguments, @rax = syscall number (build-specific numbering).
- // imm yes: every printf is emitted immediately.
- !syscall condition { 65488B042588010000488B80B8000000488B80A805000048B942455365727669634839C874054831C0EB0748C7C001000000C3 } script {
- // fastcall (rcx, rdx, r8, r9, stack)
- if (@rax == 0x17) {
- // NtQueryValueKey: @rdx = ValueName (PUNICODE_STRING); +0x8 = Buffer
- printf("[*]BEService.exe (TID:%d): NtQueryValueKey : ValueName:%ws\n", $tid, dq(@rdx+0x8));
- }
- elsif (@rax == 0x7) {
- // NtDeviceIoControlFile: @rcx = FileHandle.
- // NOTE(review): (@rsp + 0x30) is passed as a value, i.e. the stack slot's address,
- // not its contents (other cases use dq()/poi()); presumably dq(@rsp + 0x30) was
- // intended. The format string looks unfinished: "0 x %llx" has spaces in the hex
- // prefix and it ends with "\tOutBufLen:" with no matching argument and no newline.
- printf("[*]BEService.exe (TID:%d): NtDeviceIoControlFile : Handle: %d\n \tIoControlCode: 0 x %llx\n\tOutBufLen:", $tid, @rcx, (@rsp + 0x30));
- }
- elsif (@rax == 0x12) {
- // NtOpenKey: @r8 = ObjectAttributes; poi(@r8+0x10) = ObjectName, +0x8 = Buffer.
- // Dereferenced without a validity check (check_address() is only used in the 0x142 case).
- printf("[*]BEService.exe (TID:%d): NtOpenKey : ObjectAttributes->ObjectName:%ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- elsif (@rax == 0x36) {
- // NtQuerySystemInformation: @rcx = SystemInformationClass
- printf("[*]BEService.exe (TID:%d): NtQuerySystemInformation : SystemInformationClass: %d\n", $tid, @rcx);
- }
- elsif (@rax == 0x19) {
- // NtQueryInformationProcess: @rcx = ProcessHandle
- printf("[*]BEService.exe (TID:%d): NtQueryInformationProcess : Handle: %d\n", $tid, @rcx);
- }
- elsif (@rax == 0x142) {
- // NtQueryDirectoryFileEx: @rcx = FileHandle. The FileName (PUNICODE_STRING) argument
- // is fetched from @rbp + 0x58, i.e. through the caller's frame pointer rather than
- // @rsp; that only holds if the calling code keeps a frame pointer with exactly that
- // layout -- verify against the caller before trusting it.
- // NOTE(review): poi(@rbp + 0x58) is dereferenced to build the argument of the first
- // check_address() call, so that read itself runs unguarded; only the Buffer-field
- // address and the Buffer pointer are validated.
- printf("[*]BEService.exe (TID:%d): NtQueryDirectoryFileEx : FileHandle: %d \n", $tid, @rcx);
- isValid = check_address( poi(@rbp + 0x58) + 0x8 );
- if (isValid == 1) {
- is_valid = check_address( dq(poi(@rbp + 0x58) + 0x8) );
- if (is_valid == 1) {
- // dd() reads 4 bytes; assuming UNICODE_STRING layout this is Length in the low 16
- // bits with MaximumLength in the high 16 bits, not Length alone.
- printf("\tFileName->Length: %d\n", dd( poi(@rbp + 0x58)) );
- printf("\tFileName param using stack: %ws\n", dq( poi(@rbp + 0x58) + 0x8) );
- } else { printf("\tNo filename addr or we failed to offset it?\n"); }
- } else { printf("\tNo filename addr or we failed to offset it?\n"); }
- printf("\n");
- }
- elsif (@rax == 0x55) {
- // NtCreateFile: @r8 = ObjectAttributes. Logs the name and its wcslen() (UTF-16 unit
- // count); unlike the first !syscall hook, nothing is modified here.
- StringLen = wcslen(dq(poi(@r8+0x10)+0x8));
- printf("[*]BEService.exe (TID:%d): NtCreateFile : ObjectAttributes->ObjectName:%ws\n Name Length: %d\n", $tid, dq(poi(@r8+0x10)+0x8), StringLen);
- }
- elsif (@rax == 0x33) {
- // NtOpenFile: @r8 = ObjectAttributes
- printf("[*]BEService.exe (TID:%d): NtOpenFile : ObjectAttributes->ObjectName:%ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- elsif (@rax == 0x6) {
- // NtReadFile: @rcx = FileHandle
- printf("[*]BEService.exe (TID:%d): NtReadFile : Handle:%llx\n", $tid, @rcx);
- }
- elsif (@rax == 0x120) {
- // NtOpenKeyEx: @r8 = ObjectAttributes
- printf("[*]BEService.exe (TID:%d): NtOpenKeyEx : ObjectAttributes->ObjectName:%ws\n", $tid, dq(poi(@r8+0x10)+0x8));
- }
- // Anything not listed above: log the raw syscall number.
- else { printf("[-](TID:%d): Uncased syscall triggered for BEService.exe: 0x%x\n", $tid, @rax); }
- } imm yes
- /*if (strLen == 74) {
- printf("\tOur Driver? I'll pass null: %ws\n", (dq(poi(@r8+0x10)+0x8) + (strLen * 2) - (12 * 2)));
- // pass a null ptr for it to fail?
- //@rcx = 0;
- }*/
- // --- EPT hook on nt!NtQuerySystemInformation (test hook) ---
- // condition bytes decode to: 90 = nop, 48 ff c0 = inc rax, c3 = ret; the condition
- // therefore returns rax + 1, which is nonzero (true) for any incoming rax other than
- // -1 -- the author relies on it always evaluating to true.
- // imm no: the "Test %d" message is not emitted immediately; it also has no trailing
- // newline, so it will run into whatever is printed next.
- !epthook nt!NtQuerySystemInformation condition { 90 48 ff c0 c3 } script { printf("Test %d", 1); } imm no
- Raw form: 65488B042588010000488B80B8000000488B80A805000048B942455365727669634839C874054831C0EB0748C7C001000000C3
- # Decoding of the condition hex used by the !syscall / !sysret hooks above.
- # Returns rax = 1 when the current process's _EPROCESS.ImageFileName begins with
- # "BEServic", else rax = 0. Writes rax, rcx and flags. The three offsets (0x188,
- # 0xb8, 0x5a8) are _KPCR/_KTHREAD/_EPROCESS field positions for one specific Windows
- # build and are not stable across builds.
- mov rax, gs:[0x188] # Current thread (_KTHREAD)
- mov rax, [rax+0xb8] # Current process (_EPROCESS)
- mov rax, [rax+0x5a8] # (_EPROC + 0x5a8) ImageFileName -- loads only the first 8 bytes of the name
- movabs rcx, 0x6369767265534542 # "BEServic" as little-endian bytes (reads "civreSEB" when the hex is read left to right)
- cmp rax, rcx # 8-byte prefix compare: any image name starting with "BEServic" matches, not only BEService.exe
- je ReturnTrue
- xor rax, rax # no match -> 0 (48 31 C0 in the raw form)
- jmp Return
- ReturnTrue:
- mov rax, 0x1 # match -> 1; encoded as 48 C7 C0 01 00 00 00, keep the raw hex in sync if this changes
- Return:
- ret