Cracker:KernelKiller
program:Themida Demo Release: 1.0.0.2


:)英文不会写了, 来点中文做全面介绍.
众所周知,Themida系列的软件都对内核进行了处理,以达到保护目的。这些保护包括监听函数(注:对保护进程的写和读...)、监听中断(注:异常和单步...)等等来实现。下面我来剖析工作在WIN2K的Themida对系统的监听函数。我提供的这一小部分分析,不能让你完全的操控Themida,但能让你明白Themida在内核中的一点点原理,让你更了解Themida。没话说了,就讲到这里:)

Working on Win2K, Themida hooks all of the following kernel functions:
NtAllocateVirtualMemory
ZwCreateThread
ZwQueryVirtualMemory
ZwReadVirtualMemory
NtRequestWaitReplyPort
ZwTerminateProcess
ZwWriteVirtualMemory

;-----------------------------------------------------------------------
; Themida hook for NtAllocateVirtualMemory (Win2K, 6 stack args -> retn 18h)
; Purpose: refuse to run the real service when the ProcessHandle argument
;          resolves to a process listed in the table at EBABB000h, unless
;          the caller is that process itself.
; In:    [ebp+8] = ProcessHandle (first argument)
; Out:   either tail-jumps to the real routine at 804C73E8h, or returns
;        without calling it (eax is then whatever the caller had in eax).
; Notes: every kernel address is hard-coded for one ntoskrnl build, so the
;        hook only works on -- and is only recognisable on -- that build.
;-----------------------------------------------------------------------
Themida_NtAllocateVirtualMemory:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom: edx = address of the pop below
                pop     edx
                sub     edx, 56C67F5h                   ; edx = position-independent base for the hook's own data
                cmp     dword ptr [esp+28h], 0FFFFFFFFh ; [esp+28h] = first arg (ProcessHandle); -1 is the current-process pseudo-handle, not NULL
                jz      short loc_EB98CC4E              ; caller is working on its own process: pass straight to the real function
                push    edx                             ; save base across the call (edx is volatile)

                push    0                               ; HandleInformation = NULL
                lea     eax, [edx+56C687Eh]             ; &Object: one fixed slot shared by every caller of this hook
                push    eax                             
                push    0                               ; AccessMode = KernelMode
                xor     eax, eax 
                push    eax                             ; ObjectType = NULL (no type check)
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+8]               ; ProcessHandle
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded ntoskrnl address)
                call    eax
                ; ObReferenceObjectByHandle(ProcessHandle, 0x10, NULL, KernelMode, &Object, NULL)
    ; NOTE(review): the reference taken here is never released anywhere in this listing, so each
    ; call that reaches this point leaks one reference on the target process object.
                pop     edx                             ; restore base
                cmp     dword ptr [edx+56C687Eh], 0
                jz      near ptr 0EB98C6EDh             ; object == 0 (lookup failed): jumps to 0EB98C6EDh, which the author reports is not valid code -> system crash
                mov     eax, [edx+56C687Eh]             ; eax = target process object
                mov     ebx, eax
                and     ebx, 7FFFFFFFh                  ; ebx = same pointer with bit 31 cleared; entries are matched against both forms (reason not shown here)
                mov     esi, 0EBABB000h                 ; protected-process table: leading marker dword, entries, then 47616420h as end marker
loc_EB98CC17:
///////////////////////////////////////////////////////////////////////////////////// table scan
                add     esi, 4                          ; pre-increment skips the leading marker dword
                cmp     dword ptr [esi], 47616420h      ; end marker "Gad " (bytes 20 64 61 47 in the dump): target is not protected
                jz      short loc_EB98CC4E              ; -> call the real function
                cmp     [esi], eax                    
                jz      short loc_EB98CC2C              ; entry equals the target process object -> protected
                cmp     [esi], ebx
                jz      short loc_EB98CC2C              ; same, with bit 31 cleared
                jmp     short loc_EB98CC17
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC2C:
///////////////////////////////////////////////////////////////////////////////////// target is a protected process
                push    fs
                mov     eax, 30h
                mov     fs, ax                          ; selector 30h = the kernel-mode KPCR segment
                mov     eax, large fs:124h              ; current ETHREAD (KPCR -> PRCB -> CurrentThread)
                mov     eax, [eax+44h]                  ; the current thread's KPROCESS
                pop     fs
                cmp     eax, [edx+56C687Eh]             ; is the caller the protected process itself?
                jz      short loc_EB98CC4E              ; yes: it may allocate in its own address space
/////////////////////////////////////////////////////////////////////////////////////
                popa
                pop     ebp
                retn    18h                             ; deny: return WITHOUT calling the real function; the NTSTATUS in eax is just the caller's original eax restored by popa
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CC4E:
///////////// pass-through to the real function
                popa
                pop     ebp
                push    804C73E8h                       ; real NtAllocateVirtualMemory (hard-coded)
                retn                                    ; tail-jump via push/ret; the real routine returns to the original caller

//EBABB000h data,length 20h
//47616420h address end marking
//81407D60h Themida protect process object
00000000h: 20 64 61 47 60 7D 40 81 20 64 61 47 00 00 00 00 ;  daG`}@?daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................


;-----------------------------------------------------------------------
; Themida hook for ZwCreateThread (Win2K, 8 stack args -> retn 20h)
; Purpose: refuse to create a thread in a process listed in either of two
;          tables (EBABB000h and EBABB000h+3E8h) unless the caller is that
;          process itself.
; In:    [ebp+14h] = ProcessHandle (fourth argument)
; Out:   tail-jumps to the real routine at 804DF0F8h, or returns without
;        calling it (eax is then the caller's original eax).
; Notes: the -1 shortcut at the top tests [esp+28h], which is the FIRST
;        argument (the ThreadHandle out-pointer), not the process handle
;        used below -- presumably copied from the other hooks; confirm.
;-----------------------------------------------------------------------
Themida_ZwCreateThread:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx
                sub     edx, 5676055h                   ; edx = position-independent base for the hook's data
                cmp     dword ptr [esp+28h], 0FFFFFFFFh ; first argument == -1 ? (see header: this is not the process handle)
                jz      short loc_EB98CD44              ; -> real function
                push    edx                             ; save base across the call

                push    0                               ; HandleInformation = NULL
                lea     eax, [edx+56760DAh]             ; &Object: fixed slot for the resolved process object
                push    eax
                push    0                               ; AccessMode = KernelMode
                xor     eax, eax
                push    eax                             ; ObjectType = NULL
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+14h]             ; ProcessHandle (fourth argument of ZwCreateThread)
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded)
                call    eax
                ; ObReferenceObjectByHandle(ProcessHandle, 0x10, NULL, KernelMode, &Object, NULL); the reference is never released in this listing
                pop     edx                             ; restore base
                cmp     dword ptr [edx+56760DAh], 0
                jz      short loc_EB98CD44              ; lookup failed (object == 0): pass through to the real function
                mov     eax, [edx+56760DAh]             ; eax = target process object
                mov     ebx, eax
                and     ebx, 7FFFFFFFh                  ; ebx = same pointer with bit 31 cleared
                mov     esi, 0EBABB000h                 ; table 1 (also used by the NtAllocateVirtualMemory hook)
                mov     edi, esi
                add     edi, 3E8h                       ; table 2 at +3E8h, walked in lockstep with table 1
                jmp     short loc_EB98CD50
loc_EB98CD22:
///////////////////////////////////////////////////////////////////////////////////// target is a protected process
                push    fs
                mov     eax, 30h
                mov     fs, ax                          ; selector 30h = kernel-mode KPCR segment
                mov     eax, large fs:124h              ; current ETHREAD
                mov     eax, [eax+44h]                  ; current thread's KPROCESS
                pop     fs
                cmp     eax, [edx+56760DAh]             ; caller == target process ?
                jz      short loc_EB98CD44              ; yes: allowed
/////////////////////////////////////////////////////////////////////////////////////
                popa
                pop     ebp
                retn    20h                             ; deny: return WITHOUT calling the real function; eax is the caller's original eax, not an explicit status
/////////////////////////////////////////////////////////////////////////////////////
loc_EB98CD44:
///////////// pass-through to the real function
                popa
                pop     ebp
                push    804DF0F8h ;real ZwCreateThread (hard-coded)
                retn
loc_EB98CD50:
///////////////////////////////////////////////////////////////////////////////////// table scan
                add     esi, 4                          ; pre-increment: skips the leading marker dword of both tables
                add     edi, 4
                cmp     dword ptr [esi], 47616420h  ; end marker is only checked on table 1; table 2 is assumed to be the same length
                jz      short loc_EB98CD44              ; not protected -> real function
                cmp     [esi], eax                      ; table 1 entry == object ?
                jz      short loc_EB98CD22
                cmp     [edi], eax                      ; table 2 entry == object ?
                jz      short loc_EB98CD22       
                cmp     [esi], ebx                      ; table 1 entry == object with bit 31 cleared ?
                jz      short loc_EB98CD22
                cmp     [edi], ebx                      ; table 2 entry == object with bit 31 cleared ?
                jz      short loc_EB98CD22
                jmp     short loc_EB98CD50
/////////////////////////////////////////////////////////////////////////////////////

//EBABB000+3E8h data,length 20h
//47616420h address end marking
00000000h: 20 64 61 47 00 00 00 00 20 64 61 47 00 00 00 00 ;  daG.... daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................


;-----------------------------------------------------------------------
; Themida hook for ZwQueryVirtualMemory (Win2K)
; Purpose: when the target process is listed in the table at EBAC8000h and
;          the caller is not that process, overwrite the ProcessHandle
;          argument with 0 and then run the real routine anyway, so the
;          query fails on the invalid handle instead of being skipped.
; In:    [ebp+8] = ProcessHandle (first argument)
; Out:   always tail-jumps to the real routine at 804D1DFAh; the only
;        difference between the two paths is the handle it receives.
;-----------------------------------------------------------------------
Themida_ZwQueryVirtualMemory:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx
                sub     edx, 56C4980h                   ; edx = position-independent base for the hook's data
                cmp     dword ptr [esp+28h], 0FFFFFFFFh ; ProcessHandle == -1 (current-process pseudo-handle) ?
                jz      short loc_EB938B53              ; yes: pass through untouched
                push    edx                             ; save base across the call

                push    0                               ; HandleInformation = NULL
                lea     eax, [edx+56C4A08h]             ; &Object: fixed slot for the resolved process object
                push    eax
                push    0                               ; AccessMode = KernelMode
                xor     eax, eax
                push    eax                             ; ObjectType = NULL
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+8]               ; ProcessHandle
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded)
                call    eax
                ; ObReferenceObjectByHandle(ProcessHandle, 0x10, NULL, KernelMode, &Object, NULL); the reference is never released in this listing
                pop     edx                             ; restore base
                cmp     dword ptr [edx+56C4A08h], 0 
                jz      short loc_EB938B53    ; lookup failed (object == 0): pass through
                mov     eax, [edx+56C4A08h]             ; eax = target process object
                mov     ebx, eax
                and     ebx, 7FFFFFFFh                  ; ebx = same pointer with bit 31 cleared
                mov     esi, 0EBAC8000h                 ; protected-process table (shared with the ZwTerminateProcess hook)
loc_EB938B19:
///////////////////////////////////////////////////////////////////////////////////// table scan
                add     esi, 4                          ; pre-increment skips the leading marker dword
                cmp     dword ptr [esi], 47616420h  ; end marker: target is not protected
                jz      short loc_EB938B53              ; -> real function, handle untouched
                cmp     [esi], eax
                jz      short loc_EB938B2E              ; entry == object -> protected
                cmp     [esi], ebx
                jz      short loc_EB938B2E              ; entry == object with bit 31 cleared
                jmp     short loc_EB938B19
/////////////////////////////////////////////////////////////////////////////////////
loc_EB938B2E:           ; target is a protected process
                push    fs
                mov     eax, 30h
                mov     fs, ax                          ; selector 30h = kernel-mode KPCR segment
                mov     eax, large fs:124h    ; current ETHREAD
                mov     eax, [eax+44h]      ; current thread's KPROCESS
                pop     fs
                cmp     eax, [edx+56C4A08h]             ; caller == target process ?
                jz      short loc_EB938B53              ; yes: allowed, handle untouched
/////////////////////////////////////////////////////////////////////////////////////
                mov     dword ptr [esp+28h], 0          ; deny by argument tampering: the saved ProcessHandle slot (same one tested at the top) becomes 0, so the real routine rejects the handle itself
loc_EB938B53:
///////////// pass-through to the real function
                popa
                pop     ebp
                push    804D1DFAh  ;real ZwQueryVirtualMemory (hard-coded)
                retn

//EBAC8000h data,length 20h
//47616420h address end marking
//813E5020h Themida protect process object
00000000h: 20 64 61 47 20 50 3E 81 20 64 61 47 00 00 00 00 ;  daG P>?daG....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................



;-----------------------------------------------------------------------
; Themida hooks for ZwWriteVirtualMemory / ZwReadVirtualMemory (shared body)
; Two entry points set edi as a mode flag (0 = write, 1 = read), resolve
; the ProcessHandle to an object, then jump to a shared tail that checks
; the requested range against a protected region (the tail is listed
; below as loc_EB99C956).
; In:    [ebp+8] = ProcessHandle; the tail also reads [ebp+0Ch], [ebp+14h]
; Notes: the second label below is printed as Themida_NtAllocateVirtualMemory,
;        duplicating the first hook's name; with edi = 1 it is the read
;        entry (compare the ZwReadVirtualMemory hook that follows), so this
;        looks like a copy error in the dump -- confirm.
;-----------------------------------------------------------------------
Themida_ZwWriteVirtualMemory:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx
                sub     edx, 567DB24h                   ; edx = position-independent base for the hook's data
                xor     edi, edi                          ; edi = 0: write path (the tail uses edi to pick the real routine)
                jmp     short loc_EB938029
Themida_NtAllocateVirtualMemory:                        ; see header: this is the read entry, not NtAllocateVirtualMemory
                push    ebp
                mov     ebp, esp
                pusha
                call    $+5
                pop     edx
                sub     edx, 567DB38h                   ; different delta, same base as the write entry
                mov     edi, 1                          ; edi = 1: read path
loc_EB938029:
                push    edx                             ; save base across the call
                push    0                               ; HandleInformation = NULL
                lea     eax, [edx+567DBB3h]             ; &Object: fixed slot for the resolved process object
                push    eax
                push    1                               ; AccessMode = UserMode (the other hooks pass KernelMode)
                mov     eax, 80481EA4h                  ; dead store: overwritten by the xor below (the author reads the constant as PsProcessType)
                xor     eax, eax
                push    eax                             ; ObjectType = NULL
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+8]               ; ProcessHandle
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded); the reference is never released in this listing
                call    eax
                pop     edx                             ; restore base
                mov     eax, [edx+567DBB3h]             ; eax = process object; unlike the other hooks there is no object == 0 check here
                lea     esi, [edx+567DBB7h]             ; esi = slot+4: the per-hook table the tail scans first
                mov     ecx, 0EB938956h              ; shared tail; the author's annotated copy is listed at EB99C956h (different load address)
                jmp     ecx

;-----------------------------------------------------------------------
; Themida hook for ZwReadVirtualMemory (Win2K) -- the copy the author
; annotates; it continues in the shared tail at loc_EB99C956 below.
; In:    [ebp+8] = ProcessHandle (first argument)
; Out:   edi = 1 (read), eax = process object, esi = per-hook table, then
;        jumps to the shared tail, which decides whether the real routine
;        runs.
;-----------------------------------------------------------------------
Themida_ZwReadVirtualMemory:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx 
                sub     edx, 58BC582h                   ; edx = position-independent base for the hook's data
                mov     edi, 1                          ; edi = 1: read path (0 would be the write path)
                push    edx             ; save base across the call

                push    0               ; HandleInformation = NULL
                lea     eax, [edx+58BC5FDh]             ; &Object: fixed slot for the resolved process object
                push    eax
                push    1        ; AccessMode = UserMode
                mov     eax, 80481EA4h       ; dead store: overwritten by the xor below (author reads it as PsProcessType)
                xor     eax, eax                        ; eax = 0
                push    eax                             ; ObjectType = NULL
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+8]               ; ProcessHandle
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded)
                call    eax         
          ; ObReferenceObjectByHandle(ProcessHandle, 0x10, NULL, UserMode, &Object, NULL); the reference is never released in this listing
////////////////////////////////////////////////////////////////////////////////////////////
                pop     edx                             ; restore base (this instruction had run into the separator line in the original dump)
                mov     eax, [edx+58BC5FDh]             ; eax = process object (no object == 0 check on this path)
                lea     esi, [edx+58BC601h]             ; esi = slot+4: per-hook table, start marker 4E67EEF4h / end marker 4E67EEF5h (see the dump below)
                mov     ecx, 0EB99C956h                 
                jmp     ecx                             ; -> shared tail loc_EB99C956
////////////////////////////////////////////////////////////////////////////////////////////
    .............
    .............
    .............

//constant 4E67EEF4h==address start marking
//constant 4E67EEF5h==address end marking


//edx+58BC5FDh data,length 20h
00000000h: 20 00 2E 81 F4 EE 67 4E BC 3A 10 20 00 00 40 00 ;  ..侓頶N?. ..@.
00000010h: 00 00 E5 02 F5 EE 67 4E 00 00 00 00 00 00 00 00 ; ..?躅gN........

//81394820h ;process object
//edx+58BC601h-4  data,length 4
00000000h: 20 48 39 81                                     ;  H9

//attention
//80414520h  Themida protect process object
//00400000h  Themida protect process base address
//02E40000h  Themida protect process memory size
//EB99C410 data,length 20h
00000000h: F4 EE 67 4E 20 45 41 81 00 00 40 00 00 00 E4 02 ; 纛gN EA?.@...?
00000010h: F5 EE 67 4E 00 00 00 00 00 00 00 00 00 00 00 00 ; 躅gN............

;-----------------------------------------------------------------------
; Shared tail of the ZwReadVirtualMemory / ZwWriteVirtualMemory hooks
; In:    eax = target process object, esi = per-hook table (slot+4),
;        edi = 1 for read / 0 for write, ebp = the hook's frame:
;        [ebp+0Ch] = BaseAddress, [ebp+14h] = buffer size
; Out:   tail-jumps to the real read/write routine, or -- when the request
;        overlaps the protected region of a protected process -- to a
;        different service (annotated as ZwSetInformationObject) instead.
; Tables use 4E67EEF4h as start marker and 4E67EEF5h as end marker; the
; EB99C410h dump above shows an entry as [object, base, upper bound].
;-----------------------------------------------------------------------
EB99C956:
loc_EB99C956:
                cmp     dword ptr [esi], 4E67EEF5h      ; end of the per-hook table
                jz      short loc_EB99C967              ; not found here: try the global table
                cmp     [esi], eax
                jz      short loc_EB99C97D              ; found: check the requested range
                add     esi, 4
                jmp     short loc_EB99C956
loc_EB99C967:

/////////////////////////////////////////////////////////////////////////////////////////////
                mov     esi, 0EB99C410h                 ; global protected-process table (object, base, upper bound, ..., end marker)
loc_EB99C96C:
                cmp     dword ptr [esi], 4E67EEF5h      ; end marker: target is not protected
                jz      short loc_EB99C997              ; -> real read/write
                cmp     [esi], eax
                jz      short loc_EB99C97D              ; protected process: check the requested range
                add     esi, 4
                jmp     short loc_EB99C96C
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB99C97D:
                mov     ecx, [ebp+0Ch]                  ; ecx = BaseAddress of the request
                mov     edx, ecx
                add     edx, [ebp+14h]                  ; edx = BaseAddress + size (end of the request)
                cmp     edx, [esi+4] 
                jb      short loc_EB99C997              ; request ends below the protected base -> allow
                cmp     ecx, [esi+8]
                ja      short loc_EB99C997              ; request starts above [esi+8] -> allow; the code treats [esi+8] as an absolute upper bound while the dump comment calls it a size -- confirm which
                popa
                pop     ebp
                push    804D66F6h                       ; deny: redirect to another service (annotated ZwSetInformationObject) with the read/write arguments still on the stack; the caller sees whatever status that routine returns
                retn
loc_EB99C997:
                cmp     edi, 1
                jz      short loc_EB99C9A0              ; read path
                popa
                pop     ebp
                jmp     short loc_EB99C9A8              ; write path
loc_EB99C9A0:
                popa
                pop     ebp
                push    804D2562h                       ; real ZwReadVirtualMemory (hard-coded)
                retn
loc_EB99C9A8:
                push    804D2678h                       ; unannotated; reached only on the edi = 0 path, so presumably the real ZwWriteVirtualMemory -- confirm
                retn


;-----------------------------------------------------------------------
; Themida hook for NtRequestWaitReplyPort (Win2K, 3 stack args -> retn 0Ch)
; Purpose: take a dword from the request message, look it up in a table in
;          the hook's own data, and if it matches return STATUS_SUCCESS
;          without ever calling the real routine (the request is dropped).
; In:    [ebp+0Ch] = second argument (pointer to the request message)
; Notes: what the dword at message+20h represents is not established by
;        this listing; the table lookup is all the code shows.
;-----------------------------------------------------------------------
Themida_NtRequestWaitReplyPort:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx
                sub     edx, 5676FCAh                   ; edx = position-independent base for the hook's data
                mov     eax, 0
                or      eax, eax                        ; eax is a constant 0, so the jz below is always taken
                jz      short loc_EB9391C0
                mov     eax, [ebp+0Ch]                  ; dead code: never reached because of the constant above
                mov     eax, [eax]                      ; (would have read message+0 instead of message+20h)
                jmp     short loc_EB9391C6
loc_EB9391C0:
                mov     eax, [ebp+0Ch]                  ; eax = message pointer (second argument)
                mov     eax, [eax+20h]                  ; eax = dword at message+20h (meaning not shown in this listing)
loc_EB9391C6:
                or      eax, eax
                jz      short loc_EB9391EA              ; zero: nothing to match, pass through
                lea     esi, [edx+567701Ch]             ; lookup table in the hook's data, terminated by 8A87D3A3h
loc_EB9391D0:
//////////////////////////////////////////////////////////////////////////////////////////////
                cmp     dword ptr [esi], 8A87D3A3h  ; end marker: no match
                jz      short loc_EB9391EA              ; -> pass through to the real routine
                cmp     [esi], eax
                jz      short loc_EB9391F4              ; match -> drop the request
                jmp     short loc_EB9391E5    ; next entry (the loop body is split across the labels below)
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB9391DF:
                push    804C3080h        ;real NtRequestWaitReplyPort (hard-coded)
                retn                                    ; tail-jump; the frame was already unwound at loc_EB9391F0
loc_EB9391E5:
                add     esi, 4
                jmp     short loc_EB9391D0
loc_EB9391EA:
                jmp     short loc_EB9391F0              ; hop to the very next label
loc_EB9391F0:
///////////// pass-through to the real function
                popa
                pop     ebp
                jmp     short loc_EB9391DF
loc_EB9391F4:
///////////// deny: return STATUS_SUCCESS without calling the real function
                popa
                pop     ebp
                xor     eax, eax                        ; NTSTATUS = 0, so the caller cannot tell its request was never delivered
                retn    0Ch

;-----------------------------------------------------------------------
; Themida hook for ZwTerminateProcess (Win2K, 2 stack args -> retn 8)
; Purpose: if the target process is in the table at EBAC8000h (the same
;          table the ZwQueryVirtualMemory hook scans), overwrite its entry
;          with -1 and return STATUS_SUCCESS without terminating anything.
; In:    [ebp+8] = ProcessHandle (first argument)
; Out:   tail-jumps to 0ECDEA7AEh on the pass-through path, or returns 0
;        without calling it on the deny path.
; Notes: unlike the other hooks there is no -1 (current process) shortcut
;        and no check of who the caller is, so the protected process and
;        any other caller are treated alike.
;-----------------------------------------------------------------------
Themida_ZwTerminateProcess:

                push    ebp
                mov     ebp, esp
                pusha
                call    $+5                             ; get-EIP idiom
                pop     edx
                sub     edx, 56C24FAh                   ; edx = position-independent base for the hook's data
                push    edx             ; save base across the call

                push    0               ; HandleInformation = NULL
                lea     eax, [edx+56C256Ah]
                push    eax                 ; &Object: fixed slot for the resolved process object
                push    0                               ; AccessMode = KernelMode
                mov     eax, 80481EA4h       ; dead store: overwritten by the xor below (author reads it as PsProcessType)
                xor     eax, eax
                push    eax                             ; ObjectType = NULL
                push    10h                             ; DesiredAccess = 10h
                push    dword ptr [ebp+8]               ; ProcessHandle
                mov     eax, 8044D57Ah                  ; ObReferenceObjectByHandle (hard-coded)
                call    eax
                ; ObReferenceObjectByHandle(ProcessHandle, 0x10, NULL, KernelMode, &Object, NULL); the reference is never released in this listing

                pop     edx                             ; restore base
                cmp     dword ptr [edx+56C256Ah], 0
                jz      short loc_EB938A3A               ; lookup failed (object == 0): pass through
                mov     eax, [edx+56C256Ah]             ; eax = target process object
                mov     ebx, eax
                and     ebx, 7FFFFFFFh                  ; ebx = same pointer with bit 31 cleared
                mov     esi, 0EBAC8000h                 ; protected-process table (shared with the ZwQueryVirtualMemory hook)
loc_EB938A1D:
////////////////////////////////////////////////////////////////////////////////////////////// table scan
                add     esi, 4                          ; pre-increment skips the leading marker dword
                cmp     dword ptr [esi], 47616420h  ; end marker: target is not protected
                jz      short loc_EB938A3A              ; -> real function
                cmp     [esi], eax
                jz      short loc_EB938A32              ; entry == object -> protected
                cmp     [esi], ebx
                jz      short loc_EB938A32              ; entry == object with bit 31 cleared
                jmp     short loc_EB938A1D
//////////////////////////////////////////////////////////////////////////////////////////////
loc_EB938A32:    ; target is a protected process: clear its table entry and swallow the call
                mov     dword ptr [esi], 0FFFFFFFFh     ; entry := -1, which no object pointer (masked or not) will match again; the process drops out of this table, so a later terminate call scans past it and reaches the real routine
                jmp     short loc_EB938A42
loc_EB938A3A:
///////////// pass-through
                popa
                pop     ebp
                push    0ECDEA7AEh                      ; not an ntoskrnl 804xxxxxh address like the other hooks' targets -- presumably another hook in the chain; unconfirmed
                retn
loc_EB938A42:
///////////// deny: return STATUS_SUCCESS without calling the real function
                popa
                pop     ebp
                xor     eax, eax                        ; NTSTATUS = 0, so the caller believes the termination succeeded
                retn    8