Direct code Injection with XProfan

 
Andre Rohland
Dear community,

as part of one of my current projects (monitoring a process) I use the possibility of injecting executable code directly into a running process, where it continues to execute even after the calling program has terminated.

Since this routine runs inside another process, it is not visible as such in the XP Task Manager; only the (injection-infected), i.e. foreign, process is shown there.

In the attached example, Injector.exe first starts the program Muttertier.exe. The executable code is then injected into the Muttertier.exe process, and the calling program Injector.exe terminates itself after approx. 3 sec. The injected code starts the program prozess2.exe and checks whether it is still running.

If it is not, it is restarted. The routine also tells prozess2.exe whether its start is a first, normal start or a start after forced termination via the Task Manager. prozess2.exe reports this properly.

So far this program has only been tested with Win XP/SP3. In the event of an error (e.g. "Muttertier.exe has encountered a problem and needs to close. Send the problem to Microsoft?") I have not yet been able to detect any impairment of system stability.

Nevertheless I point out that wild experimentation with this program is at your own risk.

The concrete programming technique for such things lies in a (for me) so-called grey area. Direct injection of executable code into other processes certainly has its legitimacy in special cases, but it also lies very much in the realm of abuse through virus programming...

I therefore hereby open a discussion about:

- the sense and nonsense of such programs...
- must one really explain such techniques comprehensibly to all (!) users of the community?

I now await your opinions. Until the majority of posts give a clear vote, I will hold back on relevant disclosures, source code and further aids/explanations.

Now it's your turn...

Regards, André

[Attachment: 1.065 kB, uploaded 03/05/09]

03/04/09



 
Andre Rohland
@Peter (woodpecker):

Question 1.) On that: something like "please don't do anything stupid"...
Question 2.) Those are the so-called Terms of Use of Microsoft.
Question 3.) No!!! What you presumably mean are the so-called Terminate and Stay Resident programs; this here certainly does not survive a reset...
Question 4.) I have forwarded it to IF; I don't know exactly either what it really means...
Question 5.) Quite simply: if you do something bad with the code...

Regards, André
 
03/05/09  
 



> Andre Rohland
> @Peter (woodpecker):
>
> Question 5.) Quite simply: if you do something bad with the code...

Just assume that there are already people who could write far more evil code than you can perhaps imagine.

There is no security (secure operating systems), and education rarely does harm.
 
03/05/09  
 



@Andre: Perhaps we should first establish, in a clear application example, what it can be useful for.

Do you have an idea?
 
03/05/09  
 



 
Matthias Arlt
> Andre Rohland
> ...that one and the same programming technique can be used for good purposes (= special cases) as well as for evil purposes (= injecting malware code, e.g. into explorer.exe, svchost.exe etc.)...

That simply lies in the nature of the thing itself... and in every area, beyond programming too. An annoying but unalterable fact.

> Andre Rohland
> Please also be aware that not only our community can read this posting, but everyone who finds this posting somewhere on the net...

I do see your intention and your reticence in this regard. Only, a potential interested party could also learn all of that elsewhere. And he would presumably find it far sooner there than here, since (X)Profan still moves (in my opinion unjustifiably) rather at the fringe of general perception. The didactic benefit of a disclosure should therefore far outweigh a feared negative effect (if it occurs at all)...

The possible alternative... "I know something but won't say it", we've had that already. And it has proven to be solely destructive...

Regards
Matthias
 
WinXP SP2, Win7 - XProfan 10/11/FreeProfan32 - Xpia
03/06/09  
 




E.T.
> IF
> @Andre: Perhaps we should first establish, in a clear application example, what it can be useful for.

Such an application example wouldn't be bad, if only to test how various security software copes when code is injected into a running program (purely for testing purposes).

Greetings from Saxony... Mario
WinXP, Win7 (64 Bit), Win8(.1), Win10, Win 11, Profan 6 - X4, XPSE, and a black, blinking thingy that I pour all of it into...
03/06/09  
 




Andre Rohland
That would then be my current project,
but unfortunately I haven't finished it yet...

1.) The background...

is a teenager with the problem of school versus computer gaming.
One meets up in MMORPGs (a.k.a. online gaming) and then goes to bed nice and early (sometimes as early as 01:00).
In doing so one largely ignores the fact that one has to get up at 06:00 and manage a way to school of approx. 7 km. I surely don't need to elaborate on the school results of sleep-deprived teenagers...

(But please, no good suggestions now on raising an 18-year-old teenager...)

2.) Special case and legitimacy of the project...

There are loads of so-called parental control programs which divide up computer time and shut the computer down at a set time, all of which are classed as legitimate.
They fall into two main groups:
- the majority work with access restrictions (system settings, clock setting, prohibiting the Task Manager etc.), mostly via registry hacks or policies.
- the smaller part reaches deeper into the system; the restrictions are not always comprehensible and, in case of error, cannot always be undone even as admin.

I find this situation unsatisfactory.
Locking the Task Manager, for example, I consider more than serious, because the user is deprived of the possibility of terminating a faulty process and preserving system stability. Instead, under some circumstances, only a restart remains.
What about, for example, if I have just laboriously written 13 pages for a homework assignment and the deadline is seriously close...

Special case?

I think so, for the following reasons:
- my son should keep all rights as admin on his computer and be able to do as he pleases in his system, except for the fact that the box shuts down at 21:50 on evenings before school days.
- moreover only this one function is used; the range of functions of usual programs is superfluous and at most slows the system down, which amounts to slaughtering the sacred cow of every game freak...
- I do not want to run any kernel-mode code from third-party suppliers on the system that I cannot really check
- the program serves purely private purposes; commercial use is not intended.

3.) An application example

is actually already available. prozess2.exe is later to take on the task of shutting the computer down at 21:50 on school days. It will be monitored by the injected code and restarted if necessary.

The function(s) to be built in:
- fetch the time from the internet (for this I have written the Daytime Protocol unit)
- convert the remaining time until 21:50 into seconds
- save GetTickCount + remaining time in a variable and compare it with GetTickCount every 30 s
- initiate a countdown approx. 1 min before the shutdown (e.g. beep via the system speaker)
- shutdown

Here is the current source code of Process2.exe
Please note that querying the parameter count presupposes that Process2 is compiled to an exe.

So now you have an application example which you can change, extend and test.

Continued this afternoon...
André
 
03/07/09  
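The scheduling plan above (remaining seconds until 21:50, a GetTickCount-based deadline polled every 30 s, a countdown, then shutdown) as an added Python example; it is not part of the thread or of prozess2.exe. The Daytime fetch and the actual shutdown call stay outside the block, and the tick value is passed in so that the wraparound of the 32-bit GetTickCount counter after about 49.7 days, which a plain `>=` comparison would get wrong, can be exercised.

```python
"""Shutdown deadline scheduling: seconds until HH:MM, a GetTickCount-style
deadline that survives 32-bit wraparound, and one 30 s poll step."""
from datetime import datetime, timedelta

TICK_MODULUS = 1 << 32            # GetTickCount is a 32-bit ms counter; wraps after ~49.7 days
SHUTDOWN_HOUR, SHUTDOWN_MINUTE = 21, 50
COUNTDOWN_MS = 60 * 1000          # start the beep about one minute before the deadline
POLL_INTERVAL_MS = 30 * 1000      # the post compares every 30 s


def seconds_until_shutdown(now: datetime, hour: int = SHUTDOWN_HOUR,
                           minute: int = SHUTDOWN_MINUTE) -> int:
    """Seconds from `now` (e.g. the time fetched via Daytime) to the next HH:MM.
    If today's HH:MM has already passed, the next occurrence is tomorrow."""
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def arm_deadline(tick_now: int, remaining_sec: int) -> int:
    """'GetTickCount + remaining time' stored as the post describes, reduced to 32 bits
    so the stored value stays comparable with later readings after a wrap."""
    return (tick_now + remaining_sec * 1000) % TICK_MODULUS


def ms_left(tick_now: int, deadline: int) -> int:
    """Milliseconds until `deadline`: the modular difference reinterpreted as a signed
    32-bit value, which keeps the check correct even when the counter wrapped in between."""
    diff = (deadline - tick_now) % TICK_MODULUS
    return diff - TICK_MODULUS if diff >= TICK_MODULUS // 2 else diff


def poll_step(tick_now: int, deadline: int) -> str:
    """One poll (every POLL_INTERVAL_MS): 'wait', 'countdown' (beep) or 'shutdown'."""
    left = ms_left(tick_now, deadline)
    if left <= 0:
        return "shutdown"
    if left <= COUNTDOWN_MS:
        return "countdown"
    return "wait"


def simulate(start_tick: int, remaining_sec: int) -> list:
    """Constructed driver (no real Sleep loop): poll from start_tick until shutdown
    and return the sequence of states, advancing the tick modulo 2^32."""
    deadline = arm_deadline(start_tick, remaining_sec)
    states, tick = [], start_tick
    while True:
        state = poll_step(tick, deadline)
        states.append(state)
        if state == "shutdown":
            return states
        tick = (tick + POLL_INTERVAL_MS) % TICK_MODULUS
```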
 




Andre Rohland
Continued...

The headline of the post says it already, of course, but I would like to explain it once more:
- Direct code injection means that neither hooks are used nor functions from DLLs are mapped anywhere, but rather
- executable code is written directly into the memory area of a process and executed there.

The method of directly injecting the code is (taken by itself) quite simple; the problem is the code itself.
It must be independent and executable on its own, so it cannot be an exe file (but native byte code instead).
That really only leaves us with assembler...

With MASM32, assembler programming has already developed almost into a high-level language, so it is natural to use this assembler.

If I am to be completely honest: for stand-alone XProfan programs I will, for performance reasons, resort to assembler routines and continue to use Frank's XPIA.

Unfortunately that does not work in our case; we predominantly need the low-level syntax of the assembler, since not all items of the high-level syntax are supported.

So whoever can push and pop properly is clearly at an advantage. (Sorry.)

In plain language that means: there will have to be a small tutorial which fulfils the expectations you expressed regarding comprehensibility... I've really got myself into something there!

@IF:
Was that roughly your intention?

@E.T. (Mario):
I'll upload another exe with which you can try to test the behaviour of AV programs, though not until tomorrow...

That's it for today, awaiting your answers.

Regards
André
 
03/07/09  
 




E.T.
Have meanwhile tested it with the example from mail1( [...] ):
FreeAV (Avira) doesn't seem to be interested in it at all (serious??). At least I couldn't find anything in any log. In my opinion FreeAV only checks whether there is malicious code in the file(s). If malicious code is only prepared at injection time (as many Trojans, viruses etc. indeed do), Avira would possibly not notice anything (which is why I use it for test purposes).

Scanners with monitoring of program activities do notice that something is happening there; the injecting is registered and monitored too:
Kaspersky, e.g., neatly registers the activities, checks the files and the code, and if nothing suspicious is done or found in the code, then it allows it. In the log you can see very nicely that everything is checked here:



(The long timeouts between the program starts result from the deep scan...)
So injecting something into a running process can indeed be abused quite nicely (from Profan programs too); a good scanner would, however, notice it in any case and prevent the code from executing (I hope so, at least it was that way for me).
But that can be tested quite easily by simply adding a test virus to the good code when injecting (that would still interest me strongly, Andre, would you build one into your example for me??).

[Attachment: 8 kB, uploaded 03/08/09]
 
Greetings from Saxony... Mario
WinXP, Win7 (64 Bit), Win8(.1), Win10, Win 11, Profan 6 - X4, XPSE, and a black, blinking thingy that I pour all of it into...
03/08/09  
 




Andre Rohland
Another program for testing...

I particularly point out the following:

- the program serves solely to find out how programs behave when code is injected into them, or how antivirus software reacts to such code injections!
- attentively reading all posts on this topic, but especially the notes given by IF in his first reply above (concerning injection of code into M$ programs), is an absolute duty!!!
- perhaps superfluous, since already mentioned, but once again: I take no responsibility; the (hopefully not blindly furious) use of the program is at your own risk!

Description of the program:

The program allows the selection of a running process and injects an assembler routine that calls a message box. When OK is clicked, the message box reappears after approx. 2 sec; when Cancel is clicked, the thread with the assembler routine is terminated.

Since the calling program terminates after starting the routine in the other process, so that the routine continues running independently, no memory is released when the remote thread terminates! So one should perhaps not inject 1000 times into the same process without closing and restarting it in between, otherwise you turn a mosquito into an elephant...

XProfan part

- completion of an assembler routine already present as an include (memory variable) with the addresses of the functions (MessageBox), (ExitThread) and (Sleep), as well as further parameters for
- opening a process handle with PROCESS_ALL_ACCESS rights (OpenProcess)
- reserving virtual memory, 1000 bytes (VirtualAllocEx)
- writing the start address of the reserved memory into the ASM routine (memory variable)
- writing 200 bytes of the memory variable (ASM routine) into the reserved memory at the start address with (WriteProcessMemory)
- starting a remote thread with the start address of the routine (CreateRemoteThread)
- terminate itself

Assembler part

label:
- MessageBox: continue?
- OK --> Sleep 2000 ---> jump to label:
- Cancel: ExitThread,0 terminate itself

A more detailed description is probably only possible in a suitable tutorial with concrete source code as an example. Suggestions for examples and the tutorial???

Regards
André

[Attachment: 356 kB, uploaded 03/08/09]
 
03/08/09  
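The XProfan part above lists exactly the API chain (OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) that a scanner with activity monitoring, as Mario describes for Kaspersky, can correlate. As an added Python example, not from the thread or from XProfan: a correlator over constructed API-call events (the event field names, PIDs and addresses are assumptions, not real telemetry) that raises an alert for a source/target pair only when a freshly allocated executable region in the target is written to and then used as the start address of a remote thread, while a read-only access or a thread started at a module address stays quiet.

```python
"""Correlate the remote-code-injection API sequence across constructed events."""
from collections import defaultdict
from dataclasses import dataclass, field

PROCESS_ALL_ACCESS = 0x1F0FFF      # value of the XP-era SDK headers (0x1FFFFF from Vista on)
PROCESS_VM_WRITE = 0x0020          # the single right that the WriteProcessMemory step needs
PAGE_EXECUTE_READWRITE = 0x40      # protection a writable-then-executed region is allocated with

# Constructed sample events (assumed field layout; no real log source has exactly this form).
EVENTS = [
    # benign: a monitoring tool reading another process, no write, no thread
    {"t": 1.0, "api": "OpenProcess", "src": 900, "dst": 5678, "access": 0x0410},
    {"t": 1.1, "api": "ReadProcessMemory", "src": 900, "dst": 5678, "addr": 0x7FF00000, "size": 64},
    # the Injector.exe -> Muttertier.exe sequence as the post lists it (PIDs assumed)
    {"t": 5.0, "api": "OpenProcess", "src": 1234, "dst": 5678, "access": PROCESS_ALL_ACCESS},
    {"t": 5.2, "api": "VirtualAllocEx", "src": 1234, "dst": 5678, "addr": 0x00A00000,
     "size": 1000, "protect": PAGE_EXECUTE_READWRITE},
    {"t": 5.3, "api": "WriteProcessMemory", "src": 1234, "dst": 5678, "addr": 0x00A00000, "size": 200},
    {"t": 5.4, "api": "CreateRemoteThread", "src": 1234, "dst": 5678, "start": 0x00A00000},
    # a remote thread whose start address was never written by the caller (e.g. a loaded module)
    {"t": 9.0, "api": "CreateRemoteThread", "src": 4321, "dst": 5678, "start": 0x77E00000},
]


@dataclass
class PairState:
    """What has been seen so far for one (source PID, target PID) pair."""
    opened_write: bool = False
    exec_regions: list = field(default_factory=list)   # (base, size) allocated as RWX
    written: set = field(default_factory=set)          # bases of RWX regions written into


def detect_injection(events, window: float = 30.0) -> list:
    """Return one alert dict per pair that completes open -> alloc(RWX) -> write -> thread
    within `window` seconds; partial chains older than the window are discarded."""
    state = defaultdict(PairState)
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["src"], ev["dst"])
        if key in last_seen and ev["t"] - last_seen[key] > window:
            state.pop(key, None)          # stale partial chain: start over for this pair
        last_seen[key] = ev["t"]
        st, api = state[key], ev["api"]
        if api == "OpenProcess":
            st.opened_write = bool(ev["access"] & PROCESS_VM_WRITE)
        elif api == "VirtualAllocEx" and ev.get("protect") == PAGE_EXECUTE_READWRITE:
            st.exec_regions.append((ev["addr"], ev["size"]))
        elif api == "WriteProcessMemory":
            for base, size in st.exec_regions:
                if base <= ev["addr"] < base + size:
                    st.written.add(base)
        elif api == "CreateRemoteThread" and st.opened_write:
            for base, size in st.exec_regions:
                if base in st.written and base <= ev["start"] < base + size:
                    alerts.append({"src": ev["src"], "dst": ev["dst"],
                                   "start": ev["start"], "t": ev["t"]})
    return alerts
```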
 




Andre Rohland
Oops, Mario,

you were a bit faster with your posting than I was.

Straight to your question: definitely NO!

1.) I have no idea at all how one writes a test virus...
2.) Are there test viruses at all??? For me, virus = virus. "Test virus" to me sounds rather like: a bit pregnant or a bit dead...
3.) Assuming it were a test virus, then it might (because it is only a test virus) do no damage to your system...? In that case, though, wouldn't your Kaspersky also sleep on and limit itself to logging this activity, because it finds no known malicious routines?
4.) Disclosure, explanation of the concrete mechanisms and, well, now even a tutorial: I did not tie these to a moral responsibility for nothing and ask for discussion contributions/opinions about it...
5.) I am firmly convinced that you are one of the good ones and that your question to me arose from the same considerations that I initially put up for discussion.

A good scanner??? HUH???

That is: to my knowledge all AV programs lag a tick behind the actual development of new viruses, and one also calls this the productive force of crime. After all, the new virus must first be examined and analysed, and finally detection routines must be written. Pure viruses are, by the way, relatively out in the scene; nowadays people concentrate more on programming worms, which spread by themselves and can hide. They usually download the actual malware code from the net afterwards (keyloggers, password spies...).

Only relatively few AV scanners attempt (in the so-called ON ACCESS mode = accesses/file starts etc.) to recognise malware code. That is not so simple, because where does the malicious code really begin???

An example for you of why your Kaspersky could fail against well-programmed malware (virus):
(I'll also try to keep it short...)

My program, a tiny, inconspicuous kernel-mode driver, uses the so-called DKOM method (= Direct Kernel Object Manipulation) to change the chain of system structures, e.g. with the result that, for the system, a whole folder including all its files is non-existent.

QUESTION 1: How is Kasper supposed to be able to examine these files (with its ON ACCESS or even with the ON DEMAND method)?

Even if:
in this folder there is simply no virus at all, just a simple little program that formats all hard disks... (= good code?).

QUESTION 2: Does Kasper jump up if you want to format the hard disk or a partition???
(I don't believe so...)

But furthermore: my little evil driver will most probably not be examinable by Kaspersky, because it runs in the lowest execution layer of the system (= ring 0), i.e. it is executed before a Windoof login happens at all.

And again the "even if":

Only a couple of pointer operations are executed... If Kasper were to prohibit all of that, then good night..., because legitimate drivers indeed do such things, e.g. with direct I/O port operations (mouse control programs etc.).

And again furthermore:
my little evil driver now also sits around in the system after the login and waits for me to ask it something...
for example, afterwards, how I can call the stature.exe in the hidden folder...!!!!!!!!

Could this be my way???:
How could that work?
That is: I start, e.g., Explorer.exe via system.ini as the shell, with a parameter.
That is of course the Injector.exe. So that user X does not mess with it, I at the same time forbid him access to system.ini...

QUESTION 3:
Does Kasper complain if you block access to a folder/file with the cacls.exe command at the command prompt?
(probably hardly...)

And again a step back:
Kasper now of course establishes that a process (e.g. into Explorer.exe) has been infiltrated, but cannot do anything with that, since every operation could just as well have been executed by other (nice) processes, and for safety it logs it first of all - hahaha.

Well then, the absolute hammer:
for examining the possibilities of starting stature.exe, the infiltrated process (ASM code) needs only milliseconds.
Even before you get around to reading the Kaspersky AV log at all, stature.exe has already been started...

Sorry for the horror version, but I meanwhile assume that AV programs are more a kind of self-reassurance...

QUESTION 4: Any further questions?

Don't be offended that I had to give you such a lecture here...

If we can come to an agreement here on this problem area, there will be a tutorial with which you can penetrate deeper into the whole problem and perhaps even write your own test virus, from which I would, however, as always, urgently dissuade you...

Once again @ALL:
Perhaps with this example everyone now understands why I asked for such a discussion, which unfortunately was partly not taken quite as seriously as I had expected.

To make it clear once again:
- anyone who can read is surely able to gather from my last posts that I am fundamentally ready to share my knowledge (since I don't know at what programming level the readers of this topic are, I have even considered a tutorial...)
- do you really want that???
- writing a tutorial, however small, means proper work, especially since I can't always keep things short...
- without suggestions and ideas about a demonstration project nothing will happen...

P.S.: @Mario:
When I wrote under 1.) that I have no idea, that does not mean that I have not dealt with this problem (I myself was once hacked quite badly...)

I'm done. Phew!

Regards
André
 
03/08/09  
 




E.T.
Huh, Dietmar is actually responsible for posts this long

@Andre: Of course you shouldn't write me a test virus; something like that exists quite officially (even released by many large vendors): [...]
This link points to the explanation page, not to a virus!!! I use it quite gladly to show that the protection really is there


> ...But furthermore: my little evil driver will most probably not be examinable by Kaspersky, because it runs in the lowest execution layer of the system (= ring 0), i.e. it is executed before a Windoof login happens at all....


In my opinion that is also what makes a good scanner: it is there before WIN!!! And changes, e.g. at system start, are queried before they are registered (as is the loading of an unknown driver); if I then of course allow it (out of ignorance or stupidity or whatever), then of course good night.

But we don't want to discuss good and bad scanners here, nor

which AV program is currently the best; there will probably never be a 100 percent one.



> Don't be offended that I had to give you such a lecture here...


Oh, I'm used to that....

To come back to the beginning once more:
Why does what you want (switching the computer off at a certain time or so) have to happen via injecting into another application at all??
Wouldn't it suffice to simply hide your program (from the Task Manager)??
 
Greetings from Saxony... Mario
WinXP, Win7 (64 Bit), Win8(.1), Win10, Win 11, Profan 6 - X4, XPSE, and a black, blinking thingy that I pour all of it into...
03/08/09  
 




Andre Rohland
@Mario:

... unfortunately it is not that simple...
Hiding a process under WinXP is, to my knowledge, only possible through API hooking (via IAT patching) or DKOM (Direct Kernel Object Manipulation) by bending the pointers in the doubly linked list of EPROCESS structures, i.e. through rootkit technology, which is mostly done through driver programming. The probability that antivirus software raises an alarm is therefore very high...

Other reasons are:
1.) System-wide hooks can also have quite a negative effect on system performance.
2.) My control program has a (of course password-protected) user interface so that I can change the time limits or deactivate the program entirely during holidays. So it should be visible (just not the routine that monitors it)!
I already mentioned further reasons above under "Special case?".

If you have started the InjectCodeTest.exe and waited until it has terminated, you will not find the running ASM routine under Processes in the XP Task Manager; after all, it is inside one of the running processes already shown.

Only for the time the message box is displayed does the routine appear under Applications in the XP Task Manager as a caption, which is due to the fact that a window is opened.

My ASM control routine (exactly the same as in Injektion.rar) meanwhile uses no window at all...

With injection into a program executed at system start (for example a chat program), my routine is quite well accommodated and as such not visible either.

Regards
André
 
03/09/09  
 



