My DerbyCon Talk - "Ownage From Userland: Process Puppeteering"

  1. #1

    My DerbyCon Talk - "Ownage From Userland: Process Puppeteering"

    Before linking the video, I'd like to share the shitty yet rather hilarious story of my intro.

    So the video starts about 4 slides deep into the presentation because the first 15 minutes were spent troubleshooting AV issues. My laptop does not have the two screw holes for VGA plugs, and their plug was loose, so it kept slipping out as I was trying to present. After trying to leave the stage, set the laptop on the floor, and duct tape the connector to no avail, I pick up the mic and say "200 hackers in a room and we can't get the A/V working. Typical." The whole room laughs for a bit and I follow with "Does anyone just have a laptop I can borrow?" Some guy lends me his laptop (which has a wallpaper image of Twinkies?) and I try to login to Google Drive. Little did I know, he had accidentally connected to the CTF WiFi (Google Hacker CTF if you're not familiar). As soon as this was realized, the whole room bursts into laughter. A random guy offers me a flash drive to move the file over instead of using Google Drive, and as I'm doing it, I comment "I bet this dude's drive is dropping a shell on my laptop right now." The guy retorts with "Well, you already gave your Google information to CTF, so you're fucked anyways." Laughter once again ensues. I get the file moved over and start my presentation, but not after losing my notes and having my 2 hours of preparation completely cleared from my head by the 15 minute troubleshooting comedy show. And then the recording started and I continued on about my presentation.


  2. #2
    Senior Member
    Join Date
    Mar 2007
    Posts
    266
    Public speeches are always a bit stressful but you did a great job. I've just started my IT studies (yeye I know I am old enough already but who cares), let's see how it goes... Lots of math so far...

  3. #3
    Senior Member
    Join Date
    Apr 2008
    Posts
    689
    ++
    Thanks, that was great... I wish there were more tutorials around here explaining such a large variety of techniques like your presentation did. This is something everyone that wants to start digging deeper should watch.

  4. #4
    Quote Originally Posted by Farsa View Post
    ++
    Thanks, that was great... I wish there were more tutorials around here explaining such a large variety of techniques like your presentation did. This is something everyone that wants to start digging deeper should watch.
    Thanks!

    As a direct result of this talk, I'm in talks with No Starch Press to write a book on game hacking (The founder of the company suggested I should and gave me his card at the con). Nothing official yet, but they seem serious and we're currently working out contract details so I can sign it and make it official. Rest assured that if it does actually happen, there will be quite a few more tricks covered. The current outline puts a first section for basics, but the second and third sections will have four chapters dedicated to hooking, manipulating code, evading debuggers, and anti-reversing.

    Also, for anyone who has read Practical Malware Analysis (amazing book), I'm hoping to follow that format. Each chapter and sub-chapter will have labs which have custom built games that have to be modified or manipulated based on the subject matter of the chapters.

  5. #5
    Junior Member
    Join Date
    Feb 2012
    Posts
    21
    Very good speech!
    Also ironic how someone with your potential is developing a bot for one of the easiest (in terms of reversing) games of them all. But I'm guessing XenoBot is more about the money than the challenge.

  6. #6
    Senior Member
    Join Date
    Jan 2012
    Posts
    417
    Indeed, a good resource to learn from. I owe my learning of Handle Manipulation to you and the XenoMC code.

    2 ~ 3 days after you published this video, I got bored and went and wrote a small MC app in the .NET framework using the library I had ported from XenoMC to .NET some time ago using the Handle Manipulation technique, but this time I was checking (almost all P/Invoke calls, except the NtQuery... functions) whether everything ran smoothly using the .NET P/Invoke error handling strategy (which is basically GetLastError followed by FormatMessage wrappers).

    This way, I remember that "ReleaseMutex" actually fails to close the mutex, setting the last error to something like "Invalid access to handle outside the current process" (remote access). Passing DUPLICATE_CLOSE_SOURCE seems to be enough to release the mutex in the DuplicateObject function (personally, I call CloseHandle after DuplicateObject (no matter if true or false) to clean things up). Also, just querying OBJECT_NAME_INFORMATION seems to be enough to grab the system handle's name without querying OBJECT_TYPE_INFORMATION.

    For NtQuerySystemInformation and NtQueryObject, I liked a nice trick I read somewhere: instead of allocating some fixed number of bytes beforehand (0x1000, for example), I'm using "while STATUS_INFO_LENGTH_MISMATCH ... re-evaluate the function, allocating the last parameter returned (needed bytes)".

    This snippet explains it better than my shitty English:

    Code:
        int size = 0;
        int returnLength = 0;
        IntPtr handlePointer = Marshal.AllocHGlobal(size); // allocating 0 bytes

        try
        {
            uint NTSTATUS = NativeMethods.NtQuerySystemInformation(
                NativeMethods.CNST_SYSTEM_HANDLE_INFORMATION,
                handlePointer,
                size,
                out returnLength
            );

            // on the first call this condition always holds, because we allocated 0 bytes
            while (NTSTATUS == NativeMethods.STATUS_INFO_LENGTH_MISMATCH)
            {
                size = returnLength;
                Marshal.FreeHGlobal(handlePointer);
                handlePointer = Marshal.AllocHGlobal(returnLength); // now allocating the correct amount of bytes

                NTSTATUS = NativeMethods.NtQuerySystemInformation(
                    NativeMethods.CNST_SYSTEM_HANDLE_INFORMATION,
                    handlePointer,
                    size,
                    out returnLength
                );
            }

            if (NTSTATUS != NativeMethods.STATUS_SUCCESS)
                return;
            .
            .
            .
        }
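    The post above describes the pieces separately (the grow-until-it-fits query loop, reading the handle table, querying a handle's name through a duplicate). The block below is an added example that is not code from the post, from XenoMC or from the talk; it puts those pieces together as a read-only handle lister for one process: NtQuerySystemInformation with the legacy SYSTEM_HANDLE_INFORMATION class, a do/while retry on STATUS_INFO_LENGTH_MISMATCH (the shape suggested in the next reply), DuplicateHandle with DUPLICATE_SAME_ACCESS and without DUPLICATE_CLOSE_SOURCE, and NtQueryObject for ObjectNameInformation. The class names, the constants and the struct layouts are the documented Windows ones; HandleLister, QueryGrowing and the 0x1000 slack are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Added example (not from the original post or XenoMC): list the handles one process
// holds, growing the buffer in a do/while loop until the kernel stops asking for more.
static class HandleLister
{
    const int SystemHandleInformation = 16;      // SYSTEM_INFORMATION_CLASS
    const int ObjectNameInformation = 1;         // OBJECT_INFORMATION_CLASS
    const uint STATUS_SUCCESS = 0x00000000;
    const uint STATUS_BUFFER_OVERFLOW = 0x80000005;
    const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
    const uint STATUS_BUFFER_TOO_SMALL = 0xC0000023;
    const uint PROCESS_DUP_HANDLE = 0x0040;
    const uint DUPLICATE_SAME_ACCESS = 0x0002;

    [StructLayout(LayoutKind.Sequential)]
    struct SYSTEM_HANDLE_TABLE_ENTRY_INFO
    {
        public ushort UniqueProcessId;           // only 16 bits in this legacy class
        public ushort CreatorBackTraceIndex;
        public byte ObjectTypeIndex;
        public byte HandleAttributes;
        public ushort HandleValue;
        public IntPtr Object;
        public uint GrantedAccess;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("ntdll.dll")]
    static extern uint NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);
    [DllImport("ntdll.dll")]
    static extern uint NtQueryObject(IntPtr handle, int infoClass, IntPtr buffer, int length, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DuplicateHandle(IntPtr srcProcess, IntPtr srcHandle, IntPtr dstProcess,
                                       out IntPtr dstHandle, uint access, bool inherit, uint options);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    delegate uint NtQueryFn(IntPtr buffer, int length, out int returnLength);

    // Start with an empty buffer, let the call report the size it needs, grow, retry.
    // Returns an HGlobal buffer the caller frees, or IntPtr.Zero on any other status.
    static IntPtr QueryGrowing(NtQueryFn call, out uint status)
    {
        int size = 0;
        IntPtr buf = IntPtr.Zero;
        do
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            buf = Marshal.AllocHGlobal(Math.Max(size, 1));
            status = call(buf, size, out int needed);
            // The handle table changes between calls, so the reported length can already
            // be stale; add a page of slack each round and cap the growth.
            size = Math.Max(needed, size) + 0x1000;
        } while ((status == STATUS_INFO_LENGTH_MISMATCH || status == STATUS_BUFFER_OVERFLOW
                  || status == STATUS_BUFFER_TOO_SMALL) && size < 256 * 1024 * 1024);
        if (status == STATUS_SUCCESS) return buf;
        Marshal.FreeHGlobal(buf);
        return IntPtr.Zero;
    }

    // OBJECT_NAME_INFORMATION is one UNICODE_STRING whose characters follow it in the buffer.
    static string QueryName(IntPtr handle)
    {
        IntPtr buf = QueryGrowing((IntPtr b, int l, out int r) => NtQueryObject(handle, ObjectNameInformation, b, l, out r), out _);
        if (buf == IntPtr.Zero) return "<unnamed>";
        try
        {
            var us = Marshal.PtrToStructure<UNICODE_STRING>(buf);
            return us.Length == 0 ? "<unnamed>" : Marshal.PtrToStringUni(us.Buffer, us.Length / 2);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    public static List<string> ListHandles(int pid)
    {
        var lines = new List<string>();
        IntPtr table = QueryGrowing((IntPtr b, int l, out int r) => NtQuerySystemInformation(SystemHandleInformation, b, l, out r), out uint st);
        if (table == IntPtr.Zero) throw new InvalidOperationException($"NtQuerySystemInformation failed: 0x{st:X8}");
        IntPtr target = OpenProcess(PROCESS_DUP_HANDLE, false, pid);
        if (target == IntPtr.Zero) { Marshal.FreeHGlobal(table); throw new InvalidOperationException($"OpenProcess failed: {Marshal.GetLastWin32Error()}"); }
        try
        {
            int count = Marshal.ReadInt32(table);
            int entrySize = Marshal.SizeOf<SYSTEM_HANDLE_TABLE_ENTRY_INFO>();
            // The entry array follows the ULONG count, aligned to pointer size (offset 8 on x64, 4 on x86).
            IntPtr entry = IntPtr.Add(table, IntPtr.Size);
            for (int i = 0; i < count; i++, entry = IntPtr.Add(entry, entrySize))
            {
                var e = Marshal.PtrToStructure<SYSTEM_HANDLE_TABLE_ENTRY_INFO>(entry);
                if (e.UniqueProcessId != (ushort)pid) continue;
                // Read-only copy: same access and no DUPLICATE_CLOSE_SOURCE, so the target is left untouched.
                if (!DuplicateHandle(target, (IntPtr)(int)e.HandleValue, GetCurrentProcess(), out IntPtr local, 0, false, DUPLICATE_SAME_ACCESS))
                    continue;
                try { lines.Add($"0x{e.HandleValue:X4} type={e.ObjectTypeIndex,3} access=0x{e.GrantedAccess:X8} {QueryName(local)}"); }
                finally { CloseHandle(local); }
            }
        }
        finally { CloseHandle(target); Marshal.FreeHGlobal(table); }
        return lines;
    }

    static void Main(string[] args)
    {
        int pid = args.Length > 0 ? int.Parse(args[0]) : System.Diagnostics.Process.GetCurrentProcess().Id;
        foreach (string line in ListHandles(pid)) Console.WriteLine(line);
    }
}
```

    Two caveats a practitioner will hit with this approach. NtQueryObject can block indefinitely on some handles (named pipes opened for synchronous I/O are the classic case), which is why tools like Process Hacker run the name query on a worker thread with a timeout rather than inline as here. And the legacy class truncates the PID and handle to 16 bits, so on a busy system the PID filter can alias; SystemExtendedHandleInformation (class 64) returns pointer-sized fields and is what modern code uses, with the same grow-and-retry loop.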

  7. #7
    Quote Originally Posted by Blahhh View Post
    Very good speech!
    Also ironic how someone with your potential is developing a bot for one of the easiest (in terms of reversing) games of them all. But I'm guessing XenoBot is more about the money than the challenge.
    Tibia is a wonderful playground for education purposes. While it is very easy to reverse the basics, when you dig deep you get into nearly all of the important parts of reversing. GUI teaches you about reversing structures. Containers (now) teach you about linked lists and binary trees. The battlelist teaches you about flat arrays. The Graphics engine teaches you about reversing classes. Context menus hooks teach you about virtual function tables (and reversing abstractable classes, if you take it that far). And you get to play with a bit of encryption, ASLR, and memory encoding.

    But yes, XenoBot started out as a challenge when I was still learning. Then it became a hobby to keep me and my friends ahead of others in OT servers. Then it became a business and has, since, been more of a money cow than a challenge, since most things are much easier. I moved on to non game related stuff for more challenging work. Malware analysis is a really fun topic with some challenging aspects, though much less coding. Also, trying to reverse League Of Legends is an amazing time, it's a much trickier environment than Tibia, and definitely a terrible place to start haha.

    Quote Originally Posted by Blequi View Post
    Indeed, a good resource to learn from. I owe my learning of Handle Manipulation to you and the XenoMC code.

    2 ~ 3 days after you published this video, I got bored and went and wrote a small MC app in the .NET framework using the library I had ported from XenoMC to .NET some time ago using the Handle Manipulation technique, but this time I was checking (almost all P/Invoke calls, except the NtQuery... functions) whether everything ran smoothly using the .NET P/Invoke error handling strategy (which is basically GetLastError followed by FormatMessage wrappers).

    This way, I remember that "ReleaseMutex" actually fails to close the mutex, setting the last error to something like "Invalid access to handle outside the current process" (remote access). Passing DUPLICATE_CLOSE_SOURCE seems to be enough to release the mutex in the DuplicateObject function (personally, I call CloseHandle after DuplicateObject (no matter if true or false) to clean things up). Also, just querying OBJECT_NAME_INFORMATION seems to be enough to grab the system handle's name without querying OBJECT_TYPE_INFORMATION.

    For NtQuerySystemInformation and NtQueryObject, I liked a nice trick I read somewhere: instead of allocating some fixed number of bytes beforehand (0x1000, for example), I'm using "while STATUS_INFO_LENGTH_MISMATCH ... re-evaluate the function, allocating the last parameter returned (needed bytes)".

    This snippet explains it better than my shitty English:
    Yeah, I've realized that I had the type information query in there but it was unused, haha.

    Quote Originally Posted by Blequi View Post
    Code:
        int size = 0;
        int returnLength = 0;
        IntPtr handlePointer = Marshal.AllocHGlobal(size); // allocating 0 bytes

        try
        {
            uint NTSTATUS = NativeMethods.NtQuerySystemInformation(
                NativeMethods.CNST_SYSTEM_HANDLE_INFORMATION,
                handlePointer,
                size,
                out returnLength
            );

            // on the first call this condition always holds, because we allocated 0 bytes
            while (NTSTATUS == NativeMethods.STATUS_INFO_LENGTH_MISMATCH)
            {
                size = returnLength;
                Marshal.FreeHGlobal(handlePointer);
                handlePointer = Marshal.AllocHGlobal(returnLength); // now allocating the correct amount of bytes

                NTSTATUS = NativeMethods.NtQuerySystemInformation(
                    NativeMethods.CNST_SYSTEM_HANDLE_INFORMATION,
                    handlePointer,
                    size,
                    out returnLength
                );
            }

            if (NTSTATUS != NativeMethods.STATUS_SUCCESS)
                return;
            .
            .
            .
        }
    I didn't realize that there was a length mismatch return code. Awesome. You can also shorten that by using a do {} while(); instead of a while() {}.

  8. #8
    Senior Member
    Join Date
    Mar 2007
    Posts
    376
    Very interesting to listen to!

  9. #9
    Senior Member
    Join Date
    Mar 2007
    Posts
    266
    Wow Erra is still here! Can't believe it!

    @sorry for the offtopic

  10. #10
    Junior Member
    Join Date
    Mar 2007
    Posts
    24
    Did anyone ever tell you that you're a genius?
    Can't believe otfans died... and the otserv project... both OT and RL Tibia are declining in active players.
