So, as per usual in Mimic's "offence" on Warden, they achieved quite the spectacle. The resulting hilarity was the hooking of VirtualQueryEx. Sure, nothing wrong with that, right? Wrong. They're also hooking VirtualQuery for good measure; let's take a look at VirtualQuery...

76126201 >  8BFF            mov edi,edi
76126203    55              push ebp
76126204    8BEC            mov ebp,esp
76126206    FF75 10         push dword ptr ss:[ebp+10]
76126209    FF75 0C         push dword ptr ss:[ebp+C]
7612620C    FF75 08         push dword ptr ss:[ebp+8]
7612620F    6A FF           push -1
76126211    E8 BAFFFFFF     call kernel32.VirtualQueryEx
76126216    5D              pop ebp
76126217    C2 0C00         retn 0C

So in summary, they're hooking redundant APIs (VirtualQuery is a thin stub that pushes its three arguments plus -1, the current-process pseudo-handle, and calls straight into VirtualQueryEx, so a hook on VirtualQueryEx already sees every VirtualQuery call), including window-finding APIs (which, might I add, is pointless). Every extra hook is one more patched prologue for a scanner to find.

Attached are Hookshark images showing how easily detectable Mimic is. (Yes, you can see my WardenLogger; woopty doo!)

Image #1
Image #2

11 Comments:

    Merc said...
    I'm a little userland hook, short and stout.
    Here is my handle and here is my spout.
    When I get all steamed up, hear me shout.
    Tip me over and maybe we should have just hooked the syscall to NtUserBuildHwndList instead of all that other shit, too.
    kynox said...
    You know what? Mimic probably read this. I expect them to have that in the next version.
    Cypher said...
    Merc: NtUserBuildHwndList isn't exported in usermode. You'd have to scan for it at runtime which wouldn't exactly be pretty.
    Merc said...
    Cypher: that's exactly *why* you should hook that one, since it'll be a lot harder for Warden to find your hook. Pawing around by walking calls from EnumWindows or scanning for patterns is not something they want to do.

    You have the advantage of agility. It must be used to its full extent.
    Anonymous said...
    Wow, is it the famous glider Mercury? Hey can I have an internet autograph in the comment field? :D pls it would mean a lot to me
    Cypher said...
    Merc: True. But you run the same risk they do. Code like that is inherently 'less stable'.

    Besides, in usermode, manual syscall > any api hooks you have. :P
    Merc said...
    Yeah, it's definitely a tradeoff on stability. But those tradeoffs usually favor the little guy with the more forgiving customer. ;)

    I'm not calling for mad crazy shit all the time at any cost, but I think the "right" spot for me, at least, is measured risk over safety.
    SIL said...
    .46 is out
    Anonymous said...
    SIL, I think Cypher already dealt with the new 0.46

    http://www.cypherjb.com/blog/2009/05/21/presenting-wardenmimic/#comments
    Anonymous said...
    Another blog to troll, weehoo. Well done. :P

    sku
    Anonymous said...
    Thanks Merc... only thing I asked for was an internet autograph... guess you're too elitist for that...
