Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Sentinel SHK Virtual Machine (https://forum.exetools.com/showthread.php?t=19635)

phroyt 08-27-2020 03:56

Sentinel SHK Virtual Machine
 
Hi all,

Does anyone know what kind of detection Sentinel SHK uses to detect virtual machines? :)

I can run it fine in Oracle VirtualBox.
But it refuses to run in VMware or Terminal Services.

I just ask to avoid reinventing the wheel.

But after I find the solution, I will post it here!

Thanks

Gladiyator 08-27-2020 09:03

provide some sample to analyze

user1 08-28-2020 00:31

Like all software does.

See the C++ examples on the net.

phroyt 08-30-2020 09:21

Quote:

Originally Posted by Gladiyator (Post 121061)
provide some sample to analyze

You need to install the whole software and run it on a Terminal Services machine.
BTW, thanks for the interest.

If you really want to help, here you go:
Code:

http://download.softwell.com.br/makerstudiobootstrap/Instaladores/Instalador_Maker_Studio_Bootstrap.zip
And the medicine:
Code:

https://mega.nz/file/coJ1CCiJ#NrMWTpHOTzf79cp3zdVJtKrZx6ziSEtV_AI8rOpRtsY
After installing, replace SentinelKeyW.dll with the DLL above.
It will ask for an activation code.
Send it to me and I will give you one back.

phroyt 07-05-2022 23:51

Hi all,

After some research, I found the solution.

First, SentinelSHK calls GetSystemMetrics to simply identify Remote Desktop.

PHP Code:

SM_REMOTESESSION = $1000 // 4096
GetSystemMetrics(SM_REMOTESESSION);

If the result is true, the execution is aborted.

After that, SentinelSHK calls WTSQuerySessionInformationA to identify whether the current session is running over Remote Desktop.

It doesn't check any further parameters; it just checks whether WTSQuerySessionInformationA returns a valid value.
If it does, the execution is aborted.

wtsapi32.dll is loaded on the fly, so the solution doesn't need to hook WTSQuerySessionInformationA.

The solution was hooking GetSystemMetrics, catching when SM_REMOTESESSION is queried and returning zero (0),
and patching some bytes at the calling address when its region resides in the main application.

PS: Sometimes comctl32.dll calls GetSystemMetrics with SM_REMOTESESSION;
that's why you need to confirm the memory region.

Just patching one jump in the main application solves the problem.

PHP Code:

074C0581 8D4424 18                lea eax,dword ptr ss:[esp+18]
074C0585 8D5424 10                lea edx,dword ptr ss:[esp+10]
074C0589 50                       push eax
074C058A 52                       push edx
074C058B 6A 10                    push 10
074C058D 6A FF                    push FFFFFFFF
074C058F 57                       push edi
074C0590 897C24 24                mov dword ptr ss:[esp+24],edi
074C0594 897C24 2C                mov dword ptr ss:[esp+2C],edi
074C0598 FFD1                     call ecx                                <= WTSQuerySessionInformationA
074C059A 8B4424 10                mov eax,dword ptr ss:[esp+10]
074C059E 3BC7                     cmp eax,edi
074C05A0 74 27                    je app.74C05C9
074C05A2 66:3938                  cmp word ptr ds:[eax],di
074C05A5 EB 22                    jmp app.74C05C9                         <= PATCH
074D55A7 50                       push eax
074D55A8 FF15 70E94A07            call dword ptr ds:[<&WTSFreeMemory>]
074D55AE 55                       push ebp
074D55AF 897C24 14                mov dword ptr ss:[esp+14],edi
074D55B3 FF15 98206C07            call dword ptr ds:[<&FreeLibrary>]
074D55B9 5F                       pop edi
074D55BA 5E                       pop esi
074D55BB 5D                       pop ebp
074D55BC B8 CB000000              mov eax,CB
074D55C1 5B                       pop ebx
074D55C2 81C4 10010000            add esp,110
074D55C8 C3                       ret
074D55C9 8B35 28206C07            mov esi,dword ptr ds:[<&GetVersionExA>]
... 
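The two checks phroyt describes, written out in C as an added example of how an application detects a Remote Desktop session; this is not code from the thread or from Sentinel, and the function names classify_session and session_is_remote are ours. The argument pushes in the listing (push edi with edi = 0 for the server handle, push FFFFFFFF for WTS_CURRENT_SESSION, push 10 for WTSClientProtocolType) correspond to the WTSQuerySessionInformationA call below, and we read the listing's cmp word ptr [eax],di as "protocol type != 0", which is our interpretation rather than something the post states. The decision logic is kept separate from the Win32 calls so it compiles and runs on any platform; only session_is_remote needs Windows.

```c
/* Added example: Remote Desktop detection as a protection SDK might do it.
 * Not the thread's or Sentinel's code; names are ours. */
#include <stdio.h>

enum session_kind { SESSION_CONSOLE = 0, SESSION_REMOTE = 1 };

/* Pure decision logic, testable anywhere:
 *   sm_remote : GetSystemMetrics(SM_REMOTESESSION) result (nonzero = remote)
 *   wts_ok    : whether WTSQuerySessionInformationA returned a buffer
 *   protocol  : the USHORT in that buffer (WTSClientProtocolType:
 *               0 = console, 1 = ICA/Citrix, 2 = RDP)
 * The first gate is the GetSystemMetrics check the post describes; the second
 * is our reading of the listing's "je / cmp word ptr [eax],di" sequence. */
int classify_session(int sm_remote, int wts_ok, unsigned short protocol)
{
    if (sm_remote)
        return SESSION_REMOTE;
    if (wts_ok && protocol != 0)
        return SESSION_REMOTE;
    return SESSION_CONSOLE;
}

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>

/* The real check. wtsapi32.dll is loaded on demand, matching the post's note
 * that it is "loaded on the fly" and freed again (the FreeLibrary in the listing). */
int session_is_remote(void)
{
    int sm_remote = GetSystemMetrics(SM_REMOTESESSION);   /* SM_REMOTESESSION = 0x1000 */
    int wts_ok = 0;
    unsigned short proto = 0;

    HMODULE h = LoadLibraryA("wtsapi32.dll");
    if (h) {
        typedef BOOL (WINAPI *QSI_t)(HANDLE, DWORD, WTS_INFO_CLASS, LPSTR *, DWORD *);
        typedef void (WINAPI *FM_t)(PVOID);
        QSI_t query = (QSI_t)GetProcAddress(h, "WTSQuerySessionInformationA");
        FM_t  freem = (FM_t)GetProcAddress(h, "WTSFreeMemory");
        LPSTR buf = NULL;
        DWORD len = 0;

        /* Same arguments as the listing: NULL server handle, current session,
         * info class 0x10 (WTSClientProtocolType), buffer and length out-params. */
        if (query && freem &&
            query(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION,
                  WTSClientProtocolType, &buf, &len) && buf) {
            wts_ok = 1;
            if (len >= sizeof(unsigned short))
                proto = *(unsigned short *)buf;
            freem(buf);
        }
        FreeLibrary(h);
    }
    return classify_session(sm_remote, wts_ok, proto);
}
#else
/* No Terminal Services concept outside Windows; report a console session. */
int session_is_remote(void)
{
    return classify_session(0, 0, 0);
}
#endif

int main(void)
{
    printf("session is %s\n",
           session_is_remote() == SESSION_REMOTE ? "remote" : "console");
    return 0;
}
```

On Windows build with `gcc session_check.c -luser32` (MinGW) or `cl session_check.c user32.lib`; elsewhere only the decision logic is exercised. Both signals come from user-mode API calls made inside the protected process itself, which is why the post can neutralise them with a hook on GetSystemMetrics and a one-byte patch: a client-side abort of this kind is a policy nudge, and a vendor who needs the restriction to hold has to enforce it where the client cannot rewrite it, for instance in the licence server's session policy.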