Independently Compile rdtscemu

[DavidBerdik]

Would you be willing to give some guidance on how to compile rdtscemu independently so that it can be installed on a VM outside the context of idastealth? I would like to use it to intercept rdtsc calls in a Windows 7 x64 VM.

[martencassel]

If anyone interested i can try to build one for windows 7. Got one working for XP SP3.

[DavidBerdik]

@martencassel I am interested! Although I would also appreciate an explanation of how you got it working. I experimented but I was unable to pull it off and ended up giving up. I would like to revisit it at some point though. Did you use the 32 or 64 bit version of XP for your experimenting?

[martencassel]

See this https://github.com/nihilus/idastealth/pull/5

I tested it on Windows XP 32-bit SP3.

[martencassel]

Nice to hear from you ! See the pull request for details on my setup. I'm unsure if the original author used WDK for Windows 7 to build parts of this solution, perhaps its WDK is compatible with Windows XP. I would like to test building it on Windows the intended WDK.

Also, the HideDebugger DR* feature didn't work as expected and it couldn't handle Debug Registers for me when i tested it, it could hook Nt..GetThreadContext but when calling to original function it responded with an error code.

[DavidBerdik]

Hello @martencassel,

Thanks for the useful information! For my use case, I need it to work on 64 bit systems, so I'm going to try following through with your instructions using 64 bit Windows XP. I imagine I'll hit snags along the way, and if/when I do, I'm probably going to ask so I can compare to your experience with doing it on 32 bit XP. Needless to say, I ultimately want to use it on a modern version of Windows, but for testing purposes, I'll start off with XP since that's what it was originally built for.

[DavidBerdik]

@martencassel As promised, I would appreciate some assistance!

The only issue that I have seen so far with your instructions is that I don't seem to have an NMake entry in the configuration properties panel. Maybe I'm looking in the wrong place or missed a step?

Anyway, since I didn't see it, I skipped it for now and hit this error when trying to compile:

1>------ Build started: Project: HideDebugger, Configuration: Debug Win32 ------
1>  HideDebugger.cpp
1>  HookHelper.cpp
1>  IniFileAccess.cpp
1>  HideDebuggerConfig.cpp
1>  NCodeHookItem.cpp
1>  NCodeHook.cpp
1>  IPCConfigExchangeCommon.cpp
1>  IPCConfigExchangeReader.cpp
1>  RemoteEventCommon.cpp
1>  RemoteEventWriter.cpp
1>  Please define _WIN32_WINNT or _WIN32_WINDOWS appropriately. For example:
1>  - add -D_WIN32_WINNT=0x0501 to the compiler command line; or
1>  - add _WIN32_WINNT=0x0501 to your project's Preprocessor Definitions.
1>  Assuming _WIN32_WINNT=0x0501 (i.e. Windows XP target).
1>HideDebugger.rc(10): fatal error RC1015: cannot open include file 'afxres.h'.
1>  
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

I will keep experimenting, but I hope you will have some advice. Thank you!

[martencassel]

Only RDTSCEmu.WLHand and StealthDriver.W7 have nmake settings, because they are drivers, HideDebugger is a DLL, that hooks ntdll functions, so no driver. It uses injection technique from the main ida plugin (IDAStealth).

[DavidBerdik]

Hmm alright. Perhaps it would be worth pointing that out in your instructions?

I will also revisit the error message since I now know that it's not related.

[martencassel]

Check this out @DavidBerdik https://github.com/nihilus/idastealth/pull/6 I redid the configuration today.. and i think this one is simpler... Its also available here: https://docs.google.com/document/d/1MYm3xa6eidObWjTh4J2OH8X5Oe9HGhSiBrqQ8NLXpUU/edit?usp=sharing

[DavidBerdik]

@martencassel Thank you! The instructions were very helpful! I managed to compile the driver, but testing it with OSR Driver Loader is proving to be a challenge. When I click on "Register Service", I get a popup indicating that the registration was successful, but when I then try to "Start Service", I get an error message stating "This driver has been blocked from loading." Perhaps this is a side effect of attempting to run the driver on the 64 bit version of XP? Anyway, I am planning to try on the 32 bit version as well later. If you have any advice, please do let me know.

[martencassel]

Great that the guide helped Only 64-bit drivers are supported on XP 64 edition, https://en.wikipedia.org/wiki/Windows_XP_Professional_x64_Edition#Known_limitations Windows XP 64bit is based on Windows 2003 source tree, so they seem to differ a lot.

[DavidBerdik]

Only 64-bit drivers are supported on XP 64 edition, https://en.wikipedia.org/wiki/Windows_XP_Professional_x64_Edition#Known_limitations

Interesting! I had not even bothered to check on that since, to my knowledge, other 64 bit versions support 32 bit drivers. I did try testing the driver on 32 bit XP, and it loaded properly, but unfortunately, this driver doesn't seem to make it possible to pass the pafish test, which is what I was hoping to achieve with this.

Windows XP 64bit is based on Windows 2003 source tree, so they seem to differ a lot.

Very interesting. The Wikipedia article makes it sound like Microsoft slapped together the x64 edition as quickly as possible without really taking it seriously. I suppose I could try it out on 64 bit Vista or 7, but considering that the driver doesn't seem to do what I was trying to do, I am not sure if it's worth the effort.