  1. #1 hack4me

    Hackshield Reverse Engineers

    I would like to hear from good Hackshield reverse engineers. I have extracted the AhnLab Hackshield driver from the EHsvc.dll. Looking for a few good people with kernel-level driver hacking or custom bypass experience. If you feel you have the skills, PM me.

  2. #2 freedompeace
    You could have, alternatively, copy-pasted the driver from your drivers directory under Windows. Windows requires that it be there in order to execute it.

  3. #3 hack4me
    Quote Originally Posted by freedompeace:
    You could have, alternatively, copy-pasted the driver from your drivers directory under Windows. Windows requires that it be there in order to execute it.
    Freedompeace... It is not that simple. The driver is extracted from the memory-resident EHsvc.dll and then copied to Windows System32, executed and then deleted. This normally happens so fast that you cannot get a copy of the driver...

  4. #4 flameswor10
    Quote Originally Posted by hack4me:
    Freedompeace... It is not that simple. The driver is extracted from the memory-resident EHsvc.dll and then copied to Windows System32, executed and then deleted. This normally happens so fast that you cannot get a copy of the driver...
    Why not pause Hackshield using a debugger?
    Also, please post in the correct section next time @hack4me
    No, I do not make game hacks anymore; please stop asking.

  5. #5 freedompeace
    Quote Originally Posted by hack4me:
    Freedompeace... It is not that simple. The driver is extracted from the memory-resident EHsvc.dll and then copied to Windows System32, executed and then deleted. This normally happens so fast that you cannot get a copy of the driver...
    Uhm, a little question: why are we doing this manually?

    It's common to find that many people use monitors, especially around the security industry. Download or make one so you can get the updated driver rather than spend 5 minutes each update getting the driver and diffing it to see if it's changed.

    Also, I was under the impression that you're not able to delete drivers that are in use, just as you aren't able to with executables, modules and files that are in use. I'll check up on this tomorrow.


    Quote Originally Posted by flameswor10:
    Why not pause Hackshield using a debugger?
    Also, please post in the correct section next time @hack4me
    HackShield won't let you do that, iirc, unless you magically pause it at the right time (before it's loaded its anti-debug things but not before HackShield has loaded), which can have a timespan of mere nanoseconds.
    Last edited by freedompeace; 10-09-2011 at 03:41 AM.

  6. #6 hack4me
    Quote Originally Posted by flameswor10:
    Why not pause Hackshield using a debugger?
    Also, please post in the correct section next time @hack4me
    Flameswor10,

    I did pause the EHsvc.dll in the debugger to be able to extract the EagleNT.sys Hackshield kernel driver. But in order to step through and debug the code you have to unpack the EHsvc.dll (Themida) and defeat the WinLicense macro tricks; otherwise the debugger freaks!

    Sorry about posting in the wrong section. I defeat Hackshield for Combat Arms, so I thought it was appropriate.

    Quote Originally Posted by freedompeace:
    Uhm, a little question: why are we doing this manually?

    It's common to find that many people use monitors, especially around the security industry. Download or make one so you can get the updated driver rather than spend 5 minutes each update getting the driver and diffing it to see if it's changed.

    Also, I was under the impression that you're not able to delete drivers that are in use, just as you aren't able to with executables, modules and files that are in use. I'll check up on this tomorrow.

    HackShield won't let you do that, iirc, unless you magically pause it at the right time (before it's loaded its anti-debug things but not before HackShield has loaded), which can have a timespan of mere nanoseconds.
    Freedompeace,

    I am doing this manually because that is the only way to do it at this time. I do not know of anyone else who has done this. You can see the Eagle kernel driver loaded using a rootkit detector etc.

    A kernel-mode driver can be launched and deleted from disk if you do it correctly. This is what the Hackshield coders did. Try to stop the service or find it while the game is running... you will find it difficult, as the Windows OS does not know where it is.

    Exactly right... I have magically paused it at the right time... when Hackshield inits the kernel-mode driver...
    Last edited by hack4me; 10-09-2011 at 01:35 PM.
