{"id":1389,"date":"2016-12-15T07:39:52","date_gmt":"2016-12-15T07:39:52","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1389"},"modified":"2016-12-15T07:39:52","modified_gmt":"2016-12-15T07:39:52","slug":"intel-pin-cheatz-hax-and-detection-part-1","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2016\/12\/intel-pin-cheatz-hax-and-detection-part-1\/","title":{"rendered":"Intel PIN, Cheatz, Hax, And Detection Part 1"},"content":{"rendered":"

\"4711061214222e668c836f\"<\/a>
\nHerro!<\/p>\n

It’s been a while, but I’m still kicking. I got some new stuff to talk about. Specifically the binary instrumentation utility ‘PIN’ from Intel. We’re going to go over taking full advantage of this tool to cheat at games, unpack malwarez, and how to detect if your app is being run via PIN. <\/p>\n

Part 1 of this series will be on detection of PIN. <\/p>\n

For those who don’t know, the egg heads over at Intel have invented a binary instrumentation framework that allows for the manipulation of programs without source code. Remember detours? Same thing sort of, just cheaper (free), more documentation, and cross platform (Linux, Windows, ARM, android, etc). <\/p>\n

PIN allows me to monitor programs, break them, fix them without having source. I will cover more about this in my next sections. As I was playing with PIN, I was wondering to myself, “how could software detect the presence of PIN?”. After all, shared objects \/ dll’s import from something called ‘pinvm’.
\n\"mods-again\"<\/a>.<\/p>\n

You run programs within PIN which then seems to launch as a child process.
\n\"pin1\"<\/a><\/p>\n

Then it hit me – Enumerate the loaded modules for the pin module. Sounds simple enough right? Easy as hell with code:<\/p>\n

<\/p>\n

\n
        private<\/span> void<\/span> Form1_Load<\/span>(object<\/span> sender, EventArgs e)\r\n        {\r\n            Process Proc = Process.GetCurrentProcess();\r\n            ProcessModuleCollection col = Proc.Modules;\r\n            foreach<\/span> (ProcessModule fuck in<\/span> col)\r\n            {\r\n                tbf.Text += "Process Mod: "<\/span> + fuck.ModuleName + "\\r\\n"<\/span>;\r\n                if<\/span>(fuck.ModuleName.Contains("pinvm"<\/span>))\r\n                {\r\n                    MessageBox.Show("I see PIN!"<\/span>);\r\n                }\r\n            }\r\n\r\n        }\r\n<\/pre>\n<\/div>\n
Unfortunately, life is never simple. As we can see, we don’t get anything back when running PIN in tandem with our .net app:
\n\"modules_dotnet\"<\/a><\/p>\n
It’s missing the pinvm.dll module. Seems like it frees this module after loading. <\/p>\n
I thought at first, maybe it’s a .net thing. Maybe I should try another way of enumerating process modules via the use of EnumProcessModules<\/a>. Then I tried again with Module32First \/ Next<\/a>. After that I said fuck it and enumerated the Process Environment Block’s LDR list<\/a>. Again, no dice.  Rather than clutter this blog post, I’ll just link the code here<\/a>.<\/p>\n
After some searching \/ head banging, I found exactly what I needed – a list of unloaded modules. Windows keeps track of all modules loaded and unloaded. It does this via the use of the API RtlGetUnloadEventTraceEx<\/a> which is kind enough to store an array of structures that contain the modules we want. ProcessHacker has my back on this for example code<\/a>, but it takes some serious hacking to get to work.<\/p>\n
This is what i came up with (works with Visual Studio) for viewing unloaded modules. <\/p>\n
<\/p>\n
\n
#include <cstdio><\/span>\r\n#include <vector><\/span>\r\n#include <Windows.h><\/span>\r\n#define \tPTR_ADD_OFFSET(Pointer, Offset)   ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset)))<\/span>\r\n\r\nusing<\/span> pRtlGetUnloadEventTraceEx =<\/span> void<\/span>(NTAPI *<\/span>)(_Out_ PULONG *<\/span>ElementSize, _Out_ \r\nPULONG *<\/span>ElementCount, _Out_ PVOID *<\/span>EventTrace);\r\npRtlGetUnloadEventTraceEx RtlGetUnloadEventTraceEx =<\/span> nullptr;\r\n\r\ntypedef<\/span> struct<\/span> _RTL_UNLOAD_EVENT_TRACE {\r\n\tPVOID BaseAddress;   \/\/ Base address of dll<\/span>\r\n\tSIZE_T SizeOfImage;  \/\/ Size of image<\/span>\r\n\tULONG Sequence;      \/\/ Sequence number for this event<\/span>\r\n\tULONG TimeDateStamp; \/\/ Time and date of image<\/span>\r\n\tULONG CheckSum;      \/\/ Image checksum<\/span>\r\n\tWCHAR ImageName[32<\/span>]; \/\/ Image name<\/span>\r\n} RTL_UNLOAD_EVENT_TRACE, *<\/span>PRTL_UNLOAD_EVENT_TRACE;\r\n\r\nint<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[])\r\n{\r\n\tHMODULE hModule =<\/span> GetModuleHandle(L"ntdll.dll"<\/span>);\r\n\tRtlGetUnloadEventTraceEx =<\/span>\r\n\t\t(pRtlGetUnloadEventTraceEx)GetProcAddress(hModule, "RtlGetUnloadEventTraceEx"<\/span>);\r\n\tif<\/span> (RtlGetUnloadEventTraceEx ==<\/span> nullptr)\r\n\t{\r\n\t\tfprintf(stderr, "Could not retrieve RtlGetUnloadEventTraceEx. Error = %X<\/span>\\n<\/span>"<\/span>,\r\n\t\t\tGetLastError());\r\n\t\texit(-1<\/span>);\r\n\t}\r\n\tNTSTATUS status;\r\n\tPULONG elementSize;\r\n\tPULONG elementCount;\r\n\tPVOID eventTrace;\r\n\tHANDLE processHandle =<\/span> NULL<\/span>;\r\n\tULONG eventTraceSize;\r\n\tULONG capturedElementSize;\r\n\tULONG capturedElementCount;\r\n\tPVOID capturedEventTracePointer;\r\n\tPVOID capturedEventTrace =<\/span> NULL<\/span>;\r\n\tULONG i;\r\n\tPVOID currentEvent;\r\n\tHWND lvHandle;\r\n\t\t\tRtlGetUnloadEventTraceEx(&<\/span>elementSize, &<\/span>elementCount, &<\/span>eventTrace);\r\n\tOpenProcess((DWORD)&<\/span>processHandle, PROCESS_VM_READ, GetCurrentProcessId());\r\n\tReadProcessMemory(\r\n\t\tprocessHandle,\r\n\t\telementSize,\r\n\t\t&<\/span>capturedElementSize,\r\n\t\tsizeof<\/span>(ULONG),\r\n\t\tNULL<\/span>\r\n\t\t);\r\n\tReadProcessMemory(\r\n\t\tprocessHandle,\r\n\t\telementCount,\r\n\t\t&<\/span>capturedElementCount,\r\n\t\tsizeof<\/span>(ULONG),\r\n\t\tNULL<\/span>\r\n\t\t);\r\n\tReadProcessMemory(\r\n\t\tprocessHandle,\r\n\t\teventTrace,\r\n\t\t&<\/span>capturedEventTracePointer,\r\n\t\tsizeof<\/span>(PVOID),\r\n\t\tNULL<\/span>\r\n\t\t);\r\n\tif<\/span> (!<\/span>capturedEventTracePointer)\r\n\t{\r\n\t\tMessageBox(NULL<\/span>, L"oops, no events"<\/span>, L""<\/span>, 0<\/span>);\r\n\t}\r\n\tif<\/span> (capturedElementCount ><\/span> 0x4000<\/span>)\r\n\t\tcapturedElementCount =<\/span> 0x4000<\/span>;\r\n\r\n\teventTraceSize =<\/span> capturedElementSize *<\/span> capturedElementCount;\r\n\tcapturedEventTrace =<\/span> malloc(eventTraceSize);\r\n\tif<\/span> (!<\/span>capturedEventTrace)\r\n\t{\r\n\t\tMessageBox(NULL<\/span>, L"oops, no events in trace"<\/span>, L""<\/span>, 0<\/span>);\r\n\t}\r\n\tReadProcessMemory(\r\n\t\tprocessHandle,\r\n\t\tcapturedEventTracePointer,\r\n\t\tcapturedEventTrace,\r\n\t\teventTraceSize,\r\n\t\tNULL<\/span>\r\n\t\t);\r\n\tcurrentEvent =<\/span> capturedEventTrace;\r\n\r\n\tfor<\/span> (i =<\/span> 0<\/span>; i <<\/span> capturedElementCount; i++<\/span>)\r\n\t{\r\n\t\tPRTL_UNLOAD_EVENT_TRACE rtlEvent =<\/span> (PRTL_UNLOAD_EVENT_TRACE)currentEvent;\r\n\t\tINT lvItemIndex;\r\n\t\tWCHAR buffer[128<\/span>];\r\n\t\tchar<\/span> *<\/span> string;\r\n\t\tLARGE_INTEGER time;\r\n\t\tSYSTEMTIME systemTime;\r\n\r\n\t\tif<\/span> (!<\/span>rtlEvent-><\/span>BaseAddress)\r\n\t\t\tbreak<\/span>;\r\n\r\n\t\tfprintf(stdout, "Sequence: %u<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>Sequence);\r\n\t\tfprintf(stdout, "Image Name: %s<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>ImageName);\r\n\t\tfprintf(stdout, "Pointer: %x<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>BaseAddress);\r\n\t\tfprintf(stdout, "Size of Image: %u<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>SizeOfImage);\r\n\t\tfprintf(stdout, "Time stamp: %u<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>TimeDateStamp);\r\n\t\tfprintf(stdout, "Checksum: %u<\/span>\\r\\n<\/span>"<\/span>, rtlEvent-><\/span>CheckSum);\r\n\t\t\r\n\t\tcurrentEvent =<\/span> PTR_ADD_OFFSET(currentEvent, capturedElementSize);\r\n\t}\r\n\tsystem("pause"<\/span>);\r\n\treturn<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Process Hacker uses this code already when you look at loaded modules for applications running via PIN.
\n\"pin_process_hacker\"<\/a><\/p>\n
Now that we know how to detect PIN, we can prevent its use.
\n<\/p>\n
\n
for<\/span> (i =<\/span> 0<\/span>; i <<\/span> capturedElementCount; i++<\/span>)\r\n\t{\r\n\t\tPRTL_UNLOAD_EVENT_TRACE rtlEvent =<\/span> (PRTL_UNLOAD_EVENT_TRACE)currentEvent;\r\n\t\tINT lvItemIndex;\r\n\t\tWCHAR buffer[128<\/span>];\r\n\t\tchar<\/span> *<\/span> string;\r\n\t\tLARGE_INTEGER time;\r\n\t\tSYSTEMTIME systemTime;\r\n\r\n\t\tif<\/span> (!<\/span>rtlEvent-><\/span>BaseAddress)\r\n\t\t\tbreak<\/span>;\r\n\t\tif<\/span>(strcmp(rtlEvent-><\/span>ImageName,"pinvm.dll"<\/span>))\r\n\t\t{\r\n\t\tExitProcess(1<\/span>);\r\n\t\t}\r\n\t\t\r\n\t\tcurrentEvent =<\/span> PTR_ADD_OFFSET(currentEvent, capturedElementSize);\r\n\t}\r\n<\/pre>\n<\/div>\n
PIN is an awesome tool with a variety of uses, but for this first blog I thought I’d see how we could detect its usage. presently I have never seen malware or legitimate software check for the use of PIN, but we’ll see. <\/p>\n
Stay tuned for part 2 when we dive into using PIN to watch memory, access function calls and arguments, and generally be really good for debugging. We’ll do some malware, I swear.<\/p>\n
Until then, happy hacking!<\/p>\n
\"1477940576724\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Herro! It’s been a while, but I’m still kicking. I got some new stuff to talk about. Specifically the binary instrumentation utility ‘PIN’ from Intel. We’re going to go over taking full advantage of this tool to cheat at games, unpack malwarez, and how to detect if your app is being run via PIN. Part […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[113],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1389"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1389"}],"version-history":[{"count":7,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1389\/revisions"}],"predecessor-version":[{"id":1407,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1389\/revisions\/1407"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}