Didier Stevens

Wednesday 12 March 2008

bpmtk: DisableAMD

Filed under: Hacking,My Software,Reverse Engineering — Didier Stevens @ 0:43

Remember my DisableAMD post? In stead of patching the EXE file, you can also use my Basic Process Manipulation Tool Kit to patch the running process.

There is a small difficulty, however. The check for the DisableCMD key is done when CMD.EXE is started, so to be successful, we have to start the program and change the DisableCMD string in memory before the check is made. Sounds impossible? Not really, the CreateProcess function allows you to create a new process with its main thread in a suspended state (this means that the program is not running). This gives you the opportunity to change the string in memory before it is used.

Use the start statement to start a new process in suspended state:

start cmd.exe

Change the string in memory:

search-and-write module:. unicode:DisableCMD unicode:DisableAMD

The main thread will be resumed after the last statement was executed (search-and-write in our example):

start-cmd-w2k8.png

The cmd.exe window in the background was launched from the start menu (showing you that cmd.exe is disabled), while the cmd.exe window in the foreground was launched with the bpmtk (showing you the bypass of the GPO).

And did you notice that this screenshot is taken on a Windows 2008 server?

Next time, I’ll show some tricks to use the bpmtk in a restricted environment, like a Terminal Server.

4 Comments »

  1. What tool do you use to make the changes to memory

    Change the string in memory:

    search-and-write module:. unicode:DisableCMD unicode:DisableAMD

    Thanks
    G

    Comment by G — Thursday 13 March 2008 @ 22:42

  3. I’ve looked at this and can’t start a new process in suspended state on my XP Pro SP2 PC! If I type at Start > Run, I’m faced with an error:

    “Windows cannot find ‘start’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.”

    I can use the start command from a command prompt, but that defeats the object of your utility!

    Any ideas?

    Comment by Dave — Sunday 20 April 2008 @ 18:14

  4. I’m almost 100% sure that Start is a build-in command of cmd, like cd. You need to start cmd.

    Comment by Didier Stevens — Tuesday 22 April 2008 @ 18:29


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.