I've never seen one of these packets received, but, based on the code in the handler, I believe the packet can result in different types of scans being performed. Possible scan types seem to be for specific module or process names, window class names, child window names, and possibly byte checks on module or process memory. Thus, the packet will likely contain the type of scan to perform and the specifics of what to look for, such as a module or window class name to detect. This means, for example, that the server can arbitrarily initiate a check for any known 'bad' module at any time. After the scan, the client sends a 32-byte response to the server, though I don't know exactly what it contains. Below is a closer look at some of the code involved in the bot scan.
This is the top part of the main scan procedure. I believe the switch at the top determines what type of scan to perform based on a setting in the packet. It appears to have registry, pipe, and event access, though I'm not sure when or for what these are used. Note, towards the bottom, the two main sub-calls: one checks remote processes and their modules, the other checks the current process and its modules.
The inside of the ScanRemoteProcesses function looks something like this:
[Screenshots: FunctionTop / FunctionBottom]
ScanRemoteProcesses {
    EnumProcesses
    for ( processes ) {
        OpenProcess
        EnumProcessModules
        GetModuleBaseName
        scan_type = Switch()   // Maybe looking up scan type from setting
        // Unknown string check, maybe module name
        if (scan_type == type) wcsicmp
        // Maybe memory byte check or CRC check
        if (scan_type == type) ReadProcessMemory UnknownAlgo
        // Another unknown string check
        if (scan_type == type) wcsicmp
        // Maybe memory or size check
        if (scan_type == type) GetModuleFileNameEx fopen fseek ftell
    }
}

ScanCurrentProcess {
    EnumProcessModules
    for ( modules ) {
        GetModuleBaseName
        scan_type = Switch()
        // Unknown string check, maybe module name
        if (scan_type == type) wcsicmp
        // Maybe memory byte check or CRC check
        if (scan_type == type) ReadProcessMemory UnknownAlgo
        // Another unknown string check
        if (scan_type == type) wcsicmp
        // Maybe memory or size check
        if (scan_type == type) GetModuleFileNameEx fopen fseek ftell
    }
}
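As an added example (not code from the original post or from the game client), here is a portable C model of the per-module scan dispatch reconstructed above: one request, one pass over the module list, one verdict. The packet layout, the scan-type values, the little-endian size encoding and the module table are assumptions made for illustration, since the real format isn't known.

```c
/* Portable model of the reconstructed bot scan: one request, one pass over the
 * loaded-module list, one verdict. The packet layout is an ASSUMPTION, not the
 * real protocol: [scan_type:1][value_len:1][value:value_len]. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
enum scan_type { SCAN_MODULE_NAME = 1, SCAN_MEMORY_BYTES = 2, SCAN_FILE_SIZE = 3 };

/* Constructed stand-in for what EnumProcessModules/GetModuleBaseName would yield. */
struct module_info { const char *name; const uint8_t *image; size_t image_len; uint32_t file_size; };

/* wcsicmp-style comparison: "HOOK.DLL" and "hook.dll" name the same module. */
static int name_matches(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Models the ReadProcessMemory + byte-check branch: is the pattern anywhere in the image? */
static int image_contains(const struct module_info *m, const uint8_t *pat, size_t n) {
    if (n == 0 || n > m->image_len) return 0;
    for (size_t off = 0; off + n <= m->image_len; off++)
        if (memcmp(m->image + off, pat, n) == 0) return 1;
    return 0;
}

/* Index of the first module the request matches; -1 for no match or a malformed request. */
int scan_modules(const uint8_t *pkt, size_t pkt_len, const struct module_info *mods, size_t count) {
    if (pkt_len < 2 || pkt_len < 2u + pkt[1]) return -1;   /* length field must fit the buffer */
    uint8_t type = pkt[0], vlen = pkt[1]; const uint8_t *val = pkt + 2;
    char name[64] = {0};                                    /* bounded copy of the target name */
    memcpy(name, val, vlen < sizeof name - 1 ? vlen : sizeof name - 1);
    uint32_t size = vlen == 4 ? (uint32_t)val[0] | (uint32_t)val[1] << 8 |
                                (uint32_t)val[2] << 16 | (uint32_t)val[3] << 24 : 0;  /* LE32, assumed */
    for (size_t i = 0; i < count; i++) {
        switch (type) {
        case SCAN_MODULE_NAME:  if (name_matches(name, mods[i].name))       return (int)i; break;
        case SCAN_MEMORY_BYTES: if (image_contains(&mods[i], val, vlen))    return (int)i; break;
        case SCAN_FILE_SIZE:    if (vlen == 4 && mods[i].file_size == size) return (int)i; break;
        default:                return -1;                  /* unknown scan type: no verdict */
        }
    }
    return -1;
}

/* Constructed module table for the checks below (not a real process image). */
static const uint8_t img_a[] = { 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10 };
static const uint8_t img_b[] = { 0x48, 0x89, 0x5c, 0x24, 0x08 };
const struct module_info sample_modules[2] = {
    { "Game.exe", img_a, sizeof img_a, 1048576 }, { "hook.dll", img_b, sizeof img_b, 24576 } };
```

The malformed-length check matters because the client acts on a server-supplied length before touching the value bytes.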
Overall, this protection is very easy to detect and bypass, though it's efficient enough to bite you if you're not prepared for it.
Credits: Beau (clockwork), Joel (Guffy) @ 0x33.org
mail: [email protected]