NSudo Devil Mode - One of NSudo implementations for developers

Discussion in 'Windows 10' started by Mouri_Naruto, Jan 15, 2020.

  1. Mouri_Naruto

    Mouri_Naruto MDL Senior Member

    Jul 10, 2014
    337
    1,151
    10
    #1 Mouri_Naruto, Jan 15, 2020
    Last edited: Jan 16, 2020
    NSudo is a tool for Windows enthusiasts and script developers. But NSudo Devil Mode is a library for Windows developers. So I want to create a new My Digital Life Forums thread and I hope I can get your understanding.

    Introduction of NSudo Devil Mode

    NSudo Devil Mode is an elegant solution for developers who want to bypass the file and registry access checks. It hooks some file and registry Windows NT kernel system calls via Microsoft Detours, so developers only need to load NSudoDevilMode.dll into their apps before enjoying it.

    NSudo Devil Mode only needs Administrator privilege. So developers need to run their apps as Administrator if they want to use it.

    As the creator of the NSudo project, I think NSudo Devil Mode may replace tools similar to NSudo in most cases. NSudo 8.0 will support running apps in NSudo Devil Mode, and Dism++ God Mode will be refactored with NSudo Devil Mode. So NSudo will be more professional in the future, because I don't want NSudo to be replaced by NSudo Devil Mode, lol.

    Why I created NSudo Devil Mode

    NSudo Shared Library is hard for developers to integrate because it exposes a lot of details about the Windows security model and looks like a low-level library. I don't think only providing NSudo Shared Library is good for developers who want to bypass the file and registry access checks. So I have created NSudo Devil Mode.

    Origin of NSudo Devil Mode

    NSudo Devil Mode is based on Dism++ God Mode, or "Dism++ 春哥附体" as it is called in Chinese. I have refactored the implementation of Dism++ God Mode, added some new features and made its source code available in NSudo's GitHub repository.

    The list of hooked Windows NT kernel system calls

    • NtCreateKey (Introduced in Dism++ God Mode.)
    • NtCreateKeyTransacted (Introduced in NSudo Devil Mode.)
    • NtOpenKey (Introduced in Dism++ God Mode and extended in NSudo Devil Mode.)
    • NtOpenKeyTransacted (Introduced in NSudo Devil Mode.)
    • NtOpenKeyEx (Introduced in Dism++ God Mode.)
    • NtOpenKeyTransactedEx (Introduced in NSudo Devil Mode.)
    • NtCreateFile (Introduced in Dism++ God Mode.)
    • NtOpenFile (Introduced in Dism++ God Mode.)

    How to use NSudo Devil Mode

    You can enable it via LoadLibrary and disable it via FreeLibrary. Here is some demo code.

    Code:
    using System;
    using System.IO;
    using System.Runtime.InteropServices;
    
    namespace Demo
    {
        class Program
        {
            [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
            static extern IntPtr LoadLibrary(string lpLibFileName);
    
            [DllImport("kernel32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            static extern bool FreeLibrary(IntPtr hLibModule);
    
            static void Main(string[] args)
            {
                // Loading the DLL installs the hooks in this process.
                IntPtr NSudoDevilModeModuleHandle = LoadLibrary(
                    @"E:\GitHub\M2Team\NSudo\Output\Release\x64\NSudoDevilMode.dll");
                if (NSudoDevilModeModuleHandle == IntPtr.Zero)
                {
                    Console.WriteLine("LoadLibrary failed, Win32 error " + Marshal.GetLastWin32Error());
                    return;
                }
    
                // With NSudo Devil Mode active, listing this normally inaccessible folder succeeds.
                {
                    DirectoryInfo Folder = new DirectoryInfo(
                        @"C:\System Volume Information");
    
                    foreach (FileInfo File in Folder.GetFiles())
                    {
                        Console.WriteLine(File.FullName);
                    }
                }
    
                // Unloading the DLL removes the hooks again.
                FreeLibrary(NSudoDevilModeModuleHandle);
    
                // Without NSudo Devil Mode, the same listing is expected to fail with access denied.
                {
                    DirectoryInfo Folder = new DirectoryInfo(
                        @"C:\System Volume Information");
    
                    foreach (FileInfo File in Folder.GetFiles())
                    {
                        Console.WriteLine(File.FullName);
                    }
                }
    
                Console.ReadKey();
            }
        }
    }
    
    Screenshots

    [Screenshot: When I want to rename regedit.png] Without NSudo Devil Mode

    [Screenshot: When I using NSudo Devil Mode.png] With NSudo Devil Mode

    Changelog

    The version of NSudo Devil Mode is the same as NSudo's.

    Code:
    ## NSudo Devil Mode 8.0 PreAlpha 3 V2 
    - Use more NT APIs and streamline the Detours source code for reducing the binary size.
    
    ## NSudo Devil Mode 8.0 PreAlpha 3
    - Initial Version
    



    M2-Team
     

    Attached Files:

  2. Mouri_Naruto

    Mouri_Naruto MDL Senior Member

    Jul 10, 2014
    337
    1,151
    10
    @MSMG I think it's a good solution for you. What do you think about that?
     
  3. MSMG

    MSMG MDL Developer

    Jul 15, 2011
    3,725
    8,404
    120
    Yes, will check out the new version.

     
  4. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    4,843
    5,747
    150
    wow, thanks a lot Mouri for your contribution here
     
  5. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,072
    1,874
    210
    Does AV go bonkers when encountering this?
     
  6. Mouri_Naruto

    Mouri_Naruto MDL Senior Member

    Jul 10, 2014
    337
    1,151
    10
  7. nodnar

    nodnar MDL Expert

    Oct 15, 2011
    1,106
    850
    60
    basically, i suppose it is a calculated risk if you play with that stuff, and mouri uses open source and has been around since 2014 here, @sebus; and you know how fast the esteemed members start screaming when they get a false positive somewhere. i downloaded it, unpacked, and scanned it [mse and malwarebytes]. no screams; it is safe enough, lol.
     
  8. Mouri_Naruto

    Mouri_Naruto MDL Senior Member

    Jul 10, 2014
    337
    1,151
    10
    Updated: NSudo Devil Mode 8.0 PreAlpha 3 V2

    Attachment at #1.
     
  9. Mouri_Naruto

    Mouri_Naruto MDL Senior Member

    Jul 10, 2014
    337
    1,151
    10
    Also, I provide the complete PDB file, so everyone can analyze NSudoDevilMode.dll via IDA Pro, OllyDbg and other reverse engineering tools, lol. (Getting trust from others makes me feel fulfilled.)