Sunday, December 11, 2011

Debuggers Anti-Attaching Techniques - Part 2

In the previous post, I talked about the trick of patching the "DbgUiRemoteBreakin" and "DbgBreakPoint" functions and how to circumvent it.

In this post, I am going to analyze another trick. This time, the trick is patching the "NtContinue" function.

We already know the remote thread starts with executing the "DbgUiRemoteBreakin" function.

Trying to find out how execution is transferred to the "DbgUiRemoteBreakin" function in the new thread, I found that it is the "NtContinue" function that does it.

By hooking the "NtContinue" function, we can prevent OllyDbg from attaching to processes.

Here you can find a demo (tested with Windows XP SP2 and Windows 7).
 
This trick is bypassed in the same way as the one in Part 1 and can similarly be implemented as an OllyDbg plugin.

Update:
I updated the demo in response to a comment. 

You can follow me on Twitter @waleedassar 

3 comments:

  1. No sane person would hook NtContinue this way and call ExitProcess. It is used for many more functions than just "transferring execution to DbgUiRemoteBreakin".

    For example, every time an SEH exception is handled, the NtContinue function is called to return execution to the main code.

    Replies
    1. The demo has been updated. Just try it.

  2. You missed the whole point of the post. It is only a demo.

    You can place your own checks to differentiate between NtContinue called due to a handled exception and NtContinue called upon attaching.

    For example, checking the EIP in the "CONTEXT" structure passed to NtContinue. Got it?

    Thanks for leaving me polite comments.

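The check proposed in the second comment, written out as an added example (this is not the post's demo and not the author's code): the hooked NtContinue looks at the Eip in the CONTEXT it receives and only treats a continuation into DbgUiRemoteBreakin as a debugger attach, so SEH returns into the program pass through. The DbgUiRemoteBreakin range, the sample addresses and the 0x40-byte window are constructed assumptions; the inline patch that installs the hook is not shown.

```c
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
typedef CONTEXT ThreadContext;   /* 32-bit build: the real CONTEXT has an Eip member */
#else
/* Stand-in for the x86 CONTEXT so the check compiles off Windows
 * (assumption: only the Eip member matters for this check). */
typedef struct { uint32_t Eip; } ThreadContext;
#endif

/* [start, end) of ntdll!DbgUiRemoteBreakin, recorded when the hook is installed. */
typedef struct { uintptr_t start, end; } CodeRange;

typedef enum { CONTINUE_NORMAL = 0, CONTINUE_ATTACH = 1 } ContinueKind;

/* The attach thread's CONTEXT has Eip inside DbgUiRemoteBreakin; an SEH
 * handler returning to the program hands NtContinue a CONTEXT whose Eip
 * points back into program code, so it is left alone. */
ContinueKind classify_continue(const ThreadContext *ctx, const CodeRange *breakin)
{
    uintptr_t eip = (uintptr_t)ctx->Eip;
    return (eip >= breakin->start && eip < breakin->end) ? CONTINUE_ATTACH
                                                         : CONTINUE_NORMAL;
}

/* Same check against a constructed range (not real ntdll addresses),
 * so it can be exercised without a debugger attaching. */
ContinueKind classify_eip(uintptr_t eip)
{
    const CodeRange breakin = { 0x7C90D000u, 0x7C90D040u };  /* constructed */
    ThreadContext ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.Eip = (uint32_t)eip;
    return classify_continue(&ctx, &breakin);
}

#ifdef _WIN32
typedef LONG (NTAPI *NtContinue_t)(PCONTEXT, BOOLEAN);
static NtContinue_t g_orig_NtContinue;  /* trampoline set by the hook installer (not shown) */
static CodeRange g_breakin;             /* filled by the installer from GetProcAddress */

/* Replacement NtContinue: SEH returns go through, the attach thread does not. */
LONG NTAPI HookedNtContinue(PCONTEXT ctx, BOOLEAN test_alert)
{
    if (classify_continue(ctx, &g_breakin) == CONTINUE_ATTACH)
        ExitProcess(1);             /* the demo's reaction, per the post */
    return g_orig_NtContinue(ctx, test_alert);
}
#endif
```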