Thursday, December 15, 2011

Debuggers Anti-Attaching Techniques - Part 4

In this post i will take you through an anti-attach trick i have recently come up with.

Given the two following facts, 1) For a debugger to attach itself to a process, the debugger has to create a remote thread in the process, 2) The OS loader calls TLS callbacks when a new thread is created in a process - we can design a TLS callback which increments a global variable. This global variable holds number of threads in the current process. If value in this variable exceeds a specific number, this means that a foreign thread has just been created and the process has to exit as such. We can alternatively ask the TLS callback routine to query the entrypoint of the thread it is running under and if the entrypoint is the address of the "DbgUiRemoteBreakin" function, we should kill the process.

This is a simple demonstrating example.
Abit more complicated example can be found here and its source code from here.

N.B. Both examples have been tested on XP SP3 only.

To make things harder, we would use dynamic TLS callbacks instead.

To implement a dynamic TLS callback, follow these 2 steps:
1) Create a TLS structure and then store its rva and size in the TLS data directory at runtime.
2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.

Source code can be found here. It works on Win XPSP3 only. You can edit the source code to include other OSes.

N.B. This trick is still in progress and i am waiting for any feedback.

You can follow me on Twitter @waleedassar 

1 comment:

  1. Nice trick. I haven't heard of it before.

    ReplyDelete