Comments on waliedassar: PAGE_EXECUTE_WRITECOPY As Anti-Debug Trick
Comment feed, last updated 2024-02-05T00:25:13-08:00. 13 comments, listed oldest first.

Peter Ferrie (http://pferrie.host22.com), 2012-09-28 21:22 -07:00:
The debugger behaviour is actually a bit different. If you call, for example, VirtualProtect() on a READWRITE data page to change to READWRITE (i.e. do nothing), then the previous attributes will come back as READWRITE the first time. If you do it again, it will come back as WRITECOPY, and then always WRITECOPY, no matter how many times you restart the file. If you rename the file, then you will get READWRITE again the first time, and then WRITECOPY forever after that.

Z, 2012-09-30 03:08 -07:00:
Why would the OS want to share a process-specific page between all processes? This would make sense for shared libraries such as kernel32.dll, which indeed are shared, but sharing a PROCESS-SPECIFIC page doesn't make sense to me. Could you please clarify this?

walied (https://www.blogger.com/profile/18278414703959705421), 2012-09-30 03:27 -07:00:
All instances of the same process, e.g. you have three notepad.exe processes.

Z, 2012-09-30 08:16 -07:00:
Thanks for clarifying. Another follow-up question which is a bit more in depth, if you don't mind:
I assume shared libraries' pages are marked as "global" pages (which allows the sharability) in the paging structures once they are loaded more than once.

But if I create a new process, would it immediately mark its pages as global? Just for the slim chance that you might want to run another instance of it? It sounds very wasteful to me. Sounds to me it would make more sense to only do that when the same pages of the process are trying to be loaded up more than once (as in another instance of the program is started up).

Z, 2012-09-30 08:23 -07:00:
In which case they shouldn't have PAGE_EXECUTE_WRITECOPY as the default value, in my understanding.

Anyway, I enjoy reading your interesting blog entries. Please keep it up!

Z, 2012-09-30 08:26 -07:00:
I think I've reached the conclusion now that what it might do is mark the pages' protection as PAGE_EXECUTE_WRITECOPY while NOT marking the pages global, thus if another instance of the program is started, the OS will know if the pages have been tampered with - in which case it would reload them, or not - in which case it will mark them global.

Pellsson (https://www.blogger.com/profile/11107918213640648413), 2012-10-23 19:22 -07:00:
You fail to mention how relocations and IAT fetching (assuming the IAT is in the code section, MS likes to do this) will break this check completely, since the code section will already be written to long before you gain control.

You could of course disable relocations, but that would in turn disable ASLR for your module, and that would hardly be worth it.

walied (https://www.blogger.com/profile/18278414703959705421), 2012-10-23 19:39 -07:00:
Okay, dude. You did not even bother looking at the source code of my demo. I isolated the trick into a new section.

#pragma comment(linker,"/SECTION:xyz,ERW")
#pragma code_seg("xyz")

Check this again:
http://pastebin.com/62De887S

walied (https://www.blogger.com/profile/18278414703959705421), 2012-10-23 20:34 -07:00:
Regarding the relocations and ASLR, it is just easy to have a section with no addresses to be relocated. For example, imagine you have a dummy function called MyGetProcAddress that wraps up kernel32.GetProcAddress and is located in the .text section. You can always use MyGetProcAddress to retrieve all subsequent addresses of your API calls. Similar to this, you can use all the strings passed to MyGetProcAddress by their relative addresses to your executable's ImageBase.

Pellsson (https://www.blogger.com/profile/11107918213640648413), 2012-10-30 19:06 -07:00:
Oh, yea, should have read the code, sorry.

Didn't understand from the article that you had added a section; figured you just patch the existing code section.

You could just populate a structure containing all absolute addresses from the default code section (with relocs) and pass it to the do_debugger_check(), and all issues are resolved.

Good job sir.

everdox (https://www.blogger.com/profile/06025628791110660606), 2013-01-15 12:09 -08:00:
Can also use NtQueryVirtualMemory to see if the PFN is still shareable. Can also use a similar method to prevent subsequent process creation if you wanted to limit people to one instance of your process. You can get a count of how many mapped PFNs, or using your method you could include the mem_scn_shared flag then modify an important code path.

Anonymous, 2014-01-05 05:37 -08:00:
If you're not stepping into the main2() function, then you can pass it and still have your PAGE_EXECUTE_WRITECOPY set.
I guess it's because the code isn't modified with single-step interrupts.

Anonymous, 2014-08-09 12:56 -07:00:
While circumventing the PAGE_EXECUTE_WRITECOPY anti-debugging on Win7 (OllyDbg 2) worked, it failed on Win8. Even with hw breakpoints the debugger was detected.
Can someone confirm this?