In the previous post, I talked about the trick of patching the "DbgUiRemoteBreakin" and "DbgBreakPoint" functions and how to circumvent it.
In this post, I am going to analyze another trick. This time, the trick is patching the "NtContinue" function.
We already know that when a debugger attaches, the remote thread it creates in the target process starts by executing the "DbgUiRemoteBreakin" function.
Trying to find how execution is transferred to "DbgUiRemoteBreakin" in the new thread, I found that it is the "NtContinue" function: the new thread's initialization code restores the thread's initial CONTEXT through "NtContinue", and that CONTEXT is what lands execution in "DbgUiRemoteBreakin".
By hooking "NtContinue" (an inline patch at its entry) and refusing the call when the CONTEXT it is about to restore belongs to that remote thread, we can prevent OllyDbg from attaching to the process.
Here you can find a demo (tested with Windows XP SP2 and Windows 7).
This trick is bypassed in the same way as the one in Part 1 and can similarly be implemented as an OllyDbg plugin.
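The following is an added example, not the demo from this post: an x86 inline hook on ntdll!NtContinue that aborts the process only when the CONTEXT about to be restored is the one that starts the debugger's remote break-in thread. It also implements the check discussed in the comments below (inspecting the CONTEXT instead of killing on every call), so a handled SEH exception, which also returns through NtContinue, still works. Assumptions: a 32-bit process; the remote thread's start address is found in Eip (XP) or in Eax with Eip at the generic thread-start thunk (later versions), so both are compared; and the first five bytes of the 32-bit NtContinue stub are a single "mov eax, imm32" instruction that can be relocated verbatim. The Windows-specific parts sit under _WIN32; the byte-level helpers are plain C.

```c
/*
 * Added example (not the blog post's demo): x86 inline hook on ntdll!NtContinue that
 * exits the process only for the CONTEXT that starts the debugger's remote thread.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Encode a 5-byte "jmp rel32" (E9 xx xx xx xx) placed at `from`, targeting `to`.
   rel32 is relative to the end of the jmp instruction (from + 5). Returns bytes written. */
static size_t write_jmp_rel32(uint8_t out[5], uintptr_t from, uintptr_t to)
{
    int32_t rel = (int32_t)((intptr_t)to - (intptr_t)(from + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
    return 5;
}

/* The check raised in the comments: a CONTEXT restored after a handled SEH exception
   points back into ordinary code, while the initial CONTEXT of the debugger's remote
   thread points at DbgUiRemoteBreakin. Assumption: the start address is in Eip on XP
   and in Eax (Eip = generic thread-start thunk) on later versions, so compare both. */
static int is_attach_context(uintptr_t eip, uintptr_t eax, uintptr_t breakin)
{
    return eip == breakin || eax == breakin;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtContinue_t)(PCONTEXT ctx, BOOLEAN test_alert);

static uint8_t   g_trampoline[10];   /* 5 original bytes + jmp back to NtContinue+5 */
static uintptr_t g_breakin;          /* address of ntdll!DbgUiRemoteBreakin */

static NTSTATUS NTAPI hooked_NtContinue(PCONTEXT ctx, BOOLEAN test_alert)
{
    /* Assumption: 32-bit process (CONTEXT has Eip/Eax; on x64 these are Rip/Rax). */
    if (is_attach_context(ctx->Eip, ctx->Eax, g_breakin))
        ExitProcess(0);              /* same reaction as the demo discussed in the comments */
    return ((NtContinue_t)g_trampoline)(ctx, test_alert);   /* all other callers proceed */
}

/* Overwrite the first 5 bytes of NtContinue with a jmp to hooked_NtContinue.
   Assumption: the 32-bit stub begins with "mov eax, imm32" (B8 xx xx xx xx), one
   position-independent instruction, so those bytes are copied into the trampoline as-is. */
static int install_ntcontinue_hook(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    uint8_t *target = ntdll ? (uint8_t *)GetProcAddress(ntdll, "NtContinue") : NULL;
    g_breakin = ntdll ? (uintptr_t)GetProcAddress(ntdll, "DbgUiRemoteBreakin") : 0;
    if (!target || !g_breakin || target[0] != 0xB8)
        return 0;

    DWORD old;
    memcpy(g_trampoline, target, 5);
    write_jmp_rel32(g_trampoline + 5, (uintptr_t)g_trampoline + 5, (uintptr_t)target + 5);
    if (!VirtualProtect(g_trampoline, sizeof g_trampoline, PAGE_EXECUTE_READWRITE, &old))
        return 0;

    uint8_t jmp[5];
    write_jmp_rel32(jmp, (uintptr_t)target, (uintptr_t)hooked_NtContinue);
    if (!VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, &old))
        return 0;
    memcpy(target, jmp, 5);
    VirtualProtect(target, 5, old, &old);
    FlushInstructionCache(GetCurrentProcess(), target, 5);
    return 1;
}
#endif
```

Call install_ntcontinue_hook() early in the protected program (before any code that relies on SEH). Because NtContinue is also the return path for every handled exception, the CONTEXT comparison is what keeps the hook from killing the process on ordinary exception handling; a debugger that restores the original five bytes of NtContinue before attaching defeats the hook, which is the bypass referred to above.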
Update:
I updated the demo in response to a comment.
You can follow me on Twitter @waleedassar
No sane person would hook NtContinue this way and call ExitProcess. It is used for much, much more than just "transferring execution to DbgUiRemoteBreakin".
For example, every time an SEH exception is handled, the NtContinue function is called to return execution to the main code.
The demo has been updated. Just try it.
You missed the whole point of the post. It is only a demo.
You can place your own checks to differentiate between NtContinue called due to a handled exception and NtContinue called upon attaching.
For example, checking the EIP in the "CONTEXT" structure passed to NtContinue. Got it?
Thanks for leaving me polite comments.
Great stuff!!