Wednesday, February 15, 2012

Debuggers Anti-Attaching Techniques - Part 6

In this post I will discuss a simple anti-attaching trick, which I forgot to document in the previous posts. This trick is so simple that all it requires is erasing the PE header of the main executable at run time.

Erasing the PE header works as an effective anti-attaching technique as it prevents the system from creating new threads, a critical step of attaching to active processes since a successful call to the "RtlCreateUserThread" function is required for the "DebugActiveProcess" function call to succeed. See Debuggers Anti-Attaching Techniques - Part 1.

This trick is implemented with only a few lines of C code. See the image below.
Trying to attach to this process, you will get the following message box.

This trick does not necessarily require erasing the whole PE header. Erasing the MZ signature is enough.

This trick works under Windows 7 and not under Windows XP, due to a dramatic change introduced in later versions of Windows in the way threads are created. In Windows 7, the kernel has to extract the values of SizeOfStackReserve and SizeOfStackCommit from the PE header of the target process image, unlike XP, which extracts those values from the PE header of the process that is creating the thread.

So, by erasing the PE header as shown above, we cause the "RtlImageNtHeader" function, called from the "RtlCreateUserStack" function, to fail, returning 0xC000007B, which is equivalent to ERROR_BAD_EXE_FORMAT.
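As an added example (not the post's code, and only a simplified model of the kernel's checks), here is a Python routine a defender's scanner or process dumper can run over the bytes read from a process's image base to tell whether the header has been wiped and why thread creation would fail; the field offsets are the documented PE32/PE32+ layout, and the sample header is constructed for the example, not a real binary.

```python
import struct

# 0xC000007B is the status the post reports; its NTSTATUS name is STATUS_INVALID_IMAGE_FORMAT.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_IMAGE_FORMAT = 0xC000007B
IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def inspect_image_header(image: bytes) -> dict:
    """Simplified model (an assumption, not the kernel's code) of the checks
    RtlImageNtHeader/RtlCreateUserStack make on the header read from a
    process's image base; returns the status and the two stack-size fields."""
    bad = {"status": STATUS_INVALID_IMAGE_FORMAT, "stack_reserve": None,
           "stack_commit": None, "reason": ""}
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return dict(bad, reason="'MZ' signature missing (wiped DOS header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 4 + 20            # skip Signature and IMAGE_FILE_HEADER
    if opt + 88 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return dict(bad, reason="'PE' signature missing or e_lfanew out of range")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:            # SizeOfStackReserve/Commit: DWORDs at +72
        reserve, commit = struct.unpack_from("<II", image, opt + 72)
    elif magic == PE32PLUS_MAGIC:      # same offset, but QWORDs in PE32+
        reserve, commit = struct.unpack_from("<QQ", image, opt + 72)
    else:
        return dict(bad, reason="unknown optional-header magic")
    return {"status": STATUS_SUCCESS, "stack_reserve": reserve,
            "stack_commit": commit, "reason": "header intact"}

def is_header_wiped(image: bytes) -> bool:
    """Scanner/dumper helper: True when the in-memory header can no longer
    satisfy the thread-creation path the post describes (an anti-dump indicator)."""
    return inspect_image_header(image)["status"] != STATUS_SUCCESS

def build_sample_header(reserve=0x100000, commit=0x1000) -> bytes:
    """Constructed minimal PE32 header (not a real binary): DOS header with
    e_lfanew = 0x40, 'PE' signature, IMAGE_FILE_HEADER, 0xE0-byte optional header."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 72, reserve, commit)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)

INTACT = build_sample_header()
MZ_WIPED = b"\0\0" + INTACT[2:]   # constructed: only the two 'MZ' bytes zeroed, as the post says suffices
```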

The source code of the example above can be found here.

N.B. This has only been tested on Windows 7.
N.B. This can also be used as an anti-dumping trick.

You can follow me on Twitter @waleedassar 

4 comments:

  1. The problem here is that loading resources or using GetProcAddress on the exe to get an export will fail, and probably some other things too.

    1. If you plan to use that trick in your process, then you should take care of that in advance, e.g. do that stuff before erasing the PE header. I agree with you, it is not the best way to prevent attaching, but it should still be considered (malware).

  2. Hi Walied

    Check this paper:

    https://forum.tuts4you.com/topic/36603-uncovering-larp64pro/

    One of your discoveries was mentioned there.
