Showing posts with label anti-attaching.

Wednesday, February 15, 2012

Debuggers Anti-Attaching Techniques - Part 6

In this post I will discuss a simple anti-attaching trick which I forgot to document in previous posts. The trick is so simple that all it requires is erasing the PE header of the main executable at run-time.

Erasing the PE header works as an effective anti-attaching technique because it prevents the system from creating new threads in the process, a critical step in attaching to a running process: a successful call to the "RtlCreateUserThread" function is required for the "DebugActiveProcess" call to succeed. See Debuggers Anti-Attaching Techniques - Part 1.

This trick is implemented in only a few lines of C code; see the image below.
If you try to attach to this process, you will get the following message box.

This trick does not necessarily require erasing the whole PE header. Erasing the MZ signature is enough.

This trick works under Windows 7 but not under Windows XP, due to a dramatic change in the way threads are created that was introduced in later versions of Windows. In Windows 7, the kernel has to extract the values of SizeOfStackReserve and SizeOfStackCommit from the PE header of the target process image, unlike XP, which extracts those values from the PE header of the process that is creating the thread.

So, by erasing the PE header as shown above, we cause the "RtlImageNtHeader" function, called from the "RtlCreateUserStack" function, to fail and return 0xC000007B, which is equivalent to ERROR_BAD_EXE_FORMAT.
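The following is an added example, not the code from this post or from the linked source: a portable C model of the header lookup described above. It reads SizeOfStackReserve and SizeOfStackCommit from a constructed PE32 header the way the post says the Windows 7 thread-creation path does, and shows the lookup failing with 0xC000007B once only the two MZ bytes are erased. Field offsets follow the PE/COFF specification; the header block, the function names and the status-code macros are this example's own, and the real RtlImageNtHeader/RtlCreateUserStack are not called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_IMAGE_FORMAT 0xC000007Bu  /* Win32 equivalent: ERROR_BAD_EXE_FORMAT */
#define IMAGE_DOS_SIGNATURE 0x5A4D               /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550           /* "PE\0\0" */
#define OPT_MAGIC_PE32      0x10B
#define OPT_MAGIC_PE32PLUS  0x20B
#define IMG_LEN 0x200                            /* size of the constructed header block */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Model of RtlImageNtHeader: offset of the NT headers, or -1 when the DOS or
 * PE signature is missing or e_lfanew points outside the buffer. */
static long image_nt_header(const uint8_t *base, size_t len) {
    if (len < 0x40 || rd16(base) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(base + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24 + 88) return -1;  /* Signature + file header + fields we read */
    if (rd32(base + e_lfanew) != IMAGE_NT_SIGNATURE) return -1;
    return (long)e_lfanew;
}

/* Model of the lookup the post attributes to the Windows 7 thread-creation
 * path: SizeOfStackReserve / SizeOfStackCommit are read from the optional
 * header of the target process image. It fails exactly when the header
 * cannot be located, which is what erasing "MZ" triggers. */
static uint32_t image_stack_sizes(const uint8_t *base, size_t len, uint64_t *reserve, uint64_t *commit) {
    long nt = image_nt_header(base, len);
    if (nt < 0) return STATUS_INVALID_IMAGE_FORMAT;
    const uint8_t *opt = base + nt + 4 + 20;                   /* skip Signature and IMAGE_FILE_HEADER */
    switch (rd16(opt)) {                                       /* optional header Magic */
    case OPT_MAGIC_PE32:     *reserve = rd32(opt + 72); *commit = rd32(opt + 76); break;
    case OPT_MAGIC_PE32PLUS: *reserve = rd64(opt + 72); *commit = rd64(opt + 80); break;
    default: return STATUS_INVALID_IMAGE_FORMAT;
    }
    return STATUS_SUCCESS;
}

/* Constructed PE32 header block carrying only the fields this demo reads. */
static void build_image(uint8_t *img) {
    memset(img, 0, IMG_LEN);
    wr16(img, IMAGE_DOS_SIGNATURE);
    wr32(img + 0x3C, 0x80);                                    /* e_lfanew */
    wr32(img + 0x80, IMAGE_NT_SIGNATURE);
    wr16(img + 0x80 + 4, 0x014C);                              /* Machine = i386 */
    wr16(img + 0x80 + 20, 0xE0);                               /* SizeOfOptionalHeader */
    uint8_t *opt = img + 0x80 + 24;
    wr16(opt, OPT_MAGIC_PE32);
    wr32(opt + 72, 0x100000);                                  /* SizeOfStackReserve = 1 MiB */
    wr32(opt + 76, 0x1000);                                    /* SizeOfStackCommit  = 4 KiB */
}

/* The post's minimal variant of the trick: only the two "MZ" bytes are zeroed. */
static void erase_mz(uint8_t *img) { wr16(img, 0); }

/* Defender-side check a debugger or dump tool can run before relying on the
 * header: 1 if the image header still parses, 0 if it has been erased. */
static int header_intact(const uint8_t *img, size_t len) {
    uint64_t r, c;
    return image_stack_sizes(img, len, &r, &c) == STATUS_SUCCESS;
}

/* Status of the stack-size lookup for a fresh header (erase == 0) or one
 * whose MZ signature has been erased (erase == 1). */
static uint32_t demo_status(int erase) {
    uint8_t img[IMG_LEN]; uint64_t r = 0, c = 0;
    build_image(img);
    if (erase) erase_mz(img);
    return image_stack_sizes(img, IMG_LEN, &r, &c);
}

/* Stack reserve read back from the intact constructed header. */
static uint64_t demo_reserve(void) {
    uint8_t img[IMG_LEN]; uint64_t r = 0, c = 0;
    build_image(img);
    return image_stack_sizes(img, IMG_LEN, &r, &c) == STATUS_SUCCESS ? r : 0;
}

int main(void) {
    uint8_t img[IMG_LEN];
    build_image(img);
    printf("intact header: status 0x%08X, parses=%d\n", (unsigned)demo_status(0), header_intact(img, IMG_LEN));
    erase_mz(img);
    printf("MZ erased:     status 0x%08X, parses=%d\n", (unsigned)demo_status(1), header_intact(img, IMG_LEN));
    return 0;
}
```

The same header_intact check is what a dumping tool needs before trusting a process's in-memory headers, which is why the post can note the trick doubles as anti-dumping.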

The source code of the example above can be found here.

N.B. This has only been tested on Windows 7.
N.B. This can also be used as an anti-dumping trick.

You can follow me on Twitter @waleedassar 

Sunday, December 18, 2011

Debuggers Anti-Attaching Techniques - Part 5

In this post, I will explain another anti-attaching trick. The trick is that if we manipulate the _PEB_LDR_DATA structure pointed to by PEB.LoaderData, we can cause functions like EnumProcessModules and GetModuleFileNameExA to fail.

Consequently, OllyDbg would not be able to see the process in the "Select process to attach" dialog box.


You can play with this demo.

N.B. This trick can't be reliably used unless you carefully choose the APIs used in your application. Avoid APIs which read from or write to the _PEB_LDR_DATA structure.

Update:
I have made a tiny plugin for OllyDbg v1.10. The plugin enables debugging those applications which do not show up in the "Select process to attach" dialog box. The plugin first checks the integrity of the target process's _PEB_LDR_DATA structure; if a manipulated structure is detected, a new, typical one is created.

The plugin can be downloaded from here and its source code from here.

Update:
Variants of this trick manipulate PEB.LoaderData so that an infinite loop occurs in OllyDbg or any other application which tries to use the "EnumProcessModules" function or the like. See the image below.
The demo can be found here.
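Added example (not the post's demo or the plugin's code): a C model of the integrity check a debugger plugin can run over the load-order module list before enumerating it, covering both the failing-API case and the infinite-loop variant. The structures are simplified stand-ins for _PEB_LDR_DATA and its module entries, not the real layouts; the three sample modules, their base addresses and the corruption scenarios are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Simplified model of a loader module entry: the link field first, as in the
 * real entry, plus two payload fields. Not the real _LDR_DATA_TABLE_ENTRY. */
typedef struct MODULE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;
    uintptr_t   DllBase;
    const char *BaseDllName;
} MODULE_ENTRY;

/* Simplified model of _PEB_LDR_DATA: just the load-order list head. */
typedef struct LDR_DATA_MODEL { LIST_ENTRY InLoadOrderModuleList; } LDR_DATA_MODEL;

enum { LDR_OK = 0, LDR_CYCLE = 1, LDR_BROKEN_LINK = 2, LDR_TOO_LONG = 3 };
#define MAX_MODULES 4096

/* Integrity check before enumerating modules.
 * Pass 1 follows Flink only, as EnumProcessModules-style code does, but with
 * tortoise/hare pointers so a ring that never returns to the head is reported
 * as LDR_CYCLE instead of hanging the caller; a NULL link is LDR_BROKEN_LINK.
 * Pass 2 verifies that each Blink agrees with the Flink that reached it, and
 * counts entries under an upper bound. */
static int ldr_list_check(const LDR_DATA_MODEL *ldr, size_t *count) {
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    const LIST_ENTRY *slow = head, *fast = head;
    for (;;) {
        slow = slow->Flink;
        if (slow == NULL) return LDR_BROKEN_LINK;
        if (slow == head) break;
        for (int k = 0; k < 2; k++) {
            fast = fast->Flink;
            if (fast == NULL) return LDR_BROKEN_LINK;
            if (fast == head) goto closed;          /* the ring does return to the head */
        }
        if (slow == fast) return LDR_CYCLE;         /* hare lapped the tortoise: head is unreachable */
    }
closed:;
    size_t n = 0;
    for (const LIST_ENTRY *e = head;; e = e->Flink) {
        if (e->Flink->Blink != e) return LDR_BROKEN_LINK;
        if (e->Flink == head) break;
        if (++n > MAX_MODULES) return LDR_TOO_LONG;
    }
    *count = n;
    return LDR_OK;
}

/* Constructed sample: three modules behind the list head. */
static MODULE_ENTRY mods[3] = {
    { {NULL, NULL}, 0x00400000u, "demo.exe" },
    { {NULL, NULL}, 0x77000000u, "ntdll.dll" },
    { {NULL, NULL}, 0x76000000u, "kernel32.dll" },
};
static LDR_DATA_MODEL ldr;

/* Build (or rebuild) a well-formed ring. Rebuilding is also the repair step,
 * the job the post's plugin does when it finds a manipulated structure. */
static void build_list(void) {
    LIST_ENTRY *head = &ldr.InLoadOrderModuleList;
    head->Flink = &mods[0].InLoadOrderLinks;
    head->Blink = &mods[2].InLoadOrderLinks;
    for (int i = 0; i < 3; i++) {
        mods[i].InLoadOrderLinks.Flink = (i < 2) ? &mods[i + 1].InLoadOrderLinks : head;
        mods[i].InLoadOrderLinks.Blink = (i > 0) ? &mods[i - 1].InLoadOrderLinks : head;
    }
}

/* Scenario 1, the infinite-loop variant: the last entry's Flink skips the head. */
static void corrupt_loop(void) { mods[2].InLoadOrderLinks.Flink = &mods[0].InLoadOrderLinks; }
/* Scenario 2: a Blink that disagrees with the neighbour's Flink. */
static void corrupt_blink(void) { mods[1].InLoadOrderLinks.Blink = &ldr.InLoadOrderModuleList; }

/* 0 = healthy, 1 = looped, 2 = broken back-link, 3 = looped then repaired. */
static int run_scenario(int scenario, size_t *count) {
    build_list();
    if (scenario == 1) corrupt_loop();
    if (scenario == 2) corrupt_blink();
    if (scenario == 3) { corrupt_loop(); build_list(); }
    *count = 0;
    return ldr_list_check(&ldr, count);
}
static int    demo_status(int scenario) { size_t n; return run_scenario(scenario, &n); }
static size_t demo_count(int scenario)  { size_t n; run_scenario(scenario, &n); return n; }

int main(void) {
    static const char *names[] = { "LDR_OK", "LDR_CYCLE", "LDR_BROKEN_LINK", "LDR_TOO_LONG" };
    for (int s = 0; s <= 3; s++) {
        size_t n; int st = run_scenario(s, &n);
        printf("scenario %d: %s (%zu modules)\n", s, names[st], n);
    }
    return 0;
}
```

Note that the back-link check alone is not enough against the looping variant: a naive enumerator never consults Blink, so the bounded tortoise/hare walk is what turns a hang into a diagnosable LDR_CYCLE.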

You can follow me on Twitter @waleedassar 

Thursday, December 15, 2011

Debuggers Anti-Attaching Techniques - Part 4

In this post I will take you through an anti-attach trick I have recently come up with.

Given the following two facts, 1) for a debugger to attach itself to a process, the debugger has to create a remote thread in that process, and 2) the OS loader calls TLS callbacks whenever a new thread is created in a process, we can design a TLS callback which increments a global variable holding the number of threads in the current process. If the value of this variable exceeds a specific number, a foreign thread has just been created and the process has to exit. Alternatively, the TLS callback routine can query the entry point of the thread it is running under and, if that entry point is the address of the "DbgUiRemoteBreakin" function, kill the process.

This is a simple demonstration example.
A bit more complicated example can be found here, and its source code here.

N.B. Both examples have been tested on XP SP3 only.

To make things harder, we can use dynamic TLS callbacks instead.

To implement a dynamic TLS callback, follow these two steps:
1) Create a TLS structure and store its RVA and size in the TLS data directory at runtime.
2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.
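Added example, not the post's source: a C model, on a constructed PE32 image, of how an analyst can tell that a TLS directory was registered at runtime (step 1 above) and which callbacks it points at. It compares the TLS data directory entry of the on-disk headers with the in-memory copy and walks AddressOfCallBacks from the in-memory image, which is the list of routines that will run at every thread creation. Offsets follow the PE/COFF specification; the image base, RVAs and callback addresses are constructed, the function names are this example's own, and step 2 (the _LdrpImageHasTls flag) is not modeled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DIRECTORY_ENTRY_TLS 9
#define IMG_BASE 0x00400000u                 /* constructed ImageBase */
#define IMG_LEN  0x3000u                     /* headers at 0, code at RVA 0x1000, data at 0x2000 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset of the PE32 optional header, or 0 if the MZ/PE signatures are missing. */
static uint32_t optional_header(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;
    uint32_t nt = rd32(img + 0x3C);
    if (nt > len || len - nt < 24 + 96 + 16 * 8) return 0;     /* room for all 16 data directories */
    if (rd32(img + nt) != 0x00004550 || rd16(img + nt + 24) != 0x10B) return 0;
    return nt + 24;
}

/* Read data directory entry `index` as (RVA, size). Returns 0 if absent. */
static int data_directory(const uint8_t *img, size_t len, unsigned index, uint32_t *rva, uint32_t *size) {
    uint32_t opt = optional_header(img, len);
    if (!opt || index >= rd32(img + opt + 92)) return 0;        /* NumberOfRvaAndSizes */
    const uint8_t *e = img + opt + 96 + 8 * index;
    *rva = rd32(e); *size = rd32(e + 4);
    return 1;
}

/* Collect the TLS callback VAs an in-memory image registers. Pointers inside
 * IMAGE_TLS_DIRECTORY32 are VAs, so they are rebased to offsets in the flat
 * buffer before being followed; anything out of range ends the walk. */
static size_t tls_callbacks(const uint8_t *img, size_t len, uint32_t *out, size_t max) {
    uint32_t rva, size;
    if (!data_directory(img, len, IMAGE_DIRECTORY_ENTRY_TLS, &rva, &size) || rva == 0) return 0;
    if (size < 24 || rva > len - 24) return 0;                   /* IMAGE_TLS_DIRECTORY32 is 24 bytes */
    uint32_t cb_va = rd32(img + rva + 12);                       /* AddressOfCallBacks */
    if (cb_va < IMG_BASE || cb_va - IMG_BASE > len - 4) return 0;
    uint32_t off = cb_va - IMG_BASE;
    size_t n = 0;
    while (n < max && off <= len - 4) {
        uint32_t va = rd32(img + off);
        if (va == 0) break;                                      /* NULL-terminated array */
        out[n++] = va;
        off += 4;
    }
    return n;
}

/* The tell for a runtime-registered TLS directory: the in-memory entry no
 * longer matches the one in the file on disk. */
static int tls_directory_differs(const uint8_t *disk, const uint8_t *mem, size_t len) {
    uint32_t dr = 0, ds = 0, mr = 0, ms = 0;
    data_directory(disk, len, IMAGE_DIRECTORY_ENTRY_TLS, &dr, &ds);
    data_directory(mem, len, IMAGE_DIRECTORY_ENTRY_TLS, &mr, &ms);
    return dr != mr || ds != ms;
}

/* Constructed on-disk PE32 image with an empty TLS data directory. */
static void build_disk_image(uint8_t *img) {
    memset(img, 0, IMG_LEN);
    wr16(img, 0x5A4D); wr32(img + 0x3C, 0x80);                   /* "MZ", e_lfanew */
    wr32(img + 0x80, 0x00004550);                                /* "PE\0\0" */
    wr16(img + 0x80 + 4, 0x014C); wr16(img + 0x80 + 20, 0xE0);   /* Machine, SizeOfOptionalHeader */
    uint8_t *opt = img + 0x80 + 24;
    wr16(opt, 0x10B); wr32(opt + 28, IMG_BASE); wr32(opt + 56, IMG_LEN);
    wr32(opt + 92, 16);                                          /* NumberOfRvaAndSizes */
}

/* Simulates the in-memory state after step 1: a TLS structure placed in .data
 * and the TLS data directory pointed at it, with two callbacks registered. */
static void simulate_runtime_tls(uint8_t *img) {
    const uint32_t tls_rva = 0x2000, cbs_rva = 0x2040;
    uint8_t *dir = img + 0x80 + 24 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS;
    wr32(dir, tls_rva); wr32(dir + 4, 24);
    wr32(img + tls_rva + 12, IMG_BASE + cbs_rva);                /* AddressOfCallBacks */
    wr32(img + cbs_rva, IMG_BASE + 0x1000);                      /* callback 1 */
    wr32(img + cbs_rva + 4, IMG_BASE + 0x1020);                  /* callback 2, then the 0 terminator */
}

static size_t demo_callback_count(int dynamic) {
    uint8_t img[IMG_LEN]; uint32_t cbs[8];
    build_disk_image(img);
    if (dynamic) simulate_runtime_tls(img);
    return tls_callbacks(img, IMG_LEN, cbs, 8);
}
static uint32_t demo_first_callback(void) {
    uint8_t img[IMG_LEN]; uint32_t cbs[8];
    build_disk_image(img); simulate_runtime_tls(img);
    return tls_callbacks(img, IMG_LEN, cbs, 8) ? cbs[0] : 0;
}
static int demo_differs(void) {
    uint8_t disk[IMG_LEN], mem[IMG_LEN];
    build_disk_image(disk); memcpy(mem, disk, IMG_LEN); simulate_runtime_tls(mem);
    return tls_directory_differs(disk, mem, IMG_LEN);
}

int main(void) {
    printf("on disk: %zu TLS callbacks; in memory: %zu (first at 0x%08X); directory changed: %d\n",
           demo_callback_count(0), demo_callback_count(1), (unsigned)demo_first_callback(), demo_differs());
    return 0;
}
```

Against a live process the two inputs would be the headers read from the executable file and those read from the process's image base; a TLS entry present only in memory is exactly the footprint step 1 leaves.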

The source code can be found here. It works on Windows XP SP3 only; you can edit the source code to support other OSes.

N.B. This trick is still in progress and I am waiting for any feedback.

You can follow me on Twitter @waleedassar