Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Using Thread Local Storage (tls) in Olly (https://forum.exetools.com/showthread.php?t=7363)

JuneMouse 05-02-2005 20:44

Using Thread Local Storage (tls) in Olly
 
[EDIT JMI]: These Posts were originally part of the "Olly Invisible Plugin" Thread in the Software Release Forum. In that Thread, nikola posted the following comment in one of the Posts:

"@Others: Lemme see you leetors hide Olly from this one
http://www.maniactools.com/soft/mp3tag.exe
I tried for 30 minutes to hide this and gave up. I'm not even sure what this packer is. PEiD says Neolite but this is definitely not Neolite. Markus suggested elsewhere that this is ExeCryptor and I agree. I can't even start Olly after the program is started because it shuts it down like RegMon. I changed Olly's path, caption, most things I could. Tried this plugin but nothing. Someone made it on this one?"

JuneMouse made this very interesting reply about that software, discussing how to access the Thread Local Storage (TLS) in Olly. nikola then suggested that that information be split off into a separate thread, and here it is for all to consider. Those further interested in system hooking and API hooking should review the "codeproject" reference listed by bgrimm and the API reference mentioned at the bottom of bgrimm's reference. All very interesting information. ;) ]


Hehe, I was reading through (the Olly Invisible Plugin Thread) and I saw the post by nikola. mp3tag.exe has no need to hide Olly from anything: it uses TLS callbacks, so TLS gets the first chance to execute before reaching the EP.

Code:

Log data
Address    Message
          OllyDbg v1.10
          Bookmarks sample plugin v1.06 (plugin demo)
            Copyright (C) 2001, 2002 Oleh Yuschuk
          Command line plugin v1.10
            Written by Oleh Yuschuk

          File '***********\mp3tag.exe'
          New process with ID 00000220 created
00840938  Main thread with ID 00000370 created
00400000  Module *****************\mp3tag.exe
77E10000  Module C:\WINNT\system32\user32.dll
77F40000  Module C:\WINNT\system32\GDI32.dll
77F80000  Module C:\WINNT\system32\ntdll.dll
7C570000  Module C:\WINNT\system32\kernel32.dll
77F813B1  System startup breakpoint
77F9FE4A  Debug string: LDR: Real INIT LIST
77F9FE4A  Debug string:      C:\WINNT\system32\kernel32.dll init routine 7c577a40
77F9FE4A  Debug string:      C:\WINNT\system32\user32.dll init routine 77e1df34
77F9FE4A  Debug string: LDR: kernel32.dll loaded.
77F9FE4A  Debug string:  - Calling init routine at 7c577a40
77F9FE4A  Debug string: LDR: user32.dll loaded.
77F9FE4A  Debug string:  - Calling init routine at 77e1df34
77F9FE4A  Debug string: LDR: Tls Callbacks Found. Imagebase 400000 Tls 6f90e0 CallBacks 6f910c
77F9FE4A  Debug string: LDR: Calling Tls Callback Imagebase 400000 Function 842d46

So here it decrypts and runs a check, and one can dump almost all memory. Well, for me that's enough because I don't want a running exe :)
Here are the strings before and after for this maniac :)

If you know how to break back from ZwContinue (simple: follow the context struct in the dump, add B8, press Ctrl+G in the CPU window and type the address that you see in the dump, and when you are there press F2 and F9 :) (hope you can decipher this :)

Have fun. The point being, you need to know the ways and the means will follow;
just having plugins won't work :) As you may notice I have no plugins installed except for the default command line that comes along :)
Yeah, fresh download and alien computer and no tools (not even a hex editor),
and about an hour of time to pass (anyway, had to pass time waiting for someone, sitting in a cafe) :)
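The loader message in the log above ("LDR: Tls Callbacks Found. Imagebase 400000 Tls 6f90e0 CallBacks 6f910c") comes straight from the PE's TLS directory. As an added example that is not part of JuneMouse's post, this Python walks a PE32 file to the same three values and the callback list without running anything, which is how an analyst confirms ahead of time that code will execute before the EP; the sample image is constructed in memory, not a real binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9      # slot of the TLS directory in the optional header
PE32_MAGIC = 0x10B

def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def find_tls_callbacks(data):
    """Return image base, TLS directory VA, callback table VA and callback VAs of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, fh + 2)
    opt_size, = struct.unpack_from("<H", data, fh + 16)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    magic, = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    num_dirs, = struct.unpack_from("<I", data, opt + 92)
    info = {"image_base": image_base, "tls_va": 0, "callbacks_va": 0, "callbacks": []}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return info
    tls_rva, _size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return info                                     # no TLS directory: nothing runs before the EP
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    # IMAGE_TLS_DIRECTORY32 holds absolute VAs (AddressOfCallBacks is the 4th field), not RVAs
    callbacks_va, = struct.unpack_from("<I", data, _rva_to_offset(tls_rva, sections) + 12)
    info.update(tls_va=image_base + tls_rva, callbacks_va=callbacks_va)
    if callbacks_va:
        off = _rva_to_offset(callbacks_va - image_base, sections)
        while True:                                     # NULL-terminated PIMAGE_TLS_CALLBACK array
            cb, = struct.unpack_from("<I", data, off)
            if cb == 0:
                break
            info["callbacks"].append(cb)
            off += 4
    return info

def format_like_ldr(info):
    """Render the same three values the loader prints when LDR_SHOW_SNAPS is on."""
    return "LDR: Tls Callbacks Found. Imagebase %x Tls %x CallBacks %x" % (
        info["image_base"], info["tls_va"], info["callbacks_va"])

def build_sample_pe():
    """Constructed PE32 skeleton (not a real program): one section, a TLS directory at
    RVA 0x1000 and a callback table at RVA 0x1020 holding two entries."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x1200)       # AddressOfEntryPoint, reached after the callbacks
    struct.pack_into("<I", img, opt + 28, 0x400000)     # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 0x18)
    sec = opt + 0xE0                                    # section ".tls": RVA 0x1000 -> file 0x200
    struct.pack_into("<8sIIII", img, sec, b".tls", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, sec + 36, 0xC0000040)   # initialized data, read/write
    struct.pack_into("<IIIIII", img, 0x200, 0x401040, 0x401044, 0x401048, 0x401020, 0, 0)
    struct.pack_into("<III", img, 0x220, 0x401100, 0x401140, 0)   # callbacks, NULL-terminated
    return bytes(img)

if __name__ == "__main__":
    print(format_like_ldr(find_tls_callbacks(build_sample_pe())))
```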

nikola 05-02-2005 23:26

Nice post :) Well, I didn't even know what TLS is and what it's used for, so you just opened a new horizon for me :) I don't want to spoil a new installation of Windows. I'll have to activate another partition later and try there...

JuneMouse 05-03-2005 00:41

Hehe, corrupting a new installation :) I said I used an alien computer in a cafe,
with a non-admin account with least privileges let you corrupt the system :)

Anyway, here is how I enable debug strings:

Options ---> Debugging options --> Events --> change the radio button to System breakpoint
Checkmark the event "Break on debug strings"
F9 the app
Olly will stop on the system break, which is a RETN statement
Code:

77F9F9DF >  CC              INT3
77F9F9E0    C3              RETN <---- here

F7 once and you will see it is accessing NtGlobalFlag, aka PEB-->NtGlobalFlag, aka fs:[30h]+68h

Code:

77F992CF  MOV AL,BYTE PTR DS:[ESI+68]              ; esi = fs:[30]
77F992D2  AND AL,2                                ; check for LDR_SHOW_SNAPS
77F992D4  MOV BYTE PTR DS:[77FCE6F0],AL            ; save flag

If you had enabled Options --> Debugging options --> Registers --> "Decode registers for any IP",
you will see this in the information pane:
Code:

DS:[7FFDF068]=70 ('p')
AL=02

Select the DS: line and right-click --> Modify data;
make it 72.
That is all :)
And if you now F9,
Olly will automatically stop on the next debug string,

viz
Code:

Log data, item 0
 Address=77F9FA77
 Message=Debug string: LDR: Real INIT LIST
Log data, item 0
 Address=77F9FA77
 Message=Debug string:      C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8

and so on. By the way, since this topic deals with anti-debugging tricks, I would broach one more undocumented anti-debugging trick;
I've not seen it being used anywhere.
Take a look at the HTML page in the attachment; it comes with the app in a zip.

For those who just prefer code:

Code:

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib

.data
forma       db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
tite        db "goodguy you are not running inside debugger",0
tite1       db "badguy  you are running this under debugger",0
subkeyname  db "SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER",0
valuename   db "GLOBALFLAG",0

.DATA?
buffer      db 120h dup (?)          ; wsprintf output
hKey        dd ?                     ; handle returned by RegOpenKeyEx
valtype     dd ?                     ; value type returned by RegQueryValueEx (REG_DWORD expected)
regflag     dd ?                     ; GlobalFlag as stored in the registry
cbdata      dd ?                     ; size of regflag, in/out parameter of RegQueryValueEx

.CODE
start:
    mov regflag,0                    ; a missing value leaves the registry default of 0
    mov cbdata,sizeof regflag
    ; the system-wide GlobalFlag is what the kernel copies into PEB.NtGlobalFlag at process creation
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,ADDR subkeyname,NULL,KEY_QUERY_VALUE,ADDR hKey
    .if eax!=ERROR_SUCCESS
        invoke ExitProcess,1
    .endif
    invoke RegQueryValueEx,hKey,ADDR valuename,NULL,ADDR valtype,ADDR regflag,ADDR cbdata
    assume fs:nothing
    mov eax,fs:[30h]                 ; TEB -> PEB
    mov eax,[eax+68h]                ; PEB.NtGlobalFlag
    ; with a debugger present at startup the loader ORs 70h (heap tail/free/parameter checks)
    ; into PEB.NtGlobalFlag, so it no longer matches the registry value
    .if regflag==eax
        invoke wsprintf,ADDR buffer,ADDR forma,eax,regflag
        invoke MessageBox,NULL,ADDR buffer,ADDR tite,MB_OK
    .else
        invoke wsprintf,ADDR buffer,ADDR forma,eax,regflag
        invoke MessageBox,NULL,ADDR buffer,ADDR tite1,MB_OK
    .endif
    invoke RegCloseKey,hKey
    invoke ExitProcess,NULL
end start


bgrimm 05-03-2005 07:47

Great post JuneMouse, thanks for the info.

Anyone interested in more TLS callback info could also benefit from this article:
http://www.codeproject.com/threads/tls.asp

I would ask perhaps of the admins to move your posts to a new thread?
As much as it pertains to the build of the invisible plugin, it is such great info it should stand on its own.

thx,

-bg

TQN 05-03-2005 10:55

Great information, JuneMouse. Thank you very much!
Hope Teerayoot will update his Olly Invisible plugin with this information.
This detection method will return wrong information if the GlobalFlag of the exe was set (by using Gflags.exe or by editing the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TheEXE).
Creating an empty key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe] (no GlobalFlag value) in the registry will fool the detection.
Best regards,
TQN

JuneMouse 05-03-2005 14:13

To JMI: thanks for moving it to a separate thread :)
TQN, so you read the page fully and commented on its antidote.
By the way, you need the value set to something; a plain key won't work,
as you show in the .txt:
Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe]
"GlobalFlag"=" some value here"

Yes, if you set the image file option it will get detected during LdrpInitialize.
By the way, WinDbg rocks a lot actually for this kind of work :) You can't get Olly to display
the disassembly shown below live :) because Olly breaks far lower in the chain,
at LdrInitializeProcess-->DbgPrint, whereas WinDbg breaks long, long before:
Code:

ntdll!LdrpInitialize+0x58:
77f92b69 894de4          mov    [ebp-0x1c],ecx
77f92b6c 8b4610          mov    eax,[esi+0x10]
77f92b6f 668b4038        mov    ax,[eax+0x38]
77f92b73 668945e0        mov    [ebp-0x20],ax
77f92b77 668945e2        mov    [ebp-0x1e],ax
77f92b7b 53              push    ebx
77f92b7c 6a04            push    0x4
77f92b7e 6884e6fc77      push    0x77fce684
77f92b83 6a04            push    0x4
77f92b85 687c31f977      push    0x77f9317c
0:000> du 77f9317c
77f9317c  "DisableHeapLookaside"


77f92b8a 8d45e0          lea    eax,[ebp-0x20]
77f92b8d 50              push    eax
77f92b8e e8f6daffff  call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92b93 8d7e68          lea    edi,[esi+0x68]
77f92b96 53              push    ebx
77f92b97 6a04            push    0x4
77f92b99 57              push    edi
77f92b9a 6a04            push    0x4
77f92b9c 68a831f977      push    0x77f931a8

0:000> du 77f931a8
77f931a8  "GlobalFlag"

77f92ba1 8d45e0          lea    eax,[ebp-0x20]
77f92ba4 50              push    eax
77f92ba5 e8dfdaffff  call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92baa 3bc3            cmp    eax,ebx
77f92bac 7d09            jge    ntdll!LdrpInitialize+0xa5 (77f92bb7)

ntdll!LdrpInitialize+0x9d:
77f92bae 385e02          cmp    [esi+0x2],bl
77f92bb1 0f85fd620000    jne    ntdll!LdrpInitialize+0xa2 (77f98eb4)

ntdll!LdrpInitialize+0xa2:
77f98eb4 830f70          or      dword ptr [edi],0x70 <--- look
77f98eb7 e9fb9cffff      jmp    ntdll!LdrpInitialize+0xa5 (77f92bb7)


ntdll!LdrpInitialize+0xa5:
77f92bb7 f6470302        test    byte ptr [edi+0x3],0x2
77f92bbb 0f85fb620000    jne    ntdll!LdrpInitialize+0xab (77f98ebc)

ntdll!LdrpInitialize+0xab:
77f98ebc c6052ce1fc7701 mov byte ptr [ntdll!RtlpDebugPageHeap (77fce12c)],0x1



By the way, take a look on EliCZ's site; he coded a TLS-enabled application in asm long ago, viz.
I think it's named tlsinasm.
Or take a look at roy g biv's article on netlux, or search Symantec or other AV articles
(he coded the first TLS-enabled virus, Rugrat, long back for 32-bit and recently did it again for 64-bit, viz. Shrug :)
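The LdrpInitialize listing above first asks for the IFEO GlobalFlag (written straight into PEB.NtGlobalFlag through edi) and only when that query fails ORs in 0x70 if PEB.BeingDebugged is set, then tests the page-heap bit. This Python model is added here, not code from the thread, to walk through that logic together with the registry-vs-PEB comparison from the MASM sample and TQN's IFEO caveat; the FLG_* values are the documented gflags bits and every scenario is constructed.

```python
# FLG_* bits of NtGlobalFlag that this thread turns on or off, with the gflags.exe abbreviations
FLG_SHOW_LDR_SNAPS           = 0x00000002   # sls
FLG_HEAP_ENABLE_TAIL_CHECK   = 0x00000010   # htc
FLG_HEAP_ENABLE_FREE_CHECK   = 0x00000020   # hfc
FLG_HEAP_VALIDATE_PARAMETERS = 0x00000040   # hpc
FLG_HEAP_PAGE_ALLOC          = 0x02000000   # hpa, bit 0x02 of the byte at NtGlobalFlag+3

# what the loader ORs in when PEB.BeingDebugged is set: "or dword ptr [edi],0x70"
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)

GFLAGS_TEXT = [
    (FLG_SHOW_LDR_SNAPS, "sls - Show Loader Snaps"),
    (FLG_HEAP_ENABLE_TAIL_CHECK, "htc - Enable heap tail checking"),
    (FLG_HEAP_ENABLE_FREE_CHECK, "hfc - Enable heap free checking"),
    (FLG_HEAP_VALIDATE_PARAMETERS, "hpc - Enable heap parameter checking"),
    (FLG_HEAP_PAGE_ALLOC, "hpa - Enable page heap"),
]

def decode_gflags(value):
    """Expand an NtGlobalFlag value into gflags.exe-style lines (e.g. 0x72 from 'gflags -i')."""
    return [text for bit, text in GFLAGS_TEXT if value & bit]

def ldrp_initialize(session_manager_flag, being_debugged, ifeo_global_flag=None):
    """Model of the NtGlobalFlag handling in the LdrpInitialize listing.

    session_manager_flag: system-wide GlobalFlag the kernel copied into PEB.NtGlobalFlag
                          when the process was created
    being_debugged:       PEB.BeingDebugged ("cmp [esi+0x2],bl")
    ifeo_global_flag:     GlobalFlag under the exe's Image File Execution Options key, or
                          None when LdrQueryImageFileExecutionOptions fails (no key, or a
                          key without the value)
    Returns (PEB.NtGlobalFlag, RtlpDebugPageHeap).
    """
    nt_global_flag = session_manager_flag
    if ifeo_global_flag is not None:
        # the query writes through edi = &PEB.NtGlobalFlag, replacing the inherited value,
        # and the debugger branch is skipped ("jge ntdll!LdrpInitialize+0xa5")
        nt_global_flag = ifeo_global_flag
    elif being_debugged:
        nt_global_flag |= DEBUGGER_HEAP_FLAGS                 # or dword ptr [edi],0x70
    debug_page_heap = bool(nt_global_flag & FLG_HEAP_PAGE_ALLOC)  # test byte ptr [edi+3],0x2
    return nt_global_flag, debug_page_heap

def registry_vs_peb_check(peb_nt_global_flag, session_manager_flag):
    """The comparison from the MASM sample: a mismatch is reported as 'running under debugger'."""
    return peb_nt_global_flag != session_manager_flag

def walkthrough():
    """Constructed scenarios; returns the verdict of the registry-vs-PEB check for each."""
    results = {}
    # clean registry (GlobalFlag = 0), clean start: PEB stays 0, check says "no debugger"
    flag, _ = ldrp_initialize(0, being_debugged=False)
    results["clean"] = registry_vs_peb_check(flag, 0)
    # same machine under a debugger: loader ORs in 0x70, check says "debugger"
    flag, _ = ldrp_initialize(0, being_debugged=True)
    results["debugged"] = registry_vs_peb_check(flag, 0)
    # TQN's caveat: an IFEO GlobalFlag (even 0) is written into the PEB first, so the 0x70
    # is never added and the check is fooled under a debugger
    flag, _ = ldrp_initialize(0, being_debugged=True, ifeo_global_flag=0)
    results["debugged_ifeo"] = registry_vs_peb_check(flag, 0)
    # the reverse failure: IFEO GlobalFlag 0x72 (as in the 'gflags -i msgbox.exe' output)
    # with no debugger still differs from Session Manager, so the check cries wolf
    flag, _ = ldrp_initialize(0, being_debugged=False, ifeo_global_flag=0x72)
    results["clean_ifeo_72"] = registry_vs_peb_check(flag, 0)
    return results

if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print("%-14s -> %s" % (name, "debugger suspected" if verdict else "looks clean"))
    print("\n".join(decode_gflags(0x72)))
```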

Shub-Nigurrath 05-03-2005 15:38

There are also some further details about this method in Cerven's book.

TQN 05-03-2005 18:13

Thanks JuneMouse!
I have followed your way to turn on debug string output to the Log window (0x70 -> 0x72), but did not succeed. The Log window shows nothing. After a short investigation, I found the HideDebugger plugin causes this problem. Turning off the IsDebuggerPresent option helps. But why? Hope the author of the HideDebugger plugin will give me an answer!
Regards,

asterix 05-03-2005 19:15

Quote:

After a short investigation, I found the HideDebugger plugin causes this problem. Turning off the IsDebuggerPresent option helps. But why? Hope the author of the HideDebugger plugin will give me an answer!
??
HideDebugger with the "IsDebuggerPresent" option enabled only resets the flag Peb.BeingDebugged
and checks it on each EXCEPTION_DEBUG_EVENT

NakedFool 05-03-2005 21:25

The notion of using TLS callbacks is interesting as a means of attaching a stub without disrupting the EP, but be aware that they are ignored by the loader on 9x platforms. If you only care about NT, then they work.

It's also interesting that Microsoft claims (in the PE spec) that they can be used to call global constructors, though this is a bad idea because the CRT has not been initialized yet. I suspect this is why their own compilers don't use them.

JuneMouse 05-04-2005 22:36

TQN,
I haven't used the HideDebugger plugin. I once tried it on XP, having seen it in the OllyDbg forum (a link to wasm.ru); it did not work then (some initialization problem,
error code 1). After that I never tried it, but at that time I saw it was using WaitForDebugEvent and ContinueDebugEvent, which means it kinda runs a debugger within a debugger :)

Try loading OllyDbg on OllyDbg and open some xyz debuggee in the child OllyDbg, then locate this HideDebugger in the parent OllyDbg (View names) and put a BP on
WaitForDebugEvent.
Then start single-stepping on the xyz; you will see the parent OllyDbg break for every step :) It kinda slows down run traces appreciably on some big projects. No offence, it's kinda slow, so I never tried to use it again, and also
I use W2K mostly.

Anyway, as to the problem at hand: a DbgPrint is passed out to a debugger :)
so the function naturally checks for IsDebuggerPresent, and if you purportedly deceive the actual status, that check also fails and it doesn't pass out the debug string :) It's not a problem of the HideDebugger plugin
or SVS's IsDebuggerPresent plugin or any other feature plugins that may deceive the IsDebuggerPresent API.
So if you want to receive output you should not hide your debugger :)

It's like the game rootkits play to defeat Sysinternals', F-Secure's, blah blah revealers: they were checking for hidden processes and these were
not hiding from them but hiding from everything else :)

By the way, if there is no debugger the system still sends the debug output to the dbg service using int 2d functionality :) Look at Sysinternals DebugView or OSR Online's DebugMon; they kinda hook int 2d to get all the debug output generated :)
There are some environment variables like _NT_DEBUG_BLAH_BLAH
and such, along with kdbgctrl.exts !dbgprint in WinDbg, which use these
functionalities.

So have fun poking around :)

And as far as TLS is concerned, yes, there are certain factors: dynamic loading of DLLs also cannot use TLS, the W9x loader ignores it, etc. etc.
But is anyone still using a 286 and WordStar and Lotus??

JuneMouse 05-05-2005 00:07

Hehe, no post count spam :)
But I thought a separate post would emphasize it more, so here it is.

I downloaded the HideDebugger plugin v1.22 from here and tried it to see what happens; as I anticipated, it fails as I stated.

To illustrate the point, that is, having the cake and eating it too :)
Get one of the above debug viewers (I would prefer DebugMon from OSR Online).
Run it first.
Then open OllyDbg along with the HideDebugger plugin and load a debuggee.
When you hit the system breakpoint, modify NtGlobalFlag to 72
and run the app.
You will see OllyDbg won't catch any debug strings but DebugMon will catch all debug strings that are passed:

Code:

0 21:37:02.480LDR: Real INIT LIST
1 21:37:02.5009    C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
2 21:37:02.5007    C:\WINNT\system32\USER32.dll init routine 77e33bb4
3 21:37:02.5007    C:\WINNT\system32\RPCRT4.DLL init routine 77d43958
4 21:37:02.5009    C:\WINNT\system32\ADVAPI32.dll init routine 77db87c7
5 21:37:02.500<LDR: KERNEL32.dll loaded. - Calling init routine at 77e8c3d8
6 21:37:02.500:LDR: USER32.dll loaded. - Calling init routine at


JMI 05-05-2005 00:12

"Post count spam" applies only to people who appear to be posting to be trying to get to Junior Member status to gain FTP access. Once a user has reached that level, their posts are not viewed as seeking post count, because they no longer need to increase their count, except possibly to get to VIP status. ;)

Regards,

JuneMouse 05-05-2005 00:25

JMI,
:) You never sleep, or do you have robots to check every post and secretly tell you to reply when appropriate :)
Anyway, thanks for formatting the output; I didn't know how to do it :)

Oops, just 50-odd posts to VIP status; I should post more posts like this :)
Also I should spend some time exploring the cache; I've not even logged in once though I received the email with details :)

JMI 05-05-2005 03:45

That post was actually made a little after 9:00 a.m. my time. It was the one around 3:30 a.m. that was more problematic. :eek:

All I did to improve the format of your "code" section was hit the Edit Button (I can edit anyone's posts, but you can edit your own). It showed the "code" section as a set of text characters with the word "code" (with [ ] around the word) at the start and the word "/code" (again with [ ] around the word) at the end. I then observed where the text should break, put the cursor there and hit the "Enter" key. Sometimes it took two hits of the "Enter" key to make the text move to the next line.

Check it out. Go to your Post with the "Code" and hit the Edit Button and look at what it shows you. ;) You will then see what I saw after the changes.

Regards,

asterix 05-06-2005 03:35

I'll try to answer, but in Russian, sorry; maybe someone will translate it to English.

Quote:

1) after that I never tried it but at that time I saw it was using
WaitForDebugEvent and ContinueDebugEvent which means it kinda runs a debugger
within a debugger
Almost all plugins use the ODBG_Pluginmainloop function, which is called on every debug event, and that is really slow, much slower than in HideDebugger.

Quote:

then open OllyDbg along with the HideDebugger plugin and load a debuggee
when you hit the system breakpoint modify NtGlobalFlag to 72
and run the app
you will see OllyDbg won't catch any debug strings but DebugMon will
catch all debug strings that are passed
The plugin itself has nothing to do with it here. If at this point you manually clear the Peb.BeingDebugged byte (flag), you can observe the same effect.

JuneMouse 05-06-2005 20:53

Hehe asterix, you could have used some online translator.
Translated by this link:
http://translation.paralink.com/ (Russian --> English online)
Quote:

Almost all plug-ins use function ODBG_Pluginmainloop which is caused
At each debugging event and it really slowly, much more slowly
Than in HideDebugger.

In itself a plug-in here not and. If in this place manually to dump byte (flag)
Peb. BeingDebugged that it is possible to observe the same effect.
Yes, yes, I know many plugins use mainloop, and I said "no offence" in my post just because of it :)

Well, I have written prototype code in asm and detten is helping me to convert it into C and make it a plugin for OllyDbg; will release it soon in biw,
so wait :)

asterix 05-06-2005 21:10

Quote:

hehe asterix you could have used some online translator
translated by this link
http://translation.paralink.com/ (russian --> english online)
After an online translator nobody will understand me;
now at least it is understandable for Russian members ;-)

goggles99 05-08-2005 09:36

Quote:

Originally Posted by JuneMouse
well i have written a prototype code in asm and detten is helping me to convert it into c and make it a plugin to ollydbg will release it soon in biw
so wait :)

JuneMouse...
Why convert into C first?
Just use the MASM SDK for OllyDbg plugins:

OllyDbg Plugin SDK 1.08 for MASM32
http://ollydbg.win32asmcommunity.net/stuph/

Looking forward to it either way :)

JuneMouse 05-08-2005 16:16

Quote:

OllyDbg Plugin SDK 1.08 for MASM32
First, eviloid hasn't updated it for 1.10, so it misses all those nifty new plugin functions like odbg_plugincmd(), odbg_paused, pausedex, etc. :)

Second, he uses macros but hasn't defined them or prototyped them.
When I first tried his inc I had a hard time finding what the m2m or ctext
macro means; there are infinite versions and flavours of those macros floating around,
and instead of concentrating on my coding
I had to proofread and debug macros, which I feel is kinda absurd.

Third, his sample doesn't assemble; it throws thousands of errors, mainly because of those macros and some other problems.


He probably assumes dummies won't need his SDK :)

But also I would learn to code in C, by the way, and understand how porting works in the process :) Anyway, the first beta worked well in W2K and XP without problems, but since this HideDebugger plugin deceives the status, now I need to
have the cake and eat it too :) So I recoded some hacks which work in W2K;
need to test it on WinXP and also find some reliable way to prevent user intervention :)

asterix 05-08-2005 19:07

JuneMouse

HideDebugger is coded in masm ;)

In this "OllyDbg Plugin SDK 1.08 for MASM32" I found some errors.

JuneMouse 05-08-2005 21:32

Also, it seems XP has suppressed a lot of debug strings, providing them only to checked builds and not to free builds.

Their own gflags.exe doesn't let LDR_SHOW_SNAPS show anything useful in the pre-initialization stage; only some debug strings could be shown in the post-initialization stage.

The following output is the max that is got by having both image file execution options and the Session Manager GlobalFlag :( in XP (no sign of LDR messages anywhere):

Code:

Log data
Address    Message
          OllyDbg v1.10
          Bookmarks sample plugin v1.06 (plugin demo)
            Copyright (C) 2001, 2002 Oleh Yuschuk
          Command line plugin v1.10
            Written by Oleh Yuschuk
          NtGlobalFlag Plugin v1.10
           
          File 'C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe'
          New process with ID 000008C0 created
00401000  Main thread with ID 00000D70 created
00400000  Module C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe
77D40000  Module C:\WINDOWS\system32\USER32.dll
77F10000  Module C:\WINDOWS\system32\GDI32.dll
7C800000  Module C:\WINDOWS\system32\kernel32.dll
7C900000  Module C:\WINDOWS\system32\ntdll.dll
7C946E68  Debug string: [8c0,d70] LDR: Real INIT LIST for process C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe pid 2240 0x8c0
7C946E68  Debug string: [8c0,d70]    C:\WINDOWS\system32\GDI32.dll init routine 77F163CA
7C946E68  Debug string: [8c0,d70]    C:\WINDOWS\system32\USER32.dll init routine 77D50EB9
7C946E68  Debug string: [8c0,d70] LDR: GDI32.dll loaded
7C946E68  Debug string:  - Calling init routine at 77F163CA
7C946E68  Debug string: [8c0,d70] LDR: USER32.dll loaded
7C946E68  Debug string:  - Calling init routine at 77D50EB9
00401000  Program entry point

In W2K this output is voluminous for the same exe.

Can anyone having a checked build verify and tell me if +sls stays enabled and if it outputs a lot of debug strings or not in XP??

Code:

C:\Program Files\SUPPOR~1>gflags -k +sls
Current Running Kernel Settings are: 00000002
sls - Show Loader Snaps

C:\Program Files\SUPPOR~1>gflags -k
Current Running Kernel Settings are: 00000000 <--- it doesnt stay as it is :(

C:\Program Files\SUPPOR~1>gflags -r
Current Boot Registry Settings are: 00000002
sls - Show Loader Snaps

C:\Program Files\SUPPOR~1>gflags -i msgbox.exe
Current Registry Settings for msgbox.exe executable are: 00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking

C:\Program Files\SUPPOR~1>

TQN 05-09-2005 10:59

Hi asterix!
Sorry for my mistake when I assumed your plugin caused the LDR_SNAPS strings to be turned off in OllyDbg. I have found the problem. When the system loader is loading the EXE, if Loader Snaps is turned on, it will use ntdll.DbgPrint to print the loader snap strings. ntdll.DbgPrint will call the ntdll.vDbgPrintExWithPrefix function, and in this function it will check the PEB.BeingDebugged flag. If the flag is on, it will call ntdll.RtlRaiseException with OUTPUT_DEBUG_STRING_EVENT, and if the flag is off, it will return.
Code:

ntdll.DbgPrint:
77F7093C    50                  push    eax
77F7093D    FF7424 08          push    dword ptr ss:[esp+8]
77F70941    6A 00              push    0
77F70943    6A FF              push    -1
77F70945    68 D240F777        push    ntdll.77F740D2
77F7094A    E8 25ABFEFF        call    ntdll.vDbgPrintExWithPrefix
77F7094F    C3                  ret
....
ntdll.vDbgPrintExWithPrefix:
.......
77F70875    E8 08FFFFFF        call    ntdll._vsnprintf
77F7087A    83C4 10            add    esp, 10
77F7087D    03F0                add    esi, eax
77F7087F    8975 E4            mov    dword ptr ss:[ebp-1C], esi
77F70882    834D FC FF          or      dword ptr ss:[ebp-4], FFFFFFFF
77F70886    3BFB                cmp    edi, ebx
77F70888    0F8C 8DFF0000      jl      ntdll.77F8081B
77F7088E    83FE FF            cmp    esi, -1
77F70891    0F84 97FF0000      je      ntdll.77F8082E
77F70897    8D85 E4FDFFFF      lea    eax, dword ptr ss:[ebp-21C]
77F7089D    8985 DCFDFFFF      mov    dword ptr ss:[ebp-224], eax
77F708A3    66:89B5 D8FDFFFF    mov    word ptr ss:[ebp-228], si
77F708AA    64:A1 18000000      mov    eax, dword ptr fs:[18]  ; CHECK PEB.BeingDebugged here
77F708B0    8B40 30            mov    eax, dword ptr ds:[eax+30]
77F708B3    3858 02            cmp    byte ptr ds:[eax+2], bl
77F708B6    0F85 80FF0000      jnz    ntdll.77F8083C
.....
77F8083C    C785 88FDFFFF 06000>mov    dword ptr ss:[ebp-278], 40010006
77F80846    899D 90FDFFFF      mov    dword ptr ss:[ebp-270], ebx
77F8084C    C785 98FDFFFF 02000>mov    dword ptr ss:[ebp-268], 2
77F80856    899D 8CFDFFFF      mov    dword ptr ss:[ebp-274], ebx
77F8085C    0FB785 D8FDFFFF    movzx  eax, word ptr ss:[ebp-228]
77F80863    40                  inc    eax
77F80864    8985 9CFDFFFF      mov    dword ptr ss:[ebp-264], eax
77F8086A    8B85 DCFDFFFF      mov    eax, dword ptr ss:[ebp-224]
77F80870    8985 A0FDFFFF      mov    dword ptr ss:[ebp-260], eax
77F80876    C745 FC 01000000    mov    dword ptr ss:[ebp-4], 1
77F8087D    8D85 88FDFFFF      lea    eax, dword ptr ss:[ebp-278]
77F80883    50                  push    eax
77F80884    E8 1E08FDFF        call    ntdll.RtlRaiseException

Continue with your great work !
Best regards,
TQN

JuneMouse 05-29-2005 18:09

The plugin along with source and some sample exes has been released.

Please post comments and bug reports to the story:

http://www.reversing.be/article.php?story=20050527190528983

Thanks and regards

JuneMouse 06-04-2005 19:32

The plugin has been updated;
it is now capable of breaking on TlsCallbacks as well as the DllInit routine on request.

story here
http://www.reversing.be/article.php?story=20050603193932184

Thanks and regards

