to JMI: thanks for moving it to a separate thread

TQN, so you read the page fully and commented on its antidote
btw you need the value set to something, just a plain key won't work
as you show in the .txt
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe]
"GlobalFlag"=" some value here"
yes, if you set the image file option it will get detected during LdrpInitialize
btw windbg rocks a lot actually for this kind of work

you can't get olly to display
the disassembly shown below live

coz olly breaks far lower in the chain
at LdrInitializeProcess-->DbgPrint whereas windbg breaks long long before
Code:
ntdll!LdrpInitialize+0x58:
77f92b69 894de4 mov [ebp-0x1c],ecx
77f92b6c 8b4610 mov eax,[esi+0x10]
77f92b6f 668b4038 mov ax,[eax+0x38]
77f92b73 668945e0 mov [ebp-0x20],ax
77f92b77 668945e2 mov [ebp-0x1e],ax
77f92b7b 53 push ebx
77f92b7c 6a04 push 0x4
77f92b7e 6884e6fc77 push 0x77fce684
77f92b83 6a04 push 0x4
77f92b85 687c31f977 push 0x77f9317c
0:000> du 77f9317c
77f9317c "DisableHeapLookaside"
77f92b8a 8d45e0 lea eax,[ebp-0x20]
77f92b8d 50 push eax
77f92b8e e8f6daffff call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92b93 8d7e68 lea edi,[esi+0x68]
77f92b96 53 push ebx
77f92b97 6a04 push 0x4
77f92b99 57 push edi
77f92b9a 6a04 push 0x4
77f92b9c 68a831f977 push 0x77f931a8
0:000> du 77f931a8
77f931a8 "GlobalFlag"
77f92ba1 8d45e0 lea eax,[ebp-0x20]
77f92ba4 50 push eax
77f92ba5 e8dfdaffff call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92baa 3bc3 cmp eax,ebx
77f92bac 7d09 jge ntdll!LdrpInitialize+0xa5 (77f92bb7)
ntdll!LdrpInitialize+0x9d:
77f92bae 385e02 cmp [esi+0x2],bl
77f92bb1 0f85fd620000 jne ntdll!LdrpInitialize+0xa2 (77f98eb4)
ntdll!LdrpInitialize+0xa2:
77f98eb4 830f70 or dword ptr [edi],0x70 <--- look
77f98eb7 e9fb9cffff jmp ntdll!LdrpInitialize+0xa5 (77f92bb7)
ntdll!LdrpInitialize+0xa5:
77f92bb7 f6470302 test byte ptr [edi+0x3],0x2
77f92bbb 0f85fb620000 jne ntdll!LdrpInitialize+0xab (77f98ebc)
ntdll!LdrpInitialize+0xab:
77f98ebc c6052ce1fc7701 mov byte ptr [ntdll!RtlpDebugPageHeap (77fce12c)],0x1
btw take a look at elicz's site, he coded a tls enabled application in asm long ago viz
i think it's named tlsinasm
or take a look at roy g biv's article in netlux or search symantec or other av articles
(he coded the first tls enabled virus rugrat long back for 32 bit and recently did it again for 64 bit viz shrug)
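
An added example, not part of the original post: a Python sketch that audits a .reg export for Image File Execution Options GlobalFlag values and models the branch in the listing above, where 0x70 is OR'd into the flags at [esi+0x68] only when the GlobalFlag query fails and the byte at [esi+0x2] (PEB.BeingDebugged) is non-zero. The sample export, image names, function names and the REG_SZ parsing rule are assumptions; a value that cannot be parsed is treated here as absent.

```python
import re

# Heap-debug bits of NtGlobalFlag (gflags names); 0x70 is the first three.
FLAGS = {0x10: "FLG_HEAP_ENABLE_TAIL_CHECK", 0x20: "FLG_HEAP_ENABLE_FREE_CHECK",
         0x40: "FLG_HEAP_VALIDATE_PARAMETERS", 0x02000000: "FLG_HEAP_PAGE_ALLOCS"}
IFEO = "\\image file execution options\\"
# Constructed sample export; the image names are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plainkey.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zeroed.exe]
"GlobalFlag"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pageheap.exe]
"GlobalFlag"=dword:02000000
'''

def parse_value(raw):
    """Integer for a .reg value body, or None. Assumes REG_SZ is 0x-hex or decimal."""
    m = re.fullmatch(r'dword:([0-9a-f]{1,8})|"\s*(0x[0-9a-f]+|\d+)\s*"',
                     raw.strip(), re.I)
    if not m:
        return None
    if m.group(1):
        return int(m.group(1), 16)
    s = m.group(2).lower()
    return int(s, 16 if s.startswith("0x") else 10)

def audit(reg_text):
    """Map IFEO image name -> GlobalFlag (None when absent or unparsable)."""
    found, image = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            pos = line.lower().find(IFEO)
            image = line[pos + len(IFEO):-1].lower() if pos >= 0 else None
            if image:
                found.setdefault(image, None)
            continue
        val = re.fullmatch(r'"globalflag"\s*=\s*(.+)', line, re.I)
        if image and val:
            found[image] = parse_value(val.group(1))
    return found

def effective_flag(ifeo_flag, being_debugged, inherited=0):
    """Listing's branch: OR in 0x70 only if the query failed (None) and BeingDebugged."""
    if ifeo_flag is None:
        return inherited | 0x70 if being_debugged else inherited
    return ifeo_flag

def flag_names(flag):
    return [name for bit, name in FLAGS.items() if flag & bit]
```

The FLG_HEAP_PAGE_ALLOCS bit (0x02000000) is the one the listing checks with `test byte ptr [edi+0x3],0x2` before setting RtlpDebugPageHeap.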