#2
You can look in pnluck's tutorial for:

- Hide NtGlobalFlag
- Hide ProcessHeapFlag

Also IsDebuggerPresent, due to its PEB and TEB patching. But in my oepfind, when I just patch IsDebuggerPresent at PEB+2, then it also patches the 2 others, dunno how with Olly, maybe they are necessary.

Control of BeingDebugged:

```asm
004XXXXX MOV EAX,DWORD PTR FS:[30]     ; fs:[30] returns the PEB address
...
004XXXXX ADD EAX,2                     ; PEB+2 is the BeingDebugged memory address
004XXXXX MOV EAX,DWORD PTR DS:[EAX]    ; AL maybe 0 (not debugged) or 1 (debugger present)
...
004XXXXX OR AL,AL
004XXXXX JE UnPackMe.004F2C67
```

Control of ProcessHeap:

```asm
004XXXXX MOV EAX,DWORD PTR FS:[18]     ; fs:[18] returns the TEB address
... after some operation
004XXXXX MOV EAX,DWORD PTR [EAX+30]    ; TEB+0x30 returns the PEB address
... after some operation
004XXXXX MOV EAX,DWORD PTR [EAX+18]    ; PEB+0x18 returns the ProcessHeap address
004XXXXX CMP DWORD PTR DS:[EAX+10],0   ; [EAX+10] maybe 0 (not debugged) or other values (debugger present)
```

Control of NtGlobalFlag:

```asm
004XXXXX MOV EAX,DWORD PTR FS:[30]     ; fs:[30] returns the PEB address
004XXXXX ADD EAX,8E4180C9
004XXXXX ADD EAX,71BE7F9F              ; EAX = PEB+0x68 : address of NtGlobalFlag
004XXXXX MOV EAX,DWORD PTR DS:[EAX]    ; NtGlobalFlag maybe 0x70 (debugger present) or 0
```

For ZwQuery you can look inside my oepfind.

For ProcessHeap, what I encountered when I tried to apply it to oepfind: well, on create_process you can't do it, because it doesn't exist yet, only when you are at EP. Also another problem you will encounter is that on create_process only the exe and ntdll.dll are loaded, then later it loads kernel32 and user32, so you have to make the plugin or patch learn to wait until it's loaded and then patch.

Last edited by Human; 01-24-2006 at 21:59.
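As an added example (not from Human's post or his oepfind plugin), a small Python scanner that locates the three PEB checks above in raw 32-bit x86 code bytes and folds split ADD constants such as the 8E4180C9/71BE7F9F pair back to the real field offset, which is what an analyst wants before deciding where to patch. The sample bytes are constructed; the MOV EAX,[EAX+disp8] form it also recognises is a common variant that the listings above do not use.

```python
import struct

# Encoding of the instruction the PEB listings above start with (32-bit x86):
MOV_EAX_FS30 = bytes.fromhex("64A130000000")  # MOV EAX, DWORD PTR FS:[30h] -> PEB

# PEB fields the three checks read (32-bit offsets from the post)
PEB_FIELDS = {0x02: "BeingDebugged", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


def fold_adds(code, pos):
    """Sum a chain of ADD EAX,imm at pos modulo 2**32 (05 imm32 / 83 C0 imm8).

    Splitting PEB+0x68 into 0x8E4180C9 + 0x71BE7F9F relies on the same
    wrap-around, so folding the constants recovers the real offset."""
    total = 0
    while pos < len(code):
        if code[pos] == 0x05 and pos + 5 <= len(code):                   # ADD EAX, imm32
            total += struct.unpack_from("<I", code, pos + 1)[0]
            pos += 5
        elif code[pos:pos + 2] == b"\x83\xc0" and pos + 3 <= len(code):  # ADD EAX, imm8
            total += struct.unpack_from("<b", code, pos + 2)[0]
            pos += 3
        else:
            break
    return total & 0xFFFFFFFF, pos


def resolve_offset(code, pos):
    """PEB offset used right after MOV EAX,FS:[30h]: an ADD chain, or the
    MOV EAX,[EAX+disp8] form (8B 40 ib), a variant not in the post's listing."""
    off, end = fold_adds(code, pos)
    if end == pos and pos + 3 <= len(code) and code[pos:pos + 2] == b"\x8b\x40":
        return code[pos + 2]
    return off


def find_peb_checks(code):
    """Return (position, peb_offset, field_name) for every PEB access found."""
    hits, start = [], 0
    while (i := code.find(MOV_EAX_FS30, start)) >= 0:
        off = resolve_offset(code, i + len(MOV_EAX_FS30))
        hits.append((i, off, PEB_FIELDS.get(off, "unknown")))
        start = i + 1
    return hits


# Constructed sample: the three checks from the post, assembled by hand.
SAMPLE = (
    MOV_EAX_FS30 + b"\x83\xc0\x02" + b"\x8b\x00" + b"\x0a\xc0" + b"\x74\x10"         # PEB+2, OR AL,AL, JE
    + MOV_EAX_FS30 + b"\x05\xc9\x80\x41\x8e" + b"\x05\x9f\x7f\xbe\x71" + b"\x8b\x00"  # split PEB+0x68
    + MOV_EAX_FS30 + b"\x8b\x40\x18" + b"\x83\x78\x10\x00"                            # ProcessHeap, CMP [EAX+10],0
)

if __name__ == "__main__":
    for pos, off, name in find_peb_checks(SAMPLE):
        print(f"+{pos:#06x}: PEB+{off:#x} ({name})")
```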