Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-02-2005, 20:44
JuneMouse
 
Posts: n/a
Using Thread Local Storage (tls) in Olly

[EDIT JMI]: These Posts were originally part of the "Olly Invisible Plugin" Thread in the Software Release Forum. In that Thread, nikola posted the following comment in one of the Posts:

"@Others: Lemme see you leetors hide Olly from this one
http://www.maniactools.com/soft/mp3tag.exe
I tried for 30 minuts to hide this and gave up. I'm not even sure what this packer is. PEiD says Neolite but this is definantly not Neolite. Markus suggested elsewhere that this is Execryptor and i agree. I cant even start Olly after program is started becouse it shuts it down like RegMon. I changed ollys path, caption, most things i could. Tried this plugin but nothing. Someone made it on this one?"

JuneMouse made this very interesting reply about that software, discussing how to access the Thread Local Storage (tls) in Olly. nikola then suggested that that information be split off into a separate thread, and here it is for all to consider. Those further interested in system hooking and API hooking, review the "codeproject" reference listed by bgrimm and the API reference mentioned at the bottom of bgrimm's reference. All very interesting information. ]


hehe i was reading through (the Olly Invisible Plugin Thread) and i saw the post by nikola and mp3tag.exe has no need to hide olly from anything. it uses tls callbacks so tls gets the first chance to execute before reaching the ep

Code:
Log data
Address    Message
           OllyDbg v1.10
           Bookmarks sample plugin v1.06 (plugin demo)
             Copyright (C) 2001, 2002 Oleh Yuschuk
           Command line plugin v1.10
             Written by Oleh Yuschuk

           File '***********\mp3tag.exe'
           New process with ID 00000220 created
00840938   Main thread with ID 00000370 created
00400000   Module *****************\mp3tag.exe
77E10000   Module C:\WINNT\system32\user32.dll
77F40000   Module C:\WINNT\system32\GDI32.dll
77F80000   Module C:\WINNT\system32\ntdll.dll
7C570000   Module C:\WINNT\system32\kernel32.dll
77F813B1   System startup breakpoint
77F9FE4A   Debug string: LDR: Real INIT LIST
77F9FE4A   Debug string:      C:\WINNT\system32\kernel32.dll init routine 7c577a40
77F9FE4A   Debug string:      C:\WINNT\system32\user32.dll init routine 77e1df34
77F9FE4A   Debug string: LDR: kernel32.dll loaded.
77F9FE4A   Debug string:  - Calling init routine at 7c577a40
77F9FE4A   Debug string: LDR: user32.dll loaded.
77F9FE4A   Debug string:  - Calling init routine at 77e1df34
77F9FE4A   Debug string: LDR: Tls Callbacks Found. Imagebase 400000 Tls 6f90e0 CallBacks 6f910c
77F9FE4A   Debug string: LDR: Calling Tls Callback Imagebase 400000 Function 842d46
so here it decrypts and runs a check
and one can dump almost all memory well for me thats enough coz i dont want running exe
here is a strings before and after for this manic

if you know how to break back from zwContinue (simple follow in dump the context struct add b8 press ctrl+g in cpu window and type the address that you see in dump and when you are ther press f2 and f9 (hope you can decipher this

have fun the point being you need to know the ways and means will follow
just having plugins wont work as you may notice i have no plugions installed except for the default commanline that comes along
yeah fresh download and alien computer and no tools (not even hexeditor )
and about an hour time pass (any way had to pass time waiting for some one, sitting in cafe )
Attached Files
File Type: zip nuke.zip (57.7 KB, 50 views)
Reply With Quote
  #2  
Old 05-02-2005, 23:26
nikola nikola is offline
Friend
 
Join Date: Jan 2004
Location: Your head
Posts: 115
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
nikola Reputation: 0
Nice post Well, i didnt even know what tls is and whats its used for, so you just opened a new horizont for me I dont wont to spoil new instalation of windows. I'll have to activate other partition later and try there...
Reply With Quote
  #3  
Old 05-03-2005, 00:41
JuneMouse
 
Posts: n/a
hehe corrupting new installation i said i used an alien computer in cafe
with the non admin account with least previlages let you corrupt system

anyway here is how i enable debug strings

options--->debugging options-->events-->change radio button to system breakpoint
checkmark the event break on debug strings
f9 the app
olly will stop on system break which is a retn statement
Code:
77F9F9DF >  CC              INT3
77F9F9E0    C3              RETN <---- here
f7 once and you will see it is accessing the NtGlobalFlag aka peb-->NtGlobalFlag aka fs:[30h]+68h

Code:
77F992CF  MOV AL,BYTE PTR DS:[ESI+68]              ; esi = fs:[30]
77F992D2  AND AL,2                                 ; check for LDR_SHOW_SNAPS
77F992D4  MOV BYTE PTR DS:[77FCE6F0],AL            ; save flag
if you had enabled options-->debuggingoptions-->register-->decode registers for any ip
you will see this in the information pane
Code:
DS:[7FFDF068]=70 ('p')
AL=02
select the ds: and right click --> modify data
make it 72
that is all
and if you now f9
olly will automatically stop on the next debug string

viz
Code:
Log data, item 0
 Address=77F9FA77
 Message=Debug string: LDR: Real INIT LIST
Log data, item 0
 Address=77F9FA77
 Message=Debug string:      C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
and so on btw since this topic deals with antidebugging tricks i would broach on one more undocumented antidebugging trick
i ve not seen it being used anywhere
take a look at the html page in attachment it comes with app in a zip

for those who just prefer code

Code:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib



.data
forma       db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
forma1      db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
tite        db "goodguy you are not running inside debugger",0
tite1       db "badguy  you are running this under debugger",0
subkeyname  db "SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER",0
valuename   db "GLOBALFLAG",0


.DATA?
buffer      db 120h dup (?)
buffer1     db 120h dup (?)
buffer2     db 120h dup (?)
buffer3     db 120h dup (?)
buffer4     dd ?


.CODE

start:
    mov buffer4,45h
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,ADDR subkeyname,NULL,KEY_ALL_ACCESS,addr buffer1
    invoke RegQueryValueEx,dword ptr ds:[buffer1],addr valuename,NULL,addr buffer2,addr buffer3,addr buffer4
    assume fs:nothing
    mov eax,fs:[30h]
    mov eax,[eax+68h]
        .if dword ptr ds:[buffer3]==eax
            invoke wsprintf,addr buffer,addr forma1,eax,dword ptr ds:[buffer3]
            invoke MessageBox,NULL,offset buffer,offset tite,NULL
        .elseif
            invoke wsprintf,addr buffer,addr forma1,eax,dword ptr ds:[buffer3]
            invoke MessageBox,NULL,offset buffer,offset tite1,NULL
        .endif
    invoke RegCloseKey,dword ptr ds:[buffer1]
    invoke ExitProcess,NULL
end start
Attached Files
File Type: zip antidbg.zip (10.0 KB, 51 views)
Reply With Quote
  #4  
Old 05-03-2005, 07:47
bgrimm bgrimm is offline
Friend
 
Join Date: Jan 2004
Location: South of The North Pole
Posts: 66
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 3 Times in 3 Posts
bgrimm Reputation: 0
Great post Junemouse, thanks for the info.

Anyone interested in more tls callback info could also benifit from this article:
http://www.codeproject.com/threads/tls.asp

I would ask perhaps of the admins to move your posts to a new thread?
As much as it pertains to the build of the invisible plugin, it is such great info it should stand on it's own.

thx,

-bg
Reply With Quote
  #5  
Old 05-03-2005, 10:55
TQN TQN is offline
VIP
 
Join Date: Apr 2003
Location: Vietnam
Posts: 281
Rept. Given: 122
Rept. Rcvd 10 Times in 8 Posts
Thanks Given: 39
Thanks Rcvd at 19 Times in 9 Posts
TQN Reputation: 10
Great information, JuneMouse. Thank you very much !
Hope Teerayoot will update his Olly Invisible plugin with this information.
This detecting way will return wrong information if the GlobalFlag of exe was set (by using Gflags.exe or by editting registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TheEXE).
Creating a empty key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe] (no GlobalFlag value) in the registry will fool the detecting.
Best regards,
TQN
Attached Files
File Type: txt fool_debugcrap.txt (124 Bytes, 27 views)

Last edited by TQN; 05-03-2005 at 12:43.
Reply With Quote
  #6  
Old 05-03-2005, 14:13
JuneMouse
 
Posts: n/a
to JMI thanks for moving it to a seperate thread
TQN so you read the page fully and commented on its antidote
btw you need the value set to some thing just plain key wont work
as you show in the .txt
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe]
"GlobalFlag"=" some value here"
yes if you set imagefile option it will get detected during LdrpInitialize
btw windbg rocks a lot actually for this kind of work you cant get olly to display
the disassembly shown below live coz olly breaks far lower in chain
at LdrInitializeProcess-->DbgPrint whereas windbg break long long before
Code:
ntdll!LdrpInitialize+0x58:
77f92b69 894de4           mov     [ebp-0x1c],ecx
77f92b6c 8b4610           mov     eax,[esi+0x10]
77f92b6f 668b4038         mov     ax,[eax+0x38]
77f92b73 668945e0         mov     [ebp-0x20],ax
77f92b77 668945e2         mov     [ebp-0x1e],ax
77f92b7b 53               push    ebx
77f92b7c 6a04             push    0x4
77f92b7e 6884e6fc77       push    0x77fce684
77f92b83 6a04             push    0x4
77f92b85 687c31f977       push    0xntdll!LdrpInitialize+0x58:
77f92b69 894de4           mov     [ebp-0x1c],ecx
77f92b6c 8b4610           mov     eax,[esi+0x10]
77f92b6f 668b4038         mov     ax,[eax+0x38]
77f92b73 668945e0         mov     [ebp-0x20],ax
77f92b77 668945e2         mov     [ebp-0x1e],ax
77f92b7b 53               push    ebx
77f92b7c 6a04             push    0x4
77f92b7e 6884e6fc77       push    0x77fce684
77f92b83 6a04             push    0x4
77f92b85 687c31f977       push    0x77f9317c
0:000> du 77f9317c
77f9317c  "DisableHeapLookaside"


77f92b8a 8d45e0           lea     eax,[ebp-0x20]
77f92b8d 50               push    eax
77f92b8e e8f6daffff   call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92b93 8d7e68           lea     edi,[esi+0x68]
77f92b96 53               push    ebx
77f92b97 6a04             push    0x4
77f92b99 57               push    edi
77f92b9a 6a04             push    0x4
77f92b9c 68a831f977       push    0x77f931a8

0:000> du 77f931a8
77f931a8  "GlobalFlag"

77f92ba1 8d45e0           lea     eax,[ebp-0x20]
77f92ba4 50               push    eax
77f92ba5 e8dfdaffff   call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92baa 3bc3             cmp     eax,ebx
77f92bac 7d09             jge     ntdll!LdrpInitialize+0xa5 (77f92bb7)

ntdll!LdrpInitialize+0x9d:
77f92bae 385e02           cmp     [esi+0x2],bl
77f92bb1 0f85fd620000     jne     ntdll!LdrpInitialize+0xa2 (77f98eb4)

ntdll!LdrpInitialize+0xa2:
77f98eb4 830f70           or      dword ptr [edi],0x70 <--- look
77f98eb7 e9fb9cffff       jmp     ntdll!LdrpInitialize+0xa5 (77f92bb7)

ntdll!LdrpInitialize+0xa5:
77f92bb7 f6470302         test    byte ptr [edi+0x3],0x2
77f92bbb 0f85fb620000     jne     ntdll!LdrpInitialize+0xab (77f98ebc)

ntdll!LdrpInitialize+0xab:
77f98ebc c6052ce1fc7701 mov byte ptr [ntdll!RtlpDebugPageHeap (77fce12c)],0x1

77f92b8a 8d45e0           lea     eax,[ebp-0x20]
77f92b8d 50               push    eax
77f92b8e e8f6daffff   call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92b93 8d7e68           lea     edi,[esi+0x68]
77f92b96 53               push    ebx
77f92b97 6a04             push    0x4
77f92b99 57               push    edi
77f92b9a 6a04             push    0x4
77f92b9c 68a831f977       push    0x77f931a8
77f92ba1 8d45e0           lea     eax,[ebp-0x20]
77f92ba4 50               push    eax
77f92ba5 e8dfdaffff   call ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92baa 3bc3             cmp     eax,ebx
77f92bac 7d09             jge     ntdll!LdrpInitialize+0xa5 (77f92bb7)

ntdll!LdrpInitialize+0x9d:
77f92bae 385e02           cmp     [esi+0x2],bl
77f92bb1 0f85fd620000     jne     ntdll!LdrpInitialize+0xa2 (77f98eb4)

ntdll!LdrpInitialize+0xa2:
77f98eb4 830f70           or      dword ptr [edi],0x70
77f98eb7 e9fb9cffff       jmp     ntdll!LdrpInitialize+0xa5 (77f92bb7)

ntdll!LdrpInitialize+0xa5:
77f92bb7 f6470302         test    byte ptr [edi+0x3],0x2
77f92bbb 0f85fb620000     jne     ntdll!LdrpInitialize+0xab (77f98ebc)

ntdll!LdrpInitialize+0xab:
77f98ebc c6052ce1fc7701 mov byte ptr [ntdll!RtlpDebugPageHeap (77fce12c)],0x1

btw take a look in elicz site he coded a tls enabled application in asm long ago viz
i think its named tlsinasm
or take a look at roy g bivs article in netlux or search symantec or other av articles
(he coded the first tls enabled virus rugrat long back for 32 bit and recently did it again for 64 bit viz shrug

Last edited by JuneMouse; 05-03-2005 at 14:26.
Reply With Quote
  #7  
Old 05-03-2005, 15:38
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 809
Rept. Given: 47
Rept. Rcvd 391 Times in 86 Posts
Thanks Given: 21
Thanks Rcvd at 88 Times in 50 Posts
Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399
there are also some further details about this method on Cerven's book..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #8  
Old 05-03-2005, 18:13
TQN TQN is offline
VIP
 
Join Date: Apr 2003
Location: Vietnam
Posts: 281
Rept. Given: 122
Rept. Rcvd 10 Times in 8 Posts
Thanks Given: 39
Thanks Rcvd at 19 Times in 9 Posts
TQN Reputation: 10
Thank JuneMouse !
I have followed your way to turn on Debug string output to Log Window (0x70 -> 0x72), but not successed. The Log window show nothing. After a short investigating, I found the HideDebugger plugin causes this problem. Turn off IsDebuggerPresent option will help. But why ? Hope the author of HideDebugger plugin will give me answer !.
Regards,
Reply With Quote
  #9  
Old 05-03-2005, 19:15
asterix asterix is offline
Friend
 
Join Date: Feb 2003
Posts: 98
Rept. Given: 1
Rept. Rcvd 4 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 4 Times in 4 Posts
asterix Reputation: 4
Quote:
After a short investigating, I found the HideDebugger plugin causes this problem. Turn off IsDebuggerPresent option will help. But why ? Hope the author of HideDebugger plugin will give me answer !
??
HideDebugger with options "IsDebuggerPresent" enabled only throws flag Peb.BeingDebugged
and checks it on each EXCEPTION_DEBUG_EVENT
Reply With Quote
  #10  
Old 05-03-2005, 21:25
NakedFool
 
Posts: n/a
The notion of using TLS callbacks is interesting as a means of attaching a stub without disrupting the EP, but be aware that they are ignored by the loader on 9x platforms. If you only care about NT, then they work.

It's also interesting the Microsoft claims (in the PE spec) that they can be used to call global constructors, though this is a bad idea because the CRT has not been initialized yet. I suspect this is why their own compilers don't use them.
Reply With Quote
  #11  
Old 05-04-2005, 22:36
JuneMouse
 
Posts: n/a
TQN
i havent used hideDebugger Plugin i once tried it on xp having seen in ollydbg forum (a link to wasm..ru) it did not work then (some initialization problems
error code 1) after that i never tried it but at that time i saw it was using WaitForDebugEvent and ContinueDebug event which means it kinda runs a debugger within debugger

try loading ollydbg on ollydbg and open some xyz debuggee on child ollydbg and locate this hidedebugger on parent ollydbg view names and put a bp on
wait for debug event
then start single stepping on the xyz you will see the parent ollydbg break for every step kinda slows down run traces appreciably on some big projects no offence its kinda slow so i never tried to use it again and also
i use w2k mostly

anyway as to the problem in hand a dbgprint is passed out to a debugger
so the function naturally checks for is debugger present and if you puportedly decieve the actual status that check also fails and it doesnt pass out the debug string its not a problem of hidedebugger plugin
or svs isdebuggerpresent plugin or any other feature plugins that may decieve isDebuggerPresent api
so if you want to recieve out put you should not hide your debugger

its like the game rootkits play to defeat sysinternals ,f-secures, blah blah revealers they were checking for hidden process and these were
not hiding to them but hiding to every other thing

bythe way if there is no debugger the system still sends the debug out put to dbgservice using int 2d functionality look at sysinternals debug view or osronlines debugmon they kinda hook int 2d to get all those debug out put generates
there are some environment variable like _NT_DEBUG_BLAH_BLAH
and such along with kdbgctrl.exts !dbgprint in windbg which uses these
functionalities

so have fun poking around

and as far as tls is concerned yes there are certain factors like dynamic loading of dlls also cannot use tls w9x loader ignores it etc etc
but is any one still using 286 and wordstar and lotus ??

Last edited by JuneMouse; 05-04-2005 at 22:59.
Reply With Quote
  #12  
Old 05-05-2005, 00:07
JuneMouse
 
Posts: n/a
hehe no post count scam
but i thought a seperate post would emphasis it more so here it is

i downloaded the hidedebuggerplugin v 1.22 from here and tried it to see what happens as i anticipated it fails as i stated

to illustrate the point that is having the cake and eating it too
get one of the above debugviewers (i would prefer debugmon from osronline )
run it first
then open ollydbg along with hidedebugplugin and load a debuggee
when you hit systembreakpoint modify NtGlobalFlag to 72
and run the app
you will see ollydbg wont catch any debug strings but debug mon will catch all debug string that are passed

Code:
021:37:02.480LDR: Real INIT LIST
121:37:02.5009     C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
221:37:02.5007     C:\WINNT\system32\USER32.dll init routine 77e33bb4
321:37:02.5007     C:\WINNT\system32\RPCRT4.DLL init routine 77d43958
421:37:02.5009     C:\WINNT\system32\ADVAPI32.dll init routine 77db87c7
521:37:02.500<LDR: KERNEL32.dll loaded. - Calling init routine at 77e8c3d8
621:37:02.500:LDR: USER32.dll loaded. - Calling init routine at
Reply With Quote
  #13  
Old 05-05-2005, 00:12
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 96 Times in 94 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
"Post count spam" applies only to people who appear to be posting to be trying to get to Junior Member status to gain FTP access. Once a user has reached that level, their posts are not viewed as seeking post count, because they no longer need to increase their count, except possibly to get to VIP status.

Regards,
__________________
JMI
Reply With Quote
  #14  
Old 05-05-2005, 00:25
JuneMouse
 
Posts: n/a
JMI,
you never sleep or do you have robots to check every post and secretly tell you to reply when appropriate
any way thanks for formatting the out put i didnt know how to do it

oops just 50 odd posts to vip staus i should post more posts like this
also i should spend some time exploring the cache i ve not even logged in once though i recieved the email with details
Reply With Quote
  #15  
Old 05-05-2005, 03:45
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 96 Times in 94 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
That post was actually made a little after 9:00 a.m. my time. It was the one around 3:30 a.m. that was more problematic.

All I did to improve the format of your "code" section was hit the Edit Button (I can edit anyone's posts, but you can edit your own). It showed the "code" section as a set of text characters with the word "code" (with [ ] around the word) at the start and the word "/code" (again with [ ] around the word) at the end. I then observed where the text should break, put the cursor there and hit the "Enter" key. Sometimes it took two hits of the "Enter" key to make the text move to the next line.

Check it out. Go to your Post with the "Code" and hit the Edit Button and look at what it shows you. You will then see what I saw after the changes.

Regards,
__________________
JMI
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
struct as local var in ida upb General Discussion 3 03-03-2005 17:29
Olly thread patching... help SvensK General Discussion 5 10-11-2003 11:52


All times are GMT +8. The time now is 19:30.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )