#1
Using Thread Local Storage (tls) in Olly
[EDIT JMI]: These posts were originally part of the "Olly Invisible Plugin" thread in the Software Release Forum. In that thread, nikola posted the following comment in one of the posts:

"@Others: Lemme see you leetors hide Olly from this one http://www.maniactools.com/soft/mp3tag.exe I tried for 30 minutes to hide this and gave up. I'm not even sure what this packer is. PEiD says Neolite but this is definitely not Neolite. Markus suggested elsewhere that this is Execryptor and I agree. I can't even start Olly after the program is started because it shuts it down like RegMon. I changed Olly's path, caption, most things I could. Tried this plugin but nothing. Someone made it on this one?"

JuneMouse made this very interesting reply about that software, discussing how to access the Thread Local Storage (TLS) in Olly. nikola then suggested that that information be split off into a separate thread, and here it is for all to consider. Those further interested in system hooking and API hooking, review the "codeproject" reference listed by bgrimm and the API reference mentioned at the bottom of bgrimm's reference. All very interesting information.]

hehe, i was reading through (the Olly Invisible Plugin thread) and i saw the post by nikola. mp3tag.exe has no need to hide Olly from anything; it uses TLS callbacks, so TLS gets the first chance to execute before reaching the EP.

Code:
Log data
Address   Message
          OllyDbg v1.10
          Bookmarks sample plugin v1.06 (plugin demo)
          Copyright (C) 2001, 2002 Oleh Yuschuk
          Command line plugin v1.10
          Written by Oleh Yuschuk
          File '***********\mp3tag.exe'
          New process with ID 00000220 created
00840938  Main thread with ID 00000370 created
00400000  Module *****************\mp3tag.exe
77E10000  Module C:\WINNT\system32\user32.dll
77F40000  Module C:\WINNT\system32\GDI32.dll
77F80000  Module C:\WINNT\system32\ntdll.dll
7C570000  Module C:\WINNT\system32\kernel32.dll
77F813B1  System startup breakpoint
77F9FE4A  Debug string: LDR: Real INIT LIST
77F9FE4A  Debug string: C:\WINNT\system32\kernel32.dll init routine 7c577a40
77F9FE4A  Debug string: C:\WINNT\system32\user32.dll init routine 77e1df34
77F9FE4A  Debug string: LDR: kernel32.dll loaded.
77F9FE4A  Debug string: - Calling init routine at 7c577a40
77F9FE4A  Debug string: LDR: user32.dll loaded.
77F9FE4A  Debug string: - Calling init routine at 77e1df34
77F9FE4A  Debug string: LDR: Tls Callbacks Found. Imagebase 400000 Tls 6f90e0 CallBacks 6f910c
77F9FE4A  Debug string: LDR: Calling Tls Callback Imagebase 400000 Function 842d46

and one can dump almost all memory. well, for me that's enough coz i don't want a running exe. here is a strings before and after for this manic. if you know how to break back from ZwContinue (simple: follow in dump the context struct, add b8, press ctrl+g in the cpu window and type the address that you see in dump, and when you are there press f2 and f9). hope you can decipher this, have fun. the point being you need to know the ways and means; will follow. just having plugins won't work, as you may notice i have no plugins installed except for the default command line that comes along. yeah, fresh download and alien computer and no tools (not even a hexeditor), and about an hour to pass (anyway, had to pass time waiting for someone, sitting in a cafe).
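A way to see the same thing statically, as an added example that is not part of JuneMouse's post and not code from OllyDbg or any tool mentioned in the thread: the Python script below walks the PE headers to the TLS data directory (index 9), follows IMAGE_TLS_DIRECTORY.AddressOfCallBacks, and lists the callback addresses the NT loader calls before AddressOfEntryPoint (the same "Tls ... CallBacks ..." values the LDR debug string above reports). The image it parses by default is a constructed minimal PE32 built in memory, not mp3tag.exe; pass a real file path on the command line to inspect that instead.

```python
"""List the TLS callbacks of a PE file: the code the NT loader runs before the entry point."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_TLS = 9


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def tls_callbacks(data):
    """Return {'entry_point', 'tls_directory', 'callbacks'} (all VAs) for PE32/PE32+ image bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        ptr_fmt, ptr_size, dd_base = "<I", 4, 96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        ptr_fmt, ptr_size, dd_base = "<Q", 8, 112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]   # NumberOfRvaAndSizes
    tls_rva = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva = struct.unpack_from("<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    sections = []
    for i in range(num_sections):                         # 40-byte IMAGE_SECTION_HEADERs
        hdr = opt + size_of_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    result = {"entry_point": image_base + entry_rva, "tls_directory": 0, "callbacks": []}
    if tls_rva == 0:
        return result                                     # no TLS directory: EP really is first
    tls_off = _rva_to_offset(tls_rva, sections)
    result["tls_directory"] = image_base + tls_rva
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (a VA, not an RVA), SizeOfZeroFill, Characteristics
    callbacks_va = struct.unpack_from(ptr_fmt, data, tls_off + 3 * ptr_size)[0]
    if callbacks_va:
        off = _rva_to_offset(callbacks_va - image_base, sections)
        while True:                                       # array ends with a NULL pointer
            cb = struct.unpack_from(ptr_fmt, data, off)[0]
            if cb == 0:
                break
            result["callbacks"].append(cb)
            off += ptr_size
    return result


def build_sample_pe(with_tls=True):
    """Constructed minimal PE32 (one section, two TLS callbacks); an assumption, not a real binary."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                               # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                               # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<IIII", img, opt + 28, 0x400000, 0x1000, 0x200, 0)  # ImageBase, alignments
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)                 # SizeOfImage/Headers
    struct.pack_into("<I", img, opt + 92, 16)                             # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1100, 24)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", img, sec + 36, 0x60000020)
    img[0x200] = 0xC3                                                     # EP at RVA 0x1000: ret
    # IMAGE_TLS_DIRECTORY at RVA 0x1100, callback table at VA 0x401120, stubs at 0x401140/50
    struct.pack_into("<IIIIII", img, 0x300, 0x401180, 0x401184, 0x401184, 0x401120, 0, 0)
    struct.pack_into("<III", img, 0x320, 0x401140, 0x401150, 0)
    img[0x340] = img[0x350] = 0xC3
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pe()
    info = tls_callbacks(data)
    print("entry point   %08x" % info["entry_point"])
    print("TLS directory %08x" % info["tls_directory"])
    for cb in info["callbacks"]:
        print("TLS callback  %08x  (called by the loader before the entry point)" % cb)
```

Anything listed under "TLS callback" gets control at process start (and again on thread attach/detach) before a breakpoint on the entry point would ever fire, which is why OllyDbg's "System startup breakpoint" setting, not the EP breakpoint, is the right place to stop for such a file.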
#2
Nice post. Well, i didn't even know what TLS is and what it's used for, so you just opened a new horizon for me. I don't want to spoil a new installation of windows. I'll have to activate the other partition later and try there...

#3
hehe, corrupting a new installation? i said i used an alien computer in a cafe, with the non-admin account with least privileges. let you corrupt your system anyway, here is how i enable debug strings: options ---> debugging options --> events --> change the radio button to system breakpoint, checkmark the event "break on debug strings", f9 the app. olly will stop on the system break, which is a retn statement

Code:
77F9F9DF > CC    INT3
77F9F9E0   C3    RETN          <---- here

Code:
77F992CF   MOV AL,BYTE PTR DS:[ESI+68]      ; esi = fs:[30]
77F992D2   AND AL,2                         ; check for LDR_SHOW_SNAPS
77F992D4   MOV BYTE PTR DS:[77FCE6F0],AL    ; save flag

you will see this in the information pane

Code:
DS:[7FFDF068]=70 ('p')
AL=02

make it 72, that is all, and if you now f9 olly will automatically stop on the next debug string, viz.

Code:
Log data, item 0
Address=77F9FA77
Message=Debug string: LDR: Real INIT LIST
Log data, item 0
Address=77F9FA77
Message=Debug string: C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8

i've not seen it being used anywhere. take a look at the html page in the attachment; it comes with the app in a zip. for those who just prefer code:

Code:
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib

.data
forma       db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
tite        db "goodguy you are not running inside debugger",0
tite1       db "badguy you are running this under debugger",0
subkeyname  db "SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER",0
valuename   db "GLOBALFLAG",0

.DATA?
buffer      db 120h dup (?)       ; formatted message for MessageBox
buffer1     dd ?                  ; HKEY returned by RegOpenKeyEx
buffer2     dd ?                  ; value type returned by RegQueryValueEx
buffer3     dd ?                  ; GlobalFlag read from the registry (stays 0 if absent)
buffer4     dd ?                  ; size of buffer3, in/out for RegQueryValueEx

.CODE
start:
    mov buffer4,4                 ; sizeof(DWORD)
    ; KEY_QUERY_VALUE is enough to read the value and, unlike KEY_ALL_ACCESS,
    ; also works from the non-admin account mentioned above
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,ADDR subkeyname,NULL,KEY_QUERY_VALUE,addr buffer1
    invoke RegQueryValueEx,buffer1,addr valuename,NULL,addr buffer2,addr buffer3,addr buffer4
    ; PEB is at fs:[30h]; PEB.NtGlobalFlag is at offset 68h and the loader ORs in 70h
    ; (heap tail/free/parameter checking) when the process starts under a debugger
    assume fs:nothing
    mov eax,fs:[30h]
    mov eax,[eax+68h]
    .if buffer3==eax
        invoke wsprintf,addr buffer,addr forma,eax,buffer3
        invoke MessageBox,NULL,offset buffer,offset tite,NULL
    .else
        invoke wsprintf,addr buffer,addr forma,eax,buffer3
        invoke MessageBox,NULL,offset buffer,offset tite1,NULL
    .endif
    invoke RegCloseKey,buffer1
    invoke ExitProcess,NULL
end start
#4
Great post Junemouse, thanks for the info.
Anyone interested in more TLS callback info could also benefit from this article: http://www.codeproject.com/threads/tls.asp I would ask perhaps of the admins to move your posts to a new thread? As much as it pertains to the build of the invisible plugin, it is such great info it should stand on its own. thx, -bg
#5
Great information, JuneMouse. Thank you very much!
Hope Teerayoot will update his Olly Invisible plugin with this information. This detecting way will return wrong information if the GlobalFlag of the exe was set (by using Gflags.exe or by editing the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TheEXE). Creating an empty key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe] (no GlobalFlag value) in the registry will fool the detecting. Best regards, TQN Last edited by TQN; 05-03-2005 at 12:43.
#6
to JMI: thanks for moving it to a separate thread.
TQN, so you read the page fully and commented on its antidote. btw you need the value set to something; a plain key won't work, as you show in the .txt

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugcrap.exe]
"GlobalFlag"=" some value here"

btw windbg rocks a lot actually for this kind of work. you can't get olly to display the disassembly shown below live, coz olly breaks far lower in the chain at LdrInitializeProcess-->DbgPrint, whereas windbg breaks long, long before

Code:
ntdll!LdrpInitialize+0x58:
77f92b69 894de4           mov     [ebp-0x1c],ecx
77f92b6c 8b4610           mov     eax,[esi+0x10]
77f92b6f 668b4038         mov     ax,[eax+0x38]
77f92b73 668945e0         mov     [ebp-0x20],ax
77f92b77 668945e2         mov     [ebp-0x1e],ax
77f92b7b 53               push    ebx
77f92b7c 6a04             push    0x4
77f92b7e 6884e6fc77       push    0x77fce684
77f92b83 6a04             push    0x4
77f92b85 687c31f977       push    0x77f9317c
0:000> du 77f9317c
77f9317c  "DisableHeapLookaside"
77f92b8a 8d45e0           lea     eax,[ebp-0x20]
77f92b8d 50               push    eax
77f92b8e e8f6daffff       call    ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92b93 8d7e68           lea     edi,[esi+0x68]
77f92b96 53               push    ebx
77f92b97 6a04             push    0x4
77f92b99 57               push    edi
77f92b9a 6a04             push    0x4
77f92b9c 68a831f977       push    0x77f931a8
0:000> du 77f931a8
77f931a8  "GlobalFlag"
77f92ba1 8d45e0           lea     eax,[ebp-0x20]
77f92ba4 50               push    eax
77f92ba5 e8dfdaffff       call    ntdll!LdrQueryImageFileExecutionOptions (77f90689)
77f92baa 3bc3             cmp     eax,ebx
77f92bac 7d09             jge     ntdll!LdrpInitialize+0xa5 (77f92bb7)
ntdll!LdrpInitialize+0x9d:
77f92bae 385e02           cmp     [esi+0x2],bl
77f92bb1 0f85fd620000     jne     ntdll!LdrpInitialize+0xa2 (77f98eb4)
ntdll!LdrpInitialize+0xa2:
77f98eb4 830f70           or      dword ptr [edi],0x70        <--- look
77f98eb7 e9fb9cffff       jmp     ntdll!LdrpInitialize+0xa5 (77f92bb7)
ntdll!LdrpInitialize+0xa5:
77f92bb7 f6470302         test    byte ptr [edi+0x3],0x2
77f92bbb 0f85fb620000     jne     ntdll!LdrpInitialize+0xab (77f98ebc)
ntdll!LdrpInitialize+0xab:
77f98ebc c6052ce1fc7701   mov     byte ptr [ntdll!RtlpDebugPageHeap (77fce12c)],0x1

btw take a look at elicz's site; he coded a TLS-enabled application in asm long ago, viz. i think it's named tlsinasm. or take a look at roy g biv's article on netlux, or search symantec or other av articles (he coded the first TLS-enabled virus, rugrat, long back for 32-bit and recently did it again for 64-bit, viz. shrug). Last edited by JuneMouse; 05-03-2005 at 14:26.
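The NtGlobalFlag logic that post #3 patches by hand in OllyDbg (70 -> 72) and that the LdrpInitialize listing above exposes, restated as an added example in Python; it is not part of either post and is not Windows code. It models the order the disassembly shows (an Image File Execution Options GlobalFlag value, when the query succeeds, is written straight into PEB.NtGlobalFlag and the `or dword ptr [edi],0x70` is skipped; otherwise PEB.BeingDebugged causes 0x70 to be ORed in; bit 0x02000000 then switches on RtlpDebugPageHeap), names the bits involved, and reproduces the comparison the MASM program in post #3 performs. The FLG_* names and values are the documented gflags constants; that the PEB starts out with the Session Manager GlobalFlag value is an assumption stated in the code; nothing here reads a real PEB or the registry.

```python
"""Model of how the NT loader derives PEB.NtGlobalFlag, and what the usual debugger check sees."""

# Documented FLG_* bits (gflags.exe / WinDbg !gflag); only the ones this thread touches.
FLAGS = {
    0x00000002: "FLG_SHOW_LDR_SNAPS",           # LDR_SHOW_SNAPS: loader emits the "LDR:" strings
    0x00000010: "FLG_HEAP_ENABLE_TAIL_CHECK",
    0x00000020: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x00000040: "FLG_HEAP_VALIDATE_PARAMETERS",
    0x02000000: "FLG_HEAP_PAGE_ALLOC",
}
DEBUGGER_HEAP_FLAGS = 0x70      # what LdrpInitialize ORs in when PEB.BeingDebugged != 0


def decode(flag):
    """Names of the known bits set in a GlobalFlag value (leftover bits reported as hex)."""
    names = [name for bit, name in sorted(FLAGS.items()) if flag & bit]
    unknown = flag & ~sum(FLAGS)
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def loader_ntglobalflag(being_debugged, ifeo_globalflag=None, session_manager_globalflag=0):
    """Replay the LdrpInitialize sequence from the WinDbg listing.

    ifeo_globalflag is None when there is no GlobalFlag value under the image's
    Image File Execution Options key (an empty key counts as none, as JuneMouse notes).
    Assumption: the PEB starts out holding the system-wide value from
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\GlobalFlag.
    Returns (NtGlobalFlag, RtlpDebugPageHeap).
    """
    flag = session_manager_globalflag
    if ifeo_globalflag is not None:
        # LdrQueryImageFileExecutionOptions(..., "GlobalFlag", edi=&Peb->NtGlobalFlag) succeeded:
        # the registry value overwrites the field and the jge skips the debugger branch.
        flag = ifeo_globalflag
    elif being_debugged:
        # query failed: cmp [esi+2],bl (PEB.BeingDebugged) / or dword ptr [edi],0x70
        flag |= DEBUGGER_HEAP_FLAGS
    # test byte ptr [edi+3],2 -> bit 0x02000000 -> RtlpDebugPageHeap = 1
    page_heap = bool(flag & 0x02000000)
    return flag, page_heap


def debugger_suspected(peb_ntglobalflag, registry_globalflag):
    """The check the MASM program in post #3 makes: PEB value differs from the registry value."""
    return peb_ntglobalflag != registry_globalflag


def show_ldr_snaps(peb_ntglobalflag):
    """What post #3 does by hand in OllyDbg: set bit 2 so the loader emits its LDR: strings."""
    return peb_ntglobalflag | 0x2


def scenarios():
    """The cases discussed in the thread; returns [(label, flag, page_heap, suspected), ...]."""
    out = []
    for label, dbg, ifeo in (
        ("clean run", False, None),
        ("under OllyDbg", True, None),
        ("under OllyDbg, IFEO key only (no value)", True, None),
        ("under OllyDbg, IFEO GlobalFlag=0", True, 0),
        ("under OllyDbg, IFEO GlobalFlag=0x2", True, 0x2),
        ("under OllyDbg, IFEO GlobalFlag=0x02000000", True, 0x02000000),
    ):
        flag, page_heap = loader_ntglobalflag(dbg, ifeo)
        out.append((label, flag, page_heap, debugger_suspected(flag, 0)))
    return out


if __name__ == "__main__":
    for label, flag, page_heap, suspected in scenarios():
        print("%-44s NtGlobalFlag=%08x  page heap=%-5s  suspected=%-5s  %s"
              % (label, flag, page_heap, suspected, ",".join(decode(flag)) or "-"))
```

Two things the model makes visible: the "antidote" only works when a GlobalFlag *value* exists (an empty key leaves the query failing, so 0x70 is still ORed in), and a value like 0x2 under IFEO still differs from the Session Manager value, so a check that compares the two, as the MASM program does, reports a debugger even though the 0x70 marker never appeared.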
#7
there are also some further details about this method on Cerven's book..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com |
#8
Thanks JuneMouse!
I have followed your way to turn on debug string output to the Log window (0x70 -> 0x72), but did not succeed. The Log window shows nothing. After a short investigation, I found the HideDebugger plugin causes this problem. Turning off the IsDebuggerPresent option will help. But why? Hope the author of the HideDebugger plugin will give me an answer! Regards,
#9
Quote:
HideDebugger with options "IsDebuggerPresent" enabled only throws flag Peb.BeingDebugged and checks it on each EXCEPTION_DEBUG_EVENT |
#10
The notion of using TLS callbacks is interesting as a means of attaching a stub without disrupting the EP, but be aware that they are ignored by the loader on 9x platforms. If you only care about NT, then they work.
It's also interesting that Microsoft claims (in the PE spec) that they can be used to call global constructors, though this is a bad idea because the CRT has not been initialized yet. I suspect this is why their own compilers don't use them.
#11
TQN,
i haven't used the HideDebugger plugin. i once tried it on xp, having seen it in the ollydbg forum (a link to wasm.ru); it did not work then (some initialization problems, error code 1). after that i never tried it, but at that time i saw it was using WaitForDebugEvent and ContinueDebugEvent, which means it kinda runs a debugger within a debugger. try loading ollydbg on ollydbg, open some xyz debuggee in the child ollydbg, locate this hidedebugger in the parent ollydbg (view names) and put a bp on WaitForDebugEvent, then start single stepping on the xyz: you will see the parent ollydbg break for every step. kinda slows down run traces appreciably on some big projects. no offence, it's kinda slow, so i never tried to use it again, and also i use w2k mostly.

anyway, as to the problem in hand: a DbgPrint is passed out to a debugger, so the function naturally checks for IsDebuggerPresent, and if you purportedly deceive the actual status, that check also fails and it doesn't pass out the debug string. it's not a problem of the hidedebugger plugin or svs's isdebuggerpresent plugin or any other feature plugins that may deceive the IsDebuggerPresent api. so if you want to receive output you should not hide your debugger. it's like the game rootkits play to defeat sysinternals', f-secure's, blah blah revealers: they were checking for hidden processes, and these were not hiding from them but hiding from everything else.

by the way, if there is no debugger the system still sends the debug output to the dbg service using int 2d functionality. look at sysinternals' debug view or osronline's debugmon; they kinda hook int 2d to get all those debug outputs generated. there are some environment variables like _NT_DEBUG_BLAH_BLAH and such, along with kdbgctrl and exts !dbgprint in windbg, which use these functionalities. so have fun poking around.

and as far as TLS is concerned, yes, there are certain factors like dynamically loaded dlls also cannot use tls, the w9x loader ignores it, etc etc, but is anyone still using a 286 and wordstar and lotus??
Last edited by JuneMouse; 05-04-2005 at 22:59.
#12
hehe, no post count scam,
but i thought a separate post would emphasize it more, so here it is. i downloaded the hidedebugger plugin v1.22 from here and tried it to see what happens. as i anticipated, it fails, as i stated, to illustrate the point, that is, having the cake and eating it too. get one of the above debug viewers (i would prefer debugmon from osronline), run it first, then open ollydbg along with the hidedebug plugin and load a debuggee. when you hit the system breakpoint modify NtGlobalFlag to 72 and run the app. you will see ollydbg won't catch any debug strings, but debugmon will catch all the debug strings that are passed

Code:
0  21:37:02.480  LDR: Real INIT LIST
1  21:37:02.500  9 C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
2  21:37:02.500  7 C:\WINNT\system32\USER32.dll init routine 77e33bb4
3  21:37:02.500  7 C:\WINNT\system32\RPCRT4.DLL init routine 77d43958
4  21:37:02.500  9 C:\WINNT\system32\ADVAPI32.dll init routine 77db87c7
5  21:37:02.500  < LDR: KERNEL32.dll loaded. - Calling init routine at 77e8c3d8
6  21:37:02.500  : LDR: USER32.dll loaded. - Calling init routine at
#13
"Post count spam" applies only to people who appear to be posting to be trying to get to Junior Member status to gain FTP access. Once a user has reached that level, their posts are not viewed as seeking post count, because they no longer need to increase their count, except possibly to get to VIP status.
Regards,
__________________
JMI |
#14
JMI,
you never sleep, or do you have robots to check every post and secretly tell you to reply when appropriate? anyway, thanks for formatting the output, i didn't know how to do it. oops, just 50 odd posts to VIP status; i should post more posts like this. also i should spend some time exploring the cache; i've not even logged in once, though i received the email with details.
#15
That post was actually made a little after 9:00 a.m. my time. It was the one around 3:30 a.m. that was more problematic.
All I did to improve the format of your "code" section was hit the Edit Button (I can edit anyone's posts, but you can edit your own). It showed the "code" section as a set of text characters with the word "code" (with [ ] around the word) at the start and the word "/code" (again with [ ] around the word) at the end. I then observed where the text should break, put the cursor there and hit the "Enter" key. Sometimes it took two hits of the "Enter" key to make the text move to the next line. Check it out. Go to your Post with the "Code" and hit the Edit Button and look at what it shows you. You will then see what I saw after the changes. Regards,
__________________
JMI |