#1
|
|||
|
|||
Unseen Debugger Detection (Ollydbg)
Maybe somebody came across this before, but i just came across it in a program, it kept catching me, and i couldnt for the life find where, finally after a while i came across the following, and emulated it here, any discussion if you saw it, would be nice.
The program calls ZwQueryObject, with a null handle and fills the OBJECT_ALL_TYPES_INFORMATION structure, it checks if the current object type is "DebugObject", if it is, it then checks if pObject->TotalNumberOfHandles, and pObject->TotalNumberOfObjects are greater than 0, if they then the program is being debugged, i didnt try it with softice, as i didnt get it installed yet, but it detects ollydbg just fine. Heres the emulated code i wrote, and the compiled exe: |
#2
|
|||
|
|||
Hello Peter[Pan],
It looks good idea...though I have executed it in my WinXP SP2 withouth any debugger and it detects debugger I'll have a deeper look as soon as I can. |
#3
|
|||
|
|||
Weird, try uncommenting the printf's and comparing when you have no debugger active etc, should see some differnces, maybe only 1 of the two i saw is affected, also iam running winxp sp2, and both were changed.
No Debugger: TypeName: DebugObject DefaultNonPagedPoolCharge: 30 DefaultPagedPoolCharge: 0 GenericMapping: 20001 HighWaterNumberOfHandles: 5 HighWaterNumberOfObjects: 6 InvalidAttributes: 0 MaintainHandleCount: 0 PoolType: 0 SecurityRequired: 1 TotalNumberOfHandles: 0 TotalNumberOfObjects: 0 Debugger: TypeName: DebugObject DefaultNonPagedPoolCharge: 30 DefaultPagedPoolCharge: 0 GenericMapping: 20001 HighWaterNumberOfHandles: 5 HighWaterNumberOfObjects: 6 InvalidAttributes: 0 MaintainHandleCount: 0 PoolType: 0 SecurityRequired: 1 TotalNumberOfHandles: 1 TotalNumberOfObjects: 1 |
#4
|
|||
|
|||
winXP+SP1
ollydbg 1.10, not patched, with olly invisible plugin -- it detects debugger softice in DS3.2, without any plugin -- it didn't detect debugger |
#5
|
|||
|
|||
When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.
SoftICE don't use the Debug API, that is the reason that this trick don't detect it. Regards, Opc0de |
#6
|
||||
|
||||
I tried to write a debugger loader (createprocess in debug mode) which calls the ZwSetInformationObject just after having se to 0 those two values, just before resuming detect.exe, and I still get the detection message..
humm interesting..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com Last edited by Shub-Nigurrath; 09-26-2005 at 21:38. |
#7
|
|||
|
|||
in win98 everything goes ok, there is no message..... any explanation?
|
#8
|
|||
|
|||
Quote:
|
#9
|
||||
|
||||
I can add some info too. (Source code/Executable)
(When you run it, Olly crash) |
#10
|
||||
|
||||
to me it doesn't crash, Olly it's still alive after debugging of this..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com |
#11
|
|||
|
|||
Taos, what exactly is the difference between system and process debugger (as shown in your example?) I dont have SI installed to test but is that what it's referring to?
Shub: I think he was referring to his version that crashes in olly. Although when I run it, it detects a process debugger (same w/ msvs it detects process debugger). I think by crash he means it keeps running and doesn't stop. But it's definitately detected. very interesting pan |
#12
|
||||
|
||||
Quote:
can you pause and continue?. You can not use Olly to debug another app, you must exit. App crash when you run it with Olly too. Quote:
|
#13
|
||||
|
||||
taos, effectively deepeer look revealed those strange things..any glue why?
I were also thinking a way to overcome the problem raised by the first post of this thread: how can I access that structure in a given process so as to proper values? I mean, it's easily possible to patch the ZwQueryObject to return a null buffer and a null lenght, but it's not elegant. For example to avoid IsDebuggerPresent and similar checks, the most elegant way was to access the PEB block and change some values instead of patching the API. Is such approach still doable with the OBJECT_ALL_TYPES_INFORMATION structure, where it is stored in a process? I did some tests but were not able to find it or to find some specifications around.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com |
#14
|
|||
|
|||
Shub-Nigurrath, the information is actually gathered from kernel memory, at least its the case for DebugPort, only way to reset this is, by writing to kernel memory, which in some cases could be bad, take a look at:
http://illhostit.com/files/1787442368222872/Winject%201.5c%20(exe).rar Last time i checked it was able to reset DebugPort from user mode, the way i think they are doing it is by getting the _EPROCESS struct for that particular process id, then doing some hacking to read/write to the memory of ->DebugPort and resetting it, which would be in kernel memory. Atm iam solving with a kmd the DebugObject problem, but a usermode solution would be preferable. Last edited by Peter[Pan]; 09-29-2005 at 05:13. |
#15
|
||||
|
||||
yo
LPVOID AddrZwQueryInformationProcess = (LPVOID)-1;
BYTE SavedByteZwQueryInformationProcess = 0; bool DisableZwQueryInformationProcessDebugPort(void) { DWORD numread; BYTE bFE = 0xFE; HMODULE ntdll = GetModuleHandle("ntdll.dll"); AddrZwQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess"); ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread); WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread); return true; } bool ZwQueryInformationProcessTracer(DEBUG_EVENT evt) { DWORD numread; BYTE bFE = 0xFE; ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread); WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread); return false; // end trace } in debug loop: if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION && evt.u.Exception.ExceptionRecord.ExceptionAddress == AddrZwQueryInformationProcess) { hthread = ThreadIdToHandle(evt.dwThreadId); DWORD stack[6]; DWORD numread; ReadProcessMemory(hproc, (LPVOID)ctx.Esp, &stack, sizeof(DWORD) * 6, &numread); MsgBoxF("ZwQueryInformationProcess trapped >%08X (%08X, %08X, %08X)", stack[0], stack[1], stack[2], stack[3]); if (stack[2] == 7) { DWORD d0 = 0; WriteProcessMemory(hproc, (LPVOID)stack[3], &d0, 1, &numread); d0 = ctx.Esp - 4 * 3; WriteProcessMemory(hproc, (LPVOID)(ctx.Esp + 3 * 4), &d0, sizeof(DWORD), &numread); } WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread); StartTrace(hthread, ZwQueryInformationProcessTracer); ContinueStatus = DBG_CONTINUE; } else // note: plz do not rip this code 1:1 into any pulumbium tutorials |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
New OllyDbg detection by Armadillo? | Maltese | General Discussion | 1 | 07-05-2005 11:14 |
Another way to detect OllyDbg and another debugger | TQN | General Discussion | 2 | 08-03-2004 09:12 |