Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-26-2005, 12:35
Peter[Pan]
 
Posts: n/a
Unseen Debugger Detection (Ollydbg)

Maybe somebody came across this before, but i just came across it in a program, it kept catching me, and i couldnt for the life find where, finally after a while i came across the following, and emulated it here, any discussion if you saw it, would be nice.

The program calls ZwQueryObject, with a null handle and fills the OBJECT_ALL_TYPES_INFORMATION structure, it checks if the current object type is "DebugObject", if it is, it then checks if pObject->TotalNumberOfHandles, and pObject->TotalNumberOfObjects are greater than 0, if they then the program is being debugged, i didnt try it with softice, as i didnt get it installed yet, but it detects ollydbg just fine.

Heres the emulated code i wrote, and the compiled exe:
Attached Files
File Type: zip Detect.zip (14.4 KB, 88 views)
Reply With Quote
  #2  
Old 09-26-2005, 13:47
peleon peleon is offline
Friend
 
Join Date: Sep 2003
Posts: 174
Rept. Given: 0
Rept. Rcvd 7 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
peleon Reputation: 7
Hello Peter[Pan],

It looks good idea...though I have executed it in my WinXP SP2 withouth any debugger and it detects debugger

I'll have a deeper look as soon as I can.
Reply With Quote
  #3  
Old 09-26-2005, 13:52
Peter[Pan]
 
Posts: n/a
Weird, try uncommenting the printf's and comparing when you have no debugger active etc, should see some differnces, maybe only 1 of the two i saw is affected, also iam running winxp sp2, and both were changed.

No Debugger:
TypeName: DebugObject
DefaultNonPagedPoolCharge: 30
DefaultPagedPoolCharge: 0
GenericMapping: 20001
HighWaterNumberOfHandles: 5
HighWaterNumberOfObjects: 6
InvalidAttributes: 0
MaintainHandleCount: 0
PoolType: 0
SecurityRequired: 1
TotalNumberOfHandles: 0
TotalNumberOfObjects: 0

Debugger:
TypeName: DebugObject
DefaultNonPagedPoolCharge: 30
DefaultPagedPoolCharge: 0
GenericMapping: 20001
HighWaterNumberOfHandles: 5
HighWaterNumberOfObjects: 6
InvalidAttributes: 0
MaintainHandleCount: 0
PoolType: 0
SecurityRequired: 1
TotalNumberOfHandles: 1
TotalNumberOfObjects: 1
Reply With Quote
  #4  
Old 09-26-2005, 16:56
suddenLy suddenLy is offline
Friend
 
Join Date: Jan 2005
Posts: 60
Rept. Given: 2
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 1
Thanks Rcvd at 7 Times in 7 Posts
suddenLy Reputation: 3
winXP+SP1

ollydbg 1.10, not patched, with olly invisible plugin
-- it detects debugger

softice in DS3.2, without any plugin
-- it didn't detect debugger

Reply With Quote
  #5  
Old 09-26-2005, 20:11
Opc0de
 
Posts: n/a
When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.

SoftICE don't use the Debug API, that is the reason that this trick don't detect it.

Regards,
Opc0de
Reply With Quote
  #6  
Old 09-26-2005, 21:06
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
I tried to write a debugger loader (createprocess in debug mode) which calls the ZwSetInformationObject just after having se to 0 those two values, just before resuming detect.exe, and I still get the detection message..

humm interesting..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com

Last edited by Shub-Nigurrath; 09-26-2005 at 21:38.
Reply With Quote
  #7  
Old 09-26-2005, 23:05
pluscontrol
 
Posts: n/a
in win98 everything goes ok, there is no message..... any explanation?
Reply With Quote
  #8  
Old 09-27-2005, 00:54
Peter[Pan]
 
Posts: n/a
Quote:
Originally Posted by Opc0de
When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.

SoftICE don't use the Debug API, that is the reason that this trick don't detect it.

Regards,
Opc0de
Thanks for the tech info, thats what i was looking for
Reply With Quote
  #9  
Old 09-28-2005, 04:22
taos's Avatar
taos taos is offline
The Art Of Silence
 
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
Rept. Given: 65
Rept. Rcvd 54 Times in 19 Posts
Thanks Given: 69
Thanks Rcvd at 133 Times in 36 Posts
taos Reputation: 54
I can add some info too. (Source code/Executable)
(When you run it, Olly crash)
Attached Files
File Type: rar debug2.rar (31.1 KB, 55 views)
Reply With Quote
  #10  
Old 09-28-2005, 06:16
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
to me it doesn't crash, Olly it's still alive after debugging of this..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #11  
Old 09-28-2005, 10:49
Viasek
 
Posts: n/a
Taos, what exactly is the difference between system and process debugger (as shown in your example?) I dont have SI installed to test but is that what it's referring to?

Shub: I think he was referring to his version that crashes in olly. Although when I run it, it detects a process debugger (same w/ msvs it detects process debugger). I think by crash he means it keeps running and doesn't stop. But it's definitately detected.

very interesting pan
Reply With Quote
  #12  
Old 09-28-2005, 12:57
taos's Avatar
taos taos is offline
The Art Of Silence
 
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
Rept. Given: 65
Rept. Rcvd 54 Times in 19 Posts
Thanks Given: 69
Thanks Rcvd at 133 Times in 36 Posts
taos Reputation: 54
Quote:
Originally Posted by Shub-Nigurrath
to me it doesn't crash, Olly it's still alive after debugging of this..
Yeah, but can you restart app? can you terminate app inside Olly?
can you pause and continue?. You can not use Olly to debug another app, you must exit.
App crash when you run it with Olly too.

Quote:
Originally Posted by Viasek
what exactly is the difference between system and process debugger (as shown in your example?)
System debugger is a SO internal installed debug (it runs at boot), like WinDbg from M$. Procees debugger is like Olly.
Reply With Quote
  #13  
Old 09-29-2005, 04:44
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
taos, effectively deepeer look revealed those strange things..any glue why?

I were also thinking a way to overcome the problem raised by the first post of this thread: how can I access that structure in a given process so as to proper values?

I mean, it's easily possible to patch the ZwQueryObject to return a null buffer and a null lenght, but it's not elegant. For example to avoid IsDebuggerPresent and similar checks, the most elegant way was to access the PEB block and change some values instead of patching the API.
Is such approach still doable with the OBJECT_ALL_TYPES_INFORMATION structure, where it is stored in a process?
I did some tests but were not able to find it or to find some specifications around.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #14  
Old 09-29-2005, 05:03
Peter[Pan]
 
Posts: n/a
Shub-Nigurrath, the information is actually gathered from kernel memory, at least its the case for DebugPort, only way to reset this is, by writing to kernel memory, which in some cases could be bad, take a look at:

http://illhostit.com/files/1787442368222872/Winject%201.5c%20(exe).rar

Last time i checked it was able to reset DebugPort from user mode, the way i think they are doing it is by getting the _EPROCESS struct for that particular process id, then doing some hacking to read/write to the memory of ->DebugPort and resetting it, which would be in kernel memory.

Atm iam solving with a kmd the DebugObject problem, but a usermode solution would be preferable.

Last edited by Peter[Pan]; 09-29-2005 at 05:13.
Reply With Quote
  #15  
Old 09-29-2005, 10:46
upb's Avatar
upb upb is offline
Friend
 
Join Date: Apr 2002
Location: Elbonia
Posts: 63
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 0 Times in 0 Posts
upb Reputation: 0
yo

LPVOID AddrZwQueryInformationProcess = (LPVOID)-1;
BYTE SavedByteZwQueryInformationProcess = 0;

bool DisableZwQueryInformationProcessDebugPort(void)
{
DWORD numread;
BYTE bFE = 0xFE;
HMODULE ntdll = GetModuleHandle("ntdll.dll");
AddrZwQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess");
ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);
return true;
}

bool ZwQueryInformationProcessTracer(DEBUG_EVENT evt)
{
DWORD numread;
BYTE bFE = 0xFE;

ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);

return false; // end trace
}


in debug loop:
if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION &&
evt.u.Exception.ExceptionRecord.ExceptionAddress == AddrZwQueryInformationProcess)
{
hthread = ThreadIdToHandle(evt.dwThreadId);

DWORD stack[6];
DWORD numread;
ReadProcessMemory(hproc, (LPVOID)ctx.Esp, &stack, sizeof(DWORD) * 6, &numread);
MsgBoxF("ZwQueryInformationProcess trapped >%08X (%08X, %08X, %08X)", stack[0], stack[1], stack[2], stack[3]);
if (stack[2] == 7)
{
DWORD d0 = 0;
WriteProcessMemory(hproc, (LPVOID)stack[3], &d0, 1, &numread);
d0 = ctx.Esp - 4 * 3;
WriteProcessMemory(hproc, (LPVOID)(ctx.Esp + 3 * 4), &d0, sizeof(DWORD), &numread);
}
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
StartTrace(hthread, ZwQueryInformationProcessTracer);
ContinueStatus = DBG_CONTINUE;
} else

// note: plz do not rip this code 1:1 into any pulumbium tutorials
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
New OllyDbg detection by Armadillo? Maltese General Discussion 1 07-05-2005 11:14
Another way to detect OllyDbg and another debugger TQN General Discussion 2 08-03-2004 09:12


All times are GMT +8. The time now is 08:29.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )