Exetools

Themida/WinLicense latest version information

#1  10-18-2017, 17:59  dummys (Friend)

Hi guys,

I'm trying to be able to debug an application that runs only on Windows 10 and is packed by Themida. In fact, it's not the main exe file that is packed; it's a DLL, which seems to add a lot of new sections to the exe afterwards. I can attach to it using ScyllaHide, but when a secure function runs inside the binary my debugger seems to get trapped and the application crashes. I tried launching the application directly from the debugger, but even with all ScyllaHide anti-debug options activated, it seems that Themida still finds that I'm debugging it. I tried hooking NtSetInformationThread with Frida in order to block the ThreadHideFromDebugger flag, without success. I've also tried API Monitor, with the context-switch attach. I'm searching for information about some of the protections this protector can use, or ideas on how to detect or find out which protections it is using. Thanks
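As an added example (not code from the thread, from ScyllaHide or from the Frida project), here is the shape the Frida hook described above takes, written so the hook logic lives in plain functions that run both under Frida and under plain Node. It assumes the documented Nt* prototypes, that THREADINFOCLASS 0x11 is ThreadHideFromDebugger, and that `Module.findExportByName` is the export lookup (its name differs between Frida versions). It also handles the read-back a protector can do through NtQueryInformationThread, which a hook on the setter alone leaves inconsistent.

```javascript
// Added example, not code from the thread, ScyllaHide or Frida: hooks on the
// two ntdll calls behind the ThreadHideFromDebugger trick. The hook objects
// are built by plain functions so the same logic runs under Frida
// (Interceptor present) and under plain Node.
// Assumptions: documented Nt* prototypes; THREADINFOCLASS 0x11 is
// ThreadHideFromDebugger; Module.findExportByName is the export lookup
// (its name differs between Frida versions).
const THREAD_HIDE_FROM_DEBUGGER = 0x11;
const STATUS_SUCCESS = 0;
const BOGUS_INFO_CLASS = 0x7fffffff;   // the kernel rejects it, so nothing is set

// Frida hands hooks NativePointer objects; in Node a small stand-in suffices.
const asNative = (typeof ptr === 'function')
  ? ptr
  : (v) => ({ toInt32: () => v, writeU8(b) { this.byte = b; return this; } });

// NtSetInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength)
function makeSetInfoHook(log = () => {}) {
  return {
    onEnter(args) {
      this.swallowed = args[1].toInt32() === THREAD_HIDE_FROM_DEBUGGER;
      if (this.swallowed) {
        args[1] = asNative(BOGUS_INFO_CLASS);   // the real flag is never set ...
        log('NtSetInformationThread(ThreadHideFromDebugger) swallowed');
      }
    },
    onLeave(retval) {
      if (this.swallowed) retval.replace(STATUS_SUCCESS);   // ... but the caller is told it was
    },
  };
}

// NtQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength, ReturnLength)
// A protector that sets the flag may read it back; report it as TRUE.
function makeQueryInfoHook(log = () => {}) {
  return {
    onEnter(args) {
      this.faked = args[1].toInt32() === THREAD_HIDE_FROM_DEBUGGER;
      this.outBuf = args[2];
      this.outLen = args[3].toInt32();
    },
    onLeave(retval) {
      if (this.faked && retval.toInt32() === STATUS_SUCCESS && this.outLen >= 1) {
        this.outBuf.writeU8(1);   // BOOLEAN ThreadHideFromDebugger = TRUE
        log('NtQueryInformationThread(ThreadHideFromDebugger) faked');
      }
    },
  };
}

// Attach only when running inside Frida; returns false under plain Node.
function install() {
  if (typeof Interceptor === 'undefined') return false;
  const nt = (name) => Module.findExportByName('ntdll.dll', name);
  Interceptor.attach(nt('NtSetInformationThread'), makeSetInfoHook(console.log));
  Interceptor.attach(nt('NtQueryInformationThread'), makeQueryInfoHook(console.log));
  return true;
}
install();
```

Load it with `frida -p <pid> -l hide_hook.js` (or `frida -f target.exe -l hide_hook.js` to start the target suspended). Two caveats a practitioner should keep in mind: Frida's Interceptor writes inline trampolines into the ntdll function prologues, so a protector that checksums ntdll code bytes (as PC_Hunter-style tools also see such hooks) can still notice them, and the DbgUiRemoteBreakin patch and trap-flag tricks discussed later in this thread are separate checks that these two hooks do not touch.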
#2  10-18-2017, 18:59  ahmadmansoor (Coder, Syria)
You have to handle these for sure:
KERNELBASE.dll NtSetInformationProcess
KERNELBASE.dll NtQueryInformationProcess
KERNELBASE.dll NtClose
That should work...
Windows 10 sucks; handling APIs is not that easy.
Try on Windows 8.1 or 7 SP2.
#3  10-18-2017, 19:39  dummys (Friend)
The problem is that it doesn't run on Windows 7: msvcr80.dll crashes.
Those APIs should be handled by ScyllaHide. I tested it with ScyllaTest and it's OK.
Do you think that Themida is doing kernel hooks as well?
#4  10-19-2017, 02:49  TechLord (Banned User)
Quote:
Originally Posted by ahmadmansoor
You have to handle these for sure:
...
Windows 10 sucks; handling APIs is not that easy.
Try on Windows 8.1 or 7 SP2.
Yes, and it also seems that in the Creators Update of Win 10, to be released soon, hooking of system processes/modules will not be allowed...

So we need to come up with newer methods to hook and hide our debugging efforts. Or just keep using the older versions of Windows...
#5  10-19-2017, 15:00  dummys (Friend)
Jeez, that's crap... What do you do when you have no choice of platform for reversing?

So I was able to see the ring3 hooks with PC_Hunter; it's only ntdll.DbgUiRemoteBreakin. There is no ring0 hook (the Oreans driver is not loaded). When I restore the ring3 hooks and then attach my debugger, it works. But when starting a "secure" function, the debuggee does nothing.
#6  10-19-2017, 21:23  ahmadmansoor (Coder, Syria)
Check if there are single-step checks. What is the target?
#7  10-20-2017, 14:51  dummys (Friend)
Yes, I get some exceptions for single stepping; I always pass them to the debuggee.
It's a legit application. Do you think it's possible to totally remove the Themida protector from the protected DLL? The original software is not packed; it's only the "secure DLL" that is packed/protected.
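Before deciding whether the protector can be stripped from the "secure DLL", it helps to see what it left in the image: the first post already noticed "a lot of new sections". The following is an added example, not code from the thread: a minimal PE section walker for Node that lists each section with its Shannon entropy and flags the ones that look like a protector stub. The name patterns (themida, winlice, oreans) are section names commonly seen on Themida/WinLicense output and the 7.0 bits/byte threshold is a heuristic; both are assumptions. The sample image it parses is constructed inline, not a real binary.

```javascript
// Added example, not code from the thread: walk a PE section table, compute
// per-section entropy and flag protector-like sections.
// Assumptions (heuristics, not facts from the thread): the name patterns are
// section names commonly seen on Themida/WinLicense output, and >= 7.0
// bits/byte marks data that is compressed or encrypted.
const PROTECTOR_NAME_PATTERNS = [/themida/i, /winlice/i, /oreans/i];
const HIGH_ENTROPY = 7.0;
const IMAGE_SCN_MEM_EXECUTE = 0x20000000;

function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Parse only what is needed to reach the IMAGE_SECTION_HEADER entries.
function parseSections(buf) {
  if (buf.toString('latin1', 0, 2) !== 'MZ') throw new Error('not an MZ image');
  const peOff = buf.readUInt32LE(0x3c);                                   // e_lfanew
  if (buf.toString('latin1', peOff, peOff + 4) !== 'PE\0\0') throw new Error('bad PE signature');
  const coff = peOff + 4;                                                 // IMAGE_FILE_HEADER
  const numSections = buf.readUInt16LE(coff + 2);
  const optSize = buf.readUInt16LE(coff + 16);                            // SizeOfOptionalHeader
  let off = coff + 20 + optSize;                                          // first section header
  const sections = [];
  for (let i = 0; i < numSections; i += 1, off += 40) {
    const rawSize = buf.readUInt32LE(off + 16);
    const rawPtr = buf.readUInt32LE(off + 20);
    sections.push({
      name: buf.toString('latin1', off, off + 8).replace(/\0+$/, ''),
      virtualSize: buf.readUInt32LE(off + 8),
      virtualAddress: buf.readUInt32LE(off + 12),
      rawSize,
      rawPtr,
      characteristics: buf.readUInt32LE(off + 36),
      entropy: shannonEntropy(buf.subarray(rawPtr, rawPtr + rawSize)),
    });
  }
  return sections;
}

// Suspicious: protector name, high-entropy contents, or executable with no
// bytes on disk (the protector fills it in at run time).
function suspiciousSections(sections) {
  return sections.filter((s) =>
    PROTECTOR_NAME_PATTERNS.some((re) => re.test(s.name)) ||
    (s.rawSize > 0 && s.entropy >= HIGH_ENTROPY) ||
    (s.rawSize === 0 && s.virtualSize > 0 && (s.characteristics & IMAGE_SCN_MEM_EXECUTE) !== 0));
}

// Constructed sample image (not a real binary): plain .text and .data plus a
// protector-style section filled with xorshift32 noise.
function buildSamplePe() {
  const buf = Buffer.alloc(0x600);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(0x40, 0x3c);
  buf.write('PE\0\0', 0x40, 'latin1');
  const coff = 0x44;
  buf.writeUInt16LE(0x14c, coff);            // IMAGE_FILE_MACHINE_I386
  buf.writeUInt16LE(3, coff + 2);            // NumberOfSections
  buf.writeUInt16LE(0xe0, coff + 16);        // SizeOfOptionalHeader for PE32
  const headers = [ // name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    ['.text',    0x1000, 0x1000, 0x100, 0x200, 0x60000020],
    ['.data',    0x1000, 0x2000, 0x100, 0x300, 0xc0000040],
    ['.themida', 0x8000, 0x3000, 0x200, 0x400, 0xe0000060],
  ];
  let off = coff + 20 + 0xe0;
  for (const [name, vsize, vaddr, rawSize, rawPtr, chars] of headers) {
    buf.write(name, off, 'latin1');
    buf.writeUInt32LE(vsize, off + 8);
    buf.writeUInt32LE(vaddr, off + 12);
    buf.writeUInt32LE(rawSize, off + 16);
    buf.writeUInt32LE(rawPtr, off + 20);
    buf.writeUInt32LE(chars, off + 36);
    off += 40;
  }
  buf.fill(0x90, 0x200, 0x300);              // .text: NOP sled, entropy 0; .data stays zeroed
  let x = 0x12345678;
  for (let i = 0x400; i < 0x600; i += 1) {   // .themida: pseudo-random bytes
    x ^= x << 13; x ^= x >>> 17; x ^= x << 5; x >>>= 0;
    buf[i] = x & 0xff;
  }
  return buf;
}

const sampleSections = parseSections(buildSamplePe());
for (const s of sampleSections) {
  console.log(`${s.name.padEnd(8)} raw=0x${s.rawSize.toString(16)} virt=0x${s.virtualSize.toString(16)} H=${s.entropy.toFixed(2)}`);
}
console.log('suspicious:', suspiciousSections(sampleSections).map((s) => s.name));
```

Point it at a real file with `parseSections(require('fs').readFileSync(path))`. On a protected image expect large high-entropy sections and executable sections with no raw data; that is the on-disk side of the "new sections" the first post saw appearing. Entropy alone does not tell compression from encryption, and a protector may rename its sections, so treat the flags as places to start looking in the debugger rather than as proof of what the protector is.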
#8  10-20-2017, 21:11  dummys (Friend)
Hey there,

I made some progress. I was able to install the application (after a ton of hacks) on a Windows 7 x64 VM. With x64dbg + ScyllaHide, I get trapped and the debuggee closes. I get an exception, "ILLEGAL_INSTRUCTION". This exception I need to pass to the debuggee, right? I get another exception: "EXCEPTION_PRIV_INSTRUCTION". I also pass it to the application. After this it closes.
#9  10-21-2017, 01:19  sendersu (VIP)
Mr. Exodia recently fixed/updated the hider: ScyllaHide_2017-10-19_18-54.7z
And yes, you need to pass each and every exception into the dbg engine;
think as if there is no debugger at all!
What would happen then?
#10  10-23-2017, 16:13  dummys (Friend)
Yes, that's what I do. The problem is that when using Shift+F9, my debugger gets trapped and the process exits. Even with ScyllaHide and the Themida x86 profile on. How can I trace to find the tricks it is using to detect me?
#11  10-24-2017, 00:57  sendersu (VIP)
1) What OS are you on?
2) Try using a different debugger (Olly/IDA).
#12  10-26-2017, 16:04  dummys (Friend)
x64dbg + ScyllaHide. Tried on Windows 10 x64 and Windows 7.
#13  10-27-2017, 15:23  sendersu (VIP)
Have you already seen the Tm Ultra Unpacker 1.4 script?
E.g.: https://tuts4you.com/download.php?view.3526
I recommend you use W7 (if XP is not possible) for RE.
#14  10-30-2017, 16:27  dummys (Friend)
Yes, I've already tried. My debugger gets trapped...
#15  10-30-2017, 23:00  SKiLLa (Friend, Europe)
Could be the Trap Flag in EFLAGS when you single-step the instruction instead of skipping it. Or the push ss; pop ss; pushf trick...

Another guess would be the SetUnhandledExceptionFilter detection trick. Probably not the best link, but still:

Quote:
_hxxps://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/
All these require some manual skipping/continuing instead of blindly passing the exception to the debuggee...