Exetools  

  #1  
Old 01-24-2006, 21:13
Shub-Nigurrath
VIP
help patching apis

Hi all,
to write a tool of mine, I'm searching for infos on how to patch these apis/structures..

-Hide NtGlobalFlag
-Hide ProcessHeapFlag
-Patch ZwQueryInformationProcess (==patch UnhandledExceptionFilter)
-Patch ZwSetInformationThread
-Patch CheckRemoteDebuggerPresent
-Patch OutputDebugStringA

Detailed infos (how to patch, when, what where) are welcome! If some info is not good for public tell me and send it to me by PM, I will guarantee to not spread it!

At least these are almost all I know should be patched; I just don't know how to do it.

10x in advance for answers..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com

Last edited by Shub-Nigurrath; 01-24-2006 at 21:20.
  #2  
Old 01-24-2006, 21:52
Human
 
you can look in pnluck tutorial for
-Hide NtGlobalFlag
-Hide ProcessHeapFlag
also isdebug
due its peb and teb patching
but in my oepfind when I just patch isdebpresent peb+2 then it also patches 2 others, dunno how with olly, maybe they are necessary

Control of Beingdebug
004XXXXX MOV EAX,DWORD PTR FS:[30] ;fs:[30] return the PEB address
...
004XXXXX ADD EAX,2 ; PEB+2 is beingdebug memory address
004XXXXX MOV EAX,DWORD PTR DS:[EAX] ; AL maybe 0(not debug) or 1(debug present)
...
004XXXXX OR AL,AL
004XXXXX JE UnPackMe.004F2C67

Control of ProcessHeap
004XXXXX MOV EAX,DWORD PTR FS:[18] ; fs:[18] return the TEB address
... after some operation
004XXXXX MOV EAX,DWORD PTR [EAX+30] ;TEB+0x30 return the PEB address
.... after some operation
004XXXXX MOV EAX, DWORD PTR[EAX+18] ;PEB+0x18 return the ProcessHeap address
004XXXXX CMP DWORD PTR DS:[EAX+10],0 ;EAX+10 maybe 0(not debug) or other values (debug present)

Control of NtGlobalFlag
004XXXXX MOV EAX,DWORD PTR FS:[30] ;fs:[30] return the PEB address
004XXXXX ADD EAX,8E4180C9
004XXXXX ADD EAX,71BE7F9F ;EAX = PEB+0X68 : address of NtGlobalFlag
004XXXXX MOV EAX,DWORD PTR DS:[EAX] ; NtGlobalFlag maybe 0x70(debug present) or 0

for zwquery you can look inside my oepfind

for processheap, what I encountered when I tried to apply it to oepfind: on create_process you can't do it, because it doesn't exist yet, only when you are at EP

another problem you will encounter is that on create_process only the exe and ntdll.dll are loaded; kernel32 and user32 load later, so you have to make the plugin or patch wait until they are loaded and then patch

Last edited by Human; 01-24-2006 at 21:59.
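The three PEB checks in Human's listing, together with the "hide" fix-ups a stealth plugin applies at EP, as an added example that is not code from the thread or from oepfind. It uses the 32-bit XP-era offsets the listing relies on, and the PEB and heap header are a constructed flat byte array (addresses PEB_BASE/HEAP_BASE are made up), so it runs on any host; the flag values are the ones the XP loader sets when a process starts under a debugger.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
/* 32-bit PEB / heap offsets used by the listing above (XP-era layout). */
#define PEB_BEINGDEBUGGED  0x02  /* BYTE: 1 when started under a debugger          */
#define PEB_PROCESSHEAP    0x18  /* ULONG: address of the default process heap     */
#define PEB_NTGLOBALFLAG   0x68  /* ULONG: 0x70 when the debug heap is enabled     */
#define HEAP_FORCEFLAGS    0x10  /* the "[EAX+10]" compared with 0 in the listing  */
#define NTGLOBALFLAG_DEBUG 0x70u /* FLG_HEAP_ENABLE_TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS */
#define HEAP_DEBUG_FLAGS   0x40000060u /* HEAP_TAIL_CHECKING | FREE_CHECKING | VALIDATE_PARAMETERS */
/* Constructed flat "process memory": PEB at 0x000, default heap at 0x100. */
#define MEM_SIZE  0x200
#define PEB_BASE  0x000
#define HEAP_BASE 0x100
static uint32_t rd32(const uint8_t *m, uint32_t a) { uint32_t v; memcpy(&v, m + a, 4); return v; }
static void wr32(uint8_t *m, uint32_t a, uint32_t v) { memcpy(m + a, &v, 4); }

/* Lay memory out the way the loader leaves it, with or without a debugger. */
void make_process(uint8_t *m, bool debugged) {
    memset(m, 0, MEM_SIZE);
    wr32(m, PEB_BASE + PEB_PROCESSHEAP, HEAP_BASE);
    m[PEB_BASE + PEB_BEINGDEBUGGED] = debugged ? 1 : 0;
    wr32(m, PEB_BASE + PEB_NTGLOBALFLAG, debugged ? NTGLOBALFLAG_DEBUG : 0);
    wr32(m, HEAP_BASE + HEAP_FORCEFLAGS, debugged ? HEAP_DEBUG_FLAGS : 0);
}

/* The three checks from the listing, as the protected code runs them. */
bool check_being_debugged(const uint8_t *m) { return m[PEB_BASE + PEB_BEINGDEBUGGED] != 0; }
bool check_nt_global_flag(const uint8_t *m) { return (rd32(m, PEB_BASE + PEB_NTGLOBALFLAG) & NTGLOBALFLAG_DEBUG) != 0; }
bool check_process_heap(const uint8_t *m) {           /* MOV EAX,[EAX+18] ; CMP [EAX+10],0 */
    return rd32(m, rd32(m, PEB_BASE + PEB_PROCESSHEAP) + HEAP_FORCEFLAGS) != 0;
}

/* The hide step a stealth plugin applies at EP. All three locations must be fixed:
 * clearing PEB+2 alone leaves NtGlobalFlag and the heap flags behind (a real
 * plugin also clears Heap.Flags at +0x0C, omitted here because the listing skips it). */
void hide_debugger(uint8_t *m) {
    m[PEB_BASE + PEB_BEINGDEBUGGED] = 0;
    wr32(m, PEB_BASE + PEB_NTGLOBALFLAG, rd32(m, PEB_BASE + PEB_NTGLOBALFLAG) & ~NTGLOBALFLAG_DEBUG);
    wr32(m, rd32(m, PEB_BASE + PEB_PROCESSHEAP) + HEAP_FORCEFLAGS, 0);
}

/* Build a process, optionally hide, then ask whether the protector still sees a debugger. */
bool detects_debugger_after(bool debugged, bool hide) {
    uint8_t m[MEM_SIZE];
    make_process(m, debugged);
    if (hide) hide_debugger(m);
    return check_being_debugged(m) || check_nt_global_flag(m) || check_process_heap(m);
}
```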
  #3  
Old 01-24-2006, 21:56
adaptor
Friend
-Hide NtGlobalFlag, -Hide ProcessHeapFlag
On XP+ simply add _NO_DEBUG_HEAP=1 to the system environment

-Patch ZwQueryInformationProcess
If the second parameter is ProcessDebugPort (7), execute the original API, then simply put zero at the address extracted from the third parameter.

-ZwSetInformationThread
If the second parameter is HideFromDebugger (11h) simply return with stack correction and zero in eax

-Patch CheckRemoteDebuggerPresent
No need to patch coz it uses ZwQueryInformationProcess to detect the debugger
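The two hook decisions adaptor describes, as an added example that is not code from the thread: a portable model of the hook bodies, where the "original" ntdll exports are constructed stand-ins (named orig_*, an assumption) that behave as they do under a debugger. Installing the hooks (the JMP patch or trampoline, and the x86 stack correction) is not shown; the example only models what each hook returns and writes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define ProcessDebugPort            7     /* PROCESSINFOCLASS value adaptor quotes */
#define ThreadHideFromDebugger      0x11  /* THREADINFOCLASS value adaptor quotes  */

typedef NTSTATUS (*pfnQIP)(void *h, ULONG cls, void *info, ULONG len, ULONG *ret_len);
typedef NTSTATUS (*pfnSIT)(void *h, ULONG cls, void *info, ULONG len);

/* Constructed stand-ins for the real ntdll exports as they behave under a debugger. */
static bool g_thread_hidden = false;        /* models the debugger losing the thread */
NTSTATUS orig_ZwQueryInformationProcess(void *h, ULONG cls, void *info, ULONG len, ULONG *ret_len) {
    (void)h;
    if (cls == ProcessDebugPort) {
        if (len < sizeof(uint32_t)) return STATUS_INFO_LENGTH_MISMATCH;
        *(uint32_t *)info = 0xFFFFFFFFu;    /* -1: a debug port is attached */
        if (ret_len) *ret_len = sizeof(uint32_t);
    }
    return STATUS_SUCCESS;
}
NTSTATUS orig_ZwSetInformationThread(void *h, ULONG cls, void *info, ULONG len) {
    (void)h; (void)info; (void)len;
    if (cls == ThreadHideFromDebugger) g_thread_hidden = true;
    return STATUS_SUCCESS;
}

/* Hook 1: let the real call run, then zero the port at the caller's third parameter.
 * Checking the length first avoids writing past a short buffer the caller passed. */
NTSTATUS hook_ZwQueryInformationProcess(void *h, ULONG cls, void *info, ULONG len, ULONG *ret_len) {
    NTSTATUS st = orig_ZwQueryInformationProcess(h, cls, info, len, ret_len);
    if (cls == ProcessDebugPort && st == STATUS_SUCCESS && info && len >= sizeof(uint32_t))
        *(uint32_t *)info = 0;
    return st;
}
/* Hook 2: swallow HideFromDebugger and report success (eax = 0) without calling through;
 * in the real x86 stub this is a stdcall "ret 0x10" that pops the four arguments. */
NTSTATUS hook_ZwSetInformationThread(void *h, ULONG cls, void *info, ULONG len) {
    if (cls == ThreadHideFromDebugger) return STATUS_SUCCESS;
    return orig_ZwSetInformationThread(h, cls, info, len);
}

/* What a protector observes through a given entry point (original vs hooked). */
uint32_t debug_port_seen(pfnQIP fn) { uint32_t port = 0x1234; fn(NULL, ProcessDebugPort, &port, sizeof port, NULL); return port; }
bool thread_hidden_via(pfnSIT fn) { g_thread_hidden = false; fn(NULL, ThreadHideFromDebugger, NULL, 0); return g_thread_hidden; }
```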
  #4  
Old 01-24-2006, 22:51
NeOXOeN
Friend
For "Hide NtGlobalFlag" you have NtGlobalFlag v 1.0 OllyDbgPlugin by stingduk(on BiW Reversing) comes with source..

bye
  #5  
Old 01-25-2006, 02:41
Messer
 
If you want to destroy OutputDebugString -> Just patch a retn 4 at the beginning of this API.

Else follow Param1 and put 0x00 there. Then just execute OutputDebugString.

Both methods should fix the vulnerability of Olly.

You better just patch if the machine is Win2k/2k3/XP. On Win 9x/ME every application shares its system-dlls with every other process afaik.

When to patch: I think it's the best to patch at EP.
Where to patch: Kernel32.dll and other System-DLLs on runtime.
How to patch: Maybe just put a JMP <to your code> in every API that needs to get modified. You may use VirtualAlloc to get some free space to put your code somewhere. Just execute it on EP, put your code to handle APIs to new allocated space, put your JMPs in the APIs and then restore EP and jump back.

Last edited by Messer; 01-25-2006 at 02:57.
  #6  
Old 01-25-2006, 05:19
deroko
cr4zyserb
Quote:
Originally Posted by Messer
When to patch: I think it's the best to patch at EP.
better is when the primary thread is suspended =) So some protectors like execryptor can't use OutputDebugStringA from a TLS callback =) I'm still wondering why protection developers don't create a shellcode instead of %s%s%s, shellcode that will redirect eip to ExitProcess in olly so it will take a while for someone that didn't patch OutputDebugStringA to figure out what is going on =) just rewrite the ret address with the offset of: push 0, call ExitProcess within olly.
__________________
http://accessroot.com
  #7  
Old 01-26-2006, 09:44
upb
Friend
maybe it's for the same reason they use three %s's when one %n would be enough or smth
  #8  
Old 01-26-2006, 17:16
Shub-Nigurrath
VIP
10x a lot to any1, time to read all the suggestions.. I'm writing a tutorial using them also, greetings will be inside of course.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com