Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-09-2007, 17:31
niom niom is offline
Friend
 
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
how to handle this super annoying anti trace trick

hi,

code like

Code:
mov     [esp-4],  8b5f26aa
add     [esp-4],  3ace657b
add     [esp-4],  3ace6533
jmp     [esp-4]
dies when executed while singlestepping for obvious reasons
does anyone has an idea how to make it singlestep proof?
Reply With Quote
  #2  
Old 04-11-2007, 03:31
evlncrn8 evlncrn8 is offline
VIP
 
Join Date: Sep 2005
Posts: 179
Rept. Given: 36
Rept. Rcvd 54 Times in 24 Posts
Thanks Given: 49
Thanks Rcvd at 117 Times in 69 Posts
evlncrn8 Reputation: 54
that should be fine when single stepping
and its not for 'obvious' reasons
it'll just morph the dword at esp-4
and eventually jump to the address
single stepping through it shouldn't do
anything different, theres nothing pushed
or popped in the snippet...
Reply With Quote
  #3  
Old 04-11-2007, 05:47
niom niom is offline
Friend
 
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
we write values below esp

any exception uses stack -> previously written values are overwritten -> crash
Reply With Quote
  #4  
Old 04-11-2007, 07:36
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 33 Times in 16 Posts
deroko Reputation: 30
securom IAT protection?
and this will anoy you only with nointrusive tracer, but with r3 or r0 debugger there should be no problem. Trick why seh tracing fails is because KiDispatchException writes context and error code at esp and your data at esp-X is overwriten.
__________________
http://accessroot.com
Reply With Quote
  #5  
Old 04-13-2007, 02:38
niom niom is offline
Friend
 
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
seems you are right deroko

i thought the cpu overwrites the stack in the same second the exception occurs
but the stack is overwritten later

do you know how exceptions are dispatched when a debugger is around?

till now i thought everything starts at KiUserExceptionDispatcher, but it seems its not the very first one that is informed by windows when a debugger was used

maybe the best solution is to write a small driver that hooks int1 and handles the exception stack-safe

hmmmhm
Reply With Quote
  #6  
Old 04-13-2007, 23:17
upb's Avatar
upb upb is offline
Friend
 
Join Date: Apr 2002
Location: Elbonia
Posts: 63
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 0 Times in 0 Posts
upb Reputation: 0
the exception is first sent to the debugger if there is one attached and in case it doesnt handle it, it is dispatched to the app.

I dont see why sending the exception to a debugger would overwrite the usermode stack of the debugged process :O
Reply With Quote
  #7  
Old 04-14-2007, 04:32
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 33 Times in 16 Posts
deroko Reputation: 30
Well answer is very simple, we are using 2 rings -> when exception is generated some of IDT entries is called but at this moment we are switching to r0 stack and all data is writen there -> if there is attached debugger data is passed to it and no modification is performed on r3 stack, on other hand, when there is no debugger, context is saved at r3 stack + exception code and execution is transfered to KiUserExceptionDispatcher. Code above would be impossible to trace iwth debugger if it is executed in r0 or if there were no rings (eg. only one ring used).
__________________
http://accessroot.com
Reply With Quote
  #8  
Old 04-14-2007, 05:24
niom niom is offline
Friend
 
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
my last question was, *where* windows decides to inform the debugger instead of giving control to the application's KiUserExceptionDispatcher

its done in the int handler itself or what?

then the only way to handle this is indeed an own driver (?)
Reply With Quote
  #9  
Old 04-14-2007, 05:45
deroko's Avatar
deroko deroko is offline
cr4zyserb
 
Join Date: Nov 2005
Posts: 217
Rept. Given: 13
Rept. Rcvd 30 Times in 14 Posts
Thanks Given: 7
Thanks Rcvd at 33 Times in 16 Posts
deroko Reputation: 30
simply use r3 debugger and everything will be fine. You may safely trace that code with olly or sice but not with nointrusive tracer, If you want full control from your loader, then yes, driver is good choice or oraculums.

And yes windows deceides in int handlers if exception is delivered to debugger or if there is no debugger then kiuserexception is called.
__________________
http://accessroot.com
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows Handle Hijacking TechLord General Discussion 2 05-15-2017 20:11
Release file lock handle baatazu General Discussion 7 06-30-2005 00:22
Softice: hwnd -> invalid window handle dreamershl General Discussion 2 04-19-2004 09:58


All times are GMT +8. The time now is 09:55.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )