#16
I tried a more polite solution, but I had no success...
I closed the DebugObject handle remotely (WinXP), using CreateRemoteThread with CloseThread as the thread address, and, as soon as I did so, I lost control of the debuggee from the debugger... Regards, bilbo
#17
well doh, the debug port exists for a purpose...
guess what it is used for
#18
thx for the explanation, upb...
I would never have been able to find it myself ;-) bilbo
#19
I wonder if it would be possible to open \Device\PhysicalMemory and map it, search for the DebugObject structure, and then physically decrement the counts prior to run?
I think it'd be a cute plug-in for Olly, no? Granted, there are some memory regions to stay away from while searching, but it'd be all Ring 3...
#20
Peter[Pan], for me your detection works fine..
XP + SP2. bye NeO
#21
Peter[Pan],
On my W2K+SP4+Rollup update your trick doesn't work. I can't download your example (I don't have permissions for this) and I've written my own. After ZwQueryObject, the ObjectAllTypesInformation structure is filled with 17h OBJECT_TYPE_INFORMATION structures. But there is no "DebugObject" name within. Did you mean the "OBJECT_TYPE_INFORMATION.name" member?
#22
Peter[Pan]
The protection you've done is quite cool. My original idea was to modify the structures that the Query would return, and while finding them in physical memory is easy, it appears to create a race condition on program termination (i.e. the debugger tries to release a debug object that REALLY has a zero reference count). Yuch! It might be possible to hook Query without detection, but I'm beginning to think ring-0 might be the only fool-proof way to do this. Definitely a brain-teaser.
#23
I don't think it would need to be ring-0. Just hook ZwQuery and watch for the NULL input, then BPX on the return and modify the buffer that gets returned. Regardless of how "elegant" the solution is, nonetheless it is the solution. Remember, if you code your own debugger, you do not have to use int3's for breakpoints. You can use other things too, and I suggest you research into it some more (how about using privileged exceptions, eh?). It makes your debugger even more undetectable. In fact, I think a worthy addition to Olly would be to allow for custom breakpoints (using an exception instruction of your own rather than INT3).
For example, all Olly has to do is allow you to set a memory read error breakpoint. Overwrite the code with "mov eax,[eax]" or something. Then Olly keeps an internal list of where that exception should occur. When the exception happens, it recognizes it from its internal list (if not found in the list it passes it back to the debuggee), then restores the original instructions. I've built all my unpackers this way, which makes them pretty much zero-detectable unless you know what type of "breakpoint" I'm using. Searching for 0xCC won't detect them. So just remember: after you get Olly to work by hand (you can always just set a breakpoint on the RET of the function rather than the beginning of the function, you know!) you can go on to write your own tool, loader or unpacker, but make it better in those respects (by avoiding the use of INT3 breakpoints, for example). -Lunar
#24
Peter[Pan], I've just tested your ZwQueryObject detection under W2K - it doesn't work either. There is no DebugObject yet!
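The buffer that posts #21 and #24 are poking at, as an added example that is not from the thread: it walks the 32-bit ObjectAllTypesInformation layout that ZwQueryObject(NULL, ObjectAllTypesInformation, ...) returns (one OBJECT_TYPE_INFORMATION per type, followed by the UTF-16 name its TypeName member points at, then padding), finds the DebugObject entry by name and reads its TotalNumberOfObjects, and reports the W2K case where the type simply does not exist. The sample buffers are constructed inline and no Windows API is called, so it builds on any platform; the structure sizes (8-byte UNICODE_STRING, 0x60-byte OBJECT_TYPE_INFORMATION) are the 32-bit ntdll ones.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit ntdll layouts: UNICODE_STRING is 8 bytes, OBJECT_TYPE_INFORMATION is 0x60 bytes. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;
typedef struct { UNICODE_STRING32 TypeName; uint32_t TotalNumberOfObjects, TotalNumberOfHandles,
                 Rest[20]; /* pool usage, generic mapping, ... not needed for this check */ } OBJECT_TYPE_INFORMATION32;
/* Walks an ObjectAllTypesInformation buffer: ULONG NumberOfTypes, then per type one OBJECT_TYPE_INFORMATION
 * followed by its UTF-16 name, padded to ULONG_PTR size. Returns the DebugObject type's
 * TotalNumberOfObjects, -2 if the type is absent (as on W2K), -1 if the buffer is malformed. */
long find_debug_object_count(const uint8_t *buf, size_t len)
{
    static const uint8_t want[] = "D\0e\0b\0u\0g\0O\0b\0j\0e\0c\0t"; /* "DebugObject" as UTF-16LE, 22 bytes */
    uint32_t ntypes; size_t off = sizeof ntypes;
    if (len < off) return -1;
    memcpy(&ntypes, buf, sizeof ntypes);
    for (uint32_t i = 0; i < ntypes; i++) {
        OBJECT_TYPE_INFORMATION32 oti;
        if (len - off < sizeof oti) return -1;
        memcpy(&oti, buf + off, sizeof oti);
        size_t nameoff = off + sizeof oti;   /* where TypeName.Buffer points; the pointer itself is never trusted */
        if (oti.TypeName.Length > oti.TypeName.MaximumLength ||
            len - nameoff < oti.TypeName.MaximumLength) return -1;
        if (oti.TypeName.Length == sizeof want && !memcmp(buf + nameoff, want, sizeof want))
            return (long)oti.TotalNumberOfObjects;
        off = (nameoff + oti.TypeName.MaximumLength + 3) & ~(size_t)3;
    }
    return -2;
}

/* Constructed sample (not a real kernel dump) written to sample_buf: five common types plus,
 * when with_dbg is set, a DebugObject entry as XP returns it; W2K-style data lacks that type. */
uint8_t sample_buf[1024];
size_t build_sample(int with_dbg, uint32_t debug_objects)
{
    static const char *types[] = { "Type", "Directory", "Process", "Thread", "Event", "DebugObject" };
    uint32_t n = with_dbg ? 6 : 5;
    memcpy(sample_buf, &n, sizeof n); size_t off = sizeof n;
    for (uint32_t i = 0; i < n; i++) {
        OBJECT_TYPE_INFORMATION32 oti = {0};                 /* Buffer stays 0: the walker uses position */
        size_t chars = strlen(types[i]);
        oti.TypeName.Length = (uint16_t)(2 * chars);
        oti.TypeName.MaximumLength = (uint16_t)(2 * chars + 2);   /* includes the UTF-16 NUL */
        oti.TotalNumberOfObjects = (i == 5) ? debug_objects : i + 1;
        memcpy(sample_buf + off, &oti, sizeof oti); off += sizeof oti;
        memset(sample_buf + off, 0, oti.TypeName.MaximumLength);
        for (size_t j = 0; j < chars; j++) sample_buf[off + 2 * j] = (uint8_t)types[i][j];
        off = (off + oti.TypeName.MaximumLength + 3) & ~(size_t)3;  /* next entry is ULONG_PTR-aligned */
    }
    return off;
}
```

The count is system-wide: on XP any debugger running anywhere on the machine raises the DebugObject total, not only one attached to the checking process, which is why a detection built on it is noisy for analysts and why W2K, lacking the type, needs the absent case handled rather than treated as "no debugger".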
#25
At the end of all my tests the most reliable way I found to overcome this test and other similar ones too (all of which are generally based on a system API) is to patch the API to always return a friendly result (friendly for us ^_^).
For example, when writing a debug loader I added some operations to essentially find the ntdll loading base address of the victim, get the export I want to patch and patch its early bytes. For ZwQueryObject I patched it as follows:
Code:
7C91E0D8 > 83FF 00          CMP EDI,0
7C91E0DB   74 06            JE SHORT ntdll.7C91E0E3
7C91E0DD   C707 00000000    MOV DWORD PTR DS:[EDI],0
7C91E0E3   B8 00000000      MOV EAX,0
7C91E0E8   C2 1400          RETN 14
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
Last edited by Shub-Nigurrath; 10-15-2005 at 07:33.
#26
> I've built all my unpackers this way which makes them pretty much zero-detectable
Respect LD, you make enough for lame people. Much better not to even launch the target program - if you _really_ understand how the protection works, you can _always_ write a static unpacker. Lame old bonus inside the attachment.
#27
Very interesting piece of code, Dr.Golova, thanks for sharing.
#28
hmm nice code... thx for sharing... really nice :P
bye NeOXOeN