Exetools - General Discussion
#16 - 09-29-2005, 21:20 - bilbo
I tried with a more polite solution, but I had no success...

I closed the DebugObject handle remotely (WinXP), using a CreateRemoteThread and CloseThread as thread address, and, as soon as I did so, I lost the debuggee control from the debugger...

Regards, bilbo
#17 - 09-30-2005, 07:02 - upb
well doh, the debug port exists for a purpose...
guess what it is used for
#18 - 09-30-2005, 20:21 - bilbo
thx for the explanation, upb...
I would never have been able to find it myself ;-)
bilbo
#19 - 10-01-2005, 05:05 - sgdt
I wonder if it would be possible to open \Device\PhysicalMemory and map it, and search for the DebugObject structure, and then physically decrement the counts prior to run?

I think it'd be a cute plug-in for Olly, no?

Granted, there are some memory regions to stay away from while searching, but it'd be all Ring 3...
#20 - 10-01-2005, 09:26 - NeOXOeN
Peter[Pan], for me your detection works fine..

XP + SP2

bye NeO
#21 - 10-03-2005, 03:02 - Robert
Peter[Pan],
On my W2K+SP4+Rollup update your trick doesn't work. I can't download your example (I don't have permissions for this), so I wrote my own. After ZwQueryObject, the ObjectAllTypesInformation buffer is filled with 17h OBJECT_TYPE_INFORMATION structures. But there is no "DebugObject" name within. Did you mean the "OBJECT_TYPE_INFORMATION.name" member?
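An added example, not code from the thread or from any poster, of what the ZwQueryObject check is actually reading: a parser for the ObjectAllTypesInformation buffer that returns the TotalNumberOfObjects of the "DebugObject" type, and None when that type is absent, as Robert found on W2K. The 0x60-byte x86 OBJECT_TYPE_INFORMATION layout, the name placement directly after each record and the 4-byte alignment are assumptions; the buffers are constructed, not captured.

```python
import struct

# Assumed layout (x86) of the buffer NtQueryObject(NULL, ObjectAllTypesInformation, ...)
# fills: a ULONG NumberOfTypes, then NumberOfTypes OBJECT_TYPE_INFORMATION records of
# 0x60 bytes, each directly followed by its TypeName characters (UTF-16LE, MaximumLength
# bytes) and padded to a 4-byte boundary. TotalNumberOfObjects is the ULONG right after
# the UNICODE_STRING TypeName, i.e. at record offset 8.
TYPE_INFO_SIZE = 0x60


def build_all_types_buffer(types):
    """Construct a sample buffer from [(type_name, TotalNumberOfObjects), ...]."""
    out = bytearray(struct.pack("<I", len(types)))
    for name, total in types:
        raw = name.encode("utf-16-le")
        length = len(raw)
        maxlen = length + 2                       # room for the terminating NUL
        rec = bytearray(TYPE_INFO_SIZE)
        # UNICODE_STRING: Length, MaximumLength, Buffer (pointer value irrelevant offline)
        struct.pack_into("<HHI", rec, 0, length, maxlen, 0)
        struct.pack_into("<I", rec, 8, total)     # TotalNumberOfObjects
        out += rec + raw + b"\x00\x00"
        out += b"\x00" * (-len(out) % 4)          # align the next record
    return bytes(out)


def parse_all_types(buf):
    """Walk the buffer and return {type_name: TotalNumberOfObjects}."""
    (count,) = struct.unpack_from("<I", buf, 0)
    off = 4
    result = {}
    for _ in range(count):
        length, maxlen, _ptr = struct.unpack_from("<HHI", buf, off)
        (total,) = struct.unpack_from("<I", buf, off + 8)
        name_off = off + TYPE_INFO_SIZE
        result[buf[name_off:name_off + length].decode("utf-16-le")] = total
        off = name_off + maxlen
        off += -off % 4
    return result


def debug_object_count(buf):
    """Count the check keys on; None means the DebugObject type does not exist (e.g. W2K)."""
    return parse_all_types(buf).get("DebugObject")


# Constructed samples: an XP-style list with the type present, and a W2K-style list without it.
XP_SAMPLE = build_all_types_buffer([("Type", 1), ("Directory", 10), ("DebugObject", 1), ("Process", 30)])
W2K_SAMPLE = build_all_types_buffer([("Type", 1), ("Directory", 10), ("Process", 30)])
```

A non-zero count only says that some DebugObject exists on the system, not that this process is the one being debugged, which is one reason the check produces false positives when any debugger is running.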
#22 - 10-04-2005, 00:24 - sgdt
Peter[Pan]

The protection you've done is quite cool. My original idea was to modify the structures that the Query would return, and while finding them in physical memory is easy, it appears to create a race condition on program termination (i.e. the debugger tries to release a debug object that REALLY has a zero reference count). Yuch!

It might be possible to hook Query without detection, but I'm beginning to think ring-0 might be the only fool-proof way to do this.

Definitely a brain-teaser.
#23 - 10-08-2005, 23:42 - Lunar_Dust
I don't think it would need to be ring-0. Just hook ZwQuery and watch for the NULL input, then BPX on the return and modify the buffer that gets returned. Regardless of how "elegant" the solution is, nonetheless it is the solution. Remember, if you code your own debugger, you do not have to use int3's for breakpoints. You can use other things too, and I suggest you research into it some more. (how about using privileged exceptions, eh?). It makes your debugger even more undetectable. In fact, I think a worthy addition to Olly would be to allow for custom breakpoints (using an exception instruction of your own rather than INT3).

For example, all Olly has to do is allow you to set a memory read error breakpoint. Overwrite the code with "mov eax,[eax]" or something. Then Olly keeps an internal list of where that exception should occur. When the exception happens, it recognizes it from its internal list (if not found in the list it passes it back to the debuggee). Then it restores the original instructions.

I've built all my unpackers this way, which makes them pretty much zero-detectable unless you know what type of "breakpoint" I'm using. Searching for 0xCC won't detect them. So just remember, after you get Olly to work by hand (you can always just set a breakpoint on the RET of the function rather than the beginning of the function, you know!) you can go on to write your own tool, loader or unpacker, but make it better in those respects (by avoiding the use of INT3 breakpoints, for example).

-Lunar
#24 - 10-11-2005, 18:11 - Robert
Peter[Pan], I've just tested your ZwQueryObject detection under W2K - it doesn't work either. There is no DebugObject yet!
#25 - 10-15-2005, 07:28 - Shub-Nigurrath
At the end of all my tests the most reliable way I found to overcome this test and other similar ones too (all of which are generally based on a system API) is to patch the API to always return a friendly result (friendly for us ^_^).
For example, when writing a debug loader I added some operations to essentially find the ntdll loading base address of the victim, get the export I want to patch and patch its early bytes.

For ZwQueryObject I patched it as follows

Code:
7C91E0D8 >    83FF 00                     CMP EDI,0
7C91E0DB      74 06                       JE SHORT ntdll.7C91E0E3
7C91E0DD      C707 00000000               MOV DWORD PTR DS:[EDI],0
7C91E0E3      B8 00000000                 MOV EAX,0
7C91E0E8      C2 1400                     RETN 14
When EDI is not NULL the patch sets the DWORD pointed to by EDI to zero and sets EAX to 0; otherwise it only returns EAX=0.
Last edited by Shub-Nigurrath; 10-15-2005 at 07:33.
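An added example, not Shub-Nigurrath's loader code, looking at the same bytes from the integrity-check side: it tells a clean XP-style ntdll stub from the forced-success patch in the listing above. The clean stub pattern (MOV EAX,id / MOV EDX,7FFE0300h / CALL [EDX] / RETN 14h) is an assumption about x86 XP builds, the service id in the clean sample is a constructed placeholder, and the patched bytes are those from the listing.

```python
# Expected entry bytes of an unpatched x86 Windows XP ntdll Zw*/Nt* stub
# (assumption about that build family):
#   MOV EAX, <service id> ; MOV EDX, 7FFE0300h ; CALL [EDX] ; RETN 14h
# None marks a wildcard byte: the service id varies per function and build.
XP_STUB_PATTERN = [0xB8, None, None, None, None,
                   0xBA, 0x00, 0x03, 0xFE, 0x7F,
                   0xFF, 0x12,
                   0xC2, 0x14, 0x00]

# The forced-success patch from the listing, as raw bytes:
#   CMP EDI,0 / JE SHORT +6 / MOV DWORD PTR [EDI],0 / MOV EAX,0 / RETN 14
PAGE_PATCH = bytes.fromhex("83FF00" "7406" "C70700000000" "B800000000" "C21400")


def matches_pattern(code, pattern):
    """True if code starts with pattern, treating None entries as wildcards."""
    if len(code) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, code))


def classify_stub(code):
    """Classify the bytes read at the ZwQueryObject export entry."""
    if matches_pattern(code, XP_STUB_PATTERN):
        return "clean"
    if code[:len(PAGE_PATCH)] == PAGE_PATCH:
        return "patched: unconditional STATUS_SUCCESS with zeroed output"
    return "modified: unexpected code at export entry"


def service_id(code):
    """Service number in a clean stub's MOV EAX,imm32 (None if the stub is not clean)."""
    if classify_stub(code) != "clean":
        return None
    return int.from_bytes(code[1:5], "little")


# Constructed clean sample; 0x1234 is a placeholder service id, not a real one.
CLEAN_SAMPLE = bytes.fromhex("B8" "34120000" "BA0003FE7F" "FF12" "C21400")
```

Note that RETN 14h (5 stack arguments) is preserved by the patch, which is why the caller's stack stays balanced even though the syscall never happens.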
#26 - 10-17-2005, 06:50 - Dr.Golova
> I've built all my unpackers this way which makes them pretty much zero-detectable
Respect LD, you make enough for lame people.
Much better not to even launch the target program: if you _really_ understand how the protection works, you can _always_ write a static unpacker. Lame old bonus inside the attachment.
Attached Files
File Type: rar undbpe.rar (26.3 KB, 74 views)
#27 - 10-17-2005, 07:00 - doug
Very interesting piece of code, Dr.Golova, thanks for sharing.
#28 - 10-17-2005, 09:34 - NeOXOeN
hmm nice code... thx for sharing... really nice :P

bye NeOXOeN