grzonu's Blog
Created: Tuesday, August 17 2010 10:16.14 CDT
Modified: Tuesday, August 17 2010 13:06.12 CDT
Bypassing OllyAdvanced
Author: grzonu
Views: 3293
I'm currently doing research on methods to detect and disconnect a debugger.
For example, I use NtQuerySystemInformation with the SystemHandleInformation parameter to search for handles to my process (handle type = 0x07) and for debug handles (type == 0x0B).
If a single process holds both kinds of handle, it is probably a debugger that is debugging our process.
We can then detach the debugger using ZwRemoveProcessDebug.
But...
If the debugger is running the OllyAdvanced plugin, NtQuerySystemInformation returns an empty list of debugger-owned handles. Also, if we use NtQueryInformationProcess to get the parent process ID, we get the ID of our own process, so we can neither open the debugger's (parent's) process nor duplicate its handles.
It seems that if we use SYSCALL to invoke these functions, OllyAdvanced modifies the results of the calls. However, if we use INT 2E to invoke them, OllyAdvanced doesn't "work" and we get the proper, unmodified results ;)
It seems that OllyAdvanced hooks the function that SYSEXIT returns to (ntdll.KiFastSystemCallRet), which is where it gets to modify the results. INT 2E, on the other hand, doesn't return to user mode through SYSEXIT, so OllyAdvanced can't hook it.
We can now both easily detect the debugger and disconnect it ;)
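The handle-table check described above, as an added example that is not grzonu's code: a model of the SystemHandleInformation scan run over a constructed 32-bit handle table, and the same scan run again after the debugger's entries have been dropped from the list, which is the effect the post attributes to OllyAdvanced. It never calls the Windows API, so it builds and runs on any platform. The struct layouts are the x86 SYSTEM_HANDLE_TABLE_ENTRY_INFO and PROCESS_BASIC_INFORMATION; the type indices 0x07 and 0x0B are the post's values and differ between Windows versions. The PIDs, handle values and object addresses are constructed, and the idea that the scanner learns its own object address from a handle it opened to itself (self_handle) is an assumption of this example, since the post does not say how it matched "handles to my process".

```c
/* Added example, not code from the original post: a model of the
 * SystemHandleInformation scan, run over a constructed x86 handle table.
 * Type indices 0x07 (Process) and 0x0B (DebugObject) are the post's values;
 * they vary between Windows versions, so a real scan must resolve them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SYSTEM_HANDLE_TABLE_ENTRY_INFO, x86 layout: 16 bytes, Object is a 32-bit pointer. */
typedef struct {
    uint16_t UniqueProcessId;
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;
    uint8_t  HandleAttributes;
    uint16_t HandleValue;
    uint32_t Object;          /* kernel address of the object behind the handle */
    uint32_t GrantedAccess;
} HandleEntry;

/* PROCESS_BASIC_INFORMATION, x86 layout: 0x18 bytes, parent PID at offset 0x14
 * (the 18h buffer and [ebp+14h] read used in the asm in the comments). */
typedef struct {
    uint32_t ExitStatus;
    uint32_t PebBaseAddress;
    uint32_t AffinityMask;
    int32_t  BasePriority;
    uint32_t UniqueProcessId;
    uint32_t InheritedFromUniqueProcessId;
} ProcessBasicInfo;
_Static_assert(sizeof(ProcessBasicInfo) == 0x18, "PBI is 0x18 bytes on x86");
_Static_assert(offsetof(ProcessBasicInfo, InheritedFromUniqueProcessId) == 0x14,
               "parent PID is the dword at offset 0x14");

#define TYPE_PROCESS     0x07
#define TYPE_DEBUGOBJECT 0x0B

/* Constructed table: PID 0x123 is "us", PID 0x7c4 plays the debugger, and PID
 * 0x3f0 holds a handle to us without a debug object (think task manager). */
static const HandleEntry SAMPLE_TABLE[] = {
    { 0x123, 0, TYPE_PROCESS,     0, 0x40, 0x86001000, 0x001fffff }, /* our handle to ourselves */
    { 0x123, 0, 0x09,             0, 0x44, 0x86007700, 0x001f0003 }, /* an event of ours */
    { 0x3f0, 0, TYPE_PROCESS,     0, 0x50, 0x86001000, 0x00001000 }, /* query-only handle to us */
    { 0x7c4, 0, TYPE_PROCESS,     0, 0x2c, 0x86001000, 0x001fffff }, /* debugger's handle to us */
    { 0x7c4, 0, TYPE_DEBUGOBJECT, 0, 0x30, 0x86002200, 0x001f000f }, /* debugger's debug object */
    { 0x004, 0, TYPE_PROCESS,     0, 0x08, 0x85000000, 0x001fffff }, /* System, unrelated */
};
#define SAMPLE_COUNT (sizeof(SAMPLE_TABLE) / sizeof(SAMPLE_TABLE[0]))

/* Constructed PROCESS_BASIC_INFORMATION bytes (little-endian): parent PID 0x7c4. */
static const uint8_t SAMPLE_PBI[0x18] = {
    0x00,0x00,0x00,0x00,  0x00,0x40,0xfd,0x7f,  0x01,0x00,0x00,0x00,
    0x08,0x00,0x00,0x00,  0x23,0x01,0x00,0x00,  0xc4,0x07,0x00,0x00,
};

/* The post's heuristic: another PID that owns both a handle to our process
 * object and a debug object is taken to be the attached debugger. The table
 * only carries kernel object addresses, so we first learn our own address via
 * self_handle, a handle we opened to ourselves (assumption of this example).
 * Returns 0 when no PID qualifies. */
uint32_t find_debugger_pid(const HandleEntry *e, size_t n,
                           uint16_t self_pid, uint16_t self_handle)
{
    uint32_t self_object = 0;
    for (size_t i = 0; i < n; i++)
        if (e[i].UniqueProcessId == self_pid && e[i].HandleValue == self_handle &&
            e[i].ObjectTypeIndex == TYPE_PROCESS) { self_object = e[i].Object; break; }
    if (self_object == 0) return 0;   /* cannot identify ourselves: no verdict */

    for (size_t i = 0; i < n; i++) {
        if (e[i].UniqueProcessId == self_pid || e[i].ObjectTypeIndex != TYPE_PROCESS ||
            e[i].Object != self_object) continue;
        for (size_t j = 0; j < n; j++)
            if (e[j].UniqueProcessId == e[i].UniqueProcessId &&
                e[j].ObjectTypeIndex == TYPE_DEBUGOBJECT)
                return e[i].UniqueProcessId;
    }
    return 0;
}

/* Models what the post says OllyAdvanced does to the returned list: every
 * entry owned by the debugger's PID is dropped. Returns the new count. */
size_t hide_pid(const HandleEntry *in, size_t n, uint16_t pid, HandleEntry *out)
{
    size_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i].UniqueProcessId != pid) out[m++] = in[i];
    return m;
}

/* Scan the sample table after hiding one PID from it. */
uint32_t scan_with_pid_hidden(uint16_t hidden_pid)
{
    HandleEntry filtered[SAMPLE_COUNT];
    size_t m = hide_pid(SAMPLE_TABLE, SAMPLE_COUNT, hidden_pid, filtered);
    return find_debugger_pid(filtered, m, 0x123, 0x40);
}

/* Parent PID read the way the asm in the comments reads it: the dword at +0x14. */
uint32_t parent_pid_from_pbi(const uint8_t *pbi)
{
    return (uint32_t)pbi[0x14] | (uint32_t)pbi[0x15] << 8 |
           (uint32_t)pbi[0x16] << 16 | (uint32_t)pbi[0x17] << 24;
}

int main(void)
{
    printf("full table:      debugger pid = 0x%x\n",
           find_debugger_pid(SAMPLE_TABLE, SAMPLE_COUNT, 0x123, 0x40));
    printf("0x7c4 hidden:    debugger pid = 0x%x\n", scan_with_pid_hidden(0x7c4));
    printf("parent from PBI: 0x%x\n", parent_pid_from_pbi(SAMPLE_PBI));
    return 0;
}
```

With the full table the scan names PID 0x7c4; with that PID's entries filtered out the same scan returns 0, which is exactly the "empty list of debugger-owned handles" the post reports under OllyAdvanced. For an analyst the useful reading is the reverse one: a sample that walks SystemHandleInformation and pairs type 0x07 with type 0x0B per PID is looking for its debugger, and the plugin's filtering is what keeps that pairing from ever appearing.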
Blog Comments
PeterFerrie
Posted: Tuesday, August 17 2010 15:50.08 CDT
OllyAdvanced patches the "call dword ptr [edx]" inside the API. Syscall or int 2e shouldn't matter, if you don't call through the API.
grzonu
Posted: Tuesday, August 17 2010 16:21.53 CDT
I use my own function to issue SYSCALL, not KiFastSystemCall, and OllyAdvanced is modifying the results of the call, but if I use INT 2E the results are good.
PeterFerrie
Posted: Thursday, August 19 2010 12:23.07 CDT
Weird, because when I enable every anti-debugging option in OllyAdvanced 1.27, and use this code:
push 0                                     ; ReturnLength = NULL
push 18h                                   ; ProcessInformationLength = sizeof(PROCESS_BASIC_INFORMATION)
mov ebp, offset l1
push ebp                                   ; ProcessInformation = l1
push 0                                     ; ProcessInformationClass = ProcessBasicInformation
push -1                                    ; ProcessHandle = current process
push eax                                   ; dummy slot where a caller of the ntdll stub would have left its return address
mov eax, dword ptr [offset NtQueryInformationProcess+1]   ; service number from the stub's "mov eax, imm32"
mov edx, 7ffe0300h                         ; SharedUserData->SystemCall (KiFastSystemCall)
call [edx]
mov eax, dword ptr [ebp+14h]               ; PROCESS_BASIC_INFORMATION.InheritedFromUniqueProcessId
...
l1 db 18h dup (?)                          ; receives the PROCESS_BASIC_INFORMATION structure
I still see OllyDbg.exe as the parent PID.