
Debuggers forum: An anti-attach trick

Topic created on: December 17, 2011 09:23 CST by waleedassar .

I need to present a new anti-attach trick that I have recently come up with.

Given the two following facts:
1) For a debugger to attach itself to a process, the debugger has to create a remote thread in the process.
2) The OS loader calls TLS callbacks when a new thread is created in a process.
we can design a TLS callback which increments a global variable. This global variable holds the number of threads in the current process. If the value in this variable exceeds a specific number, this means that a foreign thread has just been created and the process has to exit.

This is a simple demonstration example.
http://ollytlscatch.googlecode.com/files/example1.rar



To make things harder, we would use dynamic TLS callbacks instead.

To implement a dynamic TLS callback, follow these 2 steps:
1) Create a TLS structure and then store its rva and size in the TLS data directory at runtime.
2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.

Source code can be found here.
http://ollytlscatch.googlecode.com/files/example2.rar

It works on Win XPSP3 only. You can edit the source code to include other OSes.

N.B. This trick is still in progress and I am waiting for any feedback.
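An added check from the analyst's side (example code written for this thread, not the author's example1/example2 code): it parses the TLS data directory of a PE32 image and lists the callback RVAs, which is how the static variant from example1 shows up on disk before the file ever runs. It cannot see the dynamic variant from example2, because that TLS directory is only written into memory at runtime; build_sample_pe() is a constructed skeleton image, not a real binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # index of the TLS entry in the optional header's data directories

def _rva_to_offset(sections, rva):
    # sections: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def tls_callbacks(image):
    """Return the RVAs of the TLS callbacks a PE32 image declares on disk ([] if none)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                                   # optional header follows the COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("PE32 only (the 32-bit layout the thread discusses)")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    tls_rva, tls_size = struct.unpack_from("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in
                (struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8) for i in range(nsec))]
    if tls_rva == 0 or tls_size == 0:
        return []                                                   # no static TLS directory
    # IMAGE_TLS_DIRECTORY32 fields are VAs, not RVAs; AddressOfCallBacks is the 4th DWORD (offset 12)
    cb_va = struct.unpack_from("<I", image, _rva_to_offset(sections, tls_rva) + 12)[0]
    if cb_va == 0:
        return []
    off, callbacks = _rva_to_offset(sections, cb_va - image_base), []
    while (va := struct.unpack_from("<I", image, off)[0]) != 0:    # table is NULL-terminated
        callbacks.append(va - image_base)
        off += 4
    return callbacks

def build_sample_pe():
    """Constructed PE32 skeleton (not a real program, not the thread's example): one .tls section at
    RVA 0x1000 holding a TLS directory whose callback table names callbacks at RVA 0x1100 and 0x1200."""
    base = 0x400000
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, base)                           # ImageBase
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 24)
    section = b".tls\0\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt) + section)
    tls_dir = struct.pack("<IIIIII", 0, 0, 0, base + 0x1040, 0, 0)  # AddressOfCallBacks -> RVA 0x1040
    table = struct.pack("<III", base + 0x1100, base + 0x1200, 0)
    return headers.ljust(0x200, b"\0") + (tls_dir.ljust(0x40, b"\0") + table).ljust(0x200, b"\0")
```

Run tls_callbacks() over a file's bytes; a non-empty list on a binary that has no obvious reason to use TLS is worth a closer look at those addresses before attaching.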

  PeterFerrie     December 17, 2011 10:01.51 CST
I described a variation of the technique in 2009. :-)
http://pferrie.host22.com/papers/unpackers22.pdf
Any thread that is created can be queried for its start address. If it's not in an address range that you expect, then it's also injected.
Counting the threads isn't safe, because if you use networking or RPC or DirectX, etc., then threads are created by the system that you might think are injected. Or if you set the number too high, then you won't notice some injected threads.

  waleedassar     December 17, 2011 12:43.16 CST
Nice paper, Peter.

Counting threads is definitely not the best option. It has only been used in that example for demonstration.

  Bass     January 14, 2012 07:14.33 CST
Hello, thank you for sharing your results.

I tried to start your example ddd.exe in Sandboxie and I got the message "Are you trying to attach a debugger to me?". After this I compiled your code myself with RAD Studio 2007. Then I tried to run my executable in Sandboxie and it works fine.

But why? Is your example source code maybe not complete?
Otherwise I should try to compile the file in Visual Studio, but it's not installed on my PC at the moment.

  waleedassar     January 14, 2012 07:48.20 CST
This is because Sandboxie tries to create a new thread inside ddd.exe. ddd.exe mistakenly thinks it is a debugger thread.

As I noted above, this is for demonstration only. To optimize the code, you should query the new thread for its entrypoint and then compare it against your whitelist/blacklist of entrypoints.

I guess RAD does not understand "_tls_used" and subsequently no TLS structure is emitted in the result PE file.

Anyway, Visual C++ 6.0 does this job for me.

  Bass     January 14, 2012 13:22.11 CST
Can it be that you have re-uploaded the files? Because the first time I downloaded your files, I tested the program in Sandboxie for fun and I got your debugger attach message. After this I took a short look at the source code and then I deleted the files (sorry, but my desktop was full, I was working on another thing so I needed a little bit of space ^^).

A few hours later, I visited your forum thread again and downloaded the files a second time. I tested your program again in Sandboxie but then I saw this message: "This demo works on windows XPSP3 only.".

A few hours before I hadn't got this message, so I think that you have changed a few things (I had only taken a very short look at the source code, because I was busy with another task, so I don't know if you changed something). Oh, and I didn't use WinXP, I used Win7 Pro x64.
But now I have also tested it on WinXP SP3 (on XP it works really well; Win XP SP3 in VMware).

  waleedassar     January 14, 2012 16:20.33 CST
I have uploaded two files, example1.rar and example2.rar.

example1.rar is the one you tested in Sandboxie and example2.rar is the one that works only in XP SP3.

  Bass     January 14, 2012 17:32.27 CST
Ah ok now I see it, my mistake sry.
