NTDLL patching to disallow DR0-DR7 writes from ring3

Topic created on: August 31, 2005 14:23 CDT by 0xebfe .

Hi, from SOTM33, Nicolas Brulez mentioned there's a way to patch the ntdll.dll to disallow writing into the debug registers from the user space. I guess that sort of functionality is invaluable to me and I guess to lots of other reversers out there. However, there's no public info on this available. Anyone know how to do this? Or better yet, have a patch for WinXP's ntdll.dll? I am just tired of working around polymorphic code that erases DRxs which makes both software and hardware breaks really hard to set.

Any info would be nice!

  anonymouse     September 1, 2005 12:54.52 CDT
well i don't remember reading so i'll read it again :)
but probably you can hook NtContinue and change the DebugRegisters values during its return to user mode
i would say :)
the basic idea behind my thinking would be something like this: the author would need a seh to modify the debug registers and then
say i handled the error and return back to the system
which would use NtContinue or ZwContinue (now that has the context structure passed to it )
you could possibly modify it back again before having the int 2e or sysenter executed don't you think ?

well i have successfully broken on seh returns using the
[r32+0xb8] that is passed to NtContinue or ZwContinue
in ollydbg to continue analysis from repaired
or modified eip in seh handler

how could one hook ?? probably write a small plugin that
that used odbg_paused() or odbg_pausedEx() by having a
soft or hard breakpoints (maybe use 0xcd03 instead of 0xcc)

and when hit just read the context.dr0 to context.dr7
and modify it to your needed values

you can take a look at NtGlobalFlag plugin on BiW (source
avl) it hooks and waits for Ntdll.Debugbreak to patch ntdll :) for logging the debug strings and breaking on Tls
Callbacks as well as DllInitRoutines




  Darawk     September 7, 2005 18:59.59 CDT
You'll actually want to hook KiUserExceptionDispatcher and NtContinue.  Because if you set any debug registers while using  a debugger, the process could detect them in the CONTEXT structure.  So, you'll want to zero them out before the structure is passed to the various exception handlers, and then set them back to their original state afterwards.

  anonymouse     September 8, 2005 05:28.47 CDT
what i meant was a simple break on ZwContinue()
and following in dump the context structure and modifying
the Dr0. to dr7

as an example prototype

setup seh handler
then
xor eax,eax
mov [eax],eax <-- exception raised here

shift+f7 or f8 or f9
will make RtlpExecuteExceptionHandler() call your seh handler
now in seh handler you do whatever you fancy
and then you have to return back to ntdll with
one of the preset return values
like
Exception_continue_search
Exception_handled
[email protected]

now ntdll would check the return and would do
either a
ZwContinue()
or ZwRaiseException()
A malware intentionally creating an exception to manipulate
some structures would have to return Exception_handled
for it to survive
now if it returned Exception_handled
ntdll will pass
control to
ZwContinue() the parameters for ZwContinue are
PCCONTEXT and CINT IRQLEVEL

now if you have a break here and wait for it to be hit
you can easily
ReadProcessMemory and WriteProcessMemory
any of the registers
that is your handler will be the handler after the original handler :)
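To make the mechanism described in the two replies above concrete (zero Dr0-Dr7 in the CONTEXT before KiUserExceptionDispatcher hands it to the handler, then put the debugger's values back on the NtContinue/ZwContinue path before the kernel reloads them), here is an added C example. It is not code from this thread, from OllyDbg or from the NtGlobalFlag plugin mentioned above. Instead of including windows.h it models the x86 CONTEXT with a constructed struct that uses the winnt.h offsets (Dr0 at 0x04, Eip at 0xB8, the slot the first reply refers to), so it builds and runs anywhere; the two hook points and the packer's SEH handler are simulated by direct calls, and the names hide_debug_regs, restore_debug_regs, exception_roundtrip, demo_roundtrip and the breakpoint addresses are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the 32-bit Windows CONTEXT layout, limited to the
 * fields this example touches.  Offsets follow winnt.h for x86 (Dr0 at 0x04,
 * Dr7 at 0x18, Eip at 0xB8, total size 0x2CC); the gaps are opaque padding so
 * the program builds without windows.h. */
typedef struct {
    uint32_t ContextFlags;                 /* 0x00 */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7; /* 0x04 .. 0x18 */
    uint8_t  pad0[0xB8 - 0x1C];            /* FloatSave, segment and general regs */
    uint32_t Eip;                          /* 0xB8: the [ctx+0xb8] slot from the thread */
    uint8_t  pad1[0x2CC - 0xBC];           /* SegCs, EFlags, Esp, SegSs, ExtendedRegisters */
} MockContext;

#define CONTEXT_i386            0x00010000u
#define CONTEXT_CONTROL         (CONTEXT_i386 | 0x00000001u)
#define CONTEXT_INTEGER         (CONTEXT_i386 | 0x00000002u)
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x00000010u)

/* Sanity check that the constructed struct really has the winnt.h offsets. */
int layout_ok(void) {
    return offsetof(MockContext, Dr0) == 0x04 && offsetof(MockContext, Dr7) == 0x18
        && offsetof(MockContext, Eip) == 0xB8 && sizeof(MockContext) == 0x2CC;
}

/* The debugger's private copy of the hardware breakpoint state. */
typedef struct {
    uint32_t dr[6]; /* Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 */
    int      valid;
} SavedDebugRegs;

static uint32_t *dr_slot(MockContext *ctx, int i) {
    uint32_t *slots[6] = { &ctx->Dr0, &ctx->Dr1, &ctx->Dr2, &ctx->Dr3, &ctx->Dr6, &ctx->Dr7 };
    return slots[i];
}

/* Hook point 1 (KiUserExceptionDispatcher): before the CONTEXT reaches any
 * user-mode handler, stash the debugger's DR values and zero the slots, so the
 * handler sees no hardware breakpoints at all. */
void hide_debug_regs(MockContext *ctx, SavedDebugRegs *saved) {
    for (int i = 0; i < 6; i++) {
        saved->dr[i] = *dr_slot(ctx, i);
        *dr_slot(ctx, i) = 0;
    }
    saved->valid = 1;
}

/* Hook point 2 (NtContinue / ZwContinue): the handler returned
 * EXCEPTION_CONTINUE_EXECUTION and its CONTEXT is about to be reloaded by the
 * kernel.  Drop whatever it wrote into Dr0-Dr7, put the stashed values back and
 * make sure the kernel will actually apply them.  Returns the number of slots
 * the handler changed, or -1 if no dispatch was recorded for this continue. */
int restore_debug_regs(MockContext *ctx, const SavedDebugRegs *saved) {
    if (!saved->valid)
        return -1;
    int tampered = 0;
    for (int i = 0; i < 6; i++) {
        if (*dr_slot(ctx, i) != 0)      /* it was handed over as zero */
            tampered++;
        *dr_slot(ctx, i) = saved->dr[i];
    }
    /* A handler that clears this flag would keep the kernel from reloading
     * Dr0-Dr7 from the CONTEXT; force it so the restored values take effect. */
    ctx->ContextFlags |= CONTEXT_DEBUG_REGISTERS;
    return tampered;
}

/* Constructed stand-in for the SEH handler of a packer that wipes the debug
 * registers and resumes past the faulting instruction, the behaviour the
 * original post complains about.  It never sees the real values. */
static void hostile_handler(MockContext *ctx) {
    ctx->Dr0 = 0;            /* "erase the breakpoints" (already zero here) */
    ctx->Dr7 = 0;
    ctx->Dr3 = 0xDEADBEEFu;  /* plant a value of its own */
    ctx->Eip += 2;           /* skip the 2-byte "mov [eax],eax" */
}

/* One full round trip: dispatch -> handler -> continue. */
int exception_roundtrip(MockContext *ctx, SavedDebugRegs *saved) {
    hide_debug_regs(ctx, saved);
    hostile_handler(ctx);
    return restore_debug_regs(ctx, saved);
}

/* Builds a context the way a debugger would leave it (one execute breakpoint
 * in Dr0, enabled through L0 in Dr7) and runs it through the round trip. */
int demo_roundtrip(MockContext *ctx) {
    SavedDebugRegs saved = { {0}, 0 };
    memset(ctx, 0, sizeof(*ctx));
    ctx->ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_DEBUG_REGISTERS;
    ctx->Dr0 = 0x00401000u;  /* constructed breakpoint address */
    ctx->Dr7 = 0x00000001u;  /* L0 enable, execute, length 1 */
    ctx->Eip = 0x00401234u;  /* constructed faulting address */
    return exception_roundtrip(ctx, &saved);
}

int main(void) {
    MockContext ctx;
    if (!layout_ok()) { puts("layout mismatch"); return 1; }
    int tampered = demo_roundtrip(&ctx);
    printf("handler changed %d DR slot(s); Dr0=%08x Dr7=%08x Dr3=%08x Eip=%08x\n",
           tampered, ctx.Dr0, ctx.Dr7, ctx.Dr3, ctx.Eip);
    return 0;
}
```

After the round trip the handler's Eip change survives (the debugger still wants the process to resume where the packer intended), while Dr0 and Dr7 carry the debugger's values again and the planted Dr3 is gone. In a real plugin the same two functions would run at the breakpoints on KiUserExceptionDispatcher and ZwContinue, reading and writing the CONTEXT through ReadProcessMemory/WriteProcessMemory at the pointer found on the stack, as the last reply describes.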


