📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

IDA Pro forum: Disabling DbgUiDebugActiveProcess()

Topic created on: August 28, 2007 00:31 CDT by jaffersathik2010.

Hi All,

Here I am once again in need of your help in reversing an application. I am not able to run an application inside the debugger because of the following code.

ntdll.dll:7C95077B ntdll_DbgUiRemoteBreakin:
ntdll.dll:7C95077B push    8
ntdll.dll:7C95077D push    offset unk_7C9507C8
ntdll.dll:7C950782 call    near ptr unk_7C90EDC2
ntdll.dll:7C950787 mov    eax, large fs:18h
ntdll.dll:7C95078D mov    eax, [eax+30h]
ntdll.dll:7C950790 cmp    byte ptr [eax+2], 0
ntdll.dll:7C950794 jnz    short loc_7C95079F
ntdll.dll:7C950796 test    ds:byte_7FFE02D4, 2
ntdll.dll:7C95079D jz      short loc_7C9507BF
ntdll.dll:7C95079F
ntdll.dll:7C95079F loc_7C95079F:                          ; CODE XREF: ntdll.dll:7C950794j
ntdll.dll:7C95079F and    dword ptr [ebp-4], 0
ntdll.dll:7C9507A3 call    near ptr ntdll_DbgBreakPoint
ntdll.dll:7C9507A8 jmp    short loc_7C9507BB

"DbgUiRemoteBreakin" is referenced by the function "DbgUiDebugActiveProcess".

So I think if we disable the "DbgUiDebugActiveProcess", we can eliminate the problem. But I don't know how to disable it. Please help me.

I welcome any other tips also to remove this issue.

Thanks,
Jaffer.

  jms     August 28, 2007 10:33.11 CDT
What is the return value from that call that gets evaluated?

  anonymouse     August 28, 2007 12:15.33 CDT
ntdll.dll:7C950787 mov    eax, large fs:18h
ntdll.dll:7C95078D mov    eax, [eax+30h]
ntdll.dll:7C950790 cmp    byte ptr [eax+2], 0
That's IsDebuggerPresent().

fs:30 -> IsDebugged, aka Peb->isdebugged

It is testing for the presence of a debugger, and if one is present it calls an int3, ntdll.DbgBreakPoint().

You have to find out why you land here first, and disable that route.

Never try to disable system DLL code; that is a generic rule.
Disable the root cause; never enter here.

Something or other gets you here; find that path and, if possible, eliminate it.

  anonymouse     August 28, 2007 12:30.39 CDT
I didn't have the reference handy, but I had the feeling the next constant is IsDebuggerPresent too.

And indeed it is:

+0x2d4 KdDebuggerEnabled : UChar

So both of the above check for debugger presence and take appropriate action, and it is a legal function.

So someone is utilising it; find the place which uses these APIs, or wrappers, or the internals of some API.

  RolfRolles     August 28, 2007 14:26.13 CDT
Check out tAKane's post here.

Edit re: anonymouse below:  My mistake.  I had interpreted his question (which was vague) to be about DbgUiDebugActiveProcess's role in anti-debugging mechanisms.

  anonymouse     August 29, 2007 13:02.29 CDT
Since RolfRolles linked a post, I followed it, but I will respond here.

[quote]
Certain programs also freeze for me after OllyDbg's attachment. Once attached, OllyDbg says "Attached process paused at ntdll.DbgBreakPoint"... but it's actually at the RETN immediately after the INT3 at ntdll.DbgBreakPoint.
[/quote]

Yes, int 3 is a trap-class interrupt (I think that's the terminology; feel free to correct).

So EIP will always point at the instruction after the int3, which in this case happens to be a ret.

A sample implementation, patching on the fly (hard-coding an int3 and then an infinite loop, then executing it with F9 run):


00401E65 >/$  6A 18    PUSH    18
00401E67      CD 03    INT     3
00401E69    - EB FE    JMP     SHORT 00401E69

OllyDbg outputs this message:
Log data, item 0
Address=00401E67
Message=INT3 command at testconh.00401E67

Look at EIP in the registers window:

EAX 00000000
ECX 0006FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0006FFC0
EBP 0006FFF0
ESI 0012BBD4
EDI 000003F7
EIP 00401E69 testconh.00401E69 <------
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)


int 3 is at 0x####67 while EIP is at 0x####69.

Now, DbgBreakPoint was called by DbgUiRemoteBreakin:

Call stack of thread 000006F8, item 0
Address=0469FFCC
Stack=77F7285C
Procedure / arguments=ntdll.DbgBreakPoint
Called from=ntdll.77F72857
Frame=0469FFF4

If you follow the callee, you will see that it was called from DbgUiRemoteBreakin:


$ ==>    77F72838 ntdll.DbgUiRemoteBreakin       PUSH    8
$+2      77F7283A                                PUSH    ntdll.77F741D8
$+7      77F7283F                                CALL    ntdll._SEH_prolog
$+C      77F72844 <ntdll.tib->self>              MOV     EAX, DWORD PTR FS:[18]
$+12     77F7284A <ntdll.fs:[30]>                MOV     EAX, DWORD PTR DS:[EAX+30]
$+15     77F7284D <ntdll.peb->BeingDebugged>     CMP     BYTE PTR DS:[EAX+2], 0
$+19     77F72851 <ntdll.NoR3dbgchkR0Dbg>        JE      SHORT <ntdll.check for kd>
$+1B     77F72853 <ntdll.0 or -1>                AND     DWORD PTR SS:[EBP-4], 0
$+1F     77F72857                                CALL    ntdll.DbgBreakPoint
$+24     77F7285C <ntdll.-1 or 0>                OR      DWORD PTR SS:[EBP-4], FFFFFFFF
$+28     77F72860                                PUSH    0
$+2A     77F72862 <ntdll.kill DbgactProcthread > CALL    ntdll.RtlExitUserThread
$+2F     77F72867                                INT3
$+30     77F72868 <ntdll.check for kd>           TEST    BYTE PTR DS:[<kuser_shared_page->kddebuggerenabled>], 2
$+37     77F7286F                                JE      SHORT ntdll.77F72860
$+39     77F72871                                JMP     SHORT <ntdll.0 or -1>



[quote]

Looking at the next piece of code that it returns to (at least for me; ntdll.DbgUiRemoteBreakin), it indicates that the software I'm analysing might have a fairly decent anti-debugging mechanism.

[/quote]

No, that is not an anti-debugging mechanism; that's how attach always works, if I'm not wrong. See Alex Ionescu's posts dealing with debugging internals.

[quote]
ntdll.DbgUiIssueRemoteBreakin, which is referenced from ntdll.DbgUiDebugActiveProcess, which doesn't appear to be referenced from anywhere.
[/quote]

Neither is LdrInitializeThunk referenced from anywhere, but it is an integral part, and its function gets over when the kernel passes control to it after CreateProcess, mapping sections and initialising ntdll.

Likewise, DbgUiRemoteBreakin isn't referenced from Ring 3. It passes control to a debugger if one is present (so it checks if a debugger is present):

It checks for an r3 debugger; if present, it uses int 3 and creates a debug event.

If there is no r3 debugger, it checks for an r0 debugger and creates a debug event with int 3 again.

If there is none, it puts the exit code as -1 and terminates the thread that was spawned to attach to the active process.

Speaking of disabling it: that doesn't make much sense, in my opinion.
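
The two points made in the posts above, the three-way check in the DbgUiRemoteBreakin listing and the fact that EIP lands on the byte after the INT3, as an added example that is not part of the original thread. This is the editor's own C, not ntdll's code: the decision function takes the PEB->BeingDebugged byte and the byte at 0x7FFE02D4 as plain parameters instead of reading them from memory, and the trap demonstration assumes a Linux x86-64 host, using sigaction and SIGTRAP in place of a Windows debugger to observe where the kernel reports the program counter. The names dbgui_remote_breakin_decision, int3_pc_delta and the breakin_action enum are the example's own.

```c
/* Added example (not code from this thread or from ntdll). It models the
 * three-way branch shown in the DbgUiRemoteBreakin listing as a pure
 * function, and reproduces the INT3 trap semantics discussed above on a
 * Linux x86-64 host: the PC the kernel reports in the SIGTRAP context is
 * the byte after the 0xCC, just as OllyDbg shows EIP after the INT3.
 * Function and enum names are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Outcomes of the branch in the DbgUiRemoteBreakin listing. */
enum breakin_action {
    BREAKIN_EXIT_THREAD = 0,     /* neither check fired: PUSH 0 / RtlExitUserThread */
    BREAKIN_USER_DEBUGGER = 1,   /* PEB->BeingDebugged != 0: DbgBreakPoint */
    BREAKIN_KERNEL_DEBUGGER = 2  /* byte at 0x7FFE02D4 has bit 1 set: DbgBreakPoint */
};

/* Inputs stand in for the byte at fs:[30]+2 (PEB->BeingDebugged) and the
 * byte at 0x7FFE02D4 (KdDebuggerEnabled); the mask 2 is the TEST operand
 * from the listing, reproduced exactly. */
enum breakin_action dbgui_remote_breakin_decision(uint8_t being_debugged,
                                                  uint8_t kd_debugger_enabled)
{
    if (being_debugged != 0)        /* cmp byte ptr [eax+2], 0 ; jnz -> DbgBreakPoint */
        return BREAKIN_USER_DEBUGGER;
    if (kd_debugger_enabled & 2)    /* test byte ptr ds:[7FFE02D4], 2 ; jz -> exit thread */
        return BREAKIN_KERNEL_DEBUGGER;
    return BREAKIN_EXIT_THREAD;
}

/* Program counter captured from the SIGTRAP ucontext. */
static volatile uintptr_t g_trap_pc;

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
#if defined(__x86_64__)
    ucontext_t *uc = (ucontext_t *)ctx;
    g_trap_pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#else
    (void)ctx;
#endif
}

/* Executes a single INT3 with SIGTRAP hooked and returns
 * (PC reported in the signal context) - (address of the INT3 byte).
 * Expected 1 on Linux x86-64; returns -1 where the demo is unsupported. */
long int3_pc_delta(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    uintptr_t int3_addr = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    g_trap_pc = 0;
    __asm__ volatile(
        "leaq 1f(%%rip), %0\n\t"  /* record the address of the INT3 itself */
        "1: int3\n\t"             /* one-byte 0xCC; execution resumes after it */
        : "=r"(int3_addr)
        :
        : "memory");
    sigaction(SIGTRAP, &old, NULL);

    if (g_trap_pc == 0)
        return -1;
    return (long)(g_trap_pc - int3_addr);
#else
    return -1;
#endif
}

int main(void)
{
    printf("BeingDebugged=1, Kd=0 -> %d (user-mode debugger: DbgBreakPoint)\n",
           dbgui_remote_breakin_decision(1, 0));
    printf("BeingDebugged=0, Kd=2 -> %d (kernel debugger: DbgBreakPoint)\n",
           dbgui_remote_breakin_decision(0, 2));
    printf("BeingDebugged=0, Kd=0 -> %d (no debugger: thread exits)\n",
           dbgui_remote_breakin_decision(0, 0));
    printf("INT3 trap: reported PC - INT3 address = %ld\n", int3_pc_delta());
    return 0;
}
```

Build with `gcc -o breakin breakin.c`. On a Linux x86-64 box int3_pc_delta() returns 1, the same "one past the INT3" that the OllyDbg register dump shows for EIP; on other hosts it returns -1 rather than guessing. The decision function keeps the listing's exact mask, so a KdDebuggerEnabled byte with only bit 0 set still takes the RtlExitUserThread path.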

  jaffersathik2010     August 30, 2007 23:42.16 CDT
Hi All,

Thanks for your inputs. I will try it and update you guys soon.

--Jaffer
