📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  What is fs:[30] ?

Topic created on: September 20, 2007 08:58 CDT by Pnluck .

I'm analyzing a thing (a packer from china I believe), and I found this code

MOV EAX,DWORD PTR FS:[30] //0x7ffdd030
MOVZX EAX,BYTE PTR DS:[EAX+2]

I would know to which structure the fs:[30] point to. Thx

  jms     September 20, 2007 09:11.31 CDT
That pointer is pointing to the Thread Information Block described here.

At that particular offset in the TIB struct points to the Process Environment Block (PEB)described here

Quite possibly it will be looking at some of the PEB information to determine if a debugger is attached, we discussed some of this in the LDR_MODULE (Anti-Debugging) thread. Hope this helps.

  jms     September 20, 2007 09:35.05 CDT
Oh and if you are using ImmunityDebugger you can just use:


peb = imm.getPEB()
peb_addr = imm.getPEBaddress()


Here is what this looks like:

  lafkuku     September 20, 2007 11:47.37 CDT
> jms: That pointer is pointing to the Thread Information Block described here.
>
> At that particular offset in the TIB struct points to the Process Environment Block (PEB)described here
>
> Quite possibly it will be looking at some of the PEB information to determine if a debugger is attached, we discussed some of this in the LDR_MODULE (Anti-Debugging) thread. Hope this helps.

Yea the +2 offset is where the isDebuggerPresent variable lives. So it's basically, checking for a debugger without making the call the the isDebuggerPresent API.

  jms     September 20, 2007 11:50.37 CDT
Dami posted his one liner:



imm.writeMemory(imm.getPEBaddress()+2, "\x00")



On the Immmunity Forum

  Pnluck     September 20, 2007 12:34.45 CDT
Thanks for the help =)

  anonymouse     September 21, 2007 11:22.51 CDT
lkd> dt  nt!_TEB ProcessEnvironmentBlock ProcessEnvironmentBlock.BeingDebugged
   +0x030 ProcessEnvironmentBlock               : Ptr32 _PEB
      +0x002 BeingDebugged                         : UChar

Note: Registration is required to post to the forums.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit