Walied (waleedassar) <waliedassar gmail com>
Tuesday, December 13 2011 15:35.09 CST
I have recently created an OllyDbg plugin, ICanAttach, to bypass the "DbgUiRemoteBreakin", "DbgBreakPoint", and "NtContinue" anti-attach tricks.
It has only been tested on XP SP3 and WOW64 Windows 7.
Glad if someone tests it on other OSes and gives me some feedback.
http://ollytlscatch.googlecode.com/files/ICanAttach2.dll
Source code
http://ollytlscatch.googlecode.com/files/ICanAttach.rar
For more info:
http://waleedassar.blogspot.com/2011/12/debuggers-anti-attaching-techniques.html
http://waleedassar.blogspot.com/2011/12/debuggers-anti-attaching-techniques_11.html
but a thread that checks the code for these APIs will detect the change, so you have a race condition in that case.
Cool, thanks a lot, Peter.
My plugin has been updated to cover that scenario. Now, it hooks the "DbgUiIssueRemoteBreakin" function rather than the "DebugActiveProcess" function.
1) In DbgUiIssueRemoteBreakin (in ollydbg.exe), the seventh parameter passed to RtlCreateUserThread has been changed to be my own code.
2) In the target process, all relative offsets in ntdll.dll to ZwContinue have been fixed to be offsets to my own NtContinue.
The updated plugin
http://ollytlscatch.googlecode.com/files/ICanAttach2.dll
Glad to see any demos. Waiting for any feedback.
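Step 2 of the updated plugin, retargeting every relative reference to ZwContinue so that it reaches a replacement routine, comes down to one mechanical operation: walk a code region, find each rel32 CALL (E8) / JMP (E9) whose displacement resolves to the old target, and rewrite the displacement so the same site now resolves to the new target. The block below is an added example written for this thread, not code from the ICanAttach plugin or from OllyDbg. It works on an in-memory byte buffer of constructed 32-bit x86 code with pretend addresses (SAMPLE_BASE, ZWCONTINUE, MY_NTCONTINUE are all assumptions), so it runs stand-alone on any OS; in the real plugin the same rewrite would have to be applied to ntdll's code section inside the target process (for example via ReadProcessMemory/WriteProcessMemory, which is my assumption about the mechanism, not something the post states). Only E8/E9 relative sites are handled, matching the post's "relative offsets"; indirect calls through an import slot or a register would need separate treatment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Compute where the rel32 CALL/JMP whose opcode sits at code[i] lands,
 * given that code[] is mapped at virtual address `base`. */
static uint32_t rel32_target(const uint8_t *code, uint32_t base, size_t i)
{
    int32_t disp;
    memcpy(&disp, code + i + 1, 4);            /* little-endian imm32 */
    return base + (uint32_t)i + 5 + (uint32_t)disp;
}

/* Retarget every E8 (CALL rel32) / E9 (JMP rel32) in code[0..len) that
 * currently reaches old_target so that it reaches new_target instead.
 * A site counts only if its displacement resolves exactly to old_target,
 * which makes a false positive from a stray E8/E9 byte inside another
 * instruction or inside data very unlikely. Returns the number of sites
 * rewritten. 32-bit x86 only (assumption for this example). */
size_t retarget_rel32(uint8_t *code, size_t len, uint32_t base,
                      uint32_t old_target, uint32_t new_target)
{
    size_t patched = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8 && code[i] != 0xE9) continue;
        if (rel32_target(code, base, i) != old_target) continue;
        uint32_t next = base + (uint32_t)i + 5;   /* address after the instr */
        int32_t ndisp = (int32_t)(new_target - next);
        memcpy(code + i + 1, &ndisp, 4);
        patched++;
    }
    return patched;
}

#define SAMPLE_BASE   0x10000000u   /* pretend load address of the module   */
#define ZWCONTINUE    0x10000100u   /* pretend address of the ZwContinue stub */
#define MY_NTCONTINUE 0x20000000u   /* pretend address of our replacement   */

/* Constructed x86 code (not taken from any real binary): two sites reach
 * ZWCONTINUE (a CALL at +3 and a JMP at +14), the CALL at +8 reaches an
 * unrelated routine, and 'mov eax, 0E8h' at +20 embeds a stray E8 byte
 * that must be left untouched. Returns the sample's length. */
static size_t build_sample(uint8_t *buf)
{
    static const uint8_t sample[] = {
        0x55,                           /* +0  push ebp               */
        0x8B, 0xEC,                     /* +1  mov  ebp, esp          */
        0xE8, 0xF8, 0x00, 0x00, 0x00,   /* +3  call ZwContinue        */
        0xE8, 0xF3, 0x01, 0x00, 0x00,   /* +8  call 0x10000200        */
        0xC3,                           /* +13 ret                    */
        0xE9, 0xED, 0x00, 0x00, 0x00,   /* +14 jmp  ZwContinue        */
        0xC3,                           /* +19 ret                    */
        0xB8, 0xE8, 0x00, 0x00, 0x00,   /* +20 mov  eax, 0E8h         */
        0xC3                            /* +25 ret                    */
    };
    memcpy(buf, sample, sizeof sample);
    return sizeof sample;
}

/* Run the rewrite over the constructed sample; returns the site count. */
size_t demo_patch_count(void)
{
    uint8_t buf[64];
    size_t len = build_sample(buf);
    return retarget_rel32(buf, len, SAMPLE_BASE, ZWCONTINUE, MY_NTCONTINUE);
}

/* Returns 1 if, after the rewrite, both ZwContinue sites reach
 * MY_NTCONTINUE, the unrelated call still reaches its routine, and the
 * stray E8 inside 'mov eax, 0E8h' was not modified. */
int demo_targets_ok(void)
{
    uint8_t buf[64];
    size_t len = build_sample(buf);
    retarget_rel32(buf, len, SAMPLE_BASE, ZWCONTINUE, MY_NTCONTINUE);
    return rel32_target(buf, SAMPLE_BASE, 3)  == MY_NTCONTINUE
        && rel32_target(buf, SAMPLE_BASE, 14) == MY_NTCONTINUE
        && rel32_target(buf, SAMPLE_BASE, 8)  == 0x10000200u
        && buf[21] == 0xE8 && buf[22] == 0x00;
}

int main(void)
{
    printf("patched %zu site(s), targets ok: %d\n",
           demo_patch_count(), demo_targets_ok());
    return 0;
}
```

Matching on the resolved target rather than on the opcode byte alone is what keeps this safe to run over a whole code section: an E8 that is really an immediate operand, as at +21 above, resolves to some unrelated address and is skipped. The one thing the caller must still guarantee is that new_target is within +/-2 GiB of every rewritten site, which holds for a replacement routine placed inside the same 32-bit process.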