Anti-anti-dattach OllyDbg Plugin
Piotr recently came up with a cool technique to hook NtContinue in order to prevent debugger attaching (see Piotr's blog for more details). For fun, I've written an OllyDbg plugin called AttachAnyway to bypass Piotr's anti-dattach protection and allow you to attach to a protected process.

It's pretty straightforward: it enumerates all processes, looking for a hook on the first 5 bytes of NtContinue, and if it finds one, lets you restore the original code and call OllyDbg's Attachtoactiveprocess export. Nothing particularly earth-shattering, but perhaps more code examples like this could inspire more people to write OllyDbg plugins. :)

It should be available in the OpenRCE downloads section soon, but for now you can get it from: http://www.joestewart.org/tools/attachanyway.zip

Also included in the zip file is an assembled version of Piotr's anti-dattach.asm for testing purposes, along with the source code to the plugin.
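The core check the post describes (is the 5-byte entry of a function patched, and if so where does the patch go?) as an added example, not code from AttachAnyway or from the original post. It compares the live entry bytes of a function against a known-good copy and, when the patch is an E9 near jump, decodes the rel32 operand into an absolute target. The addresses and byte strings are constructed sample values, not real NtContinue addresses or syscall stubs, and the code is portable C with no Windows API calls so it builds anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 5   /* a classic inline hook overwrites exactly 5 bytes: E9 <rel32> */

/* Result of inspecting the entry bytes of one function. */
typedef struct {
    int hooked;        /* 1 if the live bytes differ from the known-good copy */
    int is_jmp_rel32;  /* 1 if the patch begins with an E9 near jump */
    uint32_t target;   /* absolute jump target, valid only when is_jmp_rel32 */
} hook_report;

/* Compare the live entry bytes of a function at func_addr with a pristine
 * copy and, if they differ and start with E9, decode the rel32 operand.
 * The target is computed modulo 2^32, exactly as a 32-bit CPU would. */
hook_report inspect_entry(uint32_t func_addr, const uint8_t *live, const uint8_t *pristine)
{
    hook_report r = {0, 0, 0};
    if (memcmp(live, pristine, PROLOGUE_LEN) == 0)
        return r;                         /* untouched: nothing to report */
    r.hooked = 1;
    if (live[0] == 0xE9) {
        /* rel32 is stored little-endian after the opcode; assemble it byte by
         * byte so the result does not depend on host endianness */
        uint32_t rel = (uint32_t)live[1]
                     | ((uint32_t)live[2] << 8)
                     | ((uint32_t)live[3] << 16)
                     | ((uint32_t)live[4] << 24);
        r.is_jmp_rel32 = 1;
        r.target = func_addr + PROLOGUE_LEN + rel;   /* JMP is relative to the next instruction */
    }
    return r;
}

/* Constructed sample data (hypothetical addresses, not real ntdll values):
 * the function is assumed to live at 0x10001000 and the hook redirects it
 * to 0x20000000, so rel32 = 0x20000000 - (0x10001000 + 5) = 0x0FFFEFFB. */
#define SAMPLE_FUNC_ADDR 0x10001000u
static const uint8_t SAMPLE_PRISTINE[PROLOGUE_LEN] = { 0xB8, 0x11, 0x22, 0x33, 0x44 }; /* mov eax, imm32 placeholder */
static const uint8_t SAMPLE_CLEAN[PROLOGUE_LEN]    = { 0xB8, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t SAMPLE_HOOKED[PROLOGUE_LEN]   = { 0xE9, 0xFB, 0xEF, 0xFF, 0x0F };

int main(void)
{
    hook_report clean  = inspect_entry(SAMPLE_FUNC_ADDR, SAMPLE_CLEAN, SAMPLE_PRISTINE);
    hook_report hooked = inspect_entry(SAMPLE_FUNC_ADDR, SAMPLE_HOOKED, SAMPLE_PRISTINE);
    printf("clean sample : hooked=%d\n", clean.hooked);
    printf("hooked sample: hooked=%d jmp=%d target=0x%08X\n",
           hooked.hooked, hooked.is_jmp_rel32, (unsigned)hooked.target);
    return 0;
}
```

In a real plugin the live bytes would come from reading each enumerated process's memory at the address of NtContinue, and the pristine copy from the DLL image on disk (or from a process known to be unpatched); that wiring is an assumption about how such a check is normally fed, not a description of AttachAnyway's internals. The same comparison is what a forensic or EDR tool does when it audits a process for inline hooks, so the detection half is useful on its own.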