Update to AttachAnyway
I've updated my AttachAnyway plugin so that it can attach to processes protected by Piotr's anti-debugger-attach method two: http://www.joestewart.org/tools/attachanyway.zip

The idea is simple: we find the PEB_LDR_DATA pointer in the target's PEB and VirtualProtectEx the page it lives on back to PAGE_READWRITE, so the process's exception handler never fires to report that the debugger touched the page while attaching.

This is harder than it first sounds. Windows XP SP2 no longer keeps the TEB/PEB at static addresses, and you can't just read the PEB pointer out of the TEB (FS:[0x30]) because you are not running in the context of that process; you have to search the target's memory for the TEB/PEB blocks by signature. There is probably a more elegant way (a better method for locating the TEB of another process would make a good tutorial), but it works. Once again, this is only a PoC, with no guarantee that it will work everywhere.

Update: anonymouse has suggested an alternative, more elegant way to find the PEB of another process using NtQueryInformationProcess, which you can read on his blog: https://www.openrce.org/blog/browse/anonymouse
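As an added example (not AttachAnyway's own source), the following C puts the two halves of the post together: it uses the NtQueryInformationProcess route suggested by anonymouse to get the remote PebBaseAddress, reads the PEB.Ldr pointer out of it, checks whether the page holding PEB_LDR_DATA is currently set to trap a read, and resets it to PAGE_READWRITE. It assumes a 32-bit Windows PEB layout (Ldr at offset 0x0C) and assumes the protection to undo is a PAGE_GUARD or PAGE_NOACCESS page; the post does not name the exact protection method two applies, so that part is an assumption. The PEB parsing and the protection check are portable helpers that build anywhere; the Win32 glue is compiled only under _WIN32.

```c
/*
 * Added example, not the plugin's code. Reset the PEB_LDR_DATA page of
 * another process to PAGE_READWRITE after locating its PEB through
 * NtQueryInformationProcess(ProcessBasicInformation).
 * Assumptions: 32-bit target (PEB.Ldr at 0x0C); the anti-attach trick
 * marks the Ldr page PAGE_GUARD or PAGE_NOACCESS so a debugger read faults.
 */
#include <stdint.h>
#include <stddef.h>

#define PEB_LDR_OFFSET 0x0C      /* PEB.Ldr on x86 Windows */

/* Protection bits mirrored from <winnt.h> so the helpers build off-Windows. */
#define EX_PAGE_NOACCESS   0x01
#define EX_PAGE_READWRITE  0x04
#define EX_PAGE_GUARD      0x100

/* Pull the PEB_LDR_DATA pointer out of a raw 32-bit PEB image (little endian).
 * Returns 0 if the image is too short to contain the field. */
uint32_t peb_ldr_pointer(const unsigned char *peb, size_t len)
{
    if (len < PEB_LDR_OFFSET + 4) return 0;
    return (uint32_t)peb[PEB_LDR_OFFSET]
         | (uint32_t)peb[PEB_LDR_OFFSET + 1] << 8
         | (uint32_t)peb[PEB_LDR_OFFSET + 2] << 16
         | (uint32_t)peb[PEB_LDR_OFFSET + 3] << 24;
}

/* 1 if a read of a page with this protection would raise an exception:
 * PAGE_GUARD (one-shot STATUS_GUARD_PAGE_VIOLATION) or PAGE_NOACCESS
 * (access violation). Base protection lives in the low byte; PAGE_GUARD
 * is a modifier bit, so both are checked. */
int ldr_page_is_trapped(uint32_t protect)
{
    return (protect & EX_PAGE_GUARD) || (protect & 0xFF) == EX_PAGE_NOACCESS;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* hProcess needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION.
 * Returns 1 if the Ldr page was reset, 0 if it was not trapped, -1 on error. */
int restore_ldr_page(HANDLE hProcess)
{
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationProcess");
    if (!NtQIP) return -1;

    /* Step 1: ask the kernel for the remote PEB address instead of scanning. */
    PROCESS_BASIC_INFORMATION pbi;
    ULONG got = 0;
    if (NtQIP(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, &got) != 0)
        return -1;

    /* Step 2: read just enough of the PEB to reach the Ldr field. */
    unsigned char peb[PEB_LDR_OFFSET + 4];
    SIZE_T n = 0;
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, peb, sizeof peb, &n)
        || n != sizeof peb)
        return -1;
    uint32_t ldr = peb_ldr_pointer(peb, sizeof peb);
    if (!ldr) return -1;

    /* Step 3: inspect the region holding PEB_LDR_DATA; VirtualQueryEx reports
     * PAGE_GUARD in Protect, so the check above sees it. */
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQueryEx(hProcess, (LPCVOID)(uintptr_t)ldr, &mbi, sizeof mbi))
        return -1;
    if (!ldr_page_is_trapped(mbi.Protect)) return 0;

    /* Step 4: put the region back to plain PAGE_READWRITE so the attach-time
     * module-list walk no longer hits the process's exception handler. */
    DWORD old;
    if (!VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize,
                          PAGE_READWRITE, &old))
        return -1;
    return 1;
}
#endif
```

Call `restore_ldr_page()` with the target handle before issuing DebugActiveProcess; on a 64-bit debugger targeting a 32-bit process the PEB returned is the native one and the offset differs, so the example is only meant for a 32-bit debugger attaching to a 32-bit target.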