OpenRCE: Blog

How to hook a SEH?

Wed, 09 Nov 2005 08:13:20 -0600

I writed a tutorial wich explain how to hook a SEH to give answer to the people who wanna know how i worked.

http://www.pastapolis.info/?eax=00000002
http://www.pastapolis.info/tutorials/Bypass%20Hardware%20Breakpoint%20Protection.pdf

I writed a program which hook hiself :

http://www.pastapolis.info/misc/standalone_hooker.c

Anti Anti Hardware Breakpoint plugin [ollydbg]

Wed, 09 Nov 2005 08:11:28 -0600

Ollydbg Anti Anti Hardware Breakpoint
Copyright (c) 2005 - Mattwood^FRET - mattwood9@gmail.com - www.pastapolis.info - http://reverseengineering.online.fr/spip/

- *How install it?

set olly_hardware_breakpoint.dll in the ollydbg dir.

And if you want to use the user32.dll global loadlibrary add ravioli.dll in the System32 directory and ravioli.dll to the registery.
else set ravioli.dll in the same dir as olly_hardware_breakpoint.dll.

- * What does this plugin?

It hook ntdll i writed a tutorial about it.
http://reverseengineering.online.fr/spip/article.php3?id_article=53

- * How to use it?

If the target doesn't use user32.dll :
When you load a program do a F7 or F8 and in the menu and Force to load the dll.

Else it's good :)

If you wanna remove the hook in ntdll goto the menu and Remove the hook :].

- * Note?

Yep, it's a simple version. I load the dll like a pig :]

Cheers,

Mattwood^FRET

Ooops sorry !

Wed, 09 Nov 2005 08:06:46 -0600

I just see i forgotten to alert you that my polymorphic breakpoint got a bug :] a dumb bug :]

http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=2&topic=1516

The new version can be found here :

http://reverseengineering.online.fr/spip/article.php3?id_article=50

Polymorphic Breakpoint For Ollydbg

Sat, 15 Oct 2005 07:30:13 -0500

It's a newplugin for ollydbg i have coded.

You can download it at : http://reverseengineering.online.fr/spip/article.php3?id_article=50

README:
Ollydbg Polymorphic Breakpoint Manager
Copyright (c) 2005 - Mattwood^FRET - mattwood9@gmail.com - http://reverseengineering.online.fr/spip/

- * What does this plugin do?

Classical breakpoint like 0CCh or 0EBh,0FEh are very easy to find just with a little antibreakpoint tricks likes :

00DE31FA  |.  B8 60060000   MOV     EAX,660

00DE31FF  |.  C1E8 03       SHR     EAX,3

00DE3202  |.  F2:AE         REPNE   SCAS BYTE PTR ES:[EDI]

00DE3204  |.  85C9          TEST    ECX,ECX

00DE3206  |.  74 04         JE      SHORT <0x90f.badboy>

The common way was to set a 0EBh,0FEh for bypass this little protection, but it's not very efficient.

The way of the plugin is to set a polymorphic EBFE likes :

00DE321C   .  E8 02000000   CALL    0x90f.00DE3223

00DE3221   .  DCED          FSUB    ST(5),ST

00DE3223   $  813424 371300>XOR     DWORD PTR SS:[ESP],1337

00DE322A   .- FF2424        JMP     NEAR DWORD PTR SS:[ESP]

Here the routine decrypt DCED with 1337 and the word at [00DE3221] = EBFE, but this way need to special right : the section must be writable.

So i have created a second way wich use the stack :

00DE320C   > \E8 00000000   CALL    0x90f.00DE3211

00DE3211   $  66:68 21FE    PUSH    0FE21

00DE3215   .  803424 CA     XOR     BYTE PTR SS:[ESP],0CA

00DE3219   .- FFE4          JMP     NEAR ESP

This way is universal.

- * The Polymorphic isn't to big for small function?

I already look at function likes GetCommandLineA :), they have a very nice padding :)

GetCommand>  A1 F435887C     MOV     EAX,DWORD PTR DS:[7C8835F4]

7C812C92     C3              RETN

7C812C93     90              NOP

7C812C94     90              NOP

7C812C95     90              NOP

7C812C96     90              NOP

7C812C97     90              NOP

7C812C98     FFFF            ???                                      ; Unknown command

7C812C9A     FFFF            ???                                      ; Unknown command

7C812C9C     0000            ADD     BYTE PTR DS:[EAX],AL

7C812C9E     0000            ADD     BYTE PTR DS:[EAX],AL

nice no? :)

- * How to delete this breakpoint?

I coded a manager for this plugin who can delete breakpoint.

- * Note?

Yep, it's a concept of the polymorphic breakpoint so i suggest you to change the default breakpoint wich i added.

Cheers,

Mattwood^FRET