http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Fri, 08 Mar 2013 16:13:08 -0600 https://www.openrce.org/blog/view/4515/2_anti-trace_mechanisms_specific_to_windows_x64 everdox <email-suppressed@example.com> <a href="http://everdox.blogspot.com/2013/03/2-anti-tracing-mechanisms-specific-to.html">http://everdox.blogspot.com/2013/03/2-anti-tracing-mechanisms-specific-to.html</a> Thu, 07 Mar 2013 09:02:54 -0600 https://www.openrce.org/blog/view/4513/Advanced_debugging_techniques everdox <email-suppressed@example.com> This article explains how from user-mode we can use NtSetInformationProcess to install an InstrumentationCallback which we can use to monitor access to the following callbacks, without actually hooking them in memory.<br /> <br /> This member only exists in x64 versions of windows.<br /> <br /> LdrInitializeThunk<br /> KiUserExceptionDispatcher<br /> KiRaiseUserExceptionDispatcher<br /> KiUserApcDispatcher<br /> KiUserCallbackDispatcher<br /> <br /> as well as all system calls.<br /> <br /> Please note that the InstrumentationCallback member of KPROCESS can only be set from user-mode if the target process is NOT running in the wow64 thunk layer. If you want to use this feature for wow64 processes you must use a driver or go in manually with KD.<br /> <br /> <br /> <a href="http://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu">http://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu</a> Wed, 06 Mar 2013 10:48:32 -0600 https://www.openrce.org/blog/view/4512/Branch_tracing_and_LBR_access_from_user-mode_in_windows. everdox <email-suppressed@example.com> This article is an in-depth explanation of leveraging access to the debug_ctl MSR's from user-mode and how windows provides access to LBRs in it's ExceptionInformation[] structure.<br /> <br /> The article goes on to explain a quick trick I discovered where the last branch can be located when a caller nukes it's call stack prior to a branch.<br /> <br /> The article also explains how the features can be used to detect whether or not the program runs under the control of certain hyper-visors. <br /> <br /> The in depth article can be found here: <a href="http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing">http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing</a><br /> <br /> An older article not by me discussing these features can also be found here: <a href="http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers">http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers</a> Tue, 05 Mar 2013 14:00:25 -0600 https://www.openrce.org/blog/view/4511/Using_pre-paged_in_virtual_memory_as_an_anti-dumping_and_anti-debugging_mechanism everdox <email-suppressed@example.com> <a href="http://everdox.blogspot.com/2013/03/utilizing-paged-virtual-memory-as-anti.html">http://everdox.blogspot.com/2013/03/utilizing-paged-virtual-memory-as-anti.html</a> Tue, 05 Mar 2013 13:59:02 -0600 https://www.openrce.org/blog/view/4510/Context_switches_and_cycle_time_counting_as_anti-debug_mechanism everdox <email-suppressed@example.com> <a href="http://everdox.blogspot.com/2013/02/infer-debugger-presense-by-counting.html">http://everdox.blogspot.com/2013/02/infer-debugger-presense-by-counting.html</a>