http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Tue, 17 Aug 2010 10:16:14 -0500 https://www.openrce.org/blog/view/1579/Bypassing_OllyAdvanced grzonu <email-suppressed@example.com> I`m currently doing research on some method to detect &amp; disconnect a debugger. <br /> For example, I use NtQuerySystemInformation with SystemHandleInformation parameter to search for Handles to my process (Handle type = 0x07) and the Debug Handles (type == 0x0B).<br /> If a process has both handles, then it's probably a debugger that is debugging our process.<br /> We can then remove the debugger using ZwRemoveProcessDebug.<br /> But... <br /> If the debugger is using the OllyAdvance plugin, then if we use NtQuerySystemInformation we get an empty list of debugger-owned handles. Also, if we use NtQueryProcessInformation to get parent process ID, we get the ID of our own process and so, we can`t open the debugger`s (parents) process, nor duplicate handles.<br /> It seems that if we use SYSCALL to call these functions, OllyAdvance is modyfing the results of calls. However, If we use INT 2E to perform this call to the functions, OllyAdvanced doesn't &quot;work&quot; and we get the proper, unmodified, results ;)<br /> It seems that OllyAdvance uses a hook on the function that sysexit return to (ntdll.KiFastSystemCallRet), so it can modify the results. On the other hand, INT 2E don`t use sysexit to return to User Mode, so OllyAdvance cant`t hook this.<br /> We can now both easily detect the debugger and disconnect it ;)