Sunday, December 18, 2011

Debuggers Anti-Attaching Techniques - Part 5

In this post, I will explain another anti-attaching trick. The trick is that if we manipulate the _PEB_LDR_DATA structure pointed to by PEB.LoaderData, we can cause functions like EnumProcessModules and GetModuleFileNameExA to fail.


Consequently, OllyDbg would not be able to see the process in the "Select process to attach" dialog box.


You can play with this demo.

N.B. This trick can't be reliably used unless you carefully choose APIs in your application. Try to avoid APIs which read or write to the _PEB_LDR_DATA structure.

Update:
I have made a tiny plugin for OllyDbg v1.10. The plugin enables debugging those applications which don't show in the "Select process to attach" dialog box. The plugin first checks the integrity of the target process's _PEB_LDR_DATA structure. If a manipulated structure is detected, a new typical one will be created.

The plugin can be downloaded from here and its source code from here.

Update:
Variants of this trick manipulate PEB.LoaderData so that an infinite loop occurs in OllyDbg or any other application which tries to use the "EnumProcessModules" function or the like. See the image below.
The demo can be found here.
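As an added example (not code from this post or from its OllyDbg plugin), the C below models the two defences the updates above point at: the integrity check the plugin performs on the target's _PEB_LDR_DATA, and the iteration cap a module walker needs so that a manipulated list cannot drive it into the infinite loop described in the second update. The struct definitions are simplified, hypothetical stand-ins for _PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY (not the winternl.h definitions), the lists are constructed in local memory rather than read from another process with ReadProcessMemory, and the names check_ldr_data, build_list, demo_good_list and demo_spliced_list are mine.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical models of the loader structures (not the real
 * winternl.h definitions); only the fields the walk needs are kept. */
typedef struct _LIST_ENTRY_MODEL {
    struct _LIST_ENTRY_MODEL *Flink;
    struct _LIST_ENTRY_MODEL *Blink;
} LIST_ENTRY_MODEL;

typedef struct {                       /* stand-in for _PEB_LDR_DATA */
    unsigned long Length;
    unsigned char Initialized;
    LIST_ENTRY_MODEL InLoadOrderModuleList;
} PEB_LDR_DATA_MODEL;

typedef struct {                       /* stand-in for LDR_DATA_TABLE_ENTRY */
    LIST_ENTRY_MODEL InLoadOrderLinks;
    const char *BaseDllName;           /* plain C string in the model, not UNICODE_STRING */
} LDR_ENTRY_MODEL;

enum ldr_status { LDR_OK = 0, LDR_NOT_INITIALIZED, LDR_EMPTY, LDR_BAD_LINK, LDR_CYCLE };

/* Walk InLoadOrderModuleList defensively. max_modules caps the walk so a
 * manipulated list can never hang the caller (the infinite-loop variant);
 * validate_links additionally checks every Flink->Blink back-pointer so a
 * spliced or self-pointing entry is reported as LDR_BAD_LINK instead of
 * being followed. validate_links == 0 models a walker that relies on the
 * cap alone. On LDR_OK, *count holds the number of modules seen. */
enum ldr_status check_ldr_data(const PEB_LDR_DATA_MODEL *ldr, unsigned max_modules,
                               int validate_links, unsigned *count)
{
    const LIST_ENTRY_MODEL *head = &ldr->InLoadOrderModuleList;
    const LIST_ENTRY_MODEL *cur;
    unsigned n = 0;

    *count = 0;
    if (!ldr->Initialized)
        return LDR_NOT_INITIALIZED;
    if (head->Flink == NULL || head->Flink == head)
        return LDR_EMPTY;              /* a live process always lists at least its EXE */
    if (validate_links && head->Flink->Blink != head)
        return LDR_BAD_LINK;

    for (cur = head->Flink; cur != head; cur = cur->Flink) {
        if (cur->Flink == NULL)
            return LDR_BAD_LINK;
        if (validate_links && cur->Flink->Blink != cur)
            return LDR_BAD_LINK;
        if (++n > max_modules)
            return LDR_CYCLE;          /* never returned to the head */
    }
    *count = n;
    return LDR_OK;
}

/* Constructed sample data (not taken from a real process): a well-formed
 * ring of n entries hung off ldr, with made-up module names. */
static const char *sample_names[3] = { "demo.exe", "ntdll.dll", "kernel32.dll" };

static void build_list(PEB_LDR_DATA_MODEL *ldr, LDR_ENTRY_MODEL *e, unsigned n)
{
    LIST_ENTRY_MODEL *head = &ldr->InLoadOrderModuleList;
    unsigned i;

    ldr->Length = (unsigned long)sizeof *ldr;
    ldr->Initialized = 1;
    head->Flink = &e[0].InLoadOrderLinks;
    head->Blink = &e[n - 1].InLoadOrderLinks;
    for (i = 0; i < n; i++) {
        e[i].InLoadOrderLinks.Flink = (i + 1 < n) ? &e[i + 1].InLoadOrderLinks : head;
        e[i].InLoadOrderLinks.Blink = (i > 0) ? &e[i - 1].InLoadOrderLinks : head;
        e[i].BaseDllName = (i < 3) ? sample_names[i] : "extra.dll";
    }
}

/* Untouched list: returns the module count (3) or a negative status. */
int demo_good_list(void)
{
    PEB_LDR_DATA_MODEL ldr;
    LDR_ENTRY_MODEL e[3];
    unsigned count;
    enum ldr_status st;

    build_list(&ldr, e, 3);
    st = check_ldr_data(&ldr, 1024, 1, &count);
    return st == LDR_OK ? (int)count : -(int)st;
}

/* Manipulated list: the first two entries are re-linked into a private ring
 * that never leads back to the list head, the pattern behind the infinite
 * loop in the second update. Returns the status the walker reports. */
int demo_spliced_list(int validate_links)
{
    PEB_LDR_DATA_MODEL ldr;
    LDR_ENTRY_MODEL e[3];
    unsigned count;

    build_list(&ldr, e, 3);
    e[1].InLoadOrderLinks.Flink = &e[0].InLoadOrderLinks;
    e[0].InLoadOrderLinks.Blink = &e[1].InLoadOrderLinks;
    return (int)check_ldr_data(&ldr, 1024, validate_links, &count);
}

int main(void)
{
    printf("good list: %d modules\n", demo_good_list());
    printf("spliced list, cap only: status %d (LDR_CYCLE=%d)\n",
           demo_spliced_list(0), LDR_CYCLE);
    printf("spliced list, links validated: status %d (LDR_BAD_LINK=%d)\n",
           demo_spliced_list(1), LDR_BAD_LINK);
    return 0;
}
```

The cap alone turns a hang into a reported error after 1024 hops; the back-pointer check catches the same splice on the first inconsistent link, which is the kind of signal a plugin can use before deciding to replace the structure with a freshly built one. A real implementation would read the structure across the process boundary and would also sanity-check Length, DllBase and SizeOfImage of each entry.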

You can follow me on Twitter @waleedassar 

4 comments:

  1. First, thanks for your great post

    But the demo link is dead. Please re-upload it. Thank you very much.

    -rickb

  2. I have just uploaded it to code.google.com.

    You can find it here

    http://ollytlscatch.googlecode.com/files/attachTome.exe

    Btw, the link is okay.

  3. Hello, thank you for your articles, I really like to read them. :)

    But now i have a question:

    Is the PEB_LDR_DATA structure a global structure where all processes have access on it?

    I don't understand why Olly can't show me the process name if I click on attach. I mean I call these assembler instructions in a virtual address space.
    I know only that every process has its own process environment block.

    Replies
    1. Yes, every single process has its own Process Environment Block (PEB). You can't read the PEB of another process unless you use the "ReadProcessMemory" function, which reads across process boundaries provided that you have the required privileges.

      The reason why OllyDbg does not show it is because OllyDbg uses the "EnumProcesses", "OpenProcess", "EnumProcessModules", "GetModuleFileNameExA" functions sequence (See screenshot no. 1).
      EnumProcessModules and GetModuleFileNameExA wrap up calls to the "ReadProcessMemory" function.
      For more info, read this:
      http://waleedassar.blogspot.com/2012/03/getmodulefilenameex-and-infinite-loops.html
