comment $



    ---------------------------------------------------
         Debugger "On-Attach" detection method TWO
    ---------------------------------------------------
         by Piotr Bania <bania.piotr@gmail.com>
	      http://pb.specialised.info
		 All rights reserved!



  Disclaimer
  ----------

   The author takes no responsibility for any actions taken with the 
   information or code provided here. The copyright for any material created 
   by the author is reserved. Duplication of the code or text provided here 
   in electronic or printed publications is not permitted without the 
   author's agreement. 


  Info
  ----

   A few days ago I released a Debugger "On-Attach" detection method,
   which gives an opportunity to place a hook somewhere between KiUserApcDispatcher
   and DbgBreakPoint (just as Jarkko Turkulainen wrote on his blog) and
   act before the debugger takes control of the debugged application.
   Just imagine the debug-prevention potential this has if the hook is
   placed at a random location using various injection forms (call/jmp/push-ret,
   on-the-fly decryptors, etc.) - it makes detecting the hook very complicated.

   Anyway, I have researched a new technique based on a similar fact:
   while a debugger is attaching, the ntdll!LdrInitializeThunk function is 
   executed, and then the PEB_LDR_DATA (loader data) from the Process Environment 
   Block (PEB) is parsed:

   .text:77F62AB4                 mov     eax, [ebx]            <-- EBX=PEB_LDR_DATA
   .text:77F62AB6                 mov     esi, [eax+14h]        <-- struct LIST_ENTRY InMemoryOrderModuleList

   My idea was to set PAGE_NOACCESS or PAGE_GUARD protection on 
   PEB_LDR_DATA, so that when a debugger is attached the attach path faults
   inside our application with an access violation. This method is a bit
   problematic for the original application, since PEB_LDR_DATA is used/scanned
   by most Windows APIs (and page protection is page-granular, so everything else
   on the page holding PEB_LDR_DATA becomes inaccessible too), but using it with
   the scheme:

   Reset PEB_LDR_DATA protection -> call NEEDED_API -> set the protection again, etc.

   should work. Of course the protection can also be set on different PEB_LDR_DATA
   members, etc. 


   WinDbg's reaction to this technique (note that the access violation is
   delivered to the debugger as a first-chance exception, i.e. the debugger is
   notified before the hooked dispatcher in the target gets to run):


	ModLoad: 00400000 00405000   image00400000
	Access violation - code c0000005 (first chance)
	eax=00251e90 ebx=7ffdf00c ecx=77fc1774 edx=00000000 esi=7ffdf000 edi=7ffdf000
	eip=77f62ab6 esp=003afc3c ebp=003afc9c iopl=0         nv up ei pl zr na po nc
	cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
	77f62ab6 8b7014           mov     esi,[eax+0x14]    ds:0023:00251ea4=????????



   Now the funny thing: while PEB_LDR_DATA is not accessible, OllyDbg/LordPE and some
   other tools CAN'T find the process - it is invisible in the OllyDbg/LordPE process list. 

   Moreover, check this with Process Explorer from Sysinternals (Process 
   Properties -> Threads) and yes, you are also caught! Secondly, Process Explorer 
   is not able to get the DLL handles. Sweet.  
     

   Now enjoy. This program runs an infinite sleep loop - attach a debugger to it while it spins.




$



include my_macro.inc

		call	ki_hook_setup

		mov 	ebx, dword ptr fs:[30h]		; PEB
		mov 	ebx, dword ptr [ebx+0ch]	; PEB_LDR_DATA
		mov	dword ptr [peb_ldr_data],ebx

		
		mov 	edx,PAGE_NOACCESS
		mov 	ecx,5
		mov 	eax,ebx
		call 	make_prot

ay:		
		push	500				; attach debugger here
		@callx  Sleep
		jmp	ay


in_s:		mov 	edx,PAGE_READWRITE
		mov 	ecx,5
		mov 	eax,dword ptr [peb_ldr_data]
		call 	make_prot

		@debug	"Debugger detected!",MB_ICONINFORMATION
		
		
exit:
		push 0
		@callx ExitProcess




peb_ldr_data				dd	0
_KiUserExceptionDispatcher		dd	0


; some of my old procedures cut out from protty

ki_hook_setup			proc
	
	pushad

	@delta2reg ebp

	@get_api_addr	"NTDLL.DLL","KiUserExceptionDispatcher"
	mov dword ptr [_KiUserExceptionDispatcher],eax

	mov edx,PAGE_READWRITE
	mov ecx,5
	mov eax,dword ptr [ebp+_KiUserExceptionDispatcher]
	call make_prot

	mov edi,dword ptr [ebp+_KiUserExceptionDispatcher]
	lea eax,[ebp+_HKiUserExceptionDispatcher]
	call make_jump	

	mov edx,PAGE_EXECUTE_READ
	mov ecx,5
	mov eax,dword ptr [ebp+_KiUserExceptionDispatcher]
	call make_prot	

	popad
	ret

ki_hook_setup			endp


make_prot			proc
	pushad
	@delta2reg ebp
	call @@x
	dd 0
	@@x:
	push edx
	push ecx
	push eax
	@callx VirtualProtect
	@check2 0,"Error: VirtualProtect() failed"
	popad
	ret

make_prot			endp


;EAX=hook proc / EDI=WHERE
make_jump			proc
	pushad
	MOV    BYTE PTR [EDI], 0E9h                                            
	SUB    EAX, EDI
	SUB    EAX, 5
	MOV    DWORD PTR [EDI + 1], EAX
	popad
	ret
make_jump			endp





_HKiUserExceptionDispatcher:
	call	in_s



	

end start