
Thread: # attach to me? if you can (part II)

  1. #1
    Imported blog (Kris Kaspersky)

    # attach to me? if you can (part II)

    the previous post describes how to intercept attaching, but that way does not prevent attaching itself. as it happens there is a simple and elegant way to block any attaching attempts. just wipe out the PEB=>PPEB_LDR_DATA field. the application is running well, the process is present in the process list of Task Manager/Process Explorer, but… it’s not listed in the Olly 1.10/Olly 2.00i attach windows!!!

    to_attach_ldr.exe is not present in the attach windows!


    ok, guys, another plan! load the file directly into OllyDbg 1.10 in order to debug it. can we debug it? well, yes, but… no. OllyDbg 1.10 does not show us the module list (so how are we supposed to set breakpoints on APIs?) and the map window is empty as well. OllyDbg 2.00i and IDA-Pro 5.3 have no such problem.

    IDA-Pro 5.3 can’t attach to the process either, she just freezes!!! and there is nothing to do but terminate IDA-Pro along with all the changes we have made. a very nasty bug!

    the source code is extremely simple. see it below or download it.

    #include <stdio.h>
    #include <windows.h>

    int main(void)
    {
        char x[] = "-\\|/";   // spinner characters (the post does not show this string; assumed)
        int  a = 0;
        __asm {
            mov eax, fs:[30h]     ; // PEB
            mov [eax + 0xC], eax  ; // damage LdrData (PEB->Ldr) to prevent attaching
        }
        // do something
        while (1) printf("\rattach to me [%c]", x[++a % (sizeof(x) - 1)]), Sleep(100);
    }
    so, you get it. any ideas how to hack it? does anybody know a way to attach to the process?



    http://nezumi-lab.org/blog/?p=122

  2. #2
    Registered User
    PEB_LdrData seems to be the same for every running process at that time. Code a loader that will inject some code that will restore PEB_LdrData to its rightful state. How to know its rightful state? Simple, just execute in the loader:
    mov eax, fs:[30h]
    mov eax, [eax + 0xC]

    Then eax holds the value that PEB_LdrData in the target process should be restored to. Didn't test it, but I imagine it works. I suppose I could put something together if anyone was interested.
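A defensive counterpart to both posts, added here and not code from either poster: a portable C check that, given a 32-bit PEB snapshot read out of a target process, reports whether its Ldr field is null, points back into the PEB the way `mov [eax+0xC], eax` leaves it, or points at memory that does not look like a PEB_LDR_DATA header (the "rightful state" the reply wants to restore). The PEB address, the one-page bounds heuristic and the sample byte buffers are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* x86 PEB layout: Ldr (PPEB_LDR_DATA) is at offset 0x0C, the field the trick overwrites.
   PEB_LDR_DATA begins with ULONG Length followed by BOOLEAN Initialized. */
#define PEB_LDR_OFFSET 0x0C
#define PEB_PAGE_SIZE  0x1000  /* bounds heuristic: the PEB occupies its own page (assumption) */

enum ldr_state { LDR_OK = 0, LDR_NULL, LDR_POINTS_INTO_PEB, LDR_BAD_HEADER };

/* peb_base: address the PEB bytes were read from in the target; peb: >= 0x10 bytes of it;
   ldr/ldr_len: bytes read from where PEB->Ldr points, or NULL if that read failed. */
enum ldr_state check_peb_ldr(uint32_t peb_base, const uint8_t *peb,
                             const uint8_t *ldr, size_t ldr_len)
{
    uint32_t ldr_ptr, length;
    memcpy(&ldr_ptr, peb + PEB_LDR_OFFSET, sizeof ldr_ptr); /* little-endian host assumed */
    if (ldr_ptr == 0)
        return LDR_NULL;
    /* "mov [eax+0xC], eax" makes Ldr point at the PEB itself; flag anything in that page */
    if (ldr_ptr >= peb_base && ldr_ptr < peb_base + PEB_PAGE_SIZE)
        return LDR_POINTS_INTO_PEB;
    if (ldr == NULL || ldr_len < 5)
        return LDR_BAD_HEADER;
    memcpy(&length, ldr, sizeof length);
    /* genuine PEB_LDR_DATA: Length is the struct size (0x30 on x86 XP and later), Initialized == 1 */
    if (length < 0x24 || length > 0x100 || ldr[4] != 1)
        return LDR_BAD_HEADER;
    return LDR_OK;
}

/* constructed sample: the state the trick leaves behind (Ldr == PEB address) */
enum ldr_state demo_tampered(void)
{
    uint8_t peb[0x10] = {0};
    uint32_t base = 0x7FFDF000u;                    /* a typical x86 PEB address, chosen for the demo */
    memcpy(peb + PEB_LDR_OFFSET, &base, 4);
    return check_peb_ldr(base, peb, NULL, 0);       /* returns LDR_POINTS_INTO_PEB */
}

/* constructed sample: an untouched process with a plausible PEB_LDR_DATA header */
enum ldr_state demo_healthy(void)
{
    uint8_t peb[0x10] = {0}, ldr[0x30] = {0};
    uint32_t base = 0x7FFDF000u, ldr_addr = 0x77DC0000u, len = 0x30;
    memcpy(peb + PEB_LDR_OFFSET, &ldr_addr, 4);
    memcpy(ldr, &len, 4);
    ldr[4] = 1;                                     /* Initialized */
    return check_peb_ldr(base, peb, ldr, sizeof ldr); /* returns LDR_OK */
}
```

On a live target the two buffers come from ReadProcessMemory of the PEB (its address via NtQueryInformationProcess) and of whatever PEB->Ldr points to; a loader that wants to repair the field should do so only when this check does not return LDR_OK.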
