Results 1 to 3 of 3

Thread: # Olly loads Olly to bypass anti-attach tricks /* Clerk? trick */

  1. #1
    Imported blog (Kris Kaspersky)
    Join Date
    May 2008

    # Olly loads Olly to bypass anti-attach tricks /* Clerk? trick */

    the problem of anti-anti-attaching came up in conversation on the legendary site. Clerk (a very clever guy carring a heavy plasma gun, loaded with rounds of brilliant ideas) as always offered a very elegant, yet bizarre solution (ru). I wonder - what kind of Rasta stuff makes him so creative! well, stop to expatiate, back to business.

    previous posts demonstrate numerous anti-attach tricks and most of them based on the system thread, creating by OS during attaching. here they are (the tricks): BaseThreadStartThunk => NO_ACCESS, NtRequestWaitReplyPort, DbgBreakPoint

    the question is - how to ask OS do not create the system thread? to do it we should know OS internals. IDA-Pro/Soft-Ice shows us that KERNEL32!DebugActiveProcess comes to NTDLL!DbgUiDebugActiveProcess, who calls NTDLL!ZwDebugActiveProcess/ NTDLL!DbgUiIssueRemoteBreakin| NTDLL!DbgUiStopDebugging (just to dissemble NTDLL!DbgUiDebugActiveProcess to see it with your own eyes).

    the point is - NTDLL!ZwDebugActiveProcess does all job, attaching a debugger to the process. . as soon as NTDLL!ZwDebugActiveProcess returns status ok, the process has been attached and can be debugger. but! operation system calls NTDLL!DbgUiIssueRemoteBreakin just to notify the debugger by generating breakpoint exception, however, we don’t need it!!!

    so, what we’re going to do? I prefer to use old soft-ice with global breakpoints support. just set HW or software breakpoint on NTDLL!DbgUiDebugActiveProcess or NTDLL!ZwDebugActiveProcess and skip the rest of the function. it’s easy, but soft-ice does not work with newest operation system.

    Clerk found the way how to do this with Olly. the idea is: load Olly into Olly. yeah! right!

    1) load Olly into Olly /* to avoid a mess lets call the first Olly (I) and the loaded copy - Olly (II) */;
    2) Olly (I): Set breakpoint on NTDLL!DbgUiDebugActiveProcess: View\Executable Modules\NTDLL.DLL, CTRL-N, “DbgUiDebugActiveProcess”, F2, ENTER;
    3) Olly (I): run Olly (II): press F9 several times until right corner “paused” changed by “running” meaning that Olly (II) is still under debugging but it’s running now;
    4) ALT-TAB to switch to Olly (II);
    5) Olly (II): File\Attach\name_of_the_trickily_process to attach (for example: to_attach_36.exe);
    6) Olly (I) pops up, the breakpoint has been triggered;
    7) to_attach_36.exe is still running;
    8) Olly (I): press F8 several time until NTDLL!ZwDebugActiveProcess is executed;
    9) to_attach_36.exe has been stopped, Olly (II) has been attached to it, Olly (II) is stopped as well;
    10) Olly (I): move cursor to the next command after NTDLL!DbgUiStopDebugging, right click to context menu and “new origin here” or simple press CTRL+Gray * (”gray” means small numeral keyboard);
    11) Olly (I): press F9 to run Olly(II);
    12) ALT-TAB to switch to Olly (II);
    13) Olly (II) shows naked screen w/o any info, to_attach_36.exe is running;
    14) Olly (II): View\Threads. do you see the only one thread? the main thread of the app?! wow!
    15) Olly (II): press “pause” to stop to_attach_36.exe;
    16) Olly (II) updates CPU window and from that moment we can trace to_attach_36.exe as usual;

    well, you got it. a nice trick to bypass anti-attaches. it’s very powerful and universal, but does not work with PEB=>LdrData . um, every technique has its own limitations.

    meanwhile, you probably know, if the process is already attached to another process, we can’t attach our debugger to it. many protections use this trick - they create a child process (packed), attaches to it for dynamic unpacking. but there is a loophole. we can attach to the parent process unless the child not attached to the father. yes!!! a debugged process can attach to the debugger!!! it looks like (parent <== attach ==> child)

    I’ll write about it latter, showing you how to break this chain. for now, you can play with Clerk’s trick!

    Olly loaded into Olly attached to to_attach_36.exe

  2. #2
    Very interesting technique. This could be implemented as an Olly plugin (through in-memory patching of ntdll)

  3. #3
    Neat stuff. The Russians always come up with interesting concepts when it comes to reverse engineering. I don't know how they can be so strong in one area but props to them!

Similar Threads

  1. Olly crashes when I try to attach to a new process that malware started
    By Sunk in forum Malware Analysis and Unpacking Forum
    Replies: 6
    Last Post: April 22nd, 2012, 16:31
  2. How to get around anti-disassembly tricks on Olly?
    By Sunk in forum The Newbie Forum
    Replies: 2
    Last Post: March 20th, 2012, 14:08
  3. A new Anti-Olly trick
    By walied in forum Malware Analysis and Unpacking Forum
    Replies: 0
    Last Post: December 27th, 2011, 04:58
  4. An anti-attach trick.
    By walied in forum Malware Analysis and Unpacking Forum
    Replies: 7
    Last Post: December 20th, 2011, 14:37
  5. ICanAttach, a plugin to bypass anti-attaching tricks.
    By walied in forum Plugins (General)
    Replies: 0
    Last Post: December 13th, 2011, 16:35


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts