Results 1 to 2 of 2

Thread: Protected Mode Segmentation as a powerful anti-debugging measure

  1. #1

    Protected Mode Segmentation as a powerful anti-debugging measure

    The segmentation functionality has been present on the Intel processors since early stages of the CPU manufacturing. In real-mode, segments were the basis of 16-bit memory management, allowing the operating system or application to specify separate memory areas for different types of information, i.e. code, regular data, stack and so on. When a more complex [...]

    http://j00ru.vexillium.org/?p=866

  2. #2
    j00ru
    real-mode
    POC((c) Indy): Switch to V8086 mode(and back) to bypass APC-dispatcher(KiUserApcDispatcher()).
    Code:
    %NTERR macro
    	.if Eax
    		Int 3
    	.endif
    endm
    
    .code
    CreateHiddenThread proc uses ebx esi edi Ip:PVOID
    Local Context:CONTEXT
    Local RegionAddress:PVOID, RegionSize:ULONG
    Local ThreadHandle:HANDLE
    Local ClientId:CLIENT_ID
    	mov RegionAddress,4
    	mov RegionSize,PAGE_SIZE
    	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE
    	%NTERR
    	invoke RtlCreateUserThread, NtCurrentProcess, NULL, TRUE, 0, NULL, NULL, -1, 0, addr ThreadHandle, addr ClientId
    	%NTERR
    	mov Context.ContextFlags,CONTEXT_CONTROL or CONTEXT_SEGMENTS
    	invoke ZwGetContextThread, ThreadHandle, addr Context
    	%NTERR
    ; Cs:Ip
    	mov Context.regEip,2
    	mov Context.regSegCs,0
    	mov Context.regEFlags,EFLAGS_VM or EFLAGS_MASK
    	mov ebx,Context.regEsp
    	mov dword ptr ds:[2],90FEEBF9H	; Stc/Jmp $
    	invoke ZwSetContextThread, ThreadHandle, addr Context
    	%NTERR
    	invoke ZwResumeThread, ThreadHandle, NULL
    	%NTERR
    	.repeat
    		invoke ZwGetContextThread, ThreadHandle, addr Context
    		%NTERR
    		test Context.regEFlags,EFLAGS_CF
    	.until !Zero?
    	invoke ZwSuspendThread, ThreadHandle, NULL
    	%NTERR
    	mov ecx,Ip
    	mov Context.regSegCs,KGDT_R3_CODE or RPL_MASK
    	mov Context.regSegDs,KGDT_R3_DATA or RPL_MASK
    	mov Context.regSegEs,KGDT_R3_DATA or RPL_MASK
    	mov Context.regSegSs,KGDT_R3_DATA or RPL_MASK
    	mov Context.regSegFs,KGDT_R3_TEB or RPL_MASK
    	mov Context.regEsp,ebx
    	mov Context.regEip,ecx
    	mov Context.regEFlags,EFLAGS_MASK
    	invoke ZwSetContextThread, ThreadHandle, addr Context
    	%NTERR
    	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    	invoke ZwResumeThread, ThreadHandle, NULL
    	%NTERR
    	ret
    CreateHiddenThread endp
    
    Payload proc Arg:PVOID
    Local Response:ULONG
    	invoke ZwRaiseHardError, STATUS_SUCCESS, 1, 0, 0, OptionOkCancel, addr Response
    	invoke RtlExitUserThread, STATUS_SUCCESS
    Payload endp
    
    Entry proc
    Local Context:CONTEXT
    	mov Context.ContextFlags,CONTEXT_CONTROL
    	mov Context.regEbp,ebp
    	mov Context.regEip,offset Cont
    	mov Context.regSegCs,KGDT_R3_CODE or RPL_MASK
    	mov Context.regEFlags,EFLAGS_MASK	; !TF
    	mov Context.regEsp,esp
    	mov Context.regSegSs,KGDT_R3_DATA or RPL_MASK
    	invoke ZwContinue, addr Context, FALSE
    	test eax,eax
    Cont:
    	invoke CreateHiddenThread, addr Payload
    	ret
    Entry endp
    end Entry

Similar Threads

  1. Replies: 0
    Last Post: April 28th, 2008, 16:00
  2. linux anti anti debugging tut
    By 0xf001 in forum Linux RCE
    Replies: 13
    Last Post: January 21st, 2005, 19:48
  3. Replies: 2
    Last Post: October 9th, 2004, 15:38
  4. A Protected Mode Debugger
    By ajron in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: May 3rd, 2004, 16:17
  5. heh, on the subject of anti debugging....
    By Lord Soth in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: November 30th, 2000, 18:59

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •