Thread: An anti-attach trick.

  1. #1

    An anti-attach trick.

    I need to present a new anti-attach trick that I have recently come up with.

    Given the two following facts, 1) for a debugger to attach itself to a process, the debugger has to create a remote thread in the process, and 2) the OS loader calls TLS callbacks when a new thread is created in a process, we can design a TLS callback which increments a global variable. This global variable holds the number of threads in the current process. If the value in this variable exceeds a specific number, this means that a foreign thread has just been created and the process has to exit as such.

    This is a simple demonstrating example.
    http://ollytlscatch.googlecode.com/files/example1.rar

    [Attached image: 2.jpg]

    To make things harder, we would use dynamic TLS callbacks instead.

    To implement a dynamic TLS callback, follow these 2 steps:
    1) Create a TLS structure and then store its rva and size in the TLS data directory at runtime.
    2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.

    Source code can be found here.
    http://ollytlscatch.googlecode.com/files/example2.rar

    It works on Win XP SP3 only. You can edit the source code to include other OSes.

    N.B. This trick is still in progress and I am waiting for any feedback.
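    Added example (not part of the thread or of walied's code): the analyst-side counterpart of step 1 above. A static TLS callback is visible in the PE file's TLS data directory (index 9 of the data-directory table), so a reviewer who wants to know whether code runs before the entry point can walk that directory and list the callback addresses. The script below builds a small constructed PE32 file with a `.tls` section (the image layout, base address and callback values are made-up test data, not taken from the thread's archives) and then parses it back; the `declare_tls=False` variant leaves the data directory empty, which is exactly what the "dynamic TLS callback" variant produces, so the scan reports nothing and the callbacks only become visible at runtime.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the data-directory table


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (file layout != memory layout)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(image):
    """Return the list of TLS callback VAs declared statically in a PE image (PE32 or PE32+).

    Returns [] when the TLS data directory is empty; a callback array filled in at
    runtime is therefore invisible to this static check.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:  # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        num_dirs = struct.unpack_from("<I", image, opt + 92)[0]
        dirs, ptr_size, fmt = opt + 96, 4, "<I"
    elif magic == 0x20B:  # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        num_dirs = struct.unpack_from("<I", image, opt + 108)[0]
        dirs, ptr_size, fmt = opt + 112, 8, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, tls_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0 or tls_size == 0:
        return []  # no static TLS directory declared
    # Section table follows the optional header; each entry is 40 bytes.
    sections = []
    sec = opt + size_of_opt
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    # IMAGE_TLS_DIRECTORY: three pointers, then AddressOfCallBacks (a VA, not an RVA).
    tls_off = _rva_to_offset(tls_rva, sections)
    callbacks_va = struct.unpack_from(fmt, image, tls_off + 3 * ptr_size)[0]
    if callbacks_va == 0:
        return []
    cb_off = _rva_to_offset(callbacks_va - image_base, sections)
    result = []
    while True:  # zero-terminated array of callback VAs
        va = struct.unpack_from(fmt, image, cb_off)[0]
        if va == 0:
            return result
        result.append(va)
        cb_off += ptr_size


def build_sample_pe(callback_vas, image_base=0x400000, declare_tls=True):
    """Constructed test data: a minimal PE32 with one '.tls' section at RVA 0x1000
    (file offset 0x200) holding a TLS directory and a zero-terminated callback array.
    With declare_tls=False the TLS data directory is left empty (the dynamic variant)."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    cb_rva = sec_va + 0x20
    tls_dir = struct.pack("<IIIIII", 0, 0, 0, image_base + cb_rva, 0, 0)
    cb_array = b"".join(struct.pack("<I", va) for va in callback_vas) + b"\0\0\0\0"
    body = (tls_dir.ljust(0x20, b"\0") + cb_array).ljust(sec_size, b"\0")
    data_dirs = [(0, 0)] * 16
    if declare_tls:
        data_dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (sec_va, len(tls_dir))
    opt_header = struct.pack(
        "<HBB6I3I6H4I2H6I",
        0x10B, 0, 0,                   # Magic (PE32), linker version
        0, 0, 0, 0, 0, 0,              # sizes, entry point, BaseOfCode, BaseOfData
        image_base, 0x1000, 0x200,     # ImageBase, SectionAlignment, FileAlignment
        0, 0, 0, 0, 0, 0,              # OS / image / subsystem versions
        0, 0x2000, 0x200, 0,           # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                          # Subsystem (GUI), DllCharacteristics
        0, 0, 0, 0, 0, len(data_dirs), # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    ) + b"".join(struct.pack("<II", rva, size) for rva, size in data_dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt_header), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".tls", 0x100, sec_va, sec_size, sec_raw,
                          0, 0, 0, 0, 0xC0000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt_header + section).ljust(sec_raw, b"\0")
    return headers + body


if __name__ == "__main__":
    static = build_sample_pe([0x401000, 0x401100])
    dynamic = build_sample_pe([0x401000, 0x401100], declare_tls=False)
    print("static TLS callbacks :", [hex(v) for v in tls_callbacks(static)])
    print("dynamic variant      :", tls_callbacks(dynamic))
```

    The point for an analyst is the second line of output: the binary using the dynamic variant declares no TLS directory at all, so the pre-entry-point code has to be found by watching the TLS data directory and the loader's TLS state at runtime rather than by a file scan.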

  2. #2
    When creating a remote thread to remove the dbgport.

  3. #3
    Hi Indy,

    Honestly, I could not get it all. Could you please elaborate?

  4. #4

  5. #5
    The "load olly into olly" workaround works fine as we jump over the call to the "DbgUiIssueRemoteBreakin" function, bypassing creation of any remote threads. It is also noteworthy that some functionalities fail after applying that workaround.

  6. #6
    Set the ldr notifier. Now proceed to detach from it (NtRemoveProcessDebug).

  7. #7
    Code:
        xxx++; //one more thread is created in this process
        if(xxx>MAX_NUM_OF_THREADS)
        {
            MessageBoxA(0,"A7a, Are you trying to attach a debugger to me?","A7a",0);
            ExitProcess(100);
        }
    ...how can you know the number of concurrent threads you ever have? What if one of the libraries *dares* to create a thread for its internal workings?
    The idea is nice, but you cannot use it in that simplistic way, at least for complex applications in a (relatively) complex DLL environment.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  8. #8
    I know counting threads is not the best option. It is here just for simplification. We can rather query the starting address (entry point) of each new thread. If the starting address is a specific function (e.g. DbgUiRemoteBreakin) or does not belong to a set of defined functions, then it is an attaching thread and the process should exit.
    Last edited by walied; December 20th, 2011 at 15:36.
