Thread: PAGE_EXECUTE_WRITECOPY As Anti-Debug Trick

  1. #1

    PAGE_EXECUTE_WRITECOPY As Anti-Debug Trick

    Here you can find it

    http://waleedassar.blogspot.com/2012/09/pageexecutewritecopy-as-anti-debug-trick.html

    Any comments or ideas are very welcome

  2. #2
    Super Moderator | Join Date: Dec 2004 | Posts: 1,486 | Blog Entries: 15
    Though VirtualQuery / VirtualProtect / access violation check / guard page SEH handler and that kind of things are a bit old,

    I want to comment that using hardware BPs for step over / trace over etc. isn't new to OllyDbg 2.1.

    It has been there for quite some time, iirc from 1.08.

    A screenshot for 1.10 where you can ask OllyDbg to set an HBP for step over is posted below.

  3. #3
    Oh, yeah. This was just to note that not every OllyDbg version has this option, e.g. OllyDbg v2.00.01 (latest 2.x version) seems to lack this option. Thanks anyway, I have updated the blog post to include OllyDbg v1.10.

  4. #4
    This is not a trick.

  5. #5
    Quote Originally Posted by Indy View Post
    This is not a trick.
    I am sure I am not so good at naming stuff, but what is your point?

  6. #6
    Quote Originally Posted by blabberer View Post
    Though VirtualQuery / VirtualProtect / access violation check / guard page SEH handler and that kind of things are a bit old
    Could you please elaborate more?

  7. #7
    Super Moderator | Join Date: Dec 2004 | Posts: 1,486 | Blog Entries: 15
    Look for articles by Peter Ferrie / Kris Kaspersky etc.

    Basically, OllyDbg's break-on-memory-access uses PAGE_GUARD, handles the exception raised (iirc 0x80000001) and resets the flag using VirtualProtect.

    That this can possibly be monitored is the underlying concept.

  8. #8
    Quote Originally Posted by blabberer View Post
    Look for articles by Peter Ferrie / Kris Kaspersky etc.

    Basically, OllyDbg's break-on-memory-access uses PAGE_GUARD, handles the exception raised (iirc 0x80000001) and resets the flag using VirtualProtect.

    That this can possibly be monitored is the underlying concept.
    By the way, the way Breakpoint -> Memory, on access works in OllyDbg is not by calling the "VirtualProtectEx" function with the "flNewProtect" parameter set to PAGE_GUARD. It just works by calling the "VirtualProtectEx" function with the "flNewProtect" parameter set to PAGE_NOACCESS. However, OllyDbg properly handles STATUS_GUARD_PAGE_VIOLATION exceptions.

  9. #9
    VirtualAlloc( MEM_WRITE_WATCH ) is similar

  10. #10
    Quote Originally Posted by aqrit View Post
    VirtualAlloc( MEM_WRITE_WATCH ) is similar
    Thanks Sir. I really did not know that. It is really useful.
