Thread: Defeating Memory Breakpoints

  1. #1

    Defeating Memory Breakpoints

    My latest blog post, where I explain two anti-memory-breakpoint tricks.

    http://waleedassar.blogspot.com/2012/11/defeating-memory-breakpoints.html

    Any comments or ideas are very welcome.

  2. #2
    Map not file section (R/E). Next you cannot change the attributes.

    Pt.zip
    Last edited by Indy; November 12th, 2012 at 22:26.

  3. #3
    Indy, instead of iterating through all kernel32.dll pages to determine the SizeOfImage value, you can just call the "ZwQueryVirtualMemory" function with "VirtualMemoryInformationClass" set to MemoryBasicVlmInformation (0x3). This should save you some instructions.

    #define MemoryBasicVlmInformation 0x3
    struct MEMORY_BASIC_VLM_INFORMATION
    {
        unsigned long ImageBase;
        unsigned long blah[0x2];
        unsigned long SizeOfImage;
    };

    Code: http://pastebin.com/RCkVDNXJ

    By the way, this trick does not work, something is missing as attributes are easily changed.

  4. #4
    walied
    Module size is not needed.

    By the way, this trick does not work, something is missing as attributes are easily changed.
    This no can not work. Do you have a kernel there?
    mb kernelbase ?

  5. #5
    Indy,

    Which page are you protecting in ptImg.exe? I have tested on XP SP2 (no kernelbase.dll) without seeing the expected results.

    Is it page(s) at 0x410000 or kernel32.dll?

    I am sure I am missing something.

  6. #6

  7. #7
    Thanks Indy. Now I got it. This is a nice trick to defeat software (INT3) breakpoints; I will definitely add it to my bag of tricks. But this can't defeat memory breakpoints, since the page protection can still be changed to PAGE_NOACCESS. It can also be guarded.
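To make concrete what post #7 refers to, here is an added example (not code from the thread, the linked blog, or any debugger) that implements the mechanism behind a PAGE_NOACCESS-style memory breakpoint on a POSIX system: the watched page is stripped of all access with mprotect (the analogue of the debugger's NtProtectVirtualMemory call), the resulting fault is caught in a SIGSEGV handler (the analogue of the debugger's exception dispatch), counted, and access is restored so the faulting instruction re-executes. The buffer, offsets and byte values are constructed for the demo; memory_breakpoint_demo is a hypothetical name. It returns the number of hits, and -1 when the protection change itself is refused, which is the situation the tricks discussed in this thread try to bring about.

```c
/* Constructed teaching example: how a debugger's "memory breakpoint" works
 * on a POSIX system. Not code from the thread or from any real debugger. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static volatile sig_atomic_t g_hits;   /* faults observed on the watched page */
static uintptr_t g_watch_page;         /* page the "breakpoint" is armed on */
static size_t g_page_size;

/* Fault handler: the equivalent of the debugger's exception dispatcher.
 * If the faulting address lies on the watched page, count the hit and
 * restore access so the faulting instruction re-executes successfully
 * (a single-shot PAGE_NOACCESS breakpoint). Any other fault is handed
 * back to the default action so a real bug still crashes visibly. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t page = (uintptr_t)si->si_addr & ~(uintptr_t)(g_page_size - 1);
    if (page != g_watch_page) {
        signal(SIGSEGV, SIG_DFL);      /* not ours: crash normally on retry */
        return;
    }
    g_hits++;
    mprotect((void *)page, g_page_size, PROT_READ | PROT_WRITE);
}

/* Arm a memory breakpoint on one page, touch it twice, re-arm, read it.
 * Returns the number of faults the handler observed (2 on success), or -1
 * if the page could not be set up or its protection could not be changed,
 * which is exactly the failure an anti-memory-breakpoint trick aims for. */
int memory_breakpoint_demo(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    g_page_size = (size_t)ps;

    /* Constructed target: one private anonymous page, volatile so the
     * compiler keeps every access below. */
    volatile unsigned char *buf = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    g_watch_page = (uintptr_t)buf;
    g_hits = 0;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap((void *)buf, g_page_size);
        return -1;
    }

    int result = -1;
    /* Arm: strip all access, the PAGE_NOACCESS-style memory breakpoint.
     * If this call is refused, the breakpoint cannot be placed. */
    if (mprotect((void *)buf, g_page_size, PROT_NONE) == 0) {
        buf[0x10] = 0x41;              /* faults once; handler restores access */
        buf[0x20] = 0x42;              /* no fault: breakpoint already consumed */
        if (mprotect((void *)buf, g_page_size, PROT_NONE) == 0) {   /* re-arm */
            unsigned char seen = buf[0x10];   /* a read faults as well */
            result = (seen == 0x41) ? (int)g_hits : -1;
        }
    }

    sigaction(SIGSEGV, &old, NULL);    /* always restore the previous handler */
    munmap((void *)buf, g_page_size);
    return result;
}

int main(void)
{
    int hits = memory_breakpoint_demo();
    printf("memory breakpoint hits: %d\n", hits);   /* prints 2 */
    return hits == 2 ? 0 : 1;
}
```

The single-shot behaviour (access restored inside the handler) is what lets the faulting instruction complete; a debugger that wants the breakpoint to persist re-arms the page after single-stepping the instruction, which is the step the second mprotect in the demo stands in for. On Windows the same sequence is NtProtectVirtualMemory plus the STATUS_ACCESS_VIOLATION (or STATUS_GUARD_PAGE_VIOLATION, for PAGE_GUARD) exception, and a target that arranges for that protection change to fail is what the rest of this thread is about.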

  8. #8
    Code cannot be changed (NtProtectVM returns STATUS_SECTION_PROTECTION).

    Sample (for RWE):
    Code:
    .data
    pGdiGetSpoolMessage	PVOID ?		; resolved at run time from Gdi32.dll
    
    RegionAddress	PVOID 0		; page the worker thread hands to the kernel
    SynchLock		BOOLEAN FALSE	; main -> worker: region is ready
    RaiseLock		BOOLEAN FALSE	; worker -> main: kernel call has returned
    
    .code
    ; Worker thread: once the region is ready, call GdiGetSpoolMessage on it
    ; so the kernel is holding the page while the main thread probes it.
    ThreadStartupRoutine proc UserParameter:PVOID
    WaitLock:
    	cmp SynchLock,FALSE
    	je WaitLock
    	mov RaiseLock,FALSE
    ; Align 4, W.
    	push 0
    	push 0
    	push PAGE_SIZE
    	push RegionAddress
    	Call pGdiGetSpoolMessage
    	mov RaiseLock,TRUE
    	jmp WaitLock
    ThreadStartupRoutine endp
    
    ; Break into the debugger unless the call failed the expected way.
    %PERR macro
    	.if Eax != STATUS_INVALID_PAGE_PROTECTION
    		int 3
    	.endif
    endm
    
    ; Break into the debugger if a Win32 API call returned NULL.
    %APIERR macro
    	.if !Eax
    		int 3
    	.endif
    endm
    
    $Gdi32	CHAR "Gdi32.dll",0
    $Entry	CHAR "GdiGetSpoolMessage",0
    
    Entry proc
    Local ClientId:CLIENT_ID
    Local ThreadHandle:HANDLE
    Local RegionSize:ULONG
    Local OldProtect:ULONG
    Local DllHandle:PVOID
    	invoke LoadLibrary, addr $Gdi32
    	%APIERR
    	invoke GetProcAddress, Eax, offset $Entry
    	%APIERR
    	mov pGdiGetSpoolMessage,eax
    	invoke RtlCreateUserThread, NtCurrentProcess, NULL, FALSE, 0, 0, 0, addr ThreadStartupRoutine, 0, addr ThreadHandle, addr ClientId
    ; Allocate a page, hand it to the worker, suspend the worker mid-call and
    ; try to free the page; repeat until the free is refused.
    Synch:
    	mov RegionSize,PAGE_SIZE
    	mov RegionAddress,0
    	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT, PAGE_READWRITE
    	mov SynchLock,TRUE
    	invoke ZwSuspendThread, ThreadHandle, NULL
    	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    	test eax,eax
    	mov SynchLock,FALSE
    	jnz Raise
    	invoke ZwResumeThread, ThreadHandle, NULL
    	jmp Synch
    ; The page is now held by the kernel: both freeing it and changing its
    ; protection are expected to fail.
    Raise:
    	%PERR
    ; test for free.
    	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    	%PERR
    ; test for change.
    	invoke ZwProtectVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, PAGE_NOACCESS, addr OldProtect
    	%PERR
    ; Unlock: let the worker finish its call, then the page can be freed again.
    	invoke ZwResumeThread, ThreadHandle, NULL
    @@:
    	cmp RaiseLock,FALSE
    	je @b
    	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    	int 3
    	ret
    Entry endp
    [Attached image: nt.png]
    Guard does not work for the region described in the TEB (StackBase & StackLimit).

  9. #9
    walied

    https://twitter.com/waleedassar/status/390334801321787392

    It has been used in a crackme (http://vxforum.net/), along with other techniques (self-morph, write watch, etc.). Source code is available after registration.

    Code:
    		push [edi].Protect
    		push MEM_DOS_LIM
    		push ViewShare
    		lea eax,ViewSize
    		push eax
    		lea eax,SectionOffset
    		push eax
    		push NULL
    		push NULL
    		lea eax,Sbase
    		push eax
    		push ProcessHandle
    		push SectionHandle
    		%NTCALL Api.pZwMapViewOfSection, 10
    		.if Eax == STATUS_INVALID_PARAMETER_9 ; <=== WOW ?
    			push [edi].Protect
    			push 0
    			push ViewShare
    			lea eax,ViewSize
    			push eax
    			lea eax,SectionOffset
    			push eax
    			push NULL
    			push NULL
    			lea eax,Sbase
    			push eax
    			push ProcessHandle
    			push SectionHandle
    			%NTCALL Api.pZwMapViewOfSection, 10
    		.endif
    		add edi,sizeof(SECTION)
    		dec Snum

  10. #10
    Indy, send me the exe.

  11. #11
    ZaiRoN:
    What's the name of the crackme? Is it available on vxforum only?

  12. #12
    Aha. This registration test

  13. #13
    This is the link, I think: http://vxforum.net/b/c.rar
