My latest blog post, where I explain two anti-memory-breakpoint tricks:
http://waleedassar.blogspot.com/2012/11/defeating-memory-breakpoints.html
Any comments or ideas are very welcome.
Map a non-file section (R/E). Next, you cannot change the attributes.
Pt.zip
Last edited by Indy; November 12th, 2012 at 22:26.
Indy, instead of iterating through all kernel32.dll pages to determine the SizeOfImage value, you can just call the "ZwQueryVirtualMemory" function with "VirtualMemoryInformationClass" set to MemoryBasicVlmInformation (0x3). This should save you some instructions.
#define MemoryBasicVlmInformation 0x3      /* MEMORY_INFORMATION_CLASS value used for the query */

struct MEMORY_BASIC_VLM_INFORMATION
{
    unsigned long ImageBase;      /* base address of the image containing the queried address */
    unsigned long blah[0x2];      /* two fields not needed for this purpose */
    unsigned long SizeOfImage;    /* size of the mapped image */
};
Code: http://pastebin.com/RCkVDNXJ
By the way, this trick does not work, something is missing as attributes are easily changed.
walied
Module size is not needed.
"By the way, this trick does not work, something is missing as attributes are easily changed."
This cannot not work. Do you have a kernel there?
Maybe kernelbase?
Indy,
Which page are you protecting in ptImg.exe? I have tested on XP SP2 (no kernelbase.dll) without seeing the expected results.
Is it the page(s) at 0x410000 or kernel32.dll?
I am sure I am missing something.
Thanks Indy. Now I got it. This is a nice trick to defeat software (INT3) breakpoints; I will definitely add it to my bag of tricks. But this can't defeat memory breakpoints, since the page protection can still be changed to PAGE_NOACCESS. It can also be guarded.
Code cannot be changed (NtProtectVM returns STATUS_SECTION_PROTECTION).
Sample (for RWE):
Code:
.data
pGdiGetSpoolMessage PVOID ?
RegionAddress PVOID 0
SynchLock BOOLEAN FALSE
RaiseLock BOOLEAN FALSE

.code
ThreadStartupRoutine proc UserParameter:PVOID
WaitLock:
    cmp SynchLock,FALSE
    je WaitLock
    mov RaiseLock,FALSE
    ; Align 4, W.
    push 0
    push 0
    push PAGE_SIZE
    push RegionAddress
    Call pGdiGetSpoolMessage
    mov RaiseLock,TRUE
    jmp WaitLock
ThreadStartupRoutine endp

%PERR macro
    .if Eax != STATUS_INVALID_PAGE_PROTECTION
        int 3
    .endif
endm

%APIERR macro
    .if !Eax
        int 3
    .endif
endm

$Gdi32 CHAR "Gdi32.dll",0
$Entry CHAR "GdiGetSpoolMessage",0

Entry proc
    Local ClientId:CLIENT_ID
    Local ThreadHandle:HANDLE
    Local RegionSize:ULONG
    Local OldProtect:ULONG
    Local DllHandle:PVOID

    invoke LoadLibrary, addr $Gdi32
    %APIERR
    invoke GetProcAddress, Eax, offset $Entry
    %APIERR
    mov pGdiGetSpoolMessage,eax
    invoke RtlCreateUserThread, NtCurrentProcess, NULL, FALSE, 0, 0, 0, addr ThreadStartupRoutine, 0, addr ThreadHandle, addr ClientId
Synch:
    mov RegionSize,PAGE_SIZE
    mov RegionAddress,0
    invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT, PAGE_READWRITE
    mov SynchLock,TRUE
    invoke ZwSuspendThread, ThreadHandle, NULL
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    test eax,eax
    mov SynchLock,FALSE
    jnz Raise
    invoke ZwResumeThread, ThreadHandle, NULL
    jmp Synch
Raise:
    %PERR
    ; test for free.
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    %PERR
    ; test for change.
    invoke ZwProtectVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, PAGE_NOACCESS, addr OldProtect
    %PERR
    ; Unlock
    invoke ZwResumeThread, ThreadHandle, NULL
@@:
    cmp RaiseLock,FALSE
    je @b
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    int 3
    ret
Entry endp
Guard does not work for the region described in the TEB (StackBase & StackLimit).
walied
https://twitter.com/waleedassar/status/390334801321787392
It has been used in a crackme (http://vxforum.net/), along with other techniques (self-morph, write watch, etc.). Source code is available after registration.
Code:
push [edi].Protect
push MEM_DOS_LIM
push ViewShare
lea eax,ViewSize
push eax
lea eax,SectionOffset
push eax
push NULL
push NULL
lea eax,Sbase
push eax
push ProcessHandle
push SectionHandle
%NTCALL Api.pZwMapViewOfSection, 10
.if Eax == STATUS_INVALID_PARAMETER_9    ; <=== WOW ?
    push [edi].Protect
    push 0
    push ViewShare
    lea eax,ViewSize
    push eax
    lea eax,SectionOffset
    push eax
    push NULL
    push NULL
    lea eax,Sbase
    push eax
    push ProcessHandle
    push SectionHandle
    %NTCALL Api.pZwMapViewOfSection, 10
.endif
add edi,sizeof(SECTION)
dec Snum
Indy, send me the exe.
What's the name of the crackme? Is it available on vxforum only?
A mind is like a parachute. It doesnt work if it's not open.
Aha. This registration test!
This is the link, I think ... http://vxforum.net/b/c.rar