
Thread: Win Debug API's

  1. #1

    Win Debug API's

    Hi guys,

    Can anyone tell me what I'm doing wrong with this snippet of code? I just try to start an Asprotected Exe through the WinDebug Api and to evade the IsDebuggerPresent call I 'try' to clear the flag.

    All my calls to ReadProcessMemory fail though...

    Code:
    HideIsDebuggerPresent proc
    LOCAL Ouch:BYTE
    
    	mov tc.ContextFlags, CONTEXT_FULL
    	invoke GetThreadContext,pi.hThread,o$ tc
    	
    	mov ecx, tc.regFs
    	add ecx, 18h
    	invoke ReadProcessMemory,pi.hProcess,ecx,a$ szTemp,4,NULL
    	mov ecx, d$ [szTemp]
    	add ecx, 30h
    	invoke ReadProcessMemory,pi.hProcess,ecx,a$ szTemp,4,NULL
    	mov ecx, d$ [szTemp]
    	invoke ReadProcessMemory,pi.hProcess,ecx,a$ szTemp,4,NULL
    	mov ecx, d$ [szTemp]
    	add ecx, 2
    	mov Ouch, 0
    	invoke WriteProcessMemory,pi.hProcess,ecx,a$ Ouch,1,NULL
    	ret
    HideIsDebuggerPresent endp
    I'm using Icz's Tut Number 28 as the base for this; the only modification is that all calls to ContinueDebugEvent are flagged as DBG_EXCEPTION_NOT_HANDLED.

  2. #2
    Here's the whole source...

  3. #3
    sHice
    mov ecx, tc.regFs <- let's say FS is 30h
    add ecx, 18h <- and you add 18h. This means that you try to read memory from 48h! So ReadProcessMemory fails!

    here's the way i do it:
    assume fs: nothing
    mov eax, fs:[18h]
    mov eax, [eax+30h]
    add eax, 02h
    invoke WriteProcessMemory, t_hProcess, eax, addr DbgPatch, sizeof DbgPatch, 0 ;DbgPatch db 00h
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    I see how that can be false... but still, no go. I can't make the connection.

    This is what I'm basing it on...

    assume fs: nothing
    mov eax, fs:[18h]
    mov eax, [eax+30h]
    add eax, 02h

    And then I load my exe and need to get the address of what RegFs[18h] is pointing to in that context, right?

    How would I do that with the indirection of 18h?

  5. #5
    disavowed
    Quote Originally Posted by sHice
    here's the way i do it:
    assume fs: nothing
    mov eax, fs:[18h]
    mov eax, [eax+30h]
    add eax, 02h
    invoke WriteProcessMemory, t_hProcess, eax, addr DbgPatch, sizeof DbgPatch, 0 ;DbgPatch db 00h
    Actually, this will use the debugger-process's memory to compute EAX. You want to use the debuggee-process's memory to compute EAX, since you will be using the value of EAX in the context of the debuggee. Thus, instead of using the code above to retrieve fs:[18h], you should use GetThreadSelectorEntry(...) to get the address of the fs segment in the debuggee, and then add 18h to that and ReadProcessMemory(...) it. Then ReadProcessMemory(...) that plus 30h, and then add 2.

  6. #6
    I'm on it

  7. #7
    Howdy,

    Can someone have a look and tell me if I'm getting closer?

    Code:
    HideIsDebuggerPresent proc
    LOCAL Ouch:BYTE
    
    	;int 3
    	mov tc.ContextFlags, CONTEXT_FULL
    	invoke GetThreadContext,pi.hThread,o$ tc
    
    	invoke GetThreadSelectorEntry,pi.hThread,tc.regFs,o$ ltdentry
    
    	xor eax, eax
    	mov ax, ltdentry.BaseLow
    	xor edx, edx
    	mov dl, ltdentry.HighWord1.Bytes.BaseMid
    	shl edx, 16
    	xor ecx, ecx
    	mov cl, ltdentry.HighWord1.Bytes.BaseHi
    	shl ecx, 24
    	add eax, edx
    	add eax, ecx
    	;int 3
    	; eax == 7FFDF000 (assume correct)
    	add eax, 18h
    	invoke ReadProcessMemory,pi.hProcess,eax,o$ szTemp,4,0
    	 mov eax, o$ szTemp
    	 add d$ [eax], 30h
    	 invoke ReadProcessMemory,pi.hProcess,[eax],o$ szTemp,4,0
    	 mov eax, o$ szTemp
    	 add d$ [eax], 2
    	 mov Ouch, 0
    	 mov edx, eax
    	 invoke WriteProcessMemory,pi.hProcess,edx,a$ Ouch,1,NULL
    	ret
    HideIsDebuggerPresent endp

  8. #8
    YES!!!!!!!!!

    Got it!

    Last line: I forgot the indirection with [edx].

    Correct version below:

    Code:
    HideIsDebuggerPresent proc
    LOCAL Ouch:BYTE
    
    	;int 3
    	mov tc.ContextFlags, CONTEXT_FULL
    	invoke GetThreadContext,pi.hThread,o$ tc
    
    	invoke GetThreadSelectorEntry,pi.hThread,tc.regFs,o$ ltdentry
    
    	xor eax, eax
    	mov ax, ltdentry.BaseLow
    	xor edx, edx
    	mov dl, ltdentry.HighWord1.Bytes.BaseMid
    	shl edx, 16
    	xor ecx, ecx
    	mov cl, ltdentry.HighWord1.Bytes.BaseHi
    	shl ecx, 24
    	add eax, edx
    	add eax, ecx
    	;int 3
    	
    	add eax, 18h
    	invoke ReadProcessMemory,pi.hProcess,eax,o$ szTemp,4,0 ; eax == 7FFDF018
    	 mov eax, o$ szTemp
    	 add d$ [eax], 30h	;	[EAX]==???
    	 invoke ReadProcessMemory,pi.hProcess,[eax],o$ szTemp,4,0
    	 mov eax, o$ szTemp
    	 add d$ [eax], 2
    	 mov Ouch, 0
    	 mov edx, eax
    	 invoke WriteProcessMemory,pi.hProcess,[edx],a$ Ouch,1,NULL
    	ret
    HideIsDebuggerPresent endp
    About bloody time.
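The address chain that posts #5 and #8 arrive at (FS base, then the TEB self pointer at +18h, then the PEB pointer at +30h, then BeingDebugged at PEB+2), as an added C example that is not code from this thread or from Iczelion's tutorial. It builds without windows.h: the LDT_ENTRY mirror, the read callback and the debuggee image are constructed here so the logic runs on any host, and locate_being_debugged stands in for the ReadProcessMemory sequence. The field names, the 18h/30h/02h offsets and the sample addresses come from the thread; the function names and the fake process layout are this example's own assumptions. The second lookup deliberately uses a different base than the debuggee's, which reproduces the short-read failure posts #12 and #14 describe, and is why every read here checks the byte count instead of passing NULL for it as the posted code does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the LDT_ENTRY fields used here (assumed to follow winnt.h's layout);
   windows.h is not included so the example builds on any host. */
typedef struct {
    uint16_t LimitLow;
    uint16_t BaseLow;
    uint8_t  BaseMid;
    uint8_t  Flags1;
    uint8_t  Flags2;
    uint8_t  BaseHi;
} ldt_entry_t;

/* Segment base from a selector entry, as posts #7/#8 compute it in assembly:
   BaseLow | BaseMid << 16 | BaseHi << 24. */
uint32_t segment_base(const ldt_entry_t *e) {
    return (uint32_t)e->BaseLow | ((uint32_t)e->BaseMid << 16) | ((uint32_t)e->BaseHi << 24);
}

/* Stand-in for ReadProcessMemory on the debuggee: returns the byte count actually
   copied, so a short read (ERROR_PARTIAL_COPY in the real API) is visible to the caller. */
typedef size_t (*read_fn)(void *ctx, uint32_t addr, void *out, size_t len);

/* Offsets used throughout the thread: TEB+18h = TEB self pointer, TEB+30h = PEB pointer,
   PEB+02h = BeingDebugged. */
#define TEB_SELF_OFFSET       0x18u
#define TEB_PEB_OFFSET        0x30u
#define PEB_BEINGDEBUGGED_OFF 0x02u

/* Resolve &PEB.BeingDebugged inside the debuggee by following every pointer through
   the debuggee's own memory (never the debugger's fs:). 0 on success, -1 on a short read. */
int locate_being_debugged(read_fn rd, void *ctx, uint32_t fs_base, uint32_t *out_addr) {
    uint32_t teb, peb;
    if (rd(ctx, fs_base + TEB_SELF_OFFSET, &teb, 4) != 4) return -1;
    if (rd(ctx, teb + TEB_PEB_OFFSET, &peb, 4) != 4) return -1;
    *out_addr = peb + PEB_BEINGDEBUGGED_OFF;
    return 0;
}

/* Constructed debuggee image (assumption: one 8 KiB region holding both TEB and PEB). */
typedef struct {
    uint32_t base;
    uint8_t  mem[0x2000];
} fake_process_t;

static size_t fake_read(void *ctx, uint32_t addr, void *out, size_t len) {
    fake_process_t *p = ctx;
    /* Anything outside the region is unmapped: report a partial (zero-byte) copy. */
    if (addr < p->base || (size_t)(addr - p->base) + len > sizeof p->mem) return 0;
    memcpy(out, p->mem + (addr - p->base), len);
    return len;
}

static void put32(fake_process_t *p, uint32_t addr, uint32_t v) {
    memcpy(p->mem + (addr - p->base), &v, sizeof v);
}

/* Lay out a debuggee whose TEB/PEB sit at caller-chosen addresses, flag set to 1. */
static void build_fake_process(fake_process_t *p, uint32_t teb, uint32_t peb) {
    memset(p, 0, sizeof *p);
    p->base = teb;
    put32(p, teb + TEB_SELF_OFFSET, teb);
    put32(p, teb + TEB_PEB_OFFSET, peb);
    p->mem[(peb + PEB_BEINGDEBUGGED_OFF) - p->base] = 1;
}

/* Read the debuggee's BeingDebugged using fs_base as the thread's FS base (what
   GetThreadSelectorEntry, or CREATE_PROCESS_DEBUG_INFO.lpThreadLocalBase per post #10,
   would report). Returns the flag value, or -1 when the chain cannot be read. */
int being_debugged_demo(uint32_t fs_base, uint32_t teb, uint32_t peb) {
    fake_process_t p;
    uint32_t target;
    build_fake_process(&p, teb, peb);
    if (locate_being_debugged(fake_read, &p, fs_base, &target) != 0) return -1;
    return p.mem[target - p.base];
}

/* Same chain, then the one-byte write the thread's WriteProcessMemory call performs.
   Returns the flag value afterwards, or -1 on failure. */
int clear_flag_demo(uint32_t teb, uint32_t peb) {
    fake_process_t p;
    uint32_t target;
    build_fake_process(&p, teb, peb);
    if (locate_being_debugged(fake_read, &p, teb, &target) != 0) return -1;
    p.mem[target - p.base] = 0;
    return p.mem[(peb + PEB_BEINGDEBUGGED_OFF) - p.base];
}

int main(void) {
    /* Debuggee TEB at 7FFDA000 (an XP-style value from post #14), PEB one page above. */
    printf("flag via debuggee's own FS base  : %d\n", being_debugged_demo(0x7FFDA000u, 0x7FFDA000u, 0x7FFDB000u));
    printf("flag via debugger's 7FFDE000 base: %d (short read)\n", being_debugged_demo(0x7FFDE000u, 0x7FFDA000u, 0x7FFDB000u));
    printf("flag after clearing              : %d\n", clear_flag_demo(0x7FFDA000u, 0x7FFDB000u));
    return 0;
}
```

The point of the three calls in main is the second one: feeding the debugger's own FS base into the debuggee walk does not silently read wrong data, it fails at the first hop because the byte count is checked, which is the symptom post #12 reports as ERROR_PARTIAL_COPY.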

  9. #9
    sHice
    i forgot to mention that the pointer to the PEB, which is located at fs:[30h], is the same for every process (on my machine it's 7FFDF000h). So it doesn't matter if we grab the offset in the process of the debugger or in the process of the debuggee... the offset will stay the same.
    Last edited by sHice; May 3rd, 2005 at 12:31.

  10. #10
    evaluator
    eh, you already received:
    CREATE_PROCESS_DEBUG_INFO.lpThreadLocalBase;

    & for new thread:
    CREATE_THREAD_DEBUG_INFO.lpThreadLocalBase;

    so you don't need those GetThread... APIs.

    [edit]
    p.s.

    assume fs: nothing
    mov eax, fs:[18h]
    mov eax, [eax+30h]

    is same:
    mov eax, fs:[30h]
    Last edited by evaluator; May 3rd, 2005 at 13:49.

  11. #11
    nikolatesla20
    now now eval, perhaps he isn't handling the CREATE_THREAD debug event in order to keep track of threads, and it makes for clearer code to clearly show what is occurring (get the handle in the code that uses it, not somewhere clear across source files)

    Best wishes,

    -nt20

  12. #12
    Registered User
    Hello,

    Quote Originally Posted by sHice
    so it doesn't matter if we grab the offset in the process of the debugger or in the process of the debuggee... offset will stay the same.
    This is not the case on all NT O.S. In my own debugger, this idea was working like a charm on win 2k, but this wasn't exact on win XP Pro SP2.

    AFAIK, you shouldn't rely on any segment address on win XP, and shouldn't presume that those segments will be the same in the context of the debugger and in the debugged process/thread.

    You could end up with some unknown behaviours or results. Most of the time Read/WriteProcessMemory doesn't return correctly and GetLastError returns "ERROR_PARTIAL_COPY" if you base your code on the same address.

    I've previously experienced this problem, and with the same code as JimmyCliff, all results were good.
    Omne tulit punctum qui miscuit utile dulci

  13. #13
    disavowed
    This is the same thing that always pisses me off about poorly written remote-process tools that deal with loaded DLLs. They often assume that the address that the module is loaded at in the debugger is the same that the module is loaded at in the debuggee. Though often true, it's not guaranteed.

  14. #14
    Super Moderator
    7ffdf000 is constant only on w2k; in xp it varies to anything from 7ffda000 to
    others

    also 7ffde000 aka fs:[0] aka teb is also constant only in w2k, not in xp,
    so don't hardcode them; instead always
    use assume fs:NOTHING
    MOV EAX,fs:[blah]
    mov eax,[eax+blah]
    code which will work on both platforms
    what both these have in common is
    env values at 10000
    heap at 130000
    *processparams at 20000
    all other hardcodes don't work

  15. #15
    Hi guys,

    Sorry for not reading up on it - but where did I receive the CREATE_PROCESS_DEBUG_INFO.lpThreadLocalBase and how would it cut down those two GetThread Apis?
