My latest blog post, where I explain two anti-memory-breakpoint tricks:
http://waleedassar.blogspot.com/2012/11 ... oints.html
Any comments or ideas are very welcome.
Welcome to the new Woodmann RCE Messageboards Regroupment
Defeating Memory Breakpoints
Indy, instead of iterating through all kernel32.dll pages to determine the SizeOfImage value, you can just call the "ZwQueryVirtualMemory" function with "VirtualMemoryInformationClass" set to MemoryBasicVlmInformation (0x3). This should save you some instructions.
#define MemoryBasicVlmInformation 0x3   /* VirtualMemoryInformationClass value */
struct MEMORY_BASIC_VLM_INFORMATION
{
    unsigned long ImageBase;      /* base of the allocation that contains the queried address */
    unsigned long blah[0x2];      /* two fields not needed for this trick */
    unsigned long SizeOfImage;    /* size of the whole allocation, i.e. the image */
};
Code: http://pastebin.com/RCkVDNXJ
By the way, this trick does not work; something is missing, as attributes are easily changed.
Code cannot be changed (NtProtectVM returns STATUS_SECTION_PROTECTION).
Sample (for RWE): [attachment 2681]
Guard does not work for the region described in the TEB (StackBase & StackLimit).
Sample (for RWE):
Code:
.data
pGdiGetSpoolMessage PVOID ?        ; gdi32!GdiGetSpoolMessage, resolved at run time
RegionAddress       PVOID 0        ; the test page handed to the worker thread
SynchLock           BOOLEAN FALSE  ; set by Entry once RegionAddress is valid
RaiseLock           BOOLEAN FALSE  ; set by the worker when its call has returned
.code
; Worker thread: waits for a region, then calls GdiGetSpoolMessage with that
; page as its output buffer, over and over.
ThreadStartupRoutine proc UserParameter:PVOID
WaitLock:
    cmp SynchLock,FALSE
    je WaitLock
    mov RaiseLock,FALSE
    ; Align 4, W. (the buffer must be 4-byte aligned and writable)
    push 0
    push 0
    push PAGE_SIZE
    push RegionAddress
    Call pGdiGetSpoolMessage
    mov RaiseLock,TRUE
    jmp WaitLock
ThreadStartupRoutine endp

; Break unless the last NT call failed with STATUS_INVALID_PAGE_PROTECTION.
%PERR macro
    .if Eax != STATUS_INVALID_PAGE_PROTECTION
        int 3
    .endif
endm
; Break if a Win32 API call returned NULL/FALSE.
%APIERR macro
    .if !Eax
        int 3
    .endif
endm

$Gdi32 CHAR "Gdi32.dll",0
$Entry CHAR "GdiGetSpoolMessage",0

Entry proc
    Local ClientId:CLIENT_ID
    Local ThreadHandle:HANDLE
    Local RegionSize:ULONG
    Local OldProtect:ULONG
    Local DllHandle:PVOID
    ; Resolve GdiGetSpoolMessage and start the worker thread.
    invoke LoadLibrary, addr $Gdi32
    %APIERR
    invoke GetProcAddress, Eax, offset $Entry
    %APIERR
    mov pGdiGetSpoolMessage,eax
    invoke RtlCreateUserThread, NtCurrentProcess, NULL, FALSE, 0, 0, 0, addr ThreadStartupRoutine, 0, addr ThreadHandle, addr ClientId
Synch:
    ; Allocate one RW page, hand it to the worker, suspend the worker and try
    ; to free the page. The free fails only while the worker's call still
    ; holds the page; that is the state we are waiting for.
    mov RegionSize,PAGE_SIZE
    mov RegionAddress,0
    invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT, PAGE_READWRITE
    mov SynchLock,TRUE
    invoke ZwSuspendThread, ThreadHandle, NULL
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    test eax,eax
    mov SynchLock,FALSE
    jnz Raise
    ; The free succeeded, so the worker was not inside its call; try again.
    invoke ZwResumeThread, ThreadHandle, NULL
    jmp Synch
Raise:
    %PERR
    ; test for free.
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    %PERR
    ; test for change.
    invoke ZwProtectVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, PAGE_NOACCESS, addr OldProtect
    %PERR
    ; Unlock: let the worker finish its call, wait for it, then the page can be freed.
    invoke ZwResumeThread, ThreadHandle, NULL
@@:
    cmp RaiseLock,FALSE
    je @b
    invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
    int 3
    ret
Entry endp
walied
https://twitter.com/waleedassar/status/390334801321787392
It has been used in a crackme (http://vxforum.net/), along with other techniques (self morph, write watch etc.). Source code is available after registration.
Code:
; ZwMapViewOfSection(SectionHandle, ProcessHandle, &BaseAddress, ZeroBits,
;   CommitSize, &SectionOffset, &ViewSize, InheritDisposition,
;   AllocationType, Win32Protect); arguments are pushed right to left.
push [edi].Protect          ; Win32Protect
push MEM_DOS_LIM            ; AllocationType
push ViewShare              ; InheritDisposition
lea eax,ViewSize
push eax                    ; &ViewSize
lea eax,SectionOffset
push eax                    ; &SectionOffset
push NULL                   ; CommitSize
push NULL                   ; ZeroBits
lea eax,Sbase
push eax                    ; &BaseAddress
push ProcessHandle
push SectionHandle
%NTCALL Api.pZwMapViewOfSection, 10
.if Eax == STATUS_INVALID_PARAMETER_9 ; <=== WOW ?
    ; the 9th parameter (AllocationType) was rejected: retry without MEM_DOS_LIM
    push [edi].Protect
    push 0
    push ViewShare
    lea eax,ViewSize
    push eax
    lea eax,SectionOffset
    push eax
    push NULL
    push NULL
    lea eax,Sbase
    push eax
    push ProcessHandle
    push SectionHandle
    %NTCALL Api.pZwMapViewOfSection, 10
.endif
add edi,sizeof(SECTION)     ; advance to the next section descriptor
dec Snum
This is the link, I think ... http://vxforum.net/b/c.rar