
Defeating Memory Breakpoints

walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

Post by walied »

My latest blog post where i explain two anti-Memory-Breakpoints tricks.

http://waleedassar.blogspot.com/2012/11 ... oints.html

Any comments or ideas are very welcome
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Map a non-file section (R/E). After that, you cannot change the attributes.

Attachment: Pt.zip (2.42 KiB)
walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

Post by walied »

Indy, instead of iterating through all kernel32.dll pages to determine the SizeOfImage value, you can just call the "ZwQueryVirtualMemory" function with "VirtualMemoryInformationClass" set to MemoryBasicVlmInformation (0x3). This should save you some instructions :)

Code: Select all

#define MemoryBasicVlmInformation 0x3
struct MEMORY_BASIC_VLM_INFORMATION
{
unsigned long ImageBase;      /* base of the allocation the queried address belongs to */
unsigned long blah[0x2];      /* allocation protection and region type, not needed here */
unsigned long SizeOfImage;    /* size of the whole allocation, i.e. the mapped image */
};

Code: http://pastebin.com/RCkVDNXJ

By the way, this trick does not work, something is missing as attributes are easily changed.
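As an added example (not walied's pastebin code and not from the thread): the two ways of learning a loaded module's size that the posts above compare. The portable part reads ImageBase and SizeOfImage straight from the PE headers at the module base, which is what a page walk is ultimately looking for, and is exercised here on a constructed header. When built on Windows it also performs walied's query, NtQueryVirtualMemory with information class 3 (MemoryBasicVlmInformation in old headers, MemoryRegionInformation in current ones), and checks that the kernel's RegionSize for the image mapping equals SizeOfImage. The leading-field layout of the region-information struct and the oversized 256-byte buffer are assumptions to verify on your target build; the sample header bytes are invented.

```c
/* Added example, not from the thread. Two ways to learn a mapped module's
 * base and size: parse the PE headers at the module base (portable, run here on
 * a constructed header) or, on Windows, ask the kernel with NtQueryVirtualMemory
 * class 3 (MemoryBasicVlmInformation in old headers, MemoryRegionInformation
 * today) and compare its RegionSize with SizeOfImage. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t image_base;     /* IMAGE_OPTIONAL_HEADER.ImageBase (preferred base) */
    uint32_t size_of_image;  /* IMAGE_OPTIONAL_HEADER.SizeOfImage, in bytes */
} pe_info_t;

/* Reads ImageBase and SizeOfImage from the first bytes of a PE image as it sits in
 * memory. Handles PE32 (0x10B) and PE32+ (0x20B); assumes a little-endian host.
 * Returns 0 on success, -1 on a malformed or truncated header. */
int pe_image_info(const uint8_t *img, size_t len, pe_info_t *out)
{
    uint32_t e_lfanew;
    uint16_t magic;
    const uint8_t *opt;

    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    memcpy(&e_lfanew, img + 0x3C, sizeof e_lfanew);
    /* "PE\0\0" + 20-byte IMAGE_FILE_HEADER + the 60 optional-header bytes we read */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 60)
        return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return -1;

    opt = img + e_lfanew + 4 + 20;
    memcpy(&magic, opt, sizeof magic);
    if (magic == 0x10B) {                       /* PE32: 32-bit ImageBase at +28 */
        uint32_t base32;
        memcpy(&base32, opt + 28, sizeof base32);
        out->image_base = base32;
    } else if (magic == 0x20B) {                /* PE32+: 64-bit ImageBase at +24 */
        memcpy(&out->image_base, opt + 24, sizeof out->image_base);
    } else {
        return -1;
    }
    memcpy(&out->size_of_image, opt + 56, sizeof out->size_of_image); /* same offset in both */
    return 0;
}

/* Constructed sample: the skeleton of a PE32+ header with invented values
 * (ImageBase 0x7FFE00000000, SizeOfImage 0xB0000). Returns bytes written. */
size_t make_sample_header(uint8_t *buf, size_t len)
{
    const uint32_t e_lfanew = 0x80;
    const uint16_t magic = 0x20B;
    const uint64_t base = 0x7FFE00000000ULL;
    const uint32_t size = 0xB0000;
    if (len < 0x100)
        return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + 0x3C, &e_lfanew, sizeof e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    memcpy(buf + e_lfanew + 24, &magic, sizeof magic);       /* optional header at +24 */
    memcpy(buf + e_lfanew + 24 + 24, &base, sizeof base);
    memcpy(buf + e_lfanew + 24 + 56, &size, sizeof size);
    return 0x100;
}

#ifdef _WIN32
#include <windows.h>
/* Leading fields of MEMORY_REGION_INFORMATION (walied's ImageBase and SizeOfImage).
 * Assumption: this layout; later fields vary by build, so a large buffer is passed. */
typedef struct {
    PVOID  AllocationBase;
    ULONG  AllocationProtect;
    ULONG  RegionType;
    SIZE_T RegionSize;
} REGION_INFO_HEAD;
typedef LONG (NTAPI *NtQueryVirtualMemory_t)(HANDLE, PVOID, ULONG, PVOID, SIZE_T, PSIZE_T);

/* Compares the parser's SizeOfImage with the kernel's size of the image mapping.
 * Returns 0 if they agree, 1 if they differ, -1 on error. */
int cross_check_module(const char *name)
{
    union { REGION_INFO_HEAD head; unsigned char raw[256]; } ri;
    SIZE_T returned = 0;
    pe_info_t pe;
    HMODULE mod = GetModuleHandleA(name);
    NtQueryVirtualMemory_t NtQueryVirtualMemory = (NtQueryVirtualMemory_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryVirtualMemory");
    if (!mod || !NtQueryVirtualMemory || pe_image_info((const uint8_t *)mod, 0x1000, &pe) != 0)
        return -1;
    if (NtQueryVirtualMemory(GetCurrentProcess(), (PVOID)mod, 3 /* MemoryRegionInformation */,
                             &ri, sizeof ri, &returned) < 0)
        return -1;
    printf("%s: PE SizeOfImage=0x%x, kernel AllocationBase=%p RegionSize=0x%zx\n",
           name, pe.size_of_image, ri.head.AllocationBase, (size_t)ri.head.RegionSize);
    return (ri.head.AllocationBase == (PVOID)mod && ri.head.RegionSize == pe.size_of_image) ? 0 : 1;
}
#endif

int main(void)
{
    uint8_t buf[256];
    pe_info_t info;
    make_sample_header(buf, sizeof buf);
    if (pe_image_info(buf, sizeof buf, &info) == 0)
        printf("sample: ImageBase=0x%llx SizeOfImage=0x%x\n",
               (unsigned long long)info.image_base, info.size_of_image);
#ifdef _WIN32
    return cross_check_module("kernel32.dll");
#else
    return 0;
#endif
}
```

On Windows, run it against kernel32.dll and compare with what a page walk (VirtualQuery across consecutive pages until the AllocationBase changes) returns; the kernel query costs one call instead of one per page, which is the saving walied points at.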
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

walied
Module size is not needed.

> By the way, this trick does not work, something is missing as attributes are easily changed.

This cannot fail to work. What kernel do you have there? Maybe kernelbase?
walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

Post by walied »

Indy,

Which page are you protecting in ptImg.exe? I have tested on XP SP2 (no kernelbase.dll) without seeing the expected results.

Is it page(s) at 0x410000 or kernel32.dll?

I am sure i am missing something.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

[two screenshots attached, not preserved]
walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

Post by walied »

Thanks Indy. Now I got it. This is a nice trick to defeat software (INT3) breakpoints; I will definitely add it to my bag of tricks. But this can't defeat memory breakpoints, since the page protection can still be changed to PAGE_NOACCESS. It can also be guarded.
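An added example, not part of the thread and not Indy's ptImg.exe source, that reproduces what walied observes above and the STATUS_SECTION_PROTECTION that Indy reports in the next post. A view of a pagefile-backed section that was mapped R/E can only be re-protected downwards: PAGE_EXECUTE_READWRITE and PAGE_READWRITE are refused (so a debugger cannot write an INT3 into it), while PAGE_NOACCESS and PAGE_GUARD are accepted (so memory breakpoints still work). The compatibility table in the model is my reconstruction of the kernel's rule, stated as an assumption: a mapped view may only lose rights, and the shared-write and copy-on-write families never convert into each other. When built on Windows (x86/x64) the block writes a three-byte stub into the section through a temporary RW view, keeps only an R/E view, and compares the model against VirtualProtect and WriteProcessMemory on that view; elsewhere only the portable model runs.

```c
/* Added example (not from the thread or from ptImg.exe). Models which new
 * protections the kernel accepts on a view that was mapped R/E, and, when
 * built on Windows, checks the model against VirtualProtect on a real
 * pagefile-backed section. PAGE_* values are the SDK ones. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#endif

/* Set of base protections a view mapped with view_prot may later be changed to.
 * Assumption: this reproduces the kernel's compatibility table (a view can only
 * lose rights, and the shared-write and copy-on-write families never mix). */
static uint32_t compatible_protections(uint32_t view_prot)
{
    switch (view_prot & 0xFF) {
    case PAGE_NOACCESS:     return PAGE_NOACCESS;
    case PAGE_READONLY:     return PAGE_NOACCESS | PAGE_READONLY;
    case PAGE_EXECUTE:      return PAGE_NOACCESS | PAGE_EXECUTE;
    case PAGE_EXECUTE_READ: return PAGE_NOACCESS | PAGE_READONLY | PAGE_EXECUTE | PAGE_EXECUTE_READ;
    case PAGE_READWRITE:    return PAGE_NOACCESS | PAGE_READONLY | PAGE_READWRITE;
    case PAGE_WRITECOPY:    return PAGE_NOACCESS | PAGE_READONLY | PAGE_WRITECOPY;
    case PAGE_EXECUTE_READWRITE:
        return PAGE_NOACCESS | PAGE_READONLY | PAGE_EXECUTE | PAGE_EXECUTE_READ |
               PAGE_READWRITE | PAGE_EXECUTE_READWRITE;
    case PAGE_EXECUTE_WRITECOPY:
        return PAGE_NOACCESS | PAGE_READONLY | PAGE_EXECUTE | PAGE_EXECUTE_READ |
               PAGE_WRITECOPY | PAGE_EXECUTE_WRITECOPY;
    default:                return 0;
    }
}

/* 1 if NtProtectVirtualMemory(new_prot) is accepted on a view mapped with
 * view_prot, 0 if it is refused (STATUS_SECTION_PROTECTION). Modifier bits
 * such as PAGE_GUARD grant no access and are ignored by the check, which is
 * why guarding an R/E page, or making it PAGE_NOACCESS, still works. */
int view_reprotect_allowed(uint32_t view_prot, uint32_t new_prot)
{
    uint32_t base = new_prot & 0xFF;
    if (base == 0 || (base & (base - 1)) != 0)   /* exactly one base protection */
        return 0;
    return (compatible_protections(view_prot) & base) != 0;
}

#ifdef _WIN32
/* Live check on x86/x64 Windows: write a stub through an RW view, drop that
 * view, keep only an R/E view, then try the protections a debugger would.
 * Returns the number of disagreements between model and kernel, -1 on setup error. */
int demo_rx_view(void)
{
    static const unsigned char stub[] = { 0x31, 0xC0, 0xC3 };   /* xor eax,eax ; ret */
    static const uint32_t tries[] = { PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_NOACCESS,
                                      PAGE_EXECUTE_READ | PAGE_GUARD, PAGE_EXECUTE_READ };
    HANDLE sec = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, 4096, NULL);
    unsigned char *rw, *rx;
    int mismatches = 0;
    size_t i;
    if (!sec) return -1;
    rw = (unsigned char *)MapViewOfFile(sec, FILE_MAP_WRITE, 0, 0, 0);
    if (!rw) return -1;
    memcpy(rw, stub, sizeof stub);
    UnmapViewOfFile(rw);
    rx = (unsigned char *)MapViewOfFile(sec, FILE_MAP_READ | FILE_MAP_EXECUTE, 0, 0, 0);
    if (!rx) return -1;

    printf("stub returns %d\n", ((int (*)(void))rx)());      /* the R/E view executes fine */
    /* How a debugger's INT3 surfaces: WriteProcessMemory cannot reprotect the view. */
    printf("WriteProcessMemory(INT3): %s\n",
           WriteProcessMemory(GetCurrentProcess(), rx, "\xCC", 1, NULL) ? "ok" : "refused");

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        DWORD old;
        int kernel = VirtualProtect(rx, 4096, tries[i], &old) != 0;
        int model  = view_reprotect_allowed(PAGE_EXECUTE_READ, tries[i]);
        printf("VirtualProtect(0x%03x): %s, model says %s\n", (unsigned)tries[i],
               kernel ? "ok" : "refused", model ? "ok" : "refused");
        if (kernel != model) mismatches++;
    }
    UnmapViewOfFile(rx);
    CloseHandle(sec);
    return mismatches;
}
#endif

int main(void)
{
#ifdef _WIN32
    return demo_rx_view() == 0 ? 0 : 1;
#else
    printf("R/E view -> RWX allowed? %d\n", view_reprotect_allowed(PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE));
    printf("R/E view -> NOACCESS allowed? %d\n", view_reprotect_allowed(PAGE_EXECUTE_READ, PAGE_NOACCESS));
    return 0;
#endif
}
```

The practical consequence is the one walied draws: a debugger that sets a software breakpoint will fail at the write, but one that sets a memory breakpoint (PAGE_NOACCESS or PAGE_GUARD on the page) is not stopped, and a second RW view of the same section, mapped by anyone holding the section handle, is not stopped either.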
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

The code cannot be changed (NtProtectVM returns STATUS_SECTION_PROTECTION).

Sample (for RWE):

Code: Select all

.data
pGdiGetSpoolMessage	PVOID ?		; gdi32!GdiGetSpoolMessage, resolved at run time

RegionAddress	PVOID 0			; page handed to the worker thread
SynchLock		BOOLEAN FALSE	; main -> worker: RegionAddress is valid
RaiseLock		BOOLEAN FALSE	; worker -> main: the GdiGetSpoolMessage call has returned

.code
; Worker thread: waits for a region, hands it to GdiGetSpoolMessage, and loops.
; While that call is in progress the region is held by the kernel and cannot
; be freed or re-protected from user mode.
ThreadStartupRoutine proc UserParameter:PVOID
WaitLock:
	cmp SynchLock,FALSE
	je WaitLock
	mov RaiseLock,FALSE
; Align 4, W.
	push 0
	push 0
	push PAGE_SIZE
	push RegionAddress
	Call pGdiGetSpoolMessage
	mov RaiseLock,TRUE
	jmp WaitLock
ThreadStartupRoutine endp

; Break in if the last NT call did not fail with STATUS_INVALID_PAGE_PROTECTION.
%PERR macro
	.if Eax != STATUS_INVALID_PAGE_PROTECTION
		int 3
	.endif
endm

; Break in if the last Win32 call returned NULL.
%APIERR macro
	.if !Eax
		int 3
	.endif
endm

$Gdi32	CHAR "Gdi32.dll",0
$Entry	CHAR "GdiGetSpoolMessage",0

Entry proc
Local ClientId:CLIENT_ID
Local ThreadHandle:HANDLE
Local RegionSize:ULONG
Local OldProtect:ULONG
Local DllHandle:PVOID
	invoke LoadLibrary, addr $Gdi32
	%APIERR
	invoke GetProcAddress, Eax, offset $Entry
	%APIERR
	mov pGdiGetSpoolMessage,eax
	invoke RtlCreateUserThread, NtCurrentProcess, NULL, FALSE, 0, 0, 0, addr ThreadStartupRoutine, 0, addr ThreadHandle, addr ClientId
; Retry until the worker is caught inside GdiGetSpoolMessage with our page:
; allocate a page, publish it, suspend the worker, and try to free the page.
; The free succeeds as long as the worker was not inside the call.
Synch:
	mov RegionSize,PAGE_SIZE
	mov RegionAddress,0
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT, PAGE_READWRITE
	mov SynchLock,TRUE
	invoke ZwSuspendThread, ThreadHandle, NULL
	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
	test eax,eax
	mov SynchLock,FALSE
	jnz Raise				; free failed: the page is held
	invoke ZwResumeThread, ThreadHandle, NULL
	jmp Synch
Raise:
	%PERR
; test for free.
	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
	%PERR
; test for change.
	invoke ZwProtectVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, PAGE_NOACCESS, addr OldProtect
	%PERR
; Unlock
	invoke ZwResumeThread, ThreadHandle, NULL
@@:
	cmp RaiseLock,FALSE		; wait for the worker's call to return
	je @b
	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE	; now the free goes through
	int 3
	ret
Entry endp
Guard does not work for the region described in the TEB (StackBase and StackLimit).

Attachment: nt.png
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

walied

https://twitter.com/waleedassar/status/390334801321787392

It has been used in a crackme (http://vxforum.net/), along with other techniques (self-morphing, write watch, etc.). Source code is available after registration :p

Code: Select all

; Map one section of the image. Arguments are pushed right to left for
; ZwMapViewOfSection(SectionHandle, ProcessHandle, *BaseAddress, ZeroBits,
; CommitSize, *SectionOffset, *ViewSize, InheritDisposition, AllocationType, Protect).
		push [edi].Protect		; Protect: the view's protection from the section descriptor
		push MEM_DOS_LIM		; AllocationType
		push ViewShare			; InheritDisposition
		lea eax,ViewSize
		push eax				; *ViewSize
		lea eax,SectionOffset
		push eax				; *SectionOffset
		push NULL				; CommitSize
		push NULL				; ZeroBits
		lea eax,Sbase
		push eax				; *BaseAddress
		push ProcessHandle
		push SectionHandle
		%NTCALL Api.pZwMapViewOfSection, 10
		.if Eax == STATUS_INVALID_PARAMETER_9 ; <=== WOW ?
; AllocationType (parameter 9) was rejected: retry the same mapping without MEM_DOS_LIM.
			push [edi].Protect
			push 0
			push ViewShare
			lea eax,ViewSize
			push eax
			lea eax,SectionOffset
			push eax
			push NULL
			push NULL
			lea eax,Sbase
			push eax
			push ProcessHandle
			push SectionHandle
			%NTCALL Api.pZwMapViewOfSection, 10
		.endif
		add edi,sizeof(SECTION)	; next section descriptor
		dec Snum				; sections left to map
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

Indy, send me the exe.
ZaiRoN
Posts: 922
Joined: Fri Oct 12, 2001 7:00 am
Location: Italy

Post by ZaiRoN »

What's the name of the crackme? Is it available on vxforum only?
A mind is like a parachute. It doesnt work if it's not open.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Aha. This is the registration test :sneaky:
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

This is the link, I think... http://vxforum.net/b/c.rar