Map and projects (the most frequently updated page of this blog)

Anti

Counter-Measures (Anti-debugs, etc...) (in progress)
printable cheat sheet

Generics
  • BeingDebugged: PEB.BeingDebugged db [fs:[30] + 2] == 1
  • IsDbgPresent: BeingDebugged check, via IsDebuggerPresent
  • NtGlobalFlag: PEB.NtGlobalFlag dd [fs:[30] + 68] has 70 set
  • HeapFlags: Heap.Flags dd [[fs:[30] + 18] + C] == 2
  • ForceFlags: Heap.ForceFlags dd [[fs:[30] + 18] + 10] is not null
  • msvcrt!trigo: msvcrt!CIasin(invalid) => al = NtGlobalFlag ? a8 : 98
  • deletefiber: DeleteFiber(invalid) => LastError = ForceFlags ? 80000003 : 57
  • gs: GS is reset, on thread switch
  • pop ss: debuggers can't step right after pop SS => TF set in EFlags, 100 via pushf
  • smsw: operand = just after FPU ? 80010031 : 8001003b
  • int 2c/2e: slides over next instruction + sets EDX to next EIP, but incorrect if stepped
  • int 2d: triggers BREAKPOINT exception if not under a debugger
  • InvalidHandle: CloseHandle(invalid) ! INVALID HANDLE exception if debugger is present
  • ChkRemoteDbg: CheckRemoteDebuggerPresent(GetCurrentProcess(),;&result) = 1 : 0
  • NtQueryInfo: NtQueryInformationProcess(-1,ProcessDebugPort =7, var, ...) => [var] = present ?-1:0
  • HideThread: NtSetInformationThread(-2,ThreadhideFromDebugger= 11, -1, 0) => not responding
  • csr: OpenProcess(..., 0,CsrGetProcessId()) => no error if SeDebugPrivilege acquired
  • Timing: comparison of two RDTSC, inlined GetTickCount, GS resets, ...
  • Timing API: comparison of two APIs like GetTickCount, GetSystemTime, QueryPerformanceCounter, ...
Exceptions tricks (in the exception handler):
  • jmp: change resume address via Context.regEIP (Context+B8)
  • step: step next instruction and re-trigger via setting TF in Context.EFlags (Context+C0)
  • hwbp: set or detects hardware breakpoint via Context.dr* (Context+04/+18)
  • higher: overwrite higher handler and trigger exception ([esp+18])
  • return: overwrite return address in stack ! context re-loading is skipped ([esp+24])

Ollydbg (1.1) specific:
  • esi: esi = -1 on startup under ollydbg, not in general
  • FPU: Display FFFFFFFF FFFFFFFF C0/40 3D as float => crash
  • OdbgStr: OutputDebugStringA("%s%s") => crash

VmWare specific:
  • backdoor: in 'VMXh', 'VX' => exception if not present, else modifed eax and ebx
  • sidt: [operand + 5] == e8 or ff if present
  • sldt: result != 0 if present
  • str: result == 4000h if present

Reminders:
  • TF is used by a debugger for stepping: set TF, an exception will be triggered after next execution is stepped
  • TEB is at fs:[18]
  • the PEB is accessible directly (fs:[30]) or via TEB.EnvironmentPointer ([fs:[18] + 30])
  • LastError is accessible via TEB.LastErrorValue ([fs:[18] + 34]) => GetLastError is inlinable
  • GetCurrentProcess = FFFFFFFF (constant value)
  • GetCurrentThread = -2 (constant value)
  • CsrGetProcessId= dword[7C980380] => (inlineable)
  • GetTickCount = dword [7FFE0000] * dword[7FFE0004]) >> 24 => inlineable
References:
Peter Ferrie
Nicolas Falliere
Marc Vincent Yason

Subscribe to: Posts (Atom)