# attach to me… if you can (part II)

the previous post describes how to intercept attaching, but that way does not prevent attaching itself. as it happens there is a simple and elegant way to block any attaching attempt: just wipe out the PEB->Ldr field (the PPEB_LDR_DATA pointer). the application keeps running fine, the process is present in the process list of Task Manager/Process Explorer, but… it’s not listed in the Olly 1.10/Olly 2.00i attach windows!!!

to_attach_ldr.exe is not present in the attach windows!

ok, guys, another plan! load the file directly into OllyDbg 1.10 in order to debug it. can we debug it? well, yes, but… no. OllyDbg 1.10 does not show us the module list (so how are we supposed to set breakpoints on APIs?) and the map window is empty as well. OllyDbg 2.00i and IDA-Pro 5.3 have no such problem.

IDA-Pro 5.3 can’t attach to the process either, it just freezes!!! and there is nothing to do but terminate IDA-Pro, losing all the changes we have made. a very nasty bug!

the source code is extremely simple. see it below or download it.

```c
#include <stdio.h>
#include <windows.h>

int main(void)
{
    const char x[] = "|/-\\";   /* spinner characters; the post leaves x and a undeclared, so these are assumed */
    unsigned a = 0;
    __asm {
        mov eax, fs:[30h]      ; // PEB (TEB->ProcessEnvironmentBlock)
        mov [eax + 0xC], eax   ; // damage PEB->Ldr (LdrData) to prevent attaching
    }
    // do something
    while (1) printf("\rattach to me [%c]", x[++a % (sizeof(x) - 1)]), Sleep(100);
}
```

so, you get it. any ideas how to hack it? does anybody know a way to attach to the process?

note: Elias Bachaalany checked IDA-Pro 5.4 (both with the WinDbg plug-in and the built-in win32 debugger). it does not freeze, but once attached the code crashes inside NTDLL.DLL and IDA catches a lot of exceptions, so this trick works against IDA-Pro 5.4 as well. it’s not an IDA-Pro bug! and there is nothing IDA-Pro can do to fix it.
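from the defender’s side, the damage is easy to spot once you can read the target’s PEB: the Ldr pointer at offset 0xC ends up NULL, pointing at the PEB itself (what the asm above leaves behind), or somewhere it cannot legitimately be. the check below is an added example, not code from the post; it assumes a 32-bit target (a 64-bit PEB keeps Ldr at 0x18), the PEB bytes and base address used offline are constructed, and the Windows read path uses the documented OpenProcess/NtQueryInformationProcess/ReadProcessMemory calls.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example: sanity-check PEB.Ldr (offset 0xC in the 32-bit PEB, the field the
 * post's asm overwrites). Assumes a 32-bit target; a 64-bit PEB keeps Ldr at 0x18. */
#define PEB32_LDR_OFFSET 0x0C
/* peb = raw bytes copied out of the target starting at peb_base.
 * Returns 1 if the Ldr pointer looks tampered, 0 if plausible. */
int peb32_ldr_tampered(const unsigned char *peb, size_t len, uint32_t peb_base)
{
    uint32_t ldr;
    if (len < PEB32_LDR_OFFSET + sizeof ldr)
        return 1;                   /* too short to judge: treat as bad */
    memcpy(&ldr, peb + PEB32_LDR_OFFSET, sizeof ldr);
    if (ldr == 0)                   /* NULL: field wiped */
        return 1;
    if (ldr == peb_base)            /* the post's trick: Ldr points at the PEB itself */
        return 1;
    if (ldr >= 0x80000000u)         /* kernel-range value: cannot be user-mode LdrData */
        return 1;
    return 0;
}

/* Constructed 32-bit PEB prefixes for offline use, not real dumps. kBadPeb holds
 * Ldr == 0x7FFDF000 == PEB base, which is what `mov [eax+0xC], eax` leaves behind. */
#define kPebBase 0x7FFDF000u
static const unsigned char kGoodPeb[0x10] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0xA0,0x1E,0x24,0x00};
static const unsigned char kBadPeb[0x10]  = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0x00,0xF0,0xFD,0x7F};
#ifdef _WIN32 /* live check; a 32-bit build inspecting a 32-bit process is assumed */
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
/* Returns -1 if the process cannot be opened/read, else the check result. */
int check_live_process(DWORD pid)
{
    unsigned char buf[0x10];
    PROCESS_BASIC_INFORMATION pbi;
    SIZE_T got = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    NtQIP_t q = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                        "NtQueryInformationProcess");
    if (!h || !q) { if (h) CloseHandle(h); return -1; }
    if (q(h, ProcessBasicInformation, &pbi, sizeof pbi, NULL) != 0 ||
        !ReadProcessMemory(h, pbi.PebBaseAddress, buf, sizeof buf, &got) ||
        got != sizeof buf) { CloseHandle(h); return -1; }
    CloseHandle(h);
    return peb32_ldr_tampered(buf, got, (uint32_t)(uintptr_t)pbi.PebBaseAddress);
}
#endif
```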

3 Comments

  1. I can’t even imagine how quickly You find new, small, numerous features of code.. I tried this code in the Visual Studio Debugger. It found this process. But the studio froze too((

  2. thanks for the feedback! it was easy for me to find this trick. I’m a stupid mouse, but Peter helped me. he pointed out that NTDLL!DbgBreakPoint is not the first function executed inside the address space of the process. I knew it before and, like I wrote in the first post, it is called by BaseAttachComplete, which is called by BaseThreadStartThunk. how did I find this? oh, I just looked at the Thread Start Address of the system thread with Olly.

    the question is: who calls BaseThreadStartThunk? of course it’s easy to find out with soft-ice, but I went another way. I just wrote a simple program that… (plz, don’t kill me) well, the program just wiped out the entire address space of its process. this helped me to observe how the debugger attaches to the process and which functions are called by the OS kernel (not KERNEL32.DLL, but ring-0).

    I found out that the kernel relies on the user’s PEB. so, I wiped out the PEB and… oops! nobody can attach to the process. the question is: which field(s) of the PEB are responsible for attaching? I used a simple brute force method (wiped half of the PEB, then the other half…) and it took less than 3 minutes to find LdrData. so, the crack-me was born. thanks to Peter for the inspiration!

  3. hi kris,

    tried this on win7/32-bit and it does not work.

    IDA 5.4, and I would assume earlier versions equally, will attach normally.

    Olly 1.10 still fails to list it in the process list though.

    If someone can second that.