# die Vista, die or why DEADBEEF is alive?

intraarterial injection: while fixing old bugs in Vista, the ms-guys inevitably add new ones. don’t ask me for proofs unless you want to hurt your face-painting wretched system. do you know the system I’m talking about? good! the following code has no impact on NT, W2K, XP, but… it freezes malformed Vista. it just hangs the system up! (I tested Vista SP0). download the binary or compile the file yourself.


get off the subject: remember a simple anti-dbg trick: closing a non-existent handle? something like CloseHandle(0xBADC0DE) or CloseHandle(0xDEADBEEF). if we’re under a debugger, the OS raises a C0000008h (INVALID HANDLE, i.e. STATUS_INVALID_HANDLE) exception; no debugger means no exception. the problem is: how to pick a handle value that is guaranteed to be invalid? even if you didn’t open it, any system DLL might have opened it. of course, you can use GetHandleInformation() to check whether the handle has been opened, but… it’s too obvious (for hackers) and too trivial to be interesting for us. there is another way: our way.

flowing well: have you ever wondered how the OS assigns handles? a handle is a DWORD, right? but it’s impossible for every value to be busy. some values will be taken, but some of them must be free, because nobody can open all of the 4,294,967,296 possible handles; it’s beyond any limit! so, let’s do some quick research on system internals. what we’re going to do is consume handles until CreateFile() says: “no more handles, I give up“. then it’s time to call GetHandleInformation() and check: is there any predictable pattern? which handles are taken and which are not?

dead marines: holy cow!!! just look at it!!! wow! this is the very pattern we were looking for! handles 00h .. 02h are taken, handle 07h is taken as well, but… the rest follow the expression ((h - 0x12) % 4). so it’s easy to determine handle values that will never be taken, whatever happens, and thus will definitely raise an exception on a close attempt. the point is: closing a handle like 1Bh looks reasonable from a hacker’s point of view, but it’s just a way to generate an exception under a debugger.

HANDLE: 00h is invalid
HANDLE: 01h is invalid
HANDLE: 02h is invalid
HANDLE: 03h is valid
HANDLE: 04h is valid
HANDLE: 05h is valid
HANDLE: 06h is valid
HANDLE: 07h is invalid
HANDLE: 08h is valid
HANDLE: 09h is valid
HANDLE: 0Ah is valid
HANDLE: 0Bh is valid
HANDLE: 0Ch is valid
HANDLE: 0Dh is valid
HANDLE: 0Eh is valid
HANDLE: 0Fh is valid
HANDLE: 10h is valid
HANDLE: 11h is valid
HANDLE: 12h is valid
HANDLE: 13h is invalid
HANDLE: 14h is valid
HANDLE: 15h is valid
HANDLE: 16h is valid
HANDLE: 17h is invalid
HANDLE: 18h is valid
HANDLE: 19h is valid
HANDLE: 1Ah is valid
HANDLE: 1Bh is invalid
HANDLE: 1Ch is valid
HANDLE: 1Dh is valid
HANDLE: 1Eh is valid

Achilles’ spear: so, you got it! we have the magic formula that lets us check any arbitrary value. take 0xBADC0DE for example. download the sources of IsInvalid.c and call IsHandlerInvalid(0xBADC0DE), or simply run IsInvalid.exe. as you can see, 0xBADC0DE can not be taken, so it’s a good choice to cause an exception.

ok, another try: 0xDEADBEEF. just pass the value to our magic function and… oops! it says: “HANDLE: DEADBEEFh is possibly valid“, so it’s potentially unsafe to use CloseHandle(0xDEADBEEF). oh, come on! fat chance of closing a file opened by the system or a custom DLL, but… it’s still possible. btw, VMProtect uses CloseHandle(0xBADC0DE), which is safe. coincidence? or… anyway, Dermatolog (Иван Пермяков, Екатеринбург; Ivan Permyakov from Yekaterinburg, the geek who created it) is a very wise guy and his protector is one of the best. it’s stuffed with anti-dbg tricks and it was a pleasure for me to dig them up. what about you?
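To repeat the probe behind the table above on your own machine, here is an added PowerShell example (not the post’s IsInvalid.c and not VMProtect’s code): it calls GetHandleInformation over 00h..1Eh, then vets the two constants discussed in the post in the current process, which shows why a guessed value for CloseHandle may land on a live handle. It assumes 64-bit Windows PowerShell; Test-HandleValid and the HandleProbe namespace are names chosen here.

```powershell
# Added example, not the post's code. GetHandleInformation is the real kernel32 export;
# everything else (Test-HandleValid, HandleProbe) is named here for illustration.
$Kernel32 = Add-Type -Namespace 'HandleProbe' -Name 'Native' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetHandleInformation(IntPtr hObject, out uint lpdwFlags);
'@

# Ask the kernel whether a raw value currently refers to an object in this process.
# 64-bit PowerShell assumed: values above 7FFFFFFFh do not fit a 32-bit IntPtr.
function Test-HandleValid {
    param([Parameter(Mandatory)][UInt64]$Value)
    $flags = [uint32]0
    $ok  = $Kernel32::GetHandleInformation([IntPtr][Int64]$Value, [ref]$flags)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # read right after the call
    [pscustomobject]@{
        Handle    = ('{0:X}h' -f $Value)
        Valid     = [bool]$ok
        LastError = $err      # 6 = ERROR_INVALID_HANDLE is the expected answer for a free slot
        Flags     = $flags    # HANDLE_FLAG_INHERIT / HANDLE_FLAG_PROTECT_FROM_CLOSE when valid
    }
}

# 1. The post's table: walk 00h..1Eh and show which values are in use here.
0..0x1E | ForEach-Object { Test-HandleValid -Value $_ } |
    Format-Table Handle, Valid, LastError, Flags -AutoSize

# 2. Vet the two constants from the post in *this* process before trusting either of them.
foreach ($c in 0xBADC0DE, 0xDEADBEEF) {
    $r = Test-HandleValid -Value $c
    if ($r.Valid) {
        Write-Warning ('{0} is a live handle here; CloseHandle on it would close a real object' -f $r.Handle)
    } else {
        Write-Output ('{0} is not in use in this process (error {1})' -f $r.Handle, $r.LastError)
    }
}
```

Run it from a process that has loaded a few DLLs and opened some files to see the table differ from the post’s: which values are taken depends on what the process has already opened.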

consuming handles consumes kernel memory as well (handler_explorer.exe is running); sorry for the Russian screenshot, I would appreciate your help if somebody sends me an English one (info # re - lab . org )




  1. Chris, stop using your English like a bitch. Phrases like “unless you want to hurt your face-painting wretched system. do you know what the system I’m talking about?” are bad, motherfucker. No native speaker would say this. Use SIMPLE English. You are not Shakespeare, but you are a good reverser.

  2. Hi Tony! you made your point! my English sucks, doesn’t it? I admit that. but how am I supposed to learn, using simple constructions and keeping a low profile? I want to learn, I want to practice. thanks for your feedback – your negative response is very useful for me. I would very much appreciate your help. could you please tell me: if you were native, how would you say that sentence? thanks in advance!

  3. Probably fixed in SP1, since my systems have no problem with it.
    In my anti-debugging paper, I used CloseHandle(esp).
    Fewest bytes. ;-)

  4. IMHO Tony wants to say you should use only the group of Indefinite Tenses, rarely Present and Past Perfect and the group of Continuous Tenses, to build short sentences that are simple to understand, because they are easy to read and let you make fewer mistakes in the Sequence of Tenses. As far as I know, that’s the summary of the rules native speakers use when they talk.

  5. Hi, iZverrG!
    common ground! I agree with you, but I would prefer to act up to my principles. I’m trying to get used to English, trying to find the best way to express my mind. maybe my posts are uneven and funny. they definitely are. but at least I’m trying.

    I will handle English sooner or later.. anyway, I very much appreciate your feedback!

  6. I just wanted to explain some simple rules to speak easily and correctly in the hope it would be useful for you) I respect your methods very much and I’m sure you know what you are doing.

  7. yes, sure. I’m interested!

  8. Hi Peter!
    I don’t altogether agree with you! CloseHandle(esp) takes one extra byte for the push, but… if you don’t care about the exact value – just don’t remove the bytes from the previous _cdecl function (if you have one :-), so my solution is two bytes shorter.

    but it’s only for crack-mes, not for commercial software, because it’s not safe. it’s possible to close an open handle, which leads to undefined behavior.
