# San-Francisco – A Dream Came True

ever had a dream that came true exactly the way you saw it? I had a dream and it came true. the story began on Wednesday, April 23, 2008 03:03 AM when I sent a mail to Maryellen O’Connell who is a senior recruiter at Macrovision. “23″ is my lucky number as well as “#3″ and it was a lucky shoot. I shot in the dark. there was just me, my den and a job offer posted on OpenRCE board.

Macrovision was looking for motivated, experienced, and intellectually curious engineers to develop-n-implement security code for Blu-ray discs in their San Francisco office. at that time I was nobody. I had no education, never wrote a resume before, never ever tried to find a job in US, my English was just terrible (especially the spoken one) and I had no real experience at all, but I was a very successful writer, published a dozen hacker books, some of them were translated to English and became quite popular. well, we all began as something else…

the first resume in my life were written by Maryellen. yeah, I’m serious. I just sent her a letter to introduce myself and she had done the rest of paperwork. she was the first HRM I met, but she is the best, she is very professional. only because of her I found myself in Macrovision, or to be more specific – former Cryptograph Research Team, acquired by Macrovision, but at that moment I had no idea who I was going to work for.

there was a phone interview with manager of the group and I was not good on phone. I got a challenge and failed it. the H-1 visa’s applications had been closed that year, so Maryellen had no idea what we could do. she did not say allez-vous en, none the less.

time was getting on and on, I was keeping my head high, trying to be strong, telling myself: “you can not give up your dreams” and Maryellen was the only one who could make it happen and it’s actually happened.

Friday, July 25, 2008 12:55 AM. Maryellen wrote me: “working on bringing you here in the next couple of weeks…..“. the fire in my eyes was slowly fading out until I’d realized that I had no chance to be there. I’m not a welcome person to US. life never turns out the way you want it.

Sunday, May 31, 2009 8:48 PM: Finally, I’ve got my visa. it took more than a year!!! I was afraid that Maryellen forgot me, because… well, who would wait for an employee more that a year?!

could you believe that they did remember me and still were interested?! wow! but at this moment I wasn’t nobody. I became a well-recognized person, a part of McAfee team (former Endeavor Security) and got two my own projects there. my projects, my co-workers, my boss (now – my supervisor) who is my best friend. I was just keeping myself hooked up to that line, and it worked as it’s working now. It takes me to another dimension of relieving the reality, like I’ve been up on ecstasy, my module, my shell-code detector, had been integrated into a commercial product and I was so excited about. I had no intention to leave McAfee and I have no intention to do it now, but I wanted to be the front line of defense against pirates of Blu-ray content, research and implement novel and foremost tamper resistance techniques or, simple, anti-dbg tricks. the only motive I had is to make something out of my life. I wanted to be on the edge and the former Cryptograph Research Group was the excellent opportunity.

Wednesday, June 10, 2009 2:40 PM (UTC+4), DOMODEDOVO, Moscow, Russia. Flight Number 159. Seat 12A. American Airlines. Departure. Boeing-767. nice 2 rows seats plain my first transatlantic flight. I was in Malaysia (Boeing 747, KLM), I was in Israel (Boeing 737, Transaero), I was in South Africa (Boeing 747, KLM), I was in Korea (Boeing 777, Koran Airlines), I was… hell I remember… but it was my first transatlantic flight (cam on the board is allowed. will upload my shoots soon). well, basically it’s just nothing. annoying noise, dirty clouds, ugly crew members (American stewardesses are the worst nightmare I’d ever had in my life, even Aeroflot crew members much better and friendly).

Wednesday, June 10, 2009 9:20 PM (UTC-8), San Francisco, CA. Wow! I’m in SFO, riding to Galleria Park Hotel (very nice hotel, btw, but it’s nothing compared to Asian hotels, well, even South Africa hotels have much better erumpent and better service, and of course, the better view of windows, well, never mind, it’s my dream after all, I was not looking for luxury, I came not as a tourist).

the next morning. I was walking SFO streets dispatching my route to Macrovision office which is only two bocks away. ok, this is it. ground zero. 575 Market Street. high building with two doors: McDonald and the closed one. what’s the hell?! called to Naomi (the gal that runs the office) and asked her to bring me up. in a few seconds I met her. she is a) while, b) skinny; c) beautiful. I thought she is black. I don’t know why. I love black girls! fat chance to meet a black girl in the states. there is no one left. they’re not black. if you want to meet a real one – come to Zimbabwe. black girls there are just awesome!!! well, never mind. I came to US not for girls. anyway, Naomi is not my girl, she is the one who brought me up to the office. we passed a bridge over A-River, decorated with stones – what’s a beautiful place! I liked it from the first sight. I like stones, Korean people do unbelievable things with stones. I just wonder, who designed #575 building? it’s very different from the regular ones, composed of metal and glass. Cryptograph Research building is awesome. good place to work!!!

a few minutes later. I met the team. some people I knew, but most of them – not. what could I say? I found the smartest team I’d even seen in my life. there was Jeremy (you can met him at OpenRCE and Hex-Rays). this guy is a genius. and there was Jonny. he has more patents than I could even imagine. and there was Neil. a black guy. not wonder that we got on like a house on fire and quickly chummed up. I like black guys especially after being in South Africa. they’re open-mind and friendly. so, I was very happy to be among these people.

the next day. I got a challenge. an obfuscated crack-me. it was simple (no anti-dbg tricks, simple math algo, FPU registers were used by engine, but they were not obfuscated at all, so basically there was no obfuscation, bur even if it were, lack of resistance against black-box analyze allowed to hack the crack-me in a second), but… I get used to work in my den, _not_ in foreign environment. I was not nervous, the code was clear for me, but… I could not concentrate. probably because of getting so much exciting feelings in short time. so, I failed the task. well, not really. my motto is: never give up. giving up is easy, I did not want to ruin my dream, and had to intention to throw away my life. to give up without a fight – it’s not my way, so I just cheated. yeah. I always cheat if want to take control, but I can’t. and it worked. they were supposed to say something like: go away, but they did not. don’t know why. maybe because I explained _why_ I cheated. I’m a hacker. can you understand the word I just said? I never go the way I’m supposed to. I prefer to do something unexpected. finally, there is always one more way than it’s expected. that way – is my way. real life asks only “what” (need to do), but never wonders “how”. real protection is not a crack-me, begging, oh, please, don’t patch me, oh, man, you should understand the logic. should I? why? for what reason?

nowadays. I know nothing, I mean _nothing_ about cryptography (though, McAfee is going to patent my finding, related to crypto), I’d never even seen Blu-Ray disk, but I’m on my way to work for former Cryptography Research group, focused on protecting Blu-Rays. It was my dream and it came true. I _will_ do move to San-Francisco or bay area. even if Macrovision will decide do not hire me, well, there is McAfee headquarters in Santa-Clara. even if McAfee will decide do not hire me, well, it’s California – the cradle of many companies. and I’m a reverser. I will do find my job there. well, maybe not… my team is in DC. we were together more than a year. I know them, they know me, I have a job, I like what I’m doing and (what is more important) I see my future in McAfee, but have no idea what I’m going to do for Macrovision.

the funniest thing is – I’m still an independent consultant. I have no position neither in McAfee, nor in Macrovision and this fact pissed me off. and the more important thing is – why the states? moving to the states it’s a standard. moving to South Africa it’s… yeah, it’s something that nobody expects me to do. come on, I’m serious. South Africa it’s a good place to live! and for me is no problem to earn money working remotely. but… remote job means to be alone. fuck. what’s a fucking world. I don’t know why I wrote this post and what’s it for. I’m like Buridan’s ass placed exactly in the middle between two stacks of hay of equal size, starves to death since it’s too hard to make any rational decision to start eating one rather than the other. the only way is – just forgot these two stacks and find the third. this is the only way to solve the problem, especially if one stake exclude another.

San Francisco, 575 Market St, 11th floor, Macrovision office outview (former Cryptograph Research)

San Francisco, 575 Market St, 11th floor, Macrovision office outview (former Cryptograph Research)

 

# a bomb from McAfee (a nasty one)

accidentally McAfee sent me a file-bomb and now I need to backup my NTFS volume, reformat it, and copy data back to recover internal NTFS structures. shit happens! will write more latter, stay tuned.

 

# badly kept garden

nezumi-lab was deserted and tumbling into ruins. abandoned. felling into disusing. like a dead track. what I was doing with my life? what I’m doing with it now? where am I? as always – in the middle of something very important that keeps me alive, makes me busy, adsorbs days and nights. no free time. hell existence called life. where am I? what’s happening to me? what is this pain I feel? why does it hurt? something definitely wrong with me, but who cares? I’m moving forward, madding maybe the biggest mistake in my life trying to find a way to heaven.

 

# back to civilization

my trip (see: “I’m on my way to South Africa“) is over, time to wind into the bushes of my den and dive into reversing work. where am I? what’s happening to me? everything’s so cold, everything’s so dark, what is this pain I feel? why does it hurt? please no, let me die!!! brick stones. four walls. a dozen computers. five monitors. three telescopes. my native workplace raped by gothc music: BlutEngel, Sirenia, LAme-Immortelle… but why I feel kind of a great depression? my den… it’s not just stuff, it’s a part of me, it’s me by myself. so, why I’m unhappy? I live in the best place ever (see photos), I have everything I want: computers, kang (see Chinese dictionary), fast Internet connection, a good job – this is not what I do, this is what I am, but why the best place does not make me happy anymore. well, it does, but there are better places! they are different, exotic and very-very attractive.

should I compare my den with the Capital of the South AfricaPretoria – city where I was tripping for two weeks? guess, better do not. basically, Pretoria is a big village. clear air, a lot of tress, very friendly people, who hail you even we never met before. most of them are white. and they look good. but black people look better. they are just amazing! especially girls. I met a girl from Zimbabwe. if she were not married I would offer her my heart.

blacks and whites. what’s a contrast!!! friendly people and barbed wire up and down with “armed response” banners (means: we shoot you first, and ask who you’re – the second). interesting. yeah. there are a lot of problems there. but, you know, guys, South Africa is my second favorite place. the first is Israel. South Africa is too European. Israel is very special. kind of ethereal energetic is there. I can feel it (meanwhile, I’m religious neutral).

Right now I’m working for McAfee. it’s remote job and there are a lot of problems. I’m tired of my den, tired of loneliness. this is the reason why I started to offer Reverse Engineering Course to everybody. I’m just enjoying being with clever men, smart teams.

What’s about South Africa? oh, you would not believe me. there is a very special and unique firm called Sense Post, focused on pen-testing, consulting, training, etc. this is the smartest team I ever met in my life. they’re bright and creative. dress-code is a bull-shit. the only civil man there was my fried from Iran. the rest wear whatever they want. wow!!! this is what I call a freedom. ideal place to grow and generate new ideas, speaking of which I found a new way of immunizing applications and servers against remote attacks. the question is how to find a buyer :=)

had I a worker visa I would move to South Africa or Israel years ago. USA just an option. it’s something, oh! USA! a lot of job, thousands security firms, but… the question is the same: no visa means nothing. like anyone is going to give me a visa to fly to USA. that’s funny. the states does not want me to enter. fine! “highly skilled foreign professional may also be considered for permanent Resident StatusMalaysia Deputy Prime Minister had said

anyway, I’ve returned enriched by new ideas (will describe them soon, follow the news) and, you know, I’m very happy. for the short time I crossed four seasons – flied out of winter to summer, met autumn there and returned to spring. awesome! thanks for Jacqui, Haroon, Nicholasand the rest of Sense Post team! I was really happy to share my knowledge with them and I learned a lot from them as well!!! old ppl say: “you are not great just because you say you are” and Sense Post guys do not say they’re great. they’re just great. in silence.

Endeavor Security (now Endeavor System – the part of McAfee empire) was like the heaven for me. Christopher Jordan (the CEO) and Barnaby Page (Senior Vice President) are my friends. there’re very friendly, open-mind, wise and clever and technical. not bureaucratic. nobody plays political games. it was good. but now… Endeavor is a part of McAfee, things are changing and I just don’t know what to expect for. Alone in the dark. over and over. the endless story. oh… a lot of thing to do. and when you have a lot to do, start with a meal!

South Africa, Zebra Hotel

South Africa, Zebra Hotel

 

# I’m on my way to South Africa

Hi all! Guess where I am now? In the dessert of cold snow, in the an international airport of Moscow on my way to Amsterdam (transit) and South Africa (the final destination). There is summer now, so from winter to summer – what’s a trip I’m going to get. Quite long trip I should say. I have not slept 3 days. My mind just freezing like beta version of Windows. But it’s worth what it costs. Far away from my den, I’m not alone. There are a lot of people here and I just enjoy talking and chasing girls. You know guys, girls are easy on trips. They’re expected to be diseased, oh, no not diseased, I mean they are just so sexy and they want what I want – find the best way to kill time.
I would rather watch girls on youtube, but wifi Internet is quite expensive here – about $10/hour. And I forgot my headset. Damn! There is so much noise, my ASUS eee has no too powerful speaker, so I hear nothing. Btw, my ASUS eee is she, not he. I’m not a gay after all. Um, don’t read this crap, I just too sleepy and type it for one reason only – do not fall asleep. It’s Moscow!!! You fall asleep and you lost everything you have had. In my case it’s ASUS eee with stuff prepared for RE-training, Nikon D80 (cheap, but good enough for me, however, I’m going to buy D300). Did I miss something? Well, cell phone, cash, etc. so, better to keep myself awake, typing any crap on my blog. Um, I will delete this post anyway :=) guess, nobody is going to read it. Well, maybe not. Maybe I’m wrong and people want to know how good (bad) Moscow it. Of course, different people have different points of view, but in general, Moscow is a huge, noise, ugly, dirty, cold city. Architecture is just awful. Much worse than Kuala-Lumpur, Tel-Aviv, Jerusalem or Amsterdam. I would not like here, I prefer to stay at my place – North Caucasus or… move to Israel, or to South Africa. Why not? Maybe I will fall in love with that place from the first sight. Who knows? The only way to find it out – check it out, making a try. So, I’m flying to South Africa.
Meanwhile – is was not easy to get my visa to South Africa! It was just a mess! We (me and Sense Post company) were very nervous about it. We all invested a lot of money and… getting a visa was a real issue, bug problem, solved from the both side. Sense Post grabbed lawyers to called to the embassy and explain how important to make a visa in time. Me? Well, I’m far away from Moscow and have no lawyers, but I asked the best traveling agency for help and it actually worked out!!! In 12 hours I’ll fly to Amsterdam. It’s about 4 hours. And about 13 hours of flying from Amsterdam to South Africa. Kind of torture, but never mind. I get used to it – changing places, planes, hotels. Sorry my terrible English. There is no dictionary, no spell-checker, and I just hate small notebook’ keyboard!!!

 

# JL/JGE Intel CPU bug as anti-reversing trick

months ago Bow Sineath (a very clever reverser!) asked me: “does JL [jump is less] instruction check ZF flag?” I said: “well, give me a second to think, well, it’s supposed to check it, otherwise it would act like JLE [jump if less or equal] and besides, JL is synonym of JNGE (jump if not great or equal), so JL should check ZF!“.

but, according to Intel’ manuals JL and JNGE check only if SF != OF. CMOVL/CMOVNGE work the same way. at that time I thought that it’s just a documentation bug and even pointed this out in my presentation on HITB 2008 conference.

fragment of Intel manual

fragment of Intel' manual

but I was wrong!!! I have checked it and found out that JL/JNGE does not check ZF flag!!! to do this I wrote extremely simple POC (if you’re too lazy to type, download source and binary):

__asm
{
mov eax, 002C2h ; S = 1, O = 0, Z = 1
push eax
popfd
jl jump_is_taken ; ==>
mov p, offset noo
jump_is_taken:
}

mov eax, 2C2h/push eax/popfd set SF with ZF and clear OF. so, SF != OF, but ZF is set. what CPU is going to do? easy to check with Olly! just load the program and start tracing. ops!!! JL is taken!!! JL ignores ZF!!! x86emu (plug-in for IDA-Pro) acts the same. didn’t check other emulators yet.

well, it’s interesting. why JL (and similar commands) ignores ZF?! guess, normal CPU command (like TEST/CMP/XOR/etc) never set ZF if result is less, so JL just ignores it. but… if we set flags manually or use other tricks… it becomes a real trap!!! consider the listing above and ask your co-worker: is the jump taken or not? I’m sure, some of them will answer: of course, the jump is not going to be taken! a good anti-reversing trick!!! I just wonder – how software is still working on buggy hardware.

JL does not check ZF flag as it is supposed to do!!!

JL does not check ZF flag as it is supposed to do!!!

 

# self-replicated processes

adown the stream of time, back in the old days… well in advance, after a while now and again everything will come in its proper time to put the clock back, for some time past – old UNIX tricks work! nothing new under the sun!

taking self-replication processes for example! Morris used this technique in his worm. the idea as simple as brilliant: a process forks every second, well, maybe not every second, but pretty often. what’s the point?! there’re two points guys! first! by default a debugger is able to debug only debugged process. the process, created by the debugged process is not debugged as well, like le vassal de mon vassal n’est pas mon vassal (“the vassal of my vassal is not my vassal“). so what?

let’s try to write a very simple program and try to debug it with Olly, IDA-Pro and Soft-Ice. we will see who is the beast and why I want to port Soft-Ice on Vista. this is the program. type it or download source and binary.

main(c, v) char **v;{if (–c) printf(v[1]), execlp(v[0], v[0], &v[1][1], 0);}

it displays the argument passed via command line cutting one char every iteration. load the execlp.exe into OllyDbg, now \Debug\Arguments\ and type something like “- – - * – *”. restart the debugger by CTRL-F2 to apply changes and start the debug.

ops!!! every time when the debugger steps over 00401022!call execlp it just loses control, allowing the debugged program to fly out! did you expect something else? like what?! no way!!! le vassal de mon vassal n’est pas mon vassal!

btw, IDA-Pro 5.3 has a bug. the debugged process attached to a new console, but all children process creates another console. the secondary console is closed when the process is terminated, but the first console is still open even the debugger is terminated. OllyDbg has no this bug.

ok, what we’re going to do? I’m not a guru, so, lets find a guru and ask him or her. I would rather want to her, but… never mind. what ever. anonymouse
said: “well then you can try using the modified commandline plugin get the latest from my repositary (i think the downloads doesn’t hold the latest one) and use its childdbg function to debug the childs in succession you can also use windbg with its .childdbg command here is a log of a session tracing this with ollydbg

well, now we can debug children process as well, but… basically they’re the same. they execute the main loop and we want to trace only this loop. we’re not interested to trace start-up code every time. we want to set breakpoints, but… breakpoint affects only the parent process!!! not good. and this is the second point!

my solution is: to use hard-coded software breakpoints. just put breakpoint wherever you want with HIEW or other hex-editor (software breakpoint is just CCh byte) and load the program under your favorite debugger (IDA-Pro as an example). just do not forget to restore the original content under CCh code. for IDA-Pro and OllyDbg is easy to write a simple script/plug-in to automate the job.

ops!!! breakpoints in children processes cause crash! yes! coz they are not under debugger!!! who is supposed to catch the breakpoint expectations?! Soft-Ice of course!!! start Soft-Ice, type “I3HERE ON“, exit from Soft-Ice and run execlp.exe w/o debugger (Soft-Ice works in background).

wow!!! now we can debug children process _with_ breakpoints!!! now, our hacker’s life is a poem!!!

ok, another example (type it or download source and binary):

main(int c, char **v)
{ printf(“\rattach to me or kill me, my PID: %d”,
GetCurrentProcessId()); Sleep(33); execlp(v[0], v[0], 0, 0);}

try to attach to it or… kill the beast! just thinking :) the solution is simple. as the last resort press CTRL-Break, but… of course, the code might ignore it, so it’s just a loophole. real code will be not breakable by this simple trick.

 

# Olly Plug-ins and MS VC

oh, not again… I got so many letters “how to build Olly plug-ins with MS VC?“. so many too decide to answer here. (feel free to skip this post if you’re experienced enough). this is going to be step-by-step guide. and the first step is…

1) go to http://www.ollydbg.de/ and download PDK 1.10
2) unpack it and see. there are Plugins.hlp (documentation, but who read documentation after all?), Plugin.h (include file with all definitions); Ollydbg.def (def file for linker), Bookmark.c/Cmdexec.c/Command.c – source code of a few simple plug-ins we’re going to build; cmdline.rtf – documentation for Cmdexec.c plug-in; there is also /VC50 folder. open it and see VC-related stuff: OLLYDBG.LIB – library file for linker, *.mak and *.ds? files for make and Visual Studio. but we’re going to build plug-ins with our hands, so… what do we need?!
3) we need: OLLYDBG.LIB, OLLYDBG.DEF and PLUGIN.H. this is all!
4) let’s try to build Bookmark.c from pure command line!
5) type: “CL.EXE /LD Bookmark.c Ollydbg.lib“, where /LD – key to make DLL (as we know plug-ins are DLLs), Bookmark.c – name of plug-in to build, Ollydbg.lib – library (it should be in current directory or any directory listed in “LIB” environment variable (type “SET LIB” to see your list of LIBs dir); PLUGIN.H should be located in the current directory (you can move it to any system include directory, just type “SET INCLUDE” to see the list);
6) ok, all system are go. we’re pressing enter, and… ops!!! PLUGIN.h wants us to specify /J key (to force compiler to use unsigned char, instead of signed char by default);
7) updated command line looks like: “CL.EXE /LD /J Bookmark.c Ollydbg.lib“, we’re pressing enter and…
8) …endless list of errors of 32 unresolved externals symbols. why?!
9) the answer is: OLLYDBG.LIB is incorrect!!! ok, we have DEF file, so no problem to create the new one;
10) “lib.exe /DEF:Ollydbg.def” (lib.exe comes with Microsoft Visual C++);
11) ok, we have a new Ollydbg.lib. lets try to build the source again… what?! the same errors!!!
12) well, DEF file is wrong and has to be fixed. open it with any text editor and replace all “_” by “”, save changes and exit (of course, we’re supposed to remove only “_” prefixes, do not touching “_” symbols in the middle of functions, but we’re lucky and there is no function with “_” in the middle);
13) run “lib.exe /DEF:Ollydbg.def” again;
14) try to build the source once more: “CL.EXE /LD /J Bookmark.c Ollydbg.lib
15) fatal error LNK1120: 8 unresolved externals
16) well, 8 is less than 32, so the progress is good and fixed .lib-file is working, but… something is still broken, but… look at names of the unresolved symbols!!!!
17) __imp__DefMDIChildProcA@16, __imp__MessageBoxA@16, __imp__CreatePopupMenu@0
18) they’re obliviously belong to USER32.lib! so, just add USER32.lib to our command line!!!
19) the final (we hope so) try look like: “cl.exe /J /DL Bookmark.c Ollydbg.lib USER32.lib
20) wow!!! it was built without any single error or warning!!! we’re very happy!!!
21) copy the fresh Bookmark.dll to Olly’ Plug-in directory and check how good (bad) it is!
22) btw, don’t forget about optimization!!! “cl.exe /Ox /J /DL Bookmark.c Ollydbg.lib USER32.lib“, where /Ox means – max. optimization (of course, feel free to use other compiler keys, whatever you want!!!)

you can download fixed version of Ollydbg.lib/Ollydbg.def. I tested it with Microsoft Visual Studio 6.0 and it works fine.

 

# Olly loads Olly to bypass anti-attach tricks /* Clerk’ trick */

the problem of anti-anti-attaching came up in conversation on the legendary wasm.ru site. Clerk (a very clever guy carring a heavy plasma gun, loaded with rounds of brilliant ideas) as always offered a very elegant, yet bizarre solution (ru). I wonder – what kind of Rasta stuff makes him so creative! well, stop to expatiate, back to business.

previous posts demonstrate numerous anti-attach tricks and most of them based on the system thread, creating by OS during attaching. here they are (the tricks): BaseThreadStartThunk => NO_ACCESS, NtRequestWaitReplyPort, DbgBreakPoint

the question is – how to ask OS do not create the system thread? to do it we should know OS internals. IDA-Pro/Soft-Ice shows us that KERNEL32!DebugActiveProcess comes to NTDLL!DbgUiDebugActiveProcess, who calls NTDLL!ZwDebugActiveProcess/ NTDLL!DbgUiIssueRemoteBreakin| NTDLL!DbgUiStopDebugging (just to dissemble NTDLL!DbgUiDebugActiveProcess to see it with your own eyes).

the point is – NTDLL!ZwDebugActiveProcess does all job, attaching a debugger to the process. . as soon as NTDLL!ZwDebugActiveProcess returns status ok, the process has been attached and can be debugger. but! operation system calls NTDLL!DbgUiIssueRemoteBreakin just to notify the debugger by generating breakpoint exception, however, we don’t need it!!!

so, what we’re going to do? I prefer to use old soft-ice with global breakpoints support. just set HW or software breakpoint on NTDLL!DbgUiDebugActiveProcess or NTDLL!ZwDebugActiveProcess and skip the rest of the function. it’s easy, but soft-ice does not work with newest operation system.

Clerk found the way how to do this with Olly. the idea is: load Olly into Olly. yeah! right!

1) load Olly into Olly /* to avoid a mess lets call the first Olly (I) and the loaded copy – Olly (II) */;
2) Olly (I): Set breakpoint on NTDLL!DbgUiDebugActiveProcess: View\Executable Modules\NTDLL.DLL, CTRL-N, “DbgUiDebugActiveProcess”, F2, ENTER;
3) Olly (I): run Olly (II): press F9 several times until right corner “paused” changed by “running” meaning that Olly (II) is still under debugging but it’s running now;
4) ALT-TAB to switch to Olly (II);
5) Olly (II): File\Attach\name_of_the_trickily_process to attach (for example: to_attach_36.exe);
6) Olly (I) pops up, the breakpoint has been triggered;
7) to_attach_36.exe is still running;
8) Olly (I): press F8 several time until NTDLL!ZwDebugActiveProcess is executed;
9) to_attach_36.exe has been stopped, Olly (II) has been attached to it, Olly (II) is stopped as well;
10) Olly (I): move cursor to the next command after NTDLL!DbgUiStopDebugging, right click to context menu and “new origin here” or simple press CTRL+Gray * (“gray” means small numeral keyboard);
11) Olly (I): press F9 to run Olly(II);
12) ALT-TAB to switch to Olly (II);
13) Olly (II) shows naked screen w/o any info, to_attach_36.exe is running;
14) Olly (II): View\Threads. do you see the only one thread? the main thread of the app?! wow!
15) Olly (II): press “pause” to stop to_attach_36.exe;
16) Olly (II) updates CPU window and from that moment we can trace to_attach_36.exe as usual;

well, you got it. a nice trick to bypass anti-attaches. it’s very powerful and universal, but does not work with PEB=>LdrData . um, every technique has its own limitations.

meanwhile, you probably know, if the process is already attached to another process, we can’t attach our debugger to it. many protections use this trick – they create a child process (packed), attaches to it for dynamic unpacking. but there is a loophole. we can attach to the parent process unless the child not attached to the father. yes!!! a debugged process can attach to the debugger!!! it looks like (parent <== attach ==> child)

I’ll write about it latter, showing you how to break this chain. for now, you can play with Clerk’s trick!

Olly loaded into Olly attached to to_attach_36.exe

Olly loaded into Olly attached to to_attach_36.exe

 

# anti-attach: BaseThreadStartThunk => NO_ACCESS

another anti-attach trick. during attaching to the process, operation system creates a thread inside it and as far as we know, every thread has the start address. the address of the system thread is BaseThreadStartThunk. it calls BaseAttachComplete, who calls DbgBreakPoint in order to raise the breakpoint exception to pass control back to debugger. so, if we block BaseThreadStartThunk somehow, DbgBreakPoint will be never called and a debugger will never get control. theoretically…

…practically, operation system notifies a debugger when a new thread is about to be created, thus a debugger does not need in DbgBreakPoint at all!!! just set Option\Debugger option\Events\Break on new thread in Olly or Debug\Debugger options\Stop on thread start/exit in IDA-Pro and enjoy!!!

but, there is something else. first of all – these options are not set by default. second of all – if the system thread issues an exception – we can’t just continue execution! we need to kill the system thread to suppress the exception – not every hacker knows it and not every debugger allows us to do it (IDA-Pro does not).

well, guess, “Break on new thread” is set. this means our debugger stops _before_ executing the first command of BaseThreadStartThunk. how we’re going to generate an exception?! it’s easy! page of BaseThreadStartThunk => NO_ACCESS! of course, operation system will send exception notification to the debugger, allowing us to kill the system thread and continue executing/tracing the main one, but as it was said above not every hacker are ready to handle this situation.

ok, lets play with this trick. be warned: it’s not safe. we can’t set no access only for BaseThreadStartThunk, it affects the whole memory page where might be essential functions, but… for W2K/XP/S2K3 it works well. just… BaseThreadStartThunk is not an exported function. so, how we’re going to find where it’s located in memory? guess, the most universal way is to create a child process, attach to it, get CREATE_THREAD_DEBUG_EVENT notification and memorize u.CreateThread.lpStartAddress.

download the sources and binary of the POC to play with.

Olly fails to attach and the only way to continue debugging is to kill the system thread

Olly fails to attach and the only way to continue debugging is to kill the system thread