Exetools - Unseen Debugger Detection (Ollydbg)

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Unseen Debugger Detection (Ollydbg) (https://forum.exetools.com/showthread.php?t=8211)

Unseen Debugger Detection (Ollydbg)

Maybe somebody came across this before, but i just came across it in a program, it kept catching me, and i couldnt for the life find where, finally after a while i came across the following, and emulated it here, any discussion if you saw it, would be nice.

The program calls ZwQueryObject, with a null handle and fills the OBJECT_ALL_TYPES_INFORMATION structure, it checks if the current object type is "DebugObject", if it is, it then checks if pObject->TotalNumberOfHandles, and pObject->TotalNumberOfObjects are greater than 0, if they then the program is being debugged, i didnt try it with softice, as i didnt get it installed yet, but it detects ollydbg just fine.

Heres the emulated code i wrote, and the compiled exe:

Hello Peter[Pan],

It looks good idea...though I have executed it in my WinXP SP2 withouth any debugger and it detects debugger :(

I'll have a deeper look as soon as I can.

Weird, try uncommenting the printf's and comparing when you have no debugger active etc, should see some differnces, maybe only 1 of the two i saw is affected, also iam running winxp sp2, and both were changed.

No Debugger:
TypeName: DebugObject
DefaultNonPagedPoolCharge: 30
DefaultPagedPoolCharge: 0
GenericMapping: 20001
HighWaterNumberOfHandles: 5
HighWaterNumberOfObjects: 6
InvalidAttributes: 0
MaintainHandleCount: 0
PoolType: 0
SecurityRequired: 1
TotalNumberOfHandles: 0
TotalNumberOfObjects: 0

Debugger:
TypeName: DebugObject
DefaultNonPagedPoolCharge: 30
DefaultPagedPoolCharge: 0
GenericMapping: 20001
HighWaterNumberOfHandles: 5
HighWaterNumberOfObjects: 6
InvalidAttributes: 0
MaintainHandleCount: 0
PoolType: 0
SecurityRequired: 1
TotalNumberOfHandles: 1
TotalNumberOfObjects: 1

winXP+SP1

ollydbg 1.10, not patched, with olly invisible plugin
-- it detects debugger

softice in DS3.2, without any plugin
-- it didn't detect debugger

:)

When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.

SoftICE don't use the Debug API, that is the reason that this trick don't detect it.

Regards,
Opc0de

I tried to write a debugger loader (createprocess in debug mode) which calls the ZwSetInformationObject just after having se to 0 those two values, just before resuming detect.exe, and I still get the detection message..

humm interesting..

in win98 everything goes ok, there is no message..... any explanation?

Quote:

Originally Posted by Opc0de

Thanks for the tech info, thats what i was looking for :)

I can add some info too. (Source code/Executable)
(When you run it, Olly crash)

to me it doesn't crash, Olly it's still alive after debugging of this..

Taos, what exactly is the difference between system and process debugger (as shown in your example?) I dont have SI installed to test but is that what it's referring to?

Shub: I think he was referring to his version that crashes in olly. Although when I run it, it detects a process debugger (same w/ msvs it detects process debugger). I think by crash he means it keeps running and doesn't stop. But it's definitately detected.

very interesting pan

Quote:

Originally Posted by Shub-Nigurrath

to me it doesn't crash, Olly it's still alive after debugging of this..

Yeah, but can you restart app? can you terminate app inside Olly?
can you pause and continue?. You can not use Olly to debug another app, you must exit.
App crash when you run it with Olly too.

Quote:

Originally Posted by Viasek

what exactly is the difference between system and process debugger (as shown in your example?)

System debugger is a SO internal installed debug (it runs at boot), like WinDbg from M$. Procees debugger is like Olly.

taos, effectively deepeer look revealed those strange things..any glue why?

I were also thinking a way to overcome the problem raised by the first post of this thread: how can I access that structure in a given process so as to proper values?

I mean, it's easily possible to patch the ZwQueryObject to return a null buffer and a null lenght, but it's not elegant. For example to avoid IsDebuggerPresent and similar checks, the most elegant way was to access the PEB block and change some values instead of patching the API.
Is such approach still doable with the OBJECT_ALL_TYPES_INFORMATION structure, where it is stored in a process?
I did some tests but were not able to find it or to find some specifications around.

Shub-Nigurrath, the information is actually gathered from kernel memory, at least its the case for DebugPort, only way to reset this is, by writing to kernel memory, which in some cases could be bad, take a look at:

http://illhostit.com/files/1787442368222872/Winject%201.5c%20(exe).rar

Last time i checked it was able to reset DebugPort from user mode, the way i think they are doing it is by getting the _EPROCESS struct for that particular process id, then doing some hacking to read/write to the memory of ->DebugPort and resetting it, which would be in kernel memory.

Atm iam solving with a kmd the DebugObject problem, but a usermode solution would be preferable.

LPVOID AddrZwQueryInformationProcess = (LPVOID)-1;
BYTE SavedByteZwQueryInformationProcess = 0;

bool DisableZwQueryInformationProcessDebugPort(void)
{
DWORD numread;
BYTE bFE = 0xFE;
HMODULE ntdll = GetModuleHandle("ntdll.dll");
AddrZwQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess");
ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);
return true;
}

bool ZwQueryInformationProcessTracer(DEBUG_EVENT evt)
{
DWORD numread;
BYTE bFE = 0xFE;

ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);

return false; // end trace
}

in debug loop:
if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION &&
evt.u.Exception.ExceptionRecord.ExceptionAddress == AddrZwQueryInformationProcess)
{
hthread = ThreadIdToHandle(evt.dwThreadId);

DWORD stack[6];
DWORD numread;
ReadProcessMemory(hproc, (LPVOID)ctx.Esp, &stack, sizeof(DWORD) * 6, &numread);
MsgBoxF("ZwQueryInformationProcess trapped ;) >%08X (%08X, %08X, %08X)", stack[0], stack[1], stack[2], stack[3]);
if (stack[2] == 7)
{
DWORD d0 = 0;
WriteProcessMemory(hproc, (LPVOID)stack[3], &d0, 1, &numread);
d0 = ctx.Esp - 4 * 3;
WriteProcessMemory(hproc, (LPVOID)(ctx.Esp + 3 * 4), &d0, sizeof(DWORD), &numread);
}
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
StartTrace(hthread, ZwQueryInformationProcessTracer);
ContinueStatus = DBG_CONTINUE;
} else

// note: plz do not rip this code 1:1 into any pulumbium tutorials