Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   help patching apis (https://forum.exetools.com/showthread.php?t=9026)

Shub-Nigurrath 01-24-2006 21:13

help patching apis
 
Hi all,
to write a tool of mine, I'm searching for info on how to patch these APIs/structures:

-Hide NtGlobalFlag
-Hide ProcessHeapFlag
-Patch ZwQueryInformationProcess (==patch UnhandledExceptionFilter)
-Patch ZwSetInformationThread
-Patch CheckRemoteDebuggerPresent
-Patch OutputDebugStringA

Detailed info (how to patch, when, what, where) is welcome! If some info is not good for the public, tell me and send it to me by PM; I guarantee I will not spread it!

At least these are almost all I know should be patched; I just don't know how to do it.

10x in advance for answers..

Human 01-24-2006 21:52

You can look in pnluck's tutorial for
-Hide NtGlobalFlag
-Hide ProcessHeapFlag
also isdebug, since it's PEB and TEB patching.
But in my OEPfind, when I just patch isdebpresent (PEB+2) it also patches 2 others; don't know how with Olly, maybe they are necessary.

Control of BeingDebugged
004XXXXX MOV EAX,DWORD PTR FS:[30]      ; FS:[30] returns the PEB address
...
004XXXXX ADD EAX,2                      ; PEB+2 is the BeingDebugged byte
004XXXXX MOV EAX,DWORD PTR DS:[EAX]     ; AL is 0 (no debugger) or 1 (debugger present)
...
004XXXXX OR AL,AL
004XXXXX JE UnPackMe.004F2C67

Control of ProcessHeap
004XXXXX MOV EAX,DWORD PTR FS:[18]      ; FS:[18] returns the TEB address
... after some operations
004XXXXX MOV EAX,DWORD PTR [EAX+30]     ; TEB+0x30 returns the PEB address
... after some operations
004XXXXX MOV EAX,DWORD PTR [EAX+18]     ; PEB+0x18 returns the ProcessHeap address
004XXXXX CMP DWORD PTR DS:[EAX+10],0    ; heap+0x10 is 0 (no debugger) or other values (debugger present)

Control of NtGlobalFlag
004XXXXX MOV EAX,DWORD PTR FS:[30]      ; FS:[30] returns the PEB address
004XXXXX ADD EAX,8E4180C9
004XXXXX ADD EAX,71BE7F9F               ; the two adds wrap to EAX = PEB+0x68: address of NtGlobalFlag
004XXXXX MOV EAX,DWORD PTR DS:[EAX]     ; NtGlobalFlag is 0x70 (debugger present) or 0

For ZwQuery you can look inside my OEPfind.

For ProcessHeap, what I encountered when I tried to apply it to OEPfind: on create_process you can't do it, because the heap doesn't exist yet, only when you are at the EP.

Another problem you will encounter is that on create_process only the exe and ntdll.dll are loaded; kernel32 and user32 load later, so you have to make the plugin or patch wait until they are loaded and then patch.

adaptor 01-24-2006 21:56

-Hide NtGlobalFlag, -Hide ProcessHeapFlag
On XP+ simply add _NO_DEBUG_HEAP=1 to the system environment :)

-Patch ZwQueryInformationProcess
If the second parameter is ProcessDebugPort (7), execute the original API, then simply put zero at the address extracted from the third parameter.

-ZwSetInformationThread
If the second parameter is HideFromDebugger (11h), simply return with stack correction and zero in EAX.

-Patch CheckRemoteDebuggerPresent
No need to patch, because it uses ZwQueryInformationProcess to detect the debugger :)

NeOXOeN 01-24-2006 22:51

For "Hide NtGlobalFlag" you have the NtGlobalFlag v1.0 OllyDbg plugin by stingduk (on BiW Reversing); it comes with source..

bye

Messer 01-25-2006 02:41

If you want to destroy OutputDebugString -> just patch a retn 4 at the beginning of this API.

Else follow Param1 and put 0x00 there. Then just execute OutputDebugString.

Both methods should fix the vulnerability of Olly.

You'd better just patch if the machine is Win2k/2k3/XP. On Win 9x/ME every application shares its system DLLs with every other process, afaik.

When to patch: I think it's the best to patch at EP.
Where to patch: Kernel32.dll and other System-DLLs on runtime.
How to patch: Maybe just put a JMP <to your code> in every API that needs to get modified. You may use VirtualAlloc to get some free space to put your code somewhere. Just execute it on EP, put your code to handle APIs to new allocated space, put your JMPs in the APIs and then restore EP and jump back.
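A portable C model of the three hook filters adaptor and Messer describe above (ZwQueryInformationProcess with ProcessDebugPort, ZwSetInformationThread with HideFromDebugger, and the "put 0x00 at Param1" treatment of OutputDebugStringA), added here as an example and not code from the thread or from anyone's plugin. The "original" APIs are stand-in stubs so it runs outside Windows; the hook_* and stub_* names, the stub behaviour and the sample "%s%s%s" string are assumptions, while the 7 and 0x11 class values are the ones given in the thread.

```c
#include <stdint.h>
typedef long NTSTATUS;
#define STATUS_SUCCESS 0L
#define ProcessDebugPort 7          /* PROCESSINFOCLASS value CheckRemoteDebuggerPresent asks for */
#define ThreadHideFromDebugger 0x11 /* THREADINFOCLASS value from adaptor's post */
typedef NTSTATUS (*QueryProcFn)(void *, int, void *, uint32_t, uint32_t *);
typedef NTSTATUS (*SetThreadFn)(void *, int, void *, uint32_t);
typedef void (*OdsFn)(const char *);

/* Constructed stand-ins for the real ntdll/kernel32 entry points (assumption:
 * a real hook would reach the originals through a trampoline). */
static NTSTATUS stub_query(void *p, int cls, void *buf, uint32_t len, uint32_t *rl) {
    (void)p; (void)rl;
    if (cls == ProcessDebugPort && len >= sizeof(uintptr_t))
        *(uintptr_t *)buf = 0xDEB0;   /* pretend a debug port exists */
    return STATUS_SUCCESS;
}
static NTSTATUS stub_set_thread(void *t, int cls, void *i, uint32_t len) {
    (void)t; (void)cls; (void)i; (void)len; return STATUS_SUCCESS;
}
static void stub_ods(const char *msg) { (void)msg; }

/* ZwQueryInformationProcess hook: run the original first (other info classes
 * must keep working), then zero the ProcessDebugPort answer it wrote. */
NTSTATUS hook_query(QueryProcFn orig, void *p, int cls, void *buf, uint32_t len, uint32_t *rl) {
    NTSTATUS st = orig(p, cls, buf, len, rl);
    if (cls == ProcessDebugPort && st == STATUS_SUCCESS && buf && len >= sizeof(uintptr_t))
        *(uintptr_t *)buf = 0;
    return st;
}
/* ZwSetInformationThread hook: never forward HideFromDebugger, just report
 * success; any other class goes through to the original. */
NTSTATUS hook_set_thread(SetThreadFn orig, void *t, int cls, void *i, uint32_t len, int *forwarded) {
    if (cls == ThreadHideFromDebugger) { *forwarded = 0; return STATUS_SUCCESS; }
    *forwarded = 1;
    return orig(t, cls, i, len);
}
/* OutputDebugStringA hook (Messer's second method): truncate the string in
 * place, then call the original so format directives never reach the debugger. */
void hook_ods(OdsFn orig, char *msg) {
    if (msg) msg[0] = '\0';
    orig(msg);
}
/* Exercises the three hooks against the stubs; returns 1 when all behave. */
int run_checks(void) {
    uintptr_t port = 0xFFFF; uint32_t rl = 0; int fwd = -1; char ods[] = "%s%s%s";
    if (hook_query(stub_query, 0, ProcessDebugPort, &port, sizeof port, &rl) != STATUS_SUCCESS || port) return 0;
    if (hook_set_thread(stub_set_thread, 0, ThreadHideFromDebugger, 0, 0, &fwd) != STATUS_SUCCESS || fwd) return 0;
    hook_ods(stub_ods, ods);
    return ods[0] == '\0';
}
```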

deroko 01-25-2006 05:19

Quote:

Originally Posted by Messer
When to patch: I think it's the best to patch at EP.

better is when primary thread is suspended =) So some protectors like execryptor can't use OutputDebugStringA from TLS callback =) I'm still wondering why don't protection developers create a shellcode instead of %s%s%s, shellcode that will redirect eip to ExitProcess in olly so it will take a while for someone that didn't patch OutputDebugStringA to figure what is going on =) just rewrite ret address with offset of: push 0, call ExitProcess within olly.
:D

upb 01-26-2006 09:44

maybe it's for the same reason they use three %s's when one %n would be enough or smth

Shub-Nigurrath 01-26-2006 17:16

10x a lot to everyone, time to read all the suggestions.. I'm writing a tutorial using them also; greetings will be inside of course.

