#8
05-09-2005, 10:59
TQN
Hi asterix !
Sorry for my mistake when I assumed your plugin caused the LDR_SNAPS string to turn off in OllyDbg. I have found the problem. When the system loader loads an EXE, if Loader Snaps are turned on, it uses ntdll.DbgPrint to print the loader snap strings. ntdll.DbgPrint calls the ntdll.vDbgPrintExWithPrefix function, and in this function it checks the PEB.BeingDebugged flag. If the flag is on, it calls ntdll.RtlRaiseException with OUTPUT_DEBUG_STRING_EVENT, and if the flag is off, it returns.
Code:
ntdll.DbgPrint:
77F7093C    50                  push    eax
77F7093D    FF7424 08           push    dword ptr ss:[esp+8]
77F70941    6A 00               push    0
77F70943    6A FF               push    -1
77F70945    68 D240F777         push    ntdll.77F740D2
77F7094A    E8 25ABFEFF         call    ntdll.vDbgPrintExWithPrefix
77F7094F    C3                  ret
....
ntdll.vDbgPrintExWithPrefix:
.......
77F70875    E8 08FFFFFF         call    ntdll._vsnprintf
77F7087A    83C4 10             add     esp, 10
77F7087D    03F0                add     esi, eax
77F7087F    8975 E4             mov     dword ptr ss:[ebp-1C], esi
77F70882    834D FC FF          or      dword ptr ss:[ebp-4], FFFFFFFF
77F70886    3BFB                cmp     edi, ebx
77F70888    0F8C 8DFF0000       jl      ntdll.77F8081B
77F7088E    83FE FF             cmp     esi, -1
77F70891    0F84 97FF0000       je      ntdll.77F8082E
77F70897    8D85 E4FDFFFF       lea     eax, dword ptr ss:[ebp-21C]
77F7089D    8985 DCFDFFFF       mov     dword ptr ss:[ebp-224], eax
77F708A3    66:89B5 D8FDFFFF    mov     word ptr ss:[ebp-228], si
77F708AA    64:A1 18000000      mov     eax, dword ptr fs:[18]  ; CHECK PEB.BeingDebugged here
77F708B0    8B40 30             mov     eax, dword ptr ds:[eax+30]
77F708B3    3858 02             cmp     byte ptr ds:[eax+2], bl
77F708B6    0F85 80FF0000       jnz     ntdll.77F8083C
.....
77F8083C    C785 88FDFFFF 06000>mov     dword ptr ss:[ebp-278], 40010006
77F80846    899D 90FDFFFF       mov     dword ptr ss:[ebp-270], ebx
77F8084C    C785 98FDFFFF 02000>mov     dword ptr ss:[ebp-268], 2
77F80856    899D 8CFDFFFF       mov     dword ptr ss:[ebp-274], ebx
77F8085C    0FB785 D8FDFFFF     movzx   eax, word ptr ss:[ebp-228]
77F80863    40                  inc     eax
77F80864    8985 9CFDFFFF       mov     dword ptr ss:[ebp-264], eax
77F8086A    8B85 DCFDFFFF       mov     eax, dword ptr ss:[ebp-224]
77F80870    8985 A0FDFFFF       mov     dword ptr ss:[ebp-260], eax
77F80876    C745 FC 01000000    mov     dword ptr ss:[ebp-4], 1
77F8087D    8D85 88FDFFFF       lea     eax, dword ptr ss:[ebp-278]
77F80883    50                  push    eax
77F80884    E8 1E08FDFF         call    ntdll.RtlRaiseException
Continue with your great work !
Best regards,
TQN
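To make the second listing easier to read, here is an added example (not TQN's code and not ntdll's): a portable C model of the EXCEPTION_RECORD that vDbgPrintExWithPrefix fills at [ebp-278] before calling RtlRaiseException, with the PEB.BeingDebugged branch in front of it. Field widths model 32-bit x86 so the struct offsets line up with the frame offsets in the listing; the sample length and buffer address are constructed values.

```c
/* Added example: models the tail of ntdll.vDbgPrintExWithPrefix as shown in
 * the disassembly above.  Not ntdll code; 32-bit field widths on purpose. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBG_PRINTEXCEPTION_C 0x40010006u  /* the 40010006 stored at [ebp-278] */

/* 32-bit EXCEPTION_RECORD layout; the comments give the frame slot
 * written in the listing (base [ebp-278]). */
struct exception_record32 {
    uint32_t ExceptionCode;            /* [ebp-278] = 40010006            */
    uint32_t ExceptionFlags;           /* [ebp-274] = ebx (0)             */
    uint32_t ExceptionRecord;          /* [ebp-270] = ebx (0), no nesting */
    uint32_t ExceptionAddress;         /* [ebp-26C], not written here     */
    uint32_t NumberParameters;         /* [ebp-268] = 2                   */
    uint32_t ExceptionInformation[15]; /* [0] at [ebp-264], [1] at [ebp-260] */
};

static struct exception_record32 g_rec;

/* Mirrors the cmp at 77F708B3: PEB.BeingDebugged (PEB+2) against ebx (0).
 * Returns NULL when the function would simply return (no debugger), or the
 * filled record that would be passed to RtlRaiseException.
 * formatted_len is the _vsnprintf result kept in si; buffer_addr is the
 * lea eax,[ebp-21C] value saved at [ebp-224]. */
const struct exception_record32 *model_vdbgprint_tail(uint8_t being_debugged,
                                                      uint16_t formatted_len,
                                                      uint32_t buffer_addr)
{
    if (being_debugged == 0)
        return NULL;                     /* jnz not taken: silent return */
    memset(&g_rec, 0, sizeof g_rec);
    g_rec.ExceptionCode = DBG_PRINTEXCEPTION_C;
    g_rec.ExceptionFlags = 0;
    g_rec.ExceptionRecord = 0;
    g_rec.NumberParameters = 2;
    g_rec.ExceptionInformation[0] = (uint32_t)formatted_len + 1; /* movzx; inc eax */
    g_rec.ExceptionInformation[1] = buffer_addr;                 /* string pointer */
    return &g_rec;
}

int main(void)
{
    /* Constructed sample: an 11-byte message sitting at 0x0012FF00. */
    const struct exception_record32 *r = model_vdbgprint_tail(1, 11, 0x0012FF00u);
    printf("code=%08X params=%u len+1=%u buf=%08X\n", r->ExceptionCode,
           r->NumberParameters, r->ExceptionInformation[0], r->ExceptionInformation[1]);
    return 0;
}
```

Comparing the struct offsets with the frame slots in the listing is a quick way to confirm that the block starting at 77F8083C is an EXCEPTION_RECORD fill and nothing else.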