Unseen Debugger Detection (Ollydbg)

When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.

SoftICE don't use the Debug API, that is the reason that this trick don't detect it.

Regards,
Opc0de

Quote:

Originally Posted by Opc0de

When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.

SoftICE don't use the Debug API, that is the reason that this trick don't detect it.

Regards,
Opc0de

Thanks for the tech info, thats what i was looking for

[taos]

I can add some info too. (Source code/Executable)
(When you run it, Olly crash)

[upb]

LPVOID AddrZwQueryInformationProcess = (LPVOID)-1;
BYTE SavedByteZwQueryInformationProcess = 0;

bool DisableZwQueryInformationProcessDebugPort(void)
{
DWORD numread;
BYTE bFE = 0xFE;
HMODULE ntdll = GetModuleHandle("ntdll.dll");
AddrZwQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess");
ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);
return true;
}

bool ZwQueryInformationProcessTracer(DEBUG_EVENT evt)
{
DWORD numread;
BYTE bFE = 0xFE;

ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);

return false; // end trace
}


in debug loop:
if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION &&
evt.u.Exception.ExceptionRecord.ExceptionAddress == AddrZwQueryInformationProcess)
{
hthread = ThreadIdToHandle(evt.dwThreadId);

DWORD stack[6];
DWORD numread;
ReadProcessMemory(hproc, (LPVOID)ctx.Esp, &stack, sizeof(DWORD) * 6, &numread);
MsgBoxF("ZwQueryInformationProcess trapped >%08X (%08X, %08X, %08X)", stack[0], stack[1], stack[2], stack[3]);
if (stack[2] == 7)
{
DWORD d0 = 0;
WriteProcessMemory(hproc, (LPVOID)stack[3], &d0, 1, &numread);
d0 = ctx.Esp - 4 * 3;
WriteProcessMemory(hproc, (LPVOID)(ctx.Esp + 3 * 4), &d0, sizeof(DWORD), &numread);
}
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
StartTrace(hthread, ZwQueryInformationProcessTracer);
ContinueStatus = DBG_CONTINUE;
} else

// note: plz do not rip this code 1:1 into any pulumbium tutorials

[bilbo]

I tried with a more polite solution, but I had no success...

I closed the DebugObject handle remotely (WinXP), using a CreateRemoteThread and CloseThread as thread address, and, as soon as I did so, I lost the debuggee control from the debugger...

Regards, bilbo

[upb]

well doh, the debug port exists for a purpose...
guess what is used for

[bilbo]

thx for the explanation, upb...
I would never have been able to find it myself ;-)
bilbo