posted by 블르샤이닝 2011. 12. 15. 14:31
Source:


It's been a while since I played with packing/unpacking tricks, so I am going to pick a few fancy tricks and try to explain them in detail.

The story began when I was trying to analyze a security issue in an infamous application. I tried to attach OllyDbg to the running process, but the process immediately crashed. I quickly googled "anti-attach tricks" and found many useful links.

In the next few posts, I am going to explain those anti-attach tricks.

To understand those tricks, and perhaps come up with new ones, it helps to first understand how debuggers attach themselves to running processes.

The main idea behind attaching is that the debugger calls the "DebugActiveProcess" function, which ends up calling the "RtlCreateUserThread" function to create a new remote thread in the target process, with the "DbgUiRemoteBreakin" function as the new thread's entry point.

Thread creation happens in the "DbgUiIssueRemoteBreakin" function, which looks something like the highlighted line in the image below.


As far as I can see, one way to prevent debuggers from attaching to a process is to hook the "DbgUiRemoteBreakin" or "DbgBreakPoint" function.

I wrote a simple executable to demonstrate that. It overwrites the first byte of the "DbgUiRemoteBreakin" function with 0xC3, the opcode for retn, so any remote thread that starts there returns immediately. Similarly, we can patch the "DbgBreakPoint" function.



Trying to attach to such a process, as you can see in the image below, results in an access violation.
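To see whether a process carries this kind of anti-attach patch before attaching, an analyst can read the first bytes of the two prologues named above and classify them. The following is an added example written for this post, not the author's demonstration executable or plugin: `classify_prologue` recognises a planted retn (the trick described here) plus the other common inline-hook shapes, and `read_ntdll_prologue` fetches the bytes from a target process; the Windows part is guarded by `#ifdef _WIN32`, and it assumes ntdll.dll is mapped at the same base in the inspecting and the target process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
enum patch_kind { PATCH_NONE = 0, PATCH_RET, PATCH_INT3, PATCH_JMP, PATCH_PUSH_RET, PATCH_DIFFERS };
/* Classify prologue bytes p[0..n). ref (may be NULL) is the same bytes taken from a
 * process known to be clean; any other difference is then reported as PATCH_DIFFERS. */
enum patch_kind classify_prologue(const unsigned char *p, size_t n, const unsigned char *ref)
{
    if (n == 0) return PATCH_NONE;
    if (p[0] == 0xC3 || p[0] == 0xC2) return PATCH_RET;   /* retn / retn imm16: the trick in this post */
    if (p[0] == 0xCC) return PATCH_INT3;                  /* int3 */
    if (p[0] == 0xE9 || p[0] == 0xEB) return PATCH_JMP;   /* jmp rel32 / rel8: a classic inline hook */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return PATCH_PUSH_RET; /* push imm32 ; retn */
    if (ref && memcmp(p, ref, n) != 0) return PATCH_DIFFERS;
    return PATCH_NONE;
}
#ifdef _WIN32
/* Read the first n bytes of ntdll!name from process pid (0 = this process). Assumes ntdll.dll
 * sits at the same base in both processes, so the address resolved here is valid in the target. */
size_t read_ntdll_prologue(DWORD pid, const char *name, unsigned char *out, size_t n)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, name) : NULL;
    if (!fn) return 0;
    if (pid == 0) { memcpy(out, (const void *)fn, n); return n; }
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (!h) return 0;
    SIZE_T got = 0;
    ReadProcessMemory(h, (LPCVOID)fn, out, n, &got);
    CloseHandle(h);
    return (size_t)got;
}
/* Usage: checkattach.exe [pid]   (no pid = inspect this process) */
int main(int argc, char **argv)
{
    static const char *names[] = { "DbgUiRemoteBreakin", "DbgBreakPoint" };
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 10) : 0;
    for (int i = 0; i < 2; i++) {
        unsigned char buf[8];
        size_t n = read_ntdll_prologue(pid, names[i], buf, sizeof buf);
        const char *v = !n ? "unreadable" : classify_prologue(buf, n, NULL) ? "PATCHED" : "looks clean";
        printf("%s: %s\n", names[i], v);
    }
    return 0;
}
#endif
```

Passing a reference copy read from a freshly started, trusted process catches patches that do not start with one of the listed opcodes.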


Bypassing this trick is pretty easy: use OllyDbg to debug itself, set a breakpoint on the "RtlCreateUserThread" function call, and modify its seventh parameter to point to any int3 in the target process address space.

Once execution stops at the int3 (in the debugged OllyDbg), kill the current thread.

This way we can bypass any API patching, regardless of which function is patched in the target process address space.

This bypass trick is impractical to repeat by hand, so I decided to write a simple OllyDbg plugin for this situation. The plugin simply patches the "DebugActiveProcess" function in ollydbg.exe to jump to the plugin code. The code gets the target process identifier (pid) from the stack and then writes a few instructions to the "DbgUiRemoteBreakin" function prologue in that process address space.

Here you can download the plugin DLL.

N.B. This write-up is based on analysis conducted on Windows XP SP3. Soon, I will extend it to include later operating systems.

N.B. The plugin has only been tested on Windows XP SP3.
