![]() ![]() However, since this function should never return zero, such a result is a sure sign that the plug-in is present. If possible, Olly Invisible patches the debuggee’s ntdll CsrGetProcessId() function, so that it always returns zero. However, the current process can be specified in ways other than the pseudo-handle that is returned by the kernel32 GetCurrentProcess() function, and that must be taken into account. This method is almost unflawed, but it omits a check of whether the current process is specified. If all of these requirements are met, Olly Invisible writes a zero to the memory address at which the ProcessInformation parameter points. If no error occurred, then the block checks if the ProcessInformationClass is the ProcessDebugPort class, and that the ProcessInformation parameter is non-zero, and then checks that four bytes are writable at the specified memory address. This block calls the original ntdll NtQueryInformationProcess() function, and then checks whether an error occurred. Olly Invisible hooks the debuggee’s ntdll NtQueryInformationProcess() function in the same way again, replacing the first six bytes of the function with an indirect jump to a dynamically allocated block of memory. In this case the block always returns zero, regardless of the value in the PEB->BeingDebugged flag. The plug-in hooks the debuggee’s kernel32 IsDebuggerPresent() function in the same way – by replacing the first six bytes of the function with an indirect jump to a dynamically allocated block of memory. ![]() ![]() This block attempts to replace all ‘%’ characters with ‘_’ in the message. ![]() Similarly, Olly Invisible hooks the debuggee’s kernel32 OutputDebugStringW() function by replacing the first six bytes with an indirect jump to a dynamically allocated block of memory. The plug-in hooks the debuggee’s kernel32 OutputDebugStringA() function by replacing the first six bytes with an indirect jump to a dynamically allocated block of memory. However, a bug in the routine causes it to miss the last character in the string. Olly Invisible hooks the code in OllyDbg that is reached when it is formatting the kernel32 OutputDebugStringA() string, and then attempts to replace all ‘%’ characters with ‘ ’ in the message. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |