- =A small piece of documentation I wrote. It is one of the anti-debugging techniques I used in the malware I made myself.=
- Windows NT data structures: TIB ==> PEB (an opaque type)
- The PEB address can be reached through the FS segment register: FS points at the TIB (Thread Information Block, also called the Thread Environment Block), and at TIB offset 0x30 (30h) lies the linear address of the PEB.
- img diagram: http://1.bp.blogspot.com/-qu8V9tv1p2I/T9Hby63yfAI/AAAAAAAAACA/wlwHTQMkgmU/s1600/finding_kernel32.png
- Reading the PEB pointer from the TIB
- INSTRUCTION (1)
- http://en.wikipedia.org/wiki/Win32_Thread_Information_Block#Contents_of_the_TIB_.2832-bit_Windows.29
- Position    Length   Windows Versions   Description
- FS:[0x30]   4        NT                 Linear address of the Process Environment Block (PEB)
- The PEB address is loaded with a mov instruction
- INSTRUCTION (2)
- Inside the PEB sits the BeingDebugged field, at offset 0x0002
- Ref:
- blog.rewolf.pl/blog/wp-content/uploads/2013/03/PEB_Evolution.pdf
- x86 offset         Field Name                     x64 offset
- offset:bit(len)                                   offset:bit(len)
- 0x0002             unsigned char BeingDebugged    0x0002
- ======================================================================================================
- Extra segment register used: FS. FS is commonly used by OS kernels to reach thread-specific memory; on Windows, the FS register points at the current thread's TIB and is used to manage thread-specific memory.
- asm (Intel syntax)
- mov EAX, FS:[0x30]             ; #1 EAX = linear address of the PEB
- movzx EAX, BYTE PTR [EAX+2]    ; #2 EAX = PEB->BeingDebugged (a one-byte field, so load a byte, not a dword)
- C: my malware source :)
- #include <stdio.h>
- /* Returns PEB->BeingDebugged: non-zero while a debugger is attached. 32-bit Windows only. */
- unsigned char antideb(void)
- {
-     unsigned int flag;
-     /* AT&T syntax: load the PEB pointer from FS:[0x30], then zero-extend the byte at PEB+2.
-        The compiler chooses the register (%0), so EAX is neither hard-coded nor left undeclared as a clobber. */
-     __asm__ volatile("movl %%fs:0x30, %0\n\t"
-                      "movzbl 2(%0), %0"
-                      : "=r"(flag)
-                      :
-                      : "memory");
-     return (unsigned char)flag;
- }
- int main(void)
- {
-     printf("%x\n", antideb());
-     /* validate the result and carry on happily :) */
-     return 0;
- }
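A defender-side complement to the check above: this C scanner, added here and not part of the paste, looks for the paste's instruction pair (a `mov eax, fs:[0x30]` followed closely by a byte read at PEB+2) in a raw code buffer, the way a simple static signature would. The byte encodings follow the Intel instruction format, and the sample buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Encodings follow the Intel instruction format; 0x64 is the FS segment override prefix. */
static const uint8_t FS30_MOFFS[] = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00};       /* mov eax, fs:[0x30]       */
static const uint8_t FS30_MODRM[] = {0x64, 0x8B, 0x05, 0x30, 0x00, 0x00, 0x00}; /* mov eax, fs:[0x30] (8B)  */
static const uint8_t PEB2_MOV8[]  = {0x8A, 0x40, 0x02};                         /* mov al, [eax+2]          */
static const uint8_t PEB2_MOVZX[] = {0x0F, 0xB6, 0x40, 0x02};                   /* movzx eax, byte [eax+2]  */
static const uint8_t PEB2_MOV32[] = {0x8B, 0x40, 0x02};                         /* mov eax, [eax+2] (paste) */

static int starts_with(const uint8_t *p, size_t avail, const uint8_t *pat, size_t n)
{
    return avail >= n && memcmp(p, pat, n) == 0;
}

/* Returns the offset of a "mov eax, fs:[0x30]" that is followed within 16 bytes
 * by a read of PEB+2 (BeingDebugged), or -1 if the buffer holds no such pair. */
long find_peb_beingdebugged_check(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t n = 0;
        if (starts_with(buf + i, len - i, FS30_MOFFS, sizeof FS30_MOFFS))
            n = sizeof FS30_MOFFS;
        else if (starts_with(buf + i, len - i, FS30_MODRM, sizeof FS30_MODRM))
            n = sizeof FS30_MODRM;
        if (n == 0) continue;
        /* The PEB pointer load must be followed closely by the BeingDebugged read. */
        for (size_t j = i + n; j < len && j < i + n + 16; j++) {
            if (starts_with(buf + j, len - j, PEB2_MOV8, sizeof PEB2_MOV8) ||
                starts_with(buf + j, len - j, PEB2_MOVZX, sizeof PEB2_MOVZX) ||
                starts_with(buf + j, len - j, PEB2_MOV32, sizeof PEB2_MOV32))
                return (long)i;
        }
    }
    return -1;
}

/* Constructed sample: a small prologue, then the paste's two instructions. */
static const uint8_t SAMPLE[] = {
    0x55, 0x89, 0xE5,                   /* push ebp; mov ebp, esp */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, /* mov eax, fs:[0x30]     */
    0x8B, 0x40, 0x02,                   /* mov eax, [eax+2]       */
    0x85, 0xC0, 0x75, 0x02,             /* test eax, eax; jnz +2  */
    0x5D, 0xC3                          /* pop ebp; ret           */
};

int main(void)
{
    printf("check found at offset %ld\n", find_peb_beingdebugged_check(SAMPLE, sizeof SAMPLE)); /* 3 */
    return 0;
}
```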
- Debug screen:
- http://f-picture.net/lfp/s004.radikal.ru/i205/1411/88/20ffac09e12d.png/htm
- #eminghuliev,@st1ll_di3