waliedassar

Some Anti-Attaching Candidate Functions

Jan 25th, 2013
293
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. Windows XP (32-bit):
  5. KiUserApcDispatcher-calls->LdrInitializeThunk-calls->LdrpInitialize-calls->LdrpInitializeThread
  6.                    -calls->ZwContinue(pContext,..);
  7.  
  8. N.B. KiUserApcDispatcher, LdrInitializeThunk, and ZwContinue are exported from ntdll.dll.
  9. N.B. In normal threads ZwContinue is called with "EIP" in CONTEXT set to "kernel32!BaseThreadStartThunk"
  10. and "EAX" set to user-defined entrypoint. i.e. BaseThreadStartThunk is reponsible for redirecting
  11. execution to the user-defined entrypoint. But in "DebugActiveProcess" threads "EIP" in CONTEXT is
  12. directly set to the "DbgUiRemoteBreakin" function and "EAX" is set to zero.
  13.  
  14. N.B. Even though the "BaseThreadStartThunk" function is not exported from kernel32.dll, we can still
  15. resolve its address by creating any process in debugging state CreateProcess(DEBUG_PROCESS) and
  16. inspecting the "lpStartAddress" field of the "CREATE_THREAD_DEBUG_INFO" structure. 
  17. -----------------------------------------------------------------
  18. Windows 7 (32-bit):
  19. LdrInitializeThunk-calls->LdrpInitialize-calls->LdrpInitializeThread-->RtlIsCurrentThreadAttachExempt
  20.                                                                     -->LdrpCallInitRoutines
  21. LdrInitializeThunk-calls-> ZwContinue(pContext,..);
  22.  
  23. N.B. LdrInitializeThunk and ZwContinue are exported from ntdll.dll.
  24. N.B. In normal threads ZwContinue is called with the "EIP" in CONTEXT set to "ntdll!RtlUserThreadStart"
  25. and "EAX" set to user-defined entrypoint i.e. RtlUserThreadStart is responsible for redirecting
  26. execution to the user-defined entrypoint.
  27. But in "DebugActiveProcess" threads, ZwContinue is called directly with "EIP" set to the
  28. "DbgUiRemoteBreakin" function and "EAX" set to zero.
  29. -------------------------------------------------------------------
  30. Windows 7 (64-bit), Wow64 Thread:
  31. ntdll!LdrInitializeThunk-calls->ntdll!LdrpInitialize-calls->Wow64!Wow64LdrpInitialize if(UseWow64)
  32.                                                     -calls->ntdll!LdrpInitializeThread if(!UseWow64)
  33.  
  34. Wow64LdrpInitialize--calls--->Wow64!ProcessInit (if first thread).
  35.                           --->Context conversion from 64Bit to 32Bit
  36.                           --->Simulation code via. wow64cpu!CpuSimulate-->ntdll32!LdrInitializeThunk and so on.
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×