
# attach to me? if you can (part II)


nezumi-lab
February 10th, 2009, 01:28
the previous post (http://nezumi-lab.org/blog/?p=115) describes how to intercept attaching, but that way does not prevent attaching itself. as it happens there is a simple and elegant way to block any attaching attempts: just wipe out the PEB=>PPEB_LDR_DATA field. the application is running well, the process is present in the process list of Task Manager/Process Explorer, but… it’s not listed in the Olly 1.10/Olly 2.00i attach windows!!!

http://nezumi-lab.org/gif/to_attach_ldr.gif
to_attach_ldr.exe is not present in the attach windows!


ok, guys, another plan! load the file directly into OllyDbg 1.10 in order to debug it. can we debug it? well, yes, but… no. OllyDbg 1.10 does not show us the module list (so, how are we supposed to set breakpoints on APIs?) and the map window is empty as well. OllyDbg 2.00i and IDA-Pro 5.3 have no such problem.

IDA-Pro 5.3 can’t attach to the process either, it just freezes!!! and there is nothing to do but terminate IDA-Pro with all the changes we have made. a very nasty bug!

the source code is extremely simple. see it below or download it (http://nezumi-lab.org/ffh/to_attach_ldr.zip).

#include <stdio.h>
#include <windows.h>

int main(void)
{
    const char x[] = "|/-\\"; // spinner characters: not shown in the original post, assumed here
    int a = 0;
    __asm{
        mov eax, fs:[30h] ; // PEB
        mov [eax + 0xC], eax ; // damage LdrData to prevent attaching
    }
    // do something
    while(1) printf("\rattach to me [%c]", x[++a % (sizeof(x)-1)]), Sleep(100);
}

so, you get it. any ideas how to hack it? does anybody know a way to attach to the process?



http://nezumi-lab.org/blog/?p=122

rendari
February 10th, 2009, 03:08
PEB_LdrData seems to be the same for every running process at that time. Code a loader that will inject some code that will restore PEB_LdrData to its rightful state. How to know its rightful state? Simple, just execute in the loader:
mov eax, fs:[30h]
mov eax, [eax + 0xC]

Then eax holds value that PEB_LdrData in target process should be restored to. Didn't test it, but I imagine it works. I suppose I could put something together if anyone was interested.
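As an added example (not code from the post or from either author), here is the sanity check an analysis tool could run over a target's PEB before attaching, plus rendari's repair idea as a function: it reads the Ldr field at PEB+0xC, flags the NULL, self-pointing (the post's trick) and unmapped cases, and validates the PEB_LDR_DATA header. The Memory class is a constructed stand-in for ReadProcessMemory, the 32-bit PEB_LDR_DATA field offsets are the documented ntdll layout, and all addresses and byte images are assumed sample values.

```python
import struct

# x86 PEB layout: the Ldr pointer sits at PEB+0xC (the field the post overwrites)
PEB_LDR_OFFSET = 0x0C
# 32-bit PEB_LDR_DATA: Length @0, Initialized @4, SsHandle @8, InLoadOrderModuleList @0xC (assumed layout)
LDR_INITIALIZED_OFFSET = 0x04
LDR_INLOAD_FLINK_OFFSET = 0x0C

class Memory:
    """Read-only view over a few constructed regions; stands in for ReadProcessMemory."""
    def __init__(self, regions):
        self.regions = regions  # {base_address: bytes}
    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        return None  # unmapped, like a failed ReadProcessMemory call

def check_peb_ldr(mem, peb_base):
    """Return a list of findings; an empty list means the Ldr pointer looks intact."""
    raw = mem.read(peb_base + PEB_LDR_OFFSET, 4)
    if raw is None:
        return ["PEB is unreadable"]
    ldr = struct.unpack("<I", raw)[0]
    if ldr == 0:
        return ["Ldr is NULL"]
    if ldr == peb_base:
        # exactly what 'mov [eax+0xC], eax' leaves behind: Ldr points back at the PEB
        return ["Ldr points at the PEB itself (anti-attach pattern)"]
    header = mem.read(ldr, 0x10)
    if header is None:
        return ["Ldr points to unmapped memory"]
    initialized = header[LDR_INITIALIZED_OFFSET]
    flink = struct.unpack_from("<I", header, LDR_INLOAD_FLINK_OFFSET)[0]
    if initialized != 1 or flink == 0:
        return ["PEB_LDR_DATA header is not initialized"]
    return []

def repair_ldr(peb_bytes, reference_ldr):
    """rendari's idea: rewrite the Ldr field with the value read from a healthy reference process."""
    return peb_bytes[:PEB_LDR_OFFSET] + struct.pack("<I", reference_ldr) + peb_bytes[PEB_LDR_OFFSET + 4:]

# Constructed sample data (not real dumps): a PEB at 0x7FFDF000, ntdll's PEB_LDR_DATA at 0x77F80000
PEB_BASE, LDR_BASE = 0x7FFDF000, 0x77F80000
LDR_DATA = struct.pack("<IBxxxIII", 0x30, 1, 0, LDR_BASE + 0xC, LDR_BASE + 0xC)  # Initialized=1, empty list
HEALTHY_PEB = bytes(PEB_LDR_OFFSET) + struct.pack("<I", LDR_BASE) + bytes(0xF0)
DAMAGED_PEB = bytes(PEB_LDR_OFFSET) + struct.pack("<I", PEB_BASE) + bytes(0xF0)  # state after the post's asm

def sample_memory(peb_bytes):
    return Memory({PEB_BASE: peb_bytes, LDR_BASE: LDR_DATA})
```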