ICanAttach, a plugin to bypass anti-attaching tricks.


walied
December 13th, 2011, 16:35
I have recently created an OllyDbg plugin, ICanAttach, to bypass the "DbgUiRemoteBreakin", "DbgBreakPoint", and "NtContinue" anti-attach tricks. It overwrites the entry points of these functions, which had supposedly been patched by malware.

It has only been tested on XP SP3. I would be glad if someone tested it on other OSes and gave me some feedback.


http://ollytlscatch.googlecode.com/files/ICanAttach2.dll

Source code
http://ollytlscatch.googlecode.com/files/ICanAttach.tar.gz

For more info:
http://waleedassar.blogspot.com/2011/12/debuggers-anti-attaching-techniques.html
http://waleedassar.blogspot.com/2011/12/debuggers-anti-attaching-techniques_11.html
http://waleedassar.blogspot.com/2011/12/debuggers-anti-attaching-techniques_13.html


N.B. The plugin has been updated to cover cases where race conditions may occur.