walied
November 6th, 2012, 00:00
My latest blog post where I explain a new anti-attaching trick.
http://waleedassar.blogspot.com/2012/11/sizeofstackreserve-as-anti-attaching.html
Any comments or ideas are very welcome
Indy
November 6th, 2012, 09:32
Too many letters. I do not understand how it prevents debugging

walied
November 6th, 2012, 10:02
In brief, on Windows versions that use the ZwCreateThreadEx function instead of ZwCreateThread to create threads e.g. Windows 7, patching the "SizeOfStackReserve" to a high value e.g. 0xFFFFFED7 prevents debuggers from attaching to your process.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
// RtlImageNtHeader is exported by ntdll.dll; link against ntdll.lib.
extern "C"
{
    IMAGE_NT_HEADERS* __stdcall RtlImageNtHeader(void* ImageBase);
}
int main(int argc, char* argv[])
{
    //----------------------------------------------------------------
    // Make the PE header page of the main module writable.
    void* IB=(void*)GetModuleHandle(0);
    unsigned long old=0;
    VirtualProtect(IB,0x1000,PAGE_READWRITE,&old);
    // Overwrite SizeOfStackReserve in the in-memory optional header.
    IMAGE_NT_HEADERS* pNt=RtlImageNtHeader(IB);
    pNt->OptionalHeader.SizeOfStackReserve=0xFFFFFED7;
    // Restore the original page protection.
    VirtualProtect(IB,0x1000,old,&old);
    //-----------------------------------------------------------------
    int i=0;
    while(8) // non-zero constant: loop forever
    {
        printf("Now try to attach a debugger to me (Win7) %x\r\n",i++);
        Sleep(1000);
    }
    return 0;
}
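For analysts: a check for the header patch described in the post above, added here as an example and not part of the original thread. It reads SizeOfStackReserve from the on-disk header and from a dumped in-memory header page and reports a mismatch or an oversized value; the function names, the 256 MiB limit and the sample headers are assumptions constructed for illustration.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
RESERVE_LIMIT = 0x10000000  # assumed threshold (256 MiB), tune per environment


def stack_reserve(image: bytes) -> int:
    """Return OptionalHeader.SizeOfStackReserve from raw PE header bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    # The field sits at offset 72 in both layouts: 4 bytes in PE32, 8 in PE32+.
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", image, opt + 72)[0]
    if magic == PE32PLUS_MAGIC:
        return struct.unpack_from("<Q", image, opt + 72)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def check_stack_reserve(disk: bytes, memory: bytes, limit: int = RESERVE_LIMIT):
    """Compare the on-disk header with the header page dumped from the process."""
    on_disk, in_mem = stack_reserve(disk), stack_reserve(memory)
    findings = []
    if in_mem != on_disk:
        findings.append("modified")   # header was patched after load
    if in_mem > limit:
        findings.append("oversized")  # reserve this large is not a normal build setting
    return findings


def make_header(reserve: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed sample: a bare MZ/PE header, not a loadable image."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, magic)
    fmt = "<Q" if magic == PE32PLUS_MAGIC else "<I"
    struct.pack_into(fmt, buf, opt + 72, reserve)
    return bytes(buf)


if __name__ == "__main__":
    disk = make_header(0x100000)    # constructed: a 1 MiB reserve on disk
    mem = make_header(0xFFFFFED7)   # constructed: value from the post, in memory
    print(hex(stack_reserve(mem)), check_stack_reserve(disk, mem))
```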