Wednesday, March 14, 2012

strenc()

Well, it's been quite a while since I've had time to play around and make something useful, but I think you guys will like this one. This is a small project (about a 2-hour project, actually) I made which can obfuscate strings within a C++ application. Everything is explained on the Google Code project page, so go check it out.

Wednesday, January 11, 2012

Debugger Detection

I must say, it has been quite the while since I've been able to make a post. However, now that I have some free time, here's a tutorial on debugger detection. The source code will be posted within a day or so, I've got to run for now.

Saturday, December 17, 2011

SEH Hooking

In this example, I will cover a method of hooking which uses SEH (Structured Exception Handling) in order to hook code in any location without overwriting the code. This method of hooking is very much alike the SEH Hooking which is used by many debuggers to place breakpoints, but has two small differences.
  1. Instead of writing INT3 Breakpoints and catching the BREAKPOINT Exception, I'm setting the memory to PAGE_NOACCESS and catching the ACCESS_VIOLATION Exception.
  2. Instead of writing the address of my handler to the PEB directly, I'm using a VEH (Vectored Exception Handler), which is being added using the AddVectoredExceptionHandler() WinAPI Function.
This method of hooking works by modifying the protection of a byte of memory at the location of our hook to PAGE_NOACCESS. When this memory is executed, our VEH catches an ACCESS_VIOLATION Exception. It then checks the instruction pointer to see if the violation occurred at the location of our hook. If this ACCESS_VIOLATION is not our hook, we return CONTINUE_SEARCH to allow other handlers to work with the exception. However, if it is our hook, we do 3 things:
  1. Execute our hook's callback
  2. Restore the memory access to its original state
  3. Set the trap flag, which will trigger a single step
We then return CONTINUE_EXECUTION. This time, the hooked code executes it's first byte flawlessly and then triggers a SINGLE_STEP Exception. This single step is a result of setting the trap flag, and it allows us to set the hooked memory back to PAGE_NOACCESS so our hook will execute again the next time the hooked memory is accessed.

Since our exception handler's ContextRecord contains a pointer to the top of the stack, we are also able to access function arguments and find return addresses. Because of this, we can block the execution of a function or change the input, just like in a normal hook. To block execution, we can place a JMP [ReturnAddressFromStack] in our hook handler. While this jumps right back into execution and skips steps 2 and 3 of our exception handling, it is jumping back to the calling function and not the hooked code. The NOACCESS remains in place for next time.

While this rendition of SEH Hooking isn't flawless, it does illustrate the concept and get the job done. In most cases, if you plan on using SEH Hooking, I would recommend using INT3 Breakpoints, though. This method, however, is a good way to bypass modification detection. While programs may checksum their code, they don't usually verify the memory protection of every page in the program.

In the example code, I hook the MessageBoxA() WinAPI Function. Inside my handler, I call printf() to print the caption and text to the console. I then block execution of MessageBoxA().


Tuesday, December 13, 2011

IAT Hooking

The tutorial and explanation can be seen below, and I have also provided the example source code.

Monday, December 12, 2011

Workstations v1.0

Workstations is a program I have written in C++ using the Qt GUI Framework which allows the user to open multiple instances of their Windows Desktop and iterate between them. The program is very similar to Desktops which was written by SysInternals. There are a few notable differences between the software, however:

  • Workstations is open-source
  • Workstations allows up to 8 desktops, Desktops only allows 4
  • Workstations is currently not finished. When it is, it will also have hotkeys for changing desktops and the ability to change the maximum number of desktops that can be opened, capping at 8 and being no less than 4.

Workstations was developed and tested on Windows 7 Enterprise x64 and seems to work nearly flawlessly. I would appreciate if some readers with different OS's especially could report and bugs they find with details on said bugs so I can fix them in later releases.



You can checkout from the repository and play with or recompile the code, or you can grab the pre-compiled binary to test out the software. This is one of the peices of software which I intent to update, so if you like what you see please help me out by reporting issues and voicing concerns via comments on this blog. 

Saturday, December 10, 2011

CodeReload

This is a program I wrote which will automatically find memory addresses for any 32 bit program, given specific patterns to match. This works very similar to the "OllyDBG method" (Where you copy ASM code around the address in the known version and search it in the unknown), but also provides better functionality. Not only can you search static or wildcard values, but you can also do greater and less than comparisons.

The program is written in C++ using the Qt GUI library. Included with the program is an example pattern file with patterns created for a game called Tibia. It also includes instructions on how to properly define patterns.

Notes:

  • Patterns longer than 128bytes will not work in some situations
  • Patterns using greater than and less than have not been fully tested
  • Patterns must be written with the syntactical scrutiny of a grammar nazi, my parsing is crude
  • Patterns may only use hexadecimal values




So without further adieu, here's the source. If you just want to use the binary, you can find it in the Release\Release folder. (Redundant, I know, but I needed to organize the QT Dll's somewhere isolated)

Thread Injection

The tutorial and explanation can be seen below, and I have also provided the example source code.