API tools faq
paste
Advertisement
waliedassar

Some Anti-Attaching Candidate Functions

waliedassar
Jan 25th, 2013
668
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.31 KB | None | 0 0
raw download clone embed print report
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. Windows XP (32-bit):
  5. KiUserApcDispatcher-calls->LdrInitializeThunk-calls->LdrpInitialize-calls->LdrpInitializeThread
  6.                    -calls->ZwContinue(pContext,..);
  7.  
  8. N.B. KiUserApcDispatcher, LdrInitializeThunk, and ZwContinue are exported from ntdll.dll.
  9. N.B. In normal threads ZwContinue is called with "EIP" in CONTEXT set to "kernel32!BaseThreadStartThunk"
  10. and "EAX" set to user-defined entrypoint. i.e. BaseThreadStartThunk is reponsible for redirecting
  11. execution to the user-defined entrypoint. But in "DebugActiveProcess" threads "EIP" in CONTEXT is
  12. directly set to the "DbgUiRemoteBreakin" function and "EAX" is set to zero.
  13.  
  14. N.B. Even though the "BaseThreadStartThunk" function is not exported from kernel32.dll, we can still
  15. resolve its address by creating any process in debugging state CreateProcess(DEBUG_PROCESS) and
  16. inspecting the "lpStartAddress" field of the "CREATE_THREAD_DEBUG_INFO" structure. 
  17. -----------------------------------------------------------------
  18. Windows 7 (32-bit):
  19. LdrInitializeThunk-calls->LdrpInitialize-calls->LdrpInitializeThread-->RtlIsCurrentThreadAttachExempt
  20.                                                                     -->LdrpCallInitRoutines
  21. LdrInitializeThunk-calls-> ZwContinue(pContext,..);
  22.  
  23. N.B. LdrInitializeThunk and ZwContinue are exported from ntdll.dll.
  24. N.B. In normal threads ZwContinue is called with the "EIP" in CONTEXT set to "ntdll!RtlUserThreadStart"
  25. and "EAX" set to user-defined entrypoint i.e. RtlUserThreadStart is responsible for redirecting
  26. execution to the user-defined entrypoint.
  27. But in "DebugActiveProcess" threads, ZwContinue is called directly with "EIP" set to the
  28. "DbgUiRemoteBreakin" function and "EAX" set to zero.
  29. -------------------------------------------------------------------
  30. Windows 7 (64-bit), Wow64 Thread:
  31. ntdll!LdrInitializeThunk-calls->ntdll!LdrpInitialize-calls->Wow64!Wow64LdrpInitialize if(UseWow64)
  32.                                                     -calls->ntdll!LdrpInitializeThread if(!UseWow64)
  33.  
  34. Wow64LdrpInitialize--calls--->Wow64!ProcessInit (if first thread).
  35.                           --->Context conversion from 64Bit to 32Bit
  36.                           --->Simulation code via. wow64cpu!CpuSimulate-->ntdll32!LdrInitializeThunk and so on.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!