Usermode Debugger Check Prevention
It’s easy enough to use OllyDbg or any other debugger to bypass debugger checks, but any sort of anti-debugging technique that utilizes the time stamp counter such as QueryPerformanceCounter, GetTickCount, and others, can be bypassed by setting the 2nd bit in control register 4 (CR4) which disables the TimeStamp Counter from working for applications operating […]
Breaking Down System Routines #2 [NtQuerySystemInformation]
System Routine Overview NtQuerySystemInformation is a system routine that gathers system information specific to the class value provided. During this breakdown, we’ll look at it in much more depth because, like the previous system routine documented, it’s just a wrapper for an internal kernel routine that actually gathers the system information. However, the internal routine it […]
Breaking Down System Routines #1 [NtQuerySection]
NtQuerySection is a system routine for the Windows operating system that queries information related to a section object and provides the information regarding that object by filling a buffer passed to the function. As an important note, all disassembly and reversing took place on Windows 10 x64 Professional. It requires 4 arguments, 5 if you […]
Hiding Strings from Disassemblers
Developers attempt to obscure or obfuscate any reverse engineers view of strings through the use of compile-time encryption techniques, packing, virtualization, and the like. In this post, I briefly describe a method to prevent strings from entering the .rdata segment of the executable by using a method of indirect initialization forcing the various characters and […]
SizeOfStackReserve Denial of Service
In this post I will be referencing information I’ve found through reversing and through waleedassars blog article titled SizeOfStackReserve Anti-Attaching Trick. It should be noted that the following was tested on Windows 10. The routine RtlCreateUserStack in ntoskrnl.exe is called following a call to CreateRemoteThread, CreateThread, and/or of course NtCreateThreadEx. The RtlCreateUserStack is called far later in a […]
Using Flags of RTL_USER_PROCESS_PARAMETERS for Anti-Debugging
OverviewThere are various flags in the PEB associated with a specific process such as the CrossProcessFlags, the BitField (4th member of the PEB), AppCompatFlags, and so forth. I’d always tried looking for differences in the flags when operating in a standard runtime environment vs. a debugged runtime environment and after many failed attempts to find […]