Microsoft introduced a new technique for API redirection with Windows 7. Microsoft splits the kernel32 functions in different DLLs e.g. api-ms-win-core-libraryloader-l1-1-0.dll. This special DLLs follow a strict naming convention. A special DLL called apisetschema.dll is injected in every process with the redirection information. It is possible to manually resolve these redirections but Scylla is not doing it manually right now. I tried to investigate this a little bit because Scylla didn’t/doesn’t work very well on Windows 8. I wrote a tool to manually parse these redirections and the result is surprising (read more here). Continue reading
NtQueryObject is another example of a known and underestimated anti-debug measurement. Most anti-debug articles describe (here or here) that we must call NtQueryObject with the class ObjectAllTypesInformation (Index number 3, but the correct name is ObjectTypesInformation). This class will return a list with all existing object types. But it is much better to call this function with class index number 2 ObjectTypeInformation. ObjectTypeInformation will only return the type information of the supplied handle. So how to get a debug handle? We simply create our own debug handle. This technique is very powerful to detect any debugger and no anti-anti-debug tool/plugin is currently able to defeat this. Continue reading
Peter Ferrie mentioned a nice trick in his Anti-Debugging Reference article http://pferrie.host22.com/papers/antidebug.pdf with RtlProcessFlsData. He provided a “cryptic” example code in assembler. Although his example will work, there are a lot of open questions he doesn’t answer. His code is not usable in a productive environment and I wanted to demonstrate this trick with a more readable and solid example. This trick is very undocumented and I couldn’t find any further information with Google. This trick works since Vista. Fiber Local Storage (FLS) is similar to Thread Local storage (TLS), because a thread is created which can be used to execute some hidden stuff.
NtCreateThreadEx is a new API since Vista and it is very powerful. It is mostly used for DLL injection, but it can be used as an anti-debug trick aswell. No anti-anti-debug tool/plugin can defeat this. Continue reading
Most people who work with debuggers don’t really care about anti-debug tricks, because there are plenty of anti-anti-debug plugins e.g. StrongOD, Phantom, Stealth64, IdaStealth, HideDebugger, etc. and they do a great job against standard anti-debug tricks found in “anti-debug reference” articles (e.g. here). But most anti-debug articles simply copy & paste known source code without adjusting it. Most tricks work fine with Windows XP, but don’t work with Windows Vista/7/8, e.g. one of the worst anti-debug trick ever is kernel32!OutputDebugString. And some other known tricks can be updated and improved to work even better with Vista/7/8. Continue reading