Scylla and Api Set Map

Microsoft introduced a new technique for API redirection with Windows 7. Microsoft splits the kernel32 functions across different DLLs, e.g. api-ms-win-core-libraryloader-l1-1-0.dll. These special DLLs follow a strict naming convention. A special DLL called apisetschema.dll is injected into every process with the redirection information. It is possible to resolve these redirections manually, but Scylla is not doing it manually right now. I tried to investigate this a little bit because Scylla didn’t/doesn’t work very well on Windows 8. I wrote a tool to manually parse these redirections and the result is surprising (read more here).

Anti-Debug NtQueryObject

NtQueryObject is another example of a known and underestimated anti-debug measure. Most anti-debug articles (here or here) describe that we must call NtQueryObject with the class ObjectAllTypesInformation (index number 3; the correct name is ObjectTypesInformation). This class returns a list of all existing object types. But it is much better to call this function with class index number 2, ObjectTypeInformation. ObjectTypeInformation only returns the type information of the supplied handle. So how do we get a debug handle? We simply create our own debug handle. This technique is very powerful for detecting any debugger, and no anti-anti-debug tool/plugin is currently able to defeat it.

Anti-Debug Fiber Local Storage (FLS)

Peter Ferrie mentioned a nice trick with RtlProcessFlsData in his Anti-Debugging Reference article. He provided a “cryptic” example code in assembler. Although his example works, there are a lot of open questions he doesn’t answer. His code is not usable in a production environment, and I wanted to demonstrate this trick with a more readable and solid example. This trick is largely undocumented and I couldn’t find any further information with Google. This trick works since Vista. Fiber Local Storage (FLS) is similar to Thread Local Storage (TLS), because a thread is created which can be used to execute some hidden stuff.

Anti-Debug NtSetInformationThread

Most people who work with debuggers don’t really care about anti-debug tricks, because there are plenty of anti-anti-debug plugins, e.g. StrongOD, Phantom, Stealth64, IdaStealth, HideDebugger, etc., and they do a great job against the standard anti-debug tricks found in “anti-debug reference” articles (e.g. here). But most anti-debug articles simply copy & paste known source code without adjusting it. Most tricks work fine on Windows XP but don’t work on Windows Vista/7/8; e.g. one of the worst anti-debug tricks ever is kernel32!OutputDebugString. And some other known tricks can be updated and improved to work even better on Vista/7/8.