6/14/2014

Debugging ring 3 part of PE/PE+ loader


January 31, 2013 / ReWolf / posted in assembly, programming, reverse engineering, source code, WoW64, x64 / 4 Comments / http://blog.rewolf.pl/blog/?p=463

Someone may ask what the purpose of debugging the PE loader is; here are a few reasons:

- checking why an executable is not loaded properly (imports, TLS, other initialization-related issues)
- looking for some hidden features (e.g. LdrpCheckNXCompatibility)
- plain curiosity

Of course, debugging the ring 3 part of the PE/PE+ loader can reveal only part of the truth; for the second part (or rather the first part, to be strict) there is the MiCreateImageFileMap function inside ntoskrnl (the source code of this function can be found in the Windows Research Kernel: \base\ntos\mm\creasect.c; it is a bit old, but most of the stuff hasn't changed much). In this short article I'll cover only the x86 and x64 ring 3 part.

The ring 3 entry point for a new process (and also for each new thread) is located in NTDLL and is exported as LdrInitializeThunk; more information about this callback can be found on Skywing's blog: http://www.nynaeve.net/?p=205. Basically the above post inspired me to think about some other method to debug process initialization. It was a few years ago and I came up with a very simple idea (flawed, as it turned out later when I got back to this project). The initial concept looked like this:

1. Create the process with dwCreationFlags set to CREATE_SUSPENDED
2. Allocate one temporary page in the new process (VirtualAllocEx)
3. Inject a small shellcode which checks the PEB.BeingDebugged field in a loop; when a debugger is detected the loop ends and int3 is executed
4. Redirect LdrInitializeThunk to the shellcode
5. Resume the process
6. Attach your favourite debugger

I was using this scenario and it was sufficient at that time, however it was sometimes failing. Recently I got back to this and finally found the reason. There is a race condition, because during debugger attachment the system
creates an additional thread that should execute DbgBreakPoint. So in my case, after resuming the application, one of the threads was reaching my shellcode and the second one was waiting until I hit 'step over' instead of 'step into', and in some cases it took over the initialization process first, leaving me with an already initialized application. Here is the new version of the x86 shellcode:

```nasm
BITS 32
_begin:
    jmp     _skip                                   ; patched to two NOPs by the first thread that gets here
    push    0                                       ; ExitStatus
    push    0                                       ; ThreadHandle = 0 -> current thread
    mov     eax, 12345678h                          ; NtTerminateThread (filled in by the injector)
    call    eax
_skip:
    call    $+5                                     ; get EIP: eax = address of the following pop
    pop     eax
    mov     word [eax - ($ - _begin - 1)], 9090h    ; overwrite 'jmp _skip' at _begin with NOP NOP
    mov     eax, [fs:18h]                           ; TEB
    mov     eax, [eax + 30h]                        ; PEB
_loop:
    pause
    cmp     byte [eax + 2], 0                       ; PEB.BeingDebugged
    je      _loop
    int3                                            ; debugger is attached: break here
    mov     eax, 12345678h                          ; LdrInitializeThunk
    mov     dword [eax], 12345678h                  ; restore original
    mov     word [eax + 4], 1234h                   ; code (6 bytes)
    jmp     eax                                     ; continue with the real loader entry
```

And the x64 version:

```nasm
BITS 64
default rel
_begin:
    jmp     _skip                                   ; patched to two NOPs by the first thread that gets here
    xor     rcx, rcx                                ; ThreadHandle = 0 -> current thread
    xor     rdx, rdx                                ; ExitStatus
    mov     rax, 1234567890abcdefh                  ; NtTerminateThread (filled in by the injector)
    call    rax
_skip:
    mov     word [_begin], 9090h                    ; RIP-relative (default rel): overwrite 'jmp _skip' with NOP NOP
    mov     rax, [gs:30h]                           ; TEB
    mov     rax, [rax + 60h]                        ; PEB
_loop:
    pause
    cmp     byte [rax + 2], 0                       ; PEB.BeingDebugged
    je      _loop
    int3                                            ; debugger is attached: break here
    mov     rax, 1234567890abcdefh                  ; LdrInitializeThunk
    mov     dword [rax], 12345678h                  ;\
    mov     dword [rax + 4], 12345678h              ;| restore original code (12 bytes)
    mov     dword [rax + 8], 12345678h              ;/
    jmp     rax                                     ; continue with the real loader entry
```

The above code takes care of the second thread created during debugger attachment: before entering the loop it overwrites the first two bytes of the shellcode (jmp _skip) with NOPs, so the second thread falls through directly to NtTerminateThread. To make life easier I've created a small application called LdrDebug that utilizes the above method. It detects the format of the executable (PE or PE+), injects the proper version of the shellcode and prints the PID of the created process:

```
e:\...\LdrDebug\Release>LdrDebug.exe notepad64.exe
Creating process: notepad64.exe
Arguments       : (null)
Type            : x64
PID             : 6216 (00001848)

e:\...\LdrDebug\Release>LdrDebug.exe notepad.exe
Creating process: notepad.exe
Arguments       : (null)
Type            : x86
PID             : 6988 (00001B4C)

e:\...\LdrDebug\Release>LdrDebug.exe /x64 notepad.exe
Creating process: notepad.exe
Arguments       : (null)
Type            : x86
PID             : 4240 (00001090)
```

There is an additional switch '/x64' that can be used to debug the x64 part of an x86 process under the WOW64 subsystem. The application was tested on Windows 7, so I can't guarantee that it will work on any other system. It might not work under Windows 8, as it uses the wow64ext library and I had some reports that this library is not working on that system.

Link to binary package: http://rewolf-ldrdebug.googlecode.com/files/rewolf.ldrdebug.zip
Link to google code page: http://code.google.com/p/rewolf-ldrdebug/

Enjoy!

Comments (4)

1. ZigD, 16:12, February 1, 2013:
Your posts don't come often, but when they do … always worthy … will look into … thanks and respects
ReWolf, 07:41, February 4, 2013 (reply):
Thanks! :)

2. waliedassar, 03:40, February 4, 2013:
My solution is easier. Use WinDbg's deferred breakpoints, e.g. bu ntdll!LdrInitializeThunk and then hit .restart

ReWolf, 07:41, February 4, 2013 (reply):
Yup, that should do the trick too, but mine works for every debugger :) Anyway, from the debugger's point of view it's even easier, because setting an int3 on LdrInitializeThunk would be the ultimate solution (I saw that PEBrowse x64 has such a feature).
