201401 - An OD detection solution based on driver traversal - Kido [4st team]

Source: Internet
Author: User
Tags: ssdt

An OD detection solution based on driver traversal

Kido [C.L.G] [4.S.T]

I haven't written an article for a long time. This time I wrote a popular-science article on OD detection.

These are just personal opinions, so please bear with me.

As we all know, OllyDbg is a popular free 32-bit ring3 debugging tool on Windows.

Thanks to its rich plug-ins, convenient operation and powerful features, it is favored by all kinds of creatures: programmers, grey hats and security "experts" alike.

Debuggers have existed since the very beginning of software development. As the times have moved on, many young people (and some not so young) have come to yearn for grey-hat techniques, and software security, encryption and decryption have become increasingly popular.

In order to optimize, reverse engineer or do secondary development, people look for vulnerabilities in a program, modify it and crack it, and the mischievous thing they do to it is called debugging.

Debugging can be divided into black box and white box, though sometimes the concept of a grey box is introduced as well.

The so-called black box is chatting up a girl you don't know; the white box is the loving relationship between husband and wife; the grey box is an in-between concept, roughly the magical thing that goes on between lovers.

Because of my personal interest, this article mainly focuses on chatting up a strange girl (the debuggee).

In order to debug a strange girl, people have developed a variety of players (debuggers). This article focuses on OllyDbg, the must-have player. Not every girl is a Jinlian, though; some bring along some very powerful anti-wolf tools (anti-debug).

For example, IsDebuggerPresent is a way of stopping the player from playing by checking whether a player (debugger) is present at all.

In order to play successfully, the wretched otaku humans have studied the target thoroughly, and naturally there are counter-measures to the anti-wolf measures (anti-anti-debug). Among them, the most high-end and fancy one is a tool called StrongOD; to save words, people usually affectionately call it SOD.

SOD not only enhances OD at the user layer, it also protects OD at the driver layer, for example stealth (hiding the OD process) and convenience (hooking functions so that the debuggee's debugger checks return normal results).

SOD also protects its own driver, making the driver file invisible and unrecognizable unless brute-force methods are used.

Fortunately, we can still observe it in XT (screenshots omitted):

"File not found" indicates that the driver file has been hidden and cannot be seen.

My OD was renamed "holyshit". Red indicates that it has been hidden.

The ring3 access state is "deny", which indicates that the object cannot be operated on.

Let's take a look at what SOD has done at the driver layer!

SSDT: 10 functions hooked.

Shadow SSDT: 6 functions hooked.

These hooks ensure that OD cannot be found by traversing window handles (HWNDs) and that the OD process cannot be operated on.

This secures the debugger's position.

The method described in this article is actually commonplace, a very old technique.

The protected program can enumerate the loaded drivers by brute force and determine whether one of them is the StrongOD driver, which reveals that it is being debugged.

I was forced to spend a whole day downloading VS2013 for this.

The code below:

////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <shlwapi.h>
#include <psapi.h>

#pragma comment(lib, "psapi")
#pragma comment(lib, "shlwapi")   /* needed for PathFileExists */

#define ARRAY_SIZE 1024

int _tmain(int argc, _TCHAR *argv[])
{
    LPVOID drivers[ARRAY_SIZE];
    DWORD cbNeeded;
    int cDrivers, i;

    /* EnumDeviceDrivers fills drivers[] with the load address of every driver */
    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)
        && cbNeeded < sizeof(drivers))
    {
        char szDriver[ARRAY_SIZE];
        char szPath[ARRAY_SIZE];
        char szDbgHelp[ARRAY_SIZE];
        char szSystem[ARRAY_SIZE];
        size_t len = 0;

        /* build "%System%\dbghelp.dll" so the copy shipped by Windows can be skipped */
        GetSystemDirectoryA(szSystem, sizeof(szSystem));
        strcat_s(szSystem, sizeof(szSystem), "\\dbghelp.dll");

        cDrivers = (int)(cbNeeded / sizeof(drivers[0]));
        for (i = 0; i < cDrivers; i++)
        {
            if (GetDeviceDriverBaseNameA(drivers[i], szDriver, sizeof(szDriver) / sizeof(szDriver[0])))
            {
                GetDeviceDriverFileNameA(drivers[i], szPath, sizeof(szPath));

                /* only "\??\..." paths, i.e. drivers loaded from a full DOS path */
                if (szPath[1] == '?')
                {
                    len = strlen(szPath);
                    /* back over the driver file name (e.g. StrongOD.sys) */
                    do { len--; } while (len > 0 && szPath[len] != '\\');
                    /* back over the directory that holds it (e.g. plugins) */
                    do { len--; } while (len > 0 && szPath[len] != '\\');
                    szPath[len + 1] = 0;

                    /* drop the 4-byte "\??\" prefix, leaving e.g. "C:\OllyDbg\" */
                    for (size_t j = 0; j < len; j++)
                    {
                        szPath[j] = szPath[j + 4];
                    }

                    sprintf_s(szDbgHelp, sizeof(szDbgHelp), "%sdbghelp.dll", szPath);
                    if (PathFileExistsA(szDbgHelp))
                    {
                        /* Windows paths are case-insensitive, so compare ignoring case */
                        if (_stricmp(szSystem, szDbgHelp) == 0)
                        {
                            continue;
                        }
                        printf_s("ollydbg detected:\n"
                                 "path: %s\n"
                                 "strongod driver name: %s\n", szPath, szDriver);
                    }
                }
            }
        }
    }
    return 0;
}

////////////////////////////////////////////////////////////////////////////////

The above code first uses EnumDeviceDrivers to obtain the load addresses of all drivers.

Then the path of each driver is retrieved with GetDeviceDriverFileName.

For paths of the form "\??\...", the "\??\" prefix is removed and the last two components (the driver file name and the directory holding it) are stripped, which yields the candidate OD directory.

Next, check whether dbghelp.dll exists in that directory (OllyDbg ships with its own copy).

If dbghelp.dll exists there and the directory is not %System%, it is determined that this is a debugger.

Finally, output the detected OD path and the name of the SOD driver (which can be customized in ollydbg.ini).
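The path rule in the procedure above is the part that decides everything, and it has edge cases the prose glosses over (NT-style "\SystemRoot\..." paths, paths with too few components, the copy of dbghelp.dll in the system directory, case differences). The following is an added example, not the article's code: it isolates that rule from the Win32 calls so it can be run anywhere, with the file system replaced by a constructed list of "existing" files (fake_exists) and a constructed driver list in the same form GetDeviceDriverFileName returns. The function names derive_check_dir, detect_ollydbg and fake_exists, the sample paths and the "C:\OllyDbg" location are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Case-insensitive string equality: Windows paths are case-insensitive. */
static bool path_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Hypothetical helper (example code): apply the article's path rule to one
 * driver image path. Only "\??\"-prefixed paths are accepted (the article
 * tests szPath[1] == '?'), the last two components are dropped (driver file
 * name and the "plugins" directory holding it), then the "\??\" prefix is
 * removed. Returns a static buffer, or NULL when the path does not fit. */
const char *derive_check_dir(const char *image_path)
{
    static char dir[512];
    size_t len = strlen(image_path);
    size_t i, seen = 0;

    if (len < 5 || strncmp(image_path, "\\??\\", 4) != 0)
        return NULL;                     /* e.g. "\SystemRoot\System32\drivers\ntfs.sys" */

    /* Walk back over two backslashes, never counting the one inside "\??\". */
    for (i = len; i > 4; i--) {
        if (image_path[i - 1] == '\\' && ++seen == 2)
            break;
    }
    if (seen < 2 || i - 4 >= sizeof dir)
        return NULL;                     /* too few components, e.g. "\??\C:\x.sys" */

    memcpy(dir, image_path + 4, i - 4);  /* keeps the trailing backslash: "C:\OllyDbg\" */
    dir[i - 4] = '\0';
    return dir;
}

/* The full decision as the article describes it: the directory must contain
 * dbghelp.dll and must not be the system directory. The exists callback
 * stands in for PathFileExists so the logic runs without Win32. */
int detect_ollydbg(const char *image_path, const char *system_dir,
                   bool (*exists)(const char *))
{
    char candidate[600], sysdll[600];
    const char *dir = derive_check_dir(image_path);
    if (dir == NULL)
        return 0;
    snprintf(candidate, sizeof candidate, "%sdbghelp.dll", dir);
    snprintf(sysdll, sizeof sysdll, "%s\\dbghelp.dll", system_dir);
    if (!exists(candidate))
        return 0;                        /* no debugger DLL next to the driver */
    if (path_ieq(candidate, sysdll))
        return 0;                        /* the copy Windows ships in %System% */
    return 1;
}

/* Constructed stand-in for the file system: only these paths "exist". */
static const char *const FAKE_FILES[] = {
    "C:\\OllyDbg\\dbghelp.dll",
    "C:\\Windows\\System32\\dbghelp.dll",
};

bool fake_exists(const char *path)
{
    size_t k;
    for (k = 0; k < sizeof FAKE_FILES / sizeof FAKE_FILES[0]; k++)
        if (path_ieq(FAKE_FILES[k], path))
            return true;
    return false;
}

/* Constructed driver list in the form GetDeviceDriverFileName returns. */
static const char *const SAMPLE_DRIVERS[] = {
    "\\SystemRoot\\System32\\drivers\\ntfs.sys",       /* NT path: skipped */
    "\\??\\C:\\Windows\\system32\\drivers\\example.sys",/* system dir: skipped */
    "\\??\\C:\\Tools\\plugins\\other.sys",            /* no dbghelp.dll: no match */
    "\\??\\C:\\OllyDbg\\plugins\\StrongOD.sys",       /* detected */
};

int main(void)
{
    size_t k;
    for (k = 0; k < sizeof SAMPLE_DRIVERS / sizeof SAMPLE_DRIVERS[0]; k++) {
        const char *p = SAMPLE_DRIVERS[k];
        if (detect_ollydbg(p, "C:\\Windows\\system32", fake_exists))
            printf("ollydbg detected: %s (driver %s)\n", derive_check_dir(p), p);
        else
            printf("no match: %s\n", p);
    }
    return 0;
}
```

Only the last sample path is reported; the second one shows why the %System% comparison is needed, since Windows' own drivers in system32\drivers would otherwise match against the dbghelp.dll that Windows ships. The case-insensitive comparison matters there too, because the system directory string and the driver path can differ in case.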


Once the OD directory is obtained and the driver name is confirmed to be SOD, the protected program could unload the driver and disable the OD, or even use cmd to launch OD and attach it to the current debugger, or restore the SSDT hooks. That is beyond the scope of this article.

Note: the project settings that need changing when compiling with VS2012/VS2013:

Target XP compatibility and use ANSI mode (the code uses char buffers).

Add the necessary static libraries (psapi and shlwapi).

With that, it builds and works.

That is all for this article; please forgive its shortcomings.
