Tuts 4 You

0xNOP Blog

Quick & Dirty Way to Bypass Themida Anti-Attach!

0xNOP


[ATTENTION ! - BEFORE YOU READ ANYTHING!]
The article you're about to read has been written with the intention of helping fellow members who currently work as malware analysts and
are working hard every day against malware in the wild. Given that this forum is publicly available to anyone, this article is intended to be
used only as an educational resource and should NOT be put to the test against any kind of commercial programs / applications / software
protected by Themida. Breaking / circumventing the protection of Themida itself, or of any commercial program / application / software, is
totally unlawful and you could be held accountable for your actions in a court.

The author of this article ('0xNOP') and/or the hosts of this blog ('www.tuts4you.com') do not take
any kind of responsibility for anything that you ('the reader') might do with such content.
Given these terms of agreement, you are the sole person responsible for your own actions. If you agree with this, you may continue reading; if not, I advise you to stop reading,
close this page and continue browsing the forums as usual. If you continue reading, it means you automatically accept these terms of agreement.


Prologue: The method I'm going to cover here is probably not rocket science for some geniuses in the scene, and others may have known it already. However, this method is geared towards people who don't know this approach yet, so keep on reading to find out how I did it, and see if you knew the approach already! If you would like to skip the story and go straight to the TL;DR, jump to the part headed [TUTORIAL]. Last but not least, hope you enjoy it!

Story: Hello everyone! Here I am, coming back from a recess :D

So I was working on a Themida-protected DLL, and that DLL was getting loaded at runtime by the game's entry point (e.g. push <DLLName>; jmp &LoadLibraryA; if the DLL was found -> continue execution, else jump to exit). Alright, up to here everything was good... Now when I started digging into it, I saw that when I attached x64dbg to the process, the process was getting terminated! So I thought the program was probably protected with something... So here's where it gets interesting: the game executable wasn't protected with anything, only that one module! So I thought it was pretty cool that a DLL detects when a debugger is being attached, probably via Themida's API hooking, and I kept on going, thinking to myself what could be wrong... Not long after, I was getting aggravated with it; the impossibility of doing anything with the program really got to me.

So I kept on going until I started digging into kernel-mode drivers. Well, to start off, I didn't actually make my own driver, mainly because my current level of expertise is not the one needed to create a 1337 driver, and second because I'm on an x64 system and it would just be a pain in the arse to build and test one without PatchGuard making my life even more miserable. So I kept on looking for tools that could help me achieve what I wanted, and found out about TitanHide: it didn't work. ScyllaHide: the process was still terminating on attach, even though I used the Themida preset! So I left ScyllaHide for later on, because I know it works; I just had to know what to do in order to get that anti-anti-attach done. Lastly, I searched and searched until I found a treasure: a program called PC Hunter. It's a very well done and handy tool that comes with a kernel driver that lets you access things that are hidden from our ring 3 space. So I went on, did some magic (the one I'm going to explain further below) and LO AND BEHOLD! I crossed my fingers, made that look with the eyes almost closed, almost not wanting to look at the screen, and it finally worked! I couldn't believe I was attached to the program and it didn't show "thread terminated: status DED!" xD So now I've decided to share my happiness with the whole world, or at least whoever reads this entry :D

[TUTORIAL]

0. CRITICAL STEP: Suspend your process at startup, or after the troublesome protected DLL loads!

To "suspend" a process after a specific DLL was loaded, I downloaded API Monitor, went into the monitored APIs and put a breakpoint before the DllMain call. That way, when the offending DLL got called, the process was still executing; the only difference is that the DLL got loaded. It's one of my other "Quick and Dirty" ways of doing things :D Also, since I'm working in x64dbg, I used ScyllaHide to make further progress... keep on reading to see how I executed everything.

1. Download PC Hunter (attached below for your convenience ;D) and extract it somewhere comfortable.

2. Open it up and you will see something like this:

[Screenshot: PC Hunter main window]

3. At the navigation tabs shown above, select "Ring3 Hooks".

4. You will now have a view like this:

[Screenshot: Ring3 Hooks view]

(If there is nothing hooked in the tab loaded by default, which is "Message Hook", then it will be empty, just like mine. Otherwise, if you do have something hooked, make sure it's not a WH_KEYBOARD hook; it might be malware xD. Also check the Ring0 Hooks tab.)

5. Click the "Process Hook" tab:

[Screenshot: Process Hook tab]

6. Now look for your process, right-click its name and select "Scan", like so:

[Screenshot: right-click menu with "Scan"]

7. PC Hunter will now scan the process for active hooks and display them all in the list view on the right-hand side:

[Screenshot: list of detected hooks]

8. Now just right-click and select "Restore All"... or, if you had problems and/or your process exited/terminated abruptly while restoring all, be selective and try them one by one. I know it can be tedious, but at least it works. Most of the time you will be able to "Restore All".

 

Good, now we should have our process ready to continue loading. Now just remove all breakpoints in API Monitor (remember step 0?) and resume execution; at this point your program should be running normally. Now go to x64dbg and, under Plugins, go to ScyllaHide -> (remember to use the Themida preset) -> Attach to Process, use the little pick tool, drag and drop it onto your process and click Attach!

If you followed everything, you should be at the DbgBreakIn on attach; just resume execution in x64dbg and voilà! You have successfully bypassed the so feared Themida anti-attach!
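As an added example that is not part of the original post or of PC Hunter's code, this Python shows the kind of ring 3 check step 7 performs: compare the first bytes of an exported API as mapped in the live process against the same bytes from the module file on disk, and decode where any inline stub transfers control. The API names, addresses and prologue bytes in SAMPLE are constructed for illustration only; how you obtain the live bytes (for example ReadProcessMemory plus the PE export table) is outside the snippet.

```python
import struct

# Assumed record layout: API name -> (virtual address of the function,
# first bytes read from the live process, first bytes of the same function
# taken from the module file on disk).
MASK64 = (1 << 64) - 1

def classify_prologue(mem, disk, func_va, x64=True):
    """Return None if the in-memory prologue matches the on-disk copy,
    otherwise (hook kind, address the stub transfers control to, or None)."""
    n = min(len(mem), len(disk))
    if mem[:n] == disk[:n]:
        return None
    if len(mem) >= 5 and mem[0] == 0xE9:                     # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp rel32", (func_va + 5 + rel) & MASK64)
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":             # jmp [ptr]
        disp = struct.unpack_from("<i", mem, 2)[0]
        # x64 form is RIP-relative; x86 form holds an absolute pointer slot.
        slot = (func_va + 6 + disp) & MASK64 if x64 else disp & 0xFFFFFFFF
        return ("jmp [ptr slot]", slot)
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:  # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", mem, 1)[0])
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return ("mov rax,imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0])
    return ("patched, unrecognised stub", None)

def scan(records, x64=True):
    """Run classify_prologue over every record; return only the hooked ones."""
    findings = {}
    for name, (va, mem, disk) in records.items():
        verdict = classify_prologue(mem, disk, va, x64)
        if verdict is not None:
            findings[name] = verdict
    return findings

# Constructed sample: these prologue bytes are illustrative, not real ntdll code.
CLEAN = bytes.fromhex("4883ec28488b05a0")   # sub rsp,28h; mov rax,[rip+..]
HOOKED = bytes.fromhex("e9fb5fff00") + CLEAN[5:]   # jmp rel32 overwrote 5 bytes
SAMPLE = {
    "ntdll!DbgUiRemoteBreakin": (0x7FFD0000A000, HOOKED, CLEAN),
    "ntdll!NtQueryInformationProcess": (0x7FFD0000B000, CLEAN, CLEAN),
}

if __name__ == "__main__":
    for api, (kind, target) in scan(SAMPLE).items():
        print(f"{api}: {kind}" + (f" -> {target:#x}" if target is not None else ""))
```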

 

Credits & References:

Rohitab: for making API Monitor a great tool.

XueTr: for making PC Hunter free.

Attachment: PCHunter_free.zip


8 Comments



Teddy Rogers

Posted

I wasn't aware PCHunter was still being developed?

Ted.

On 5/26/2016 at 8:24 AM, Teddy Rogers said:

I wasn't aware PCHunter was still being developed?

Ted.

Hey Ted!

Mmm, frankly, me neither :D I just grabbed this from his website and it works flawlessly. Also, the latest post was back from 2013, so I guess that's the final version; there is a Pro version though :D

tonyweb

Posted (edited)

Thank you for this post :)

Is it possible that (at least some of) those hooks are placed by Comodo (I saw the cmdAgent process in your screenshot)? You didn't write if you tried to disable (or uninstall ?!?) Comodo and see if you could attach by using ScyllaHide only ... so I'm wondering if it could be just a "man-in-the-middle" issue :D 

I know nothing about Themida so my words could be totally nonsense ;)

Best Regards,
Tony

Edited by tonyweb (see edit history)

0xNOP

Posted (edited)

On 6/2/2016 at 2:58 AM, tonyweb said:

Thank you for this post :)

Is it possible that (at least some of) those hooks are placed by Comodo (I saw the cmdAgent process in your screenshot)? You didn't write if you tried to disable (or uninstall ?!?) Comodo and see if you could attach by using ScyllaHide only ... so I'm wondering if it could be just a "man-in-the-middle" issue :D 

I know nothing about Themida so my words could be totally nonsense ;)

Best Regards,
Tony

Hello there Tony!

True, as you said, Comodo being an anti-malware software, it may try to hook and prevent malicious activity on processes, for example prevent hooks from ScyllaHide, etc. However, bypassing already hooked hooks using PC Hunter made it all easier to work with :D In the end, we all know that one of the focal points in reverse engineering is to find the shortest and most reliable way for us to "fix" something :D

 

Thanks for your comment and sorry for the late response :D

Best Regards,

0xNOP

Edited by 0xNOP (see edit history)
tonyweb

Posted

@0xNOP

Hi 0xNOP, yeah ... as you said, it's useful to find a way to make something work without changing your "environment configuration" :)
I heard about PC Hunter, but never used it ... maybe it's time to take a closer look at it ;)

Thanks for your answer.

Best Regards,
Tony

John Rodrix

Posted (edited)

Hey bro 

I need help, I want to know how to calculate checksum bytes :(

I have the checksum sword value but I need to calculate the checksum bytes

Edited by akash (see edit history)

John Rodrix

Posted

2 minutes ago, akash said:

Hey bro 

I need help, I want to know how to calculate checksum bytes :(

I have the checksum sword value but I need to calculate the checksum bytes

Need help, or asm to auto-generate checksum bytes :(

15 minutes ago, akash said:

Hey bro 

I need help, I want to know how to calculate checksum bytes :(

I have the checksum sword value but I need to calculate the checksum bytes

 

 

11 minutes ago, akash said:

Need help, or asm to auto-generate checksum bytes :(

Sorry bro, can't help you there, I don't even know what you're asking for.
