snoopy Posted March 8, 2012

Hey guys,

Does anyone have the source code to the StrongOD plugin for Olly? Or can anyone tell me what the Kernelmode option is doing when using the StrongOD plugin?

I am in the middle of developing my own plugin that actually works on Win7 or Win8; so far most (read all) Olly plugins are failing on the new Windows versions.

best regards
Snoopy
Loki Posted March 9, 2012

The source will probably never be released for a plugin like that. A far better option would be to read Peter Ferrie's papers on anti-debugs and write a plugin from scratch to combat each of those.
snoopy Posted March 20, 2012 (Author)

I've started writing my own plugin following the anti-debug reference from Peter Ferrie. What I am facing is the following:

I am playing with the CloseHandle anti-debug trick, where an invalid handle is passed to the NtClose API, which throws an INVALID_HANDLE exception.

Now the problem I am facing is the fact that with the IDA Stealth plugin the anti-debug trick is perfectly defeated on XP, but it refuses to work on Windows 7. So I downloaded the source code of the plugin:

    // skip KiRaiseUserExceptionDispatcher for INVALID_HANDLE exceptions
    // (origKiRaiseUED holds the address of the original function, saved
    // elsewhere in the plugin when the hook is installed)
    void __declspec(naked) NTAPI KiRaiseUserExceptionDispatcherHook()
    {
        __asm
        {
            pushf
            push eax
            // fs:[0x18] is the TEB self-pointer; TEB+0x1A4 is LastStatusValue
            // (x86), the NTSTATUS of the last failed system call
            mov eax, fs:[0x18]
            mov eax, [eax+0x1A4]
            cmp eax, 0xC0000008          // STATUS_INVALID_HANDLE
            jnz call_orig
            // swallow the exception: restore state and return to the caller
            pop eax
            popf
            ret
        call_orig:
            // any other status: fall through to the original dispatcher
            pop eax
            popf
            jmp [origKiRaiseUED]
        }
    }

The code is pretty simple: it checks the thread's last status value for the exception code INVALID_HANDLE.

Can anyone explain to me why Windows 7 is so different from XP? On XP it's working fine, but on Windows 7 it refuses to work.