Tuts 4 You

StrongOD


snoopy

Posted

Hey guys,

Does anyone have the source code to the StrongOD plugin for Olly?

Or can anyone tell me what the Kernelmode option is doing when using the StrongOD plugin?

I am in the middle of developing my own plugin that actually works on Win7 or Win8; so far most (read: all) Olly plugins are failing on the new Windows versions.

best regards

Snoopy

Posted

The source will probably never be released for a plugin like that.

A far better option would be to read Peter Ferrie's papers on antidebugs and write a plugin from scratch to combat each of those.

  • 2 weeks later...
Posted

I've started writing my own plugin following the anti-debug reference from Peter Ferrie.

What I am facing is the following:

I am playing with the CloseHandle anti-debug trick, where an invalid handle is being thrown to the NtClose API, which throws an INVALID_HANDLE exception.

Now the problem I am facing is the fact that with the IDA Stealth plugin the anti-debug trick is perfectly defeated on XP, but refuses to work on Windows 7.

So I downloaded the source code of the plugin:

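    // skip KiRaiseUserExceptionDispatcher for INVALID_HANDLE exceptions
    void __declspec(naked) NTAPI KiRaiseUserExceptionDispatcherHook()
    {
        __asm
        {
            pushf
            push eax
            // get current exception code from the TEB
            // (fs:[0x18] is the TEB self pointer, not the PEB)
            mov eax, fs:[0x18]
            mov eax, [eax+0x1A4]
            // 0xC0000008 = STATUS_INVALID_HANDLE
            cmp eax, 0xC0000008
            jnz call_orig
            // INVALID_HANDLE: restore registers and return without dispatching
            pop eax
            popf
            ret

        call_orig:
            // any other exception code: restore registers and run the original
            pop eax
            popf
            jmp [origKiRaiseUED]
        }
    }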

Code is pretty simple where it checks the Process Environment Block for the exception code INVALID_HANDLE.

Can anyone explain to me why Windows 7 is so different to XP, as on XP it's working fine but on Windows 7 it refuses to work.
