Tuts 4 You

(Help Request) - Change Windows Build version


madskillz


Hi

System - Windows 7 OS version 6.1 build 7601

I want to change the build version for anti-debug reasons.

How do I do it?

What I have tried: RegEdit, Imagecfg, hex edit. Nothing works; everything gets reverted on restart, by startup repair or even without startup repair.

Regards


The process environment block holds your OS information, which can be accessed easily by the target you are trying to hide from.

Major, Minor, Build, CSDVersion, PlatformId, along with subsystem information are all in the PEB. You could try overwriting it there and seeing if that helps.


And how do I modify this?

For example, VMProtect binary loaded on Ollydbg, what do I do?

Thanks

--------------------------------

Does the latest ScyllaHide not hide the PEB? Is any modification to Peb.h required?


Edited by madskillz

If you don't know how to change the build number in the PEB manually, you can use xjun's SharpOD plugin, which hides the debugger from VMProtect. It's somewhere on the forum.

Xjun's plugin should also work for the latest VMProtect, where changing the build number might not be enough.

  • Like 2
On 31/1/2018 at 7:21 AM, madskillz said:

Hi

System - Windows 7 OS version 6.1 build 7601

I want to change the build version for the anti-debug reason.

How to do it?  

What I have tried - RegEdit, Imagecfg, hex edit, nothing works all get reverted on restart by startup repair or without the startup repair also.

Regards

Hi, it goes like this: load your target in OllyDbg and type G fs:[30] in the command bar. At that memory location + 2 bytes you should read 0x01 if a debugger is attached or 0x00 if a debugger isn't attached (or you have installed an anti-debug plugin). This is the BeingDebugged flag. It tells you that you are on the right track. At that base address (pointed to by fs:[30]) add 0xA4 and you should read OSMajorVersion, and at 0xAC you should read OSBuildNumber. Change these last two parameters to any random number and you should be good to go. _PEB is a per-process structure, so it won't affect anything else.

I would also tell you to try the OllyDbg stolystruct plugin to quickly find all of this, but it's outdated and you could end up modifying a different member of the _PEB struct, although it is worth trying too since you are using Win7. Remember that _PEB has evolved slightly throughout the years. In any case, such changes have been fully described and it's always good to have this handy reference: _PEB Evolution.

If you wish to go on the automated track then use Xjun's SharpOD plugin as Kao suggested. The version published in this forum has a bug where the child process has a bigger PID than explorer.exe. I think this has been corrected in the latest version but I can't confirm, since I don't have access to Chinese forums. I tried to correct this myself, but the main function of the driver in that plugin is VM'ed with lots and lots of VM handlers, way beyond my wildest dreams of passion, calm and patience for debugging. Best regards.

Edited by Aesculapius
typos correction
  • Like 2
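As an added illustration (not code from this thread, from SharpOD or from ScyllaHide), here is the x86 Windows 7 _PEB layout Aesculapius describes, read from a constructed PEB image, together with the kind of consistency check that explains kao's remark that a new build number may not be enough: a protector can compare the PEB fields against a version obtained independently (on Windows, for instance from RtlGetVersion). PEB_IMAGE_SIZE, sample_peb and the sample values are assumptions made for the example; the offsets are the ones quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the 32-bit Windows 7 _PEB, as quoted in the thread above. */
#define PEB_BEING_DEBUGGED   0x02   /* UCHAR  */
#define PEB_OS_MAJOR_VERSION 0xA4   /* ULONG  */
#define PEB_OS_MINOR_VERSION 0xA8   /* ULONG  */
#define PEB_OS_BUILD_NUMBER  0xAC   /* USHORT */
#define PEB_IMAGE_SIZE       0xB0   /* assumed: just enough of the struct to cover the fields above */
struct peb_version { uint8_t being_debugged; uint32_t major, minor; uint16_t build; };
/* Little-endian helpers so the sample image is built and read the same way on any host. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Pull the version-related fields out of a raw x86 PEB image (base = what fs:[30] points to). */
struct peb_version peb_read_version(const uint8_t *peb) {
    struct peb_version v;
    v.being_debugged = peb[PEB_BEING_DEBUGGED];
    v.major = rd32(peb + PEB_OS_MAJOR_VERSION);
    v.minor = rd32(peb + PEB_OS_MINOR_VERSION);
    v.build = rd16(peb + PEB_OS_BUILD_NUMBER);
    return v;
}

/* Returns 1 if the PEB disagrees with a version obtained elsewhere (on Windows, e.g. RtlGetVersion);
   such a mismatch is how a protector can notice that the PEB fields were edited by hand. */
int peb_version_mismatch(const uint8_t *peb, uint32_t major, uint32_t minor, uint16_t build) {
    struct peb_version v = peb_read_version(peb);
    return v.major != major || v.minor != minor || v.build != build;
}
/* Constructed sample image (not a real memory dump): zero-filled, with the given values written in. */
const uint8_t *sample_peb(int debugged, uint32_t major, uint32_t minor, uint16_t build) {
    static uint8_t img[PEB_IMAGE_SIZE];
    memset(img, 0, sizeof img);
    img[PEB_BEING_DEBUGGED] = (uint8_t)debugged;
    wr32(img + PEB_OS_MAJOR_VERSION, major);
    wr32(img + PEB_OS_MINOR_VERSION, minor);
    wr16(img + PEB_OS_BUILD_NUMBER, build);
    return img;
}
int main(void) {
    /* Windows 7 SP1 values from the thread (6.1 build 7601), then the same image with a fake build. */
    struct peb_version v = peb_read_version(sample_peb(1, 6, 1, 7601));
    printf("BeingDebugged=%u OS %u.%u build %u\n", v.being_debugged, v.major, v.minor, v.build);
    printf("edited build flagged: %d\n", peb_version_mismatch(sample_peb(0, 6, 1, 9999), 6, 1, 7601));
    return 0;
}
```

On a live 32-bit process the image would be the memory at the address fs:[30] holds, and the comparison values would come from a source the PEB edit does not touch.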
On 2/2/2018 at 6:32 PM, kao said:

If you don't know how to change the build number in the PEB manually, you can use xjun's SharpOD plugin, which hides the debugger from VMProtect. It's somewhere on the forum.

Xjun's plugin should also work for the latest VMProtect, where changing the build number might not be enough.

Yup, I knew about this plugin, but after reading your blog I wanted to do it manually.

On 2/3/2018 at 10:21 PM, Aesculapius said:

Hi, it goes like this: load your target in OllyDbg and type G fs:[30] in the command bar. At that memory location + 2 bytes you should read 0x01 if a debugger is attached or 0x00 if a debugger isn't attached (or you have installed an anti-debug plugin). This is the BeingDebugged flag. It tells you that you are on the right track. At that base address (pointed to by fs:[30]) add 0xA4 and you should read OSMajorVersion, and at 0xAC you should read OSBuildNumber. Change these last two parameters to any random number and you should be good to go. _PEB is a per-process structure, so it won't affect anything else.

I would also tell you to try the OllyDbg stolystruct plugin to quickly find all of this, but it's outdated and you could end up modifying a different member of the _PEB struct, although it is worth trying too since you are using Win7. Remember that _PEB has evolved slightly throughout the years. In any case, such changes have been fully described and it's always good to have this handy reference: _PEB Evolution.

If you wish to go on the automated track then use Xjun's SharpOD plugin as Kao suggested. The version published in this forum has a bug where the child process has a bigger PID than explorer.exe. I think this has been corrected in the latest version but I can't confirm, since I don't have access to Chinese forums. I tried to correct this myself, but the main function of the driver in that plugin is VM'ed with lots and lots of VM handlers, way beyond my wildest dreams of passion, calm and patience for debugging. Best regards.

Thank you, I will practice this on many samples and see if I can get it done correctly.
