Comments on "RE: Instrumentationcallback and advanced debugging" (blog by everdox), feed updated 2023-02-21

walied, 2013-04-20 06:32 (-07:00):

Nice find, everdox. I played with the "InstrumentationCallback" once before, but this was only for being an anti-debug trick, since it requires a privilege held by almost all debuggers which is automatically passed to child processes, i.e. debuggees.

I reversed "NtSetInformationProcess" and found out the following, which might help:

1) The "ProcessInformationLength" must be 0x8.

2) The calling process must be holding the "SeDebugPrivilege" privilege for the call to succeed. #Anti-Debug Trick here.

3) The supplied "Instrumentation Callback" address must be canonical. Were it not for this check, executing SYSRET later would cause a #GP.

4) In case you are calling the "NtSetInformationProcess" function to set the "Instrumentation Callback" of another process, the process handle must have the "PROCESS_SET_INFORMATION" access right.

5) The calling process and the target process must both be Wow64 or both be Native64. Otherwise, an error STATUS_NOT_SUPPORTED will be returned.

6) In case of Wow64 processes, the call ends up filling the "InstrumentationCallback" field of the 32-bit PEB (at offset 0x254), while in case of Native64 processes, the call ends up filling the "InstrumentationCallback" field of the target process's _KPROCESS object and setting the "instrumented" bit of each thread's _DISPATCHER_HEADER.

I am now using that as both an ANTI-DEBUG + REDIRECTION trick; here it is:
http://pastebin.com/9TqRGsM5
POC:
http://goo.gl/iyvSl

Nice blog, by the way.

everdox, 2013-03-22 06:55 (-07:00):

It could be, but not that I have seen.

Unknown, 2013-03-22 01:55 (-07:00):

WAW, this is quite powerful!!! It works just like a SYSRET hook, really fun!

I did not find any information about this technique on the Internet, I don't understand why (well, okay, this is not undocumented).

Is this used by legitimate Microsoft processes in the wild?

everdox, 2013-03-21 12:45 (-07:00):

hi,

yes you are correct, the linear address of the callback is meant to be in user-space.

for a system call, once the callback is reached it means the system service has finished its execution, just as if you were reaching the return address following a syscall. So from there you would do whatever it is your tool does before branching to the actual return address. Like log it, manipulate return buffers, etc :)

Unknown, 2013-03-21 04:41 (-07:00):

Hi! I do have several questions:
- is the callback set into InstrumentationCallback in ring0 or in the process (ring3) space? I believe it is in ring3, am I correct?
- once the callback is reached, does it have to go back to the kernel (if it is in ring3)? Can it perform manipulation on a SYSCALL output, or just be used for a code-coverage purpose?

Thanks :)