Comments on "RE: Tricky and powerful anti-tracing mechanisms with BTF and LBR" (blog by everdox; comment feed last updated 2023-02-21T01:58:48-08:00)

VnSpl0it, 2013-12-21T05:22:11-08:00:

Great, thanks!

Anonymous, 2014-03-02T12:53:28-08:00:

It seems to me that the BTF and LBR Dr7 backdoor don't exist on modern versions of Windows (Windows 7, Windows 8). Can you supply me some source code? Maybe I've missed something important. Thanks in advance.

everdox, 2014-03-03T10:34:21-08:00:

Please read this: http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing

Source code is as simple as setting the relevant DR7 bits for the task.
As of 8.1 this functionality (using dr7 to play with debug_ctl) still exists.

Anonymous, 2014-03-04T13:55:13-08:00:

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int counter = 0;

/* Unhandled-exception filter: on the deliberate access violation, set the
   DR7 bit through the thread context and skip the faulting instruction;
   afterwards count every single-step exception that arrives. */
LONG WINAPI MyFilter(_EXCEPTION_POINTERS *ExceptionInfo)
{
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
    {
        ExceptionInfo->ContextRecord->Dr7 |= 0x200;
        ExceptionInfo->ContextRecord->Eip += 2;   /* skip the 2-byte "mov eax,[eax]" */
    }
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
    {
        counter++;
    }
    return EXCEPTION_CONTINUE_EXECUTION;   /* -1 */
}

int main(int argc, _TCHAR* argv[])
{
    SetUnhandledExceptionFilter(MyFilter);
    _asm
    {
        xor eax,eax
        mov eax,[eax]               ; access violation -> MyFilter modifies Dr7
        pushfd
        or dword ptr [esp],0x100    ; set TF in EFLAGS
        popfd
        xor eax,eax                 ; straight-line code, no branches
        xor eax,eax
        xor eax,eax
    }
    printf("%d\n", counter);
    getchar();
    return 0;
}

As mov dr7, smth is a privileged instruction and can be called only from kernel space, I used several methods to secretly set the BTF bit in dr7. One of these methods, involving structured exception handling, is above. In this case TF works as usual: the single-step exception is raised at one of the xor eax,eax instructions, but there are no branches!
The other two methods, involving VEH and SetThreadContext, do not work either.
What have I missed? What is wrong in the code example above?
Thanks in advance.