In the event that everything works, the string is changed to ‘ CPU -’. However, since the pages are no longer executable, OllyDbg crashes on DEP-enabled systems. Then it calls the user32 SetWindowText() function, which sends a message to OllyDbg. It calls the kernel32 VirtualProtect() function to write-enable the memory region, but it only sets the read/write attribute and not the executable bit. The block attempts to intercept the routine that displays the ‘[CPU-’ string.
The other routine hides OllyDbg’s caption. If it is, then the block simply returns, as in the case of the SystemModuleInformation class. Interestingly, the block also contains a check for the SystemInfoBufferSize being 11 bytes long. The use of this option causes an error in OllyDbg on other platforms. This behaviour is a bug because no error code is returned.įurther, the block contains code that is specific to the 32-bit version of Windows Vista, using a specific service call which uses the TEB->Wow32Reserved field.
That block intercepts any attempt to call the ntdll NtQuerySystemInformation() function with the SystemModuleInformation class, and simply returns when such a call is made.
The value that is assigned to EDX is a pointer to the dynamically allocated block of memory. This change is instantly recognizable in Windows NT or Windows 2000, since the code is normally LEA EDX, DWORD PTR SS: / INT 2E. MagicHideOllyDbg saves the debuggee’s original ntdll NtQuerySystemInformation() function code to a dynamically allocated block of memory, then replaces it with the Windows XP-style code: MOV EDX, xxxxxxxx / CALL DWORD PTR DS. One of the newly introduced routines intercepts the ntdll NtQuerySystemInformation() function. In addition, two new routines have been introduced. The other routine is different because the order of the options checking has been changed. Three more routines are different from HideOD thanks to a different compiler setting which has produced slightly different, but functionally equivalent code. Since no such API exists in Windows, the protection against the OllyDbg OutputDebugStringA exploit is not enabled. The bug is in the OutputDebugStringA code, which has been renamed to ‘OutDebugStringA’. One routine is different from HideOD because it contains an introduced bug. In fact, the autorun option still calls itself HideOD. All but five of the important routines are byte-for-byte identical to HideOD. MagicHideOllyDbg is a shameless theft of code from the HideOD plug-in.
0 kommentar(er)
