6/14/2014

Debugging ring 3 part of PE/PE+ loader

January 31, 2013 / ReWolf
Posted in: assembly, programming, reverse engineering, source code, WoW64, x64 / 4 Comments

Someone may ask what the purpose of debugging the PE loader is; here are a few reasons:

- checking why an executable is not loaded properly (imports, TLS, other initialization-related issues)
- looking for some hidden features (e.g. LdrpCheckNXCompatibility)
- plain curiosity

Of course, debugging the ring 3 part of the PE/PE+ loader can reveal only part of the truth. For the second part (or rather the first part, if I want to be strict) there is the MiCreateImageFileMap function inside ntoskrnl (the source code of this function can be found in the Windows Research Kernel: \base\ntos\mm\creasect.c; it is a bit old, but most of the stuff hasn't changed much). In this short article I'll cover only the x86 and x64 flavours of the ring 3 part.

The ring 3 entry point for a new process (and also for a new thread) is located in NTDLL; it is exported as LdrInitializeThunk. More information about this callback can be found at Skywing's blog: http://www.nynaeve.net/?p=205. Basically, the above post inspired me to think about some other method to debug process initialization. It was a few years ago and I came up with a very simple idea (flawed, as it turned out lately when I got back to this project). The initial concept looked like this:

1. Create the process with dwCreationFlags set to CREATE_SUSPENDED
2. Allocate one temporary page in the new process (VirtualAllocEx)
3. Inject small shellcode which checks the PEB.BeingDebugged field in a loop; when a debugger is detected the loop ends and int3 is executed
4. Redirect LdrInitializeThunk to the shellcode
5. Resume the process
6. Attach your favourite debugger

I was using this scenario and it was sufficient at that time; however, it was sometimes failing. Recently I got back to this and finally found the reason. There is a race condition, because during debugger attachment system

http://blog.rewolf.pl/blog/?p=463
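As an added illustration of the first reason listed above (checking what the loader is going to find in an image before it even runs), the following Python script is not from the original post: it parses the DOS header, the NT signature, the file header and the optional header of a PE/PE+ image, tells PE32 (magic 0x10B) apart from PE32+ (magic 0x20B), and reports the import and TLS data directories together with the DllCharacteristics flags, including NX_COMPAT, which is what LdrpCheckNXCompatibility is concerned with. The header buffer it parses is constructed inline by build_headers (DOS and NT headers only, no sections, so it is not a loadable image); build_headers, parse_pe_headers and loader_checklist are names chosen here, the constants are the winnt.h values.

```python
import struct

# Constants from winnt.h (real values, not specific to this post)
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
DIR_IMPORT, DIR_TLS = 1, 9              # data directory indices


def build_headers(pe_plus, dll_chars, import_rva, tls_rva):
    """Constructed sample: DOS header + NT headers, no sections. Enough for the
    parser below, but NOT a loadable image (hypothetical test input)."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    opt_size = 240 if pe_plus else 224               # optional header incl. 16 data directories
    machine = IMAGE_FILE_MACHINE_AMD64 if pe_plus else IMAGE_FILE_MACHINE_I386
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0002 = EXECUTABLE_IMAGE)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe_plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint (same offset in both)
    struct.pack_into("<H", opt, 70, dll_chars)       # DllCharacteristics (same offset in both)
    if pe_plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)  # 64-bit ImageBase
        struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
        dd_off = 112
    else:
        struct.pack_into("<I", opt, 28, 0x400000)     # 32-bit ImageBase
        struct.pack_into("<I", opt, 92, 16)
        dd_off = 96
    if import_rva:
        struct.pack_into("<II", opt, dd_off + 8 * DIR_IMPORT, import_rva, 0x28)
    if tls_rva:
        struct.pack_into("<II", opt, dd_off + 8 * DIR_TLS, tls_rva, 0x28)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


def parse_pe_headers(data):
    """Walk MZ -> e_lfanew -> PE -> file header -> optional header and return
    the fields the ring 3 loader cares about first."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing or out-of-range PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        fmt, image_base = "PE32", struct.unpack_from("<I", data, opt + 28)[0]
        n_off, dd_off = opt + 92, opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        fmt, image_base = "PE32+", struct.unpack_from("<Q", data, opt + 24)[0]
        n_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = min(struct.unpack_from("<I", data, n_off)[0], 16)
    if dd_off + 8 * n_dirs > len(data):
        raise ValueError("data directories truncated")
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(n_dirs)]
    dirs += [(0, 0)] * (16 - n_dirs)                 # absent directories read as empty
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # A 32-bit machine with a PE32+ header (or the reverse) will never be mapped correctly
    mismatch = (fmt == "PE32+" and machine == IMAGE_FILE_MACHINE_I386) or \
               (fmt == "PE32" and machine == IMAGE_FILE_MACHINE_AMD64)
    return {
        "format": fmt,
        "machine": machine,
        "machine_mismatch": mismatch,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "import_dir": dirs[DIR_IMPORT],
        "tls_dir": dirs[DIR_TLS],
    }


def loader_checklist(info):
    """Plain-language notes on what the ring 3 loader will (not) have to do."""
    notes = []
    if info["machine_mismatch"]:
        notes.append("Machine field does not match optional header magic")
    if info["entry_point"] == 0:
        notes.append("AddressOfEntryPoint is 0")
    if info["import_dir"] == (0, 0):
        notes.append("no import directory: nothing for the loader to resolve")
    if info["tls_dir"] != (0, 0):
        notes.append("TLS directory present: TLS callbacks run before the entry point")
    if not info["nx_compat"]:
        notes.append("NX_COMPAT not set in DllCharacteristics")
    if not info["dynamic_base"]:
        notes.append("DYNAMIC_BASE not set: image is not relocated by ASLR")
    return notes


if __name__ == "__main__":
    sample = build_headers(True, 0x0140, 0x2000, 0x3000)   # constructed PE32+ sample
    info = parse_pe_headers(sample)
    print(info["format"], hex(info["image_base"]), loader_checklist(info))
```

To run it against a real file, replace the constructed sample with `open(path, "rb").read()`; only the headers are read, so nothing is mapped or executed, which makes it a safe first step before attaching a debugger to the loader itself.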
