Archive for April, 2007


ollydbg – Analyzer floating-point bug

April 29, 2007

Perhaps some of you already know about this, some may not. This bug is not yet widely known, so I am blogging it here mostly for documentation purposes.

This bug was originally found by the flatassembler community. It later made its way to the Themida developers, who have included this anti-OllyDbg trick in their protector.

——————————————————————————————

A random discovery
http://board.flatassembler.net/topic.php?t=5820

Source Code + Exe
http://www.mediafire.com/?404jwzfmmvm


Windows loader does it differently

April 22, 2007

You think what is documented on Microsoft's website is exactly how the Windows loader works? Think again. In this post I will crash your disassembler/debugger by modifying some fields in the PE header.

IMAGE_FILE_HEADER.NumberOfRvaAndSizes

pecoff_v8.doc says NumberOfRvaAndSizes contains the number of data directories we have. But the Windows loader just ignores it when the value is larger than 0x10 bytes. When it is less than 0x10 bytes, the Windows loader will simply skip over some of the data directories. You can use this trick to strip some bytes out of your executable file.
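As an added illustration of the behaviour described above (example code written for this page, not something taken from the post or its download): the script below constructs a minimal PE32 header in memory, writes a NumberOfRvaAndSizes that disagrees with the table actually present, and then parses it two ways. `data_directories_naive` trusts the field literally, the way a tool that crashes on such a file would; `data_directories_loader_style` is my model of the loader behaviour the post describes (never honour more than 16 entries, treat entries beyond a smaller count as absent) and is an assumption, not code from Windows. The field offsets (92 for PE32, 108 for PE32+) come from the PE/COFF specification; all sample values are constructed.

```python
import struct

DIR_COUNT_MAX = 16               # IMAGE_NUMBEROF_DIRECTORY_ENTRIES
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2


def build_pe32(number_of_rva_and_sizes, directories):
    """Build a minimal PE32 header (constructed sample, not a real binary).
    `directories` is the list of (rva, size) pairs really written after the fixed
    optional header; NumberOfRvaAndSizes is written independently so the two can
    disagree, which is the situation the post describes."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH",
                           0x014C,                         # Machine: i386
                           1,                              # NumberOfSections
                           0, 0, 0,                        # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                           96 + 8 * len(directories),      # SizeOfOptionalHeader
                           0x0102)                         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(96)                                    # fixed part of IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<I", opt, 92, number_of_rva_and_sizes)
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    # One IMAGE_SECTION_HEADER (.text) follows the optional header, as in a real file.
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI",
                                            0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + dirs + section


def _directory_table(data):
    """Return (NumberOfRvaAndSizes, file offset of the first directory entry)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    count_off = opt + (92 if magic == 0x10B else 108)      # PE32 vs PE32+
    count = struct.unpack_from("<I", data, count_off)[0]
    return count, count_off + 4


def data_directories_naive(data):
    """What a tool that trusts NumberOfRvaAndSizes literally does: with a large
    count it walks off the end of the header (here: raises instead of crashing)."""
    count, table = _directory_table(data)
    if table + 8 * count > len(data):
        raise ValueError("NumberOfRvaAndSizes=%d walks past the end of the header" % count)
    return [struct.unpack_from("<II", data, table + 8 * i) for i in range(count)]


def data_directories_loader_style(data):
    """Assumed model of the loader behaviour the post describes: at most 16
    entries are honoured, and entries beyond a smaller count are absent (None)."""
    count, table = _directory_table(data)
    count = min(count, DIR_COUNT_MAX)
    entries = [struct.unpack_from("<II", data, table + 8 * i) for i in range(count)]
    return entries + [None] * (DIR_COUNT_MAX - count)


def trusting_parser_fails(data):
    """True when the literal count makes the trusting parser read past the buffer."""
    try:
        data_directories_naive(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    full = [(0, 0)] * DIR_COUNT_MAX
    full[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000, 0x28)
    full[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (0x3000, 0x100)
    oversized = build_pe32(0x20, full)          # claims 32 directories, 16 present
    undersized = build_pe32(2, full[:2])        # claims 2 directories, 2 present
    print("oversized: trusting parser fails:", trusting_parser_fails(oversized))
    print("oversized: loader-style import dir:", data_directories_loader_style(oversized)[1])
    print("undersized: loader-style resource dir:", data_directories_loader_style(undersized)[2])
```

The undersized case is the one that saves bytes: the resource directory slot is simply absent, and anything a disassembler reads at that position is really the first section header.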

Let's say we have something like this.



Shield from thread injection

April 17, 2007

Originally posted on rootkit.com
http://www.rootkit.com/blog.php?newsid=640

——————————————————————————————

This method was discovered while I was doing some random debugging. A sudden idea came to my mind when I injected some DLL into an OllyDbg-debugged process. Olly's log traced that one thread was created and terminated. Then I thought: since the DLL loading takes place in user mode, why can't I prevent it from loading by hooking some function?

So I put a breakpoint on kernel32.LoadLibraryA() and injected the DLL again. OllyDbg halted. I traced the stack frame to one function in kernel32.dll. I injected some DLL again, and again I traced back to the same function.

My sense told me that was the function I was looking for. So I began coding and hooked that function. Voila, now Winject reports that the DLL injection failed. But wait, our job is not done yet.

After more debugging I found that my hook was preventing our own threads from being created too. So I needed a method to distinguish rogue threads from our own threads.

Finally, I found a method used by Piotr Bania to prevent shellcode execution. He used VirtualProtect() to determine whether code is rogue or not. Usually shellcode is injected as the result of a stack overflow or some other memory-based leak, so that memory must be writable. If any pointer is pointing into a writable memory section, we can conclude that it has been altered by the shellcode.

Yet this method has a flaw. Most packers and protectors modify the PE and mark the image as writable (to decompress or decrypt the content) and don't bother to restore it. That raises a false alarm when we use VirtualProtect() to check the protection. So I thought of a better solution.

I used VirtualQuery() to check the memory type. Usually when we create a thread, its start address should point to code within the image (marked by the loader as MEM_IMAGE). Any VirtualAllocEx()-allocated memory would not have that flag set.
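The two heuristics the post compares, written out as an added Python example (my code, not the Trypanophobia source): `Region` carries the MEMORY_BASIC_INFORMATION fields each check consults, `writable_check_flags` is the VirtualProtect-style writable-memory test, and `image_check_flags` is the post's MEM_IMAGE test. The sample regions are constructed for the demonstration and are not real addresses; `query_region` wraps the real VirtualQuery() through ctypes and only works on Windows, so it is the one part that needs a live process. The constants are the winnt.h values.

```python
import sys
from dataclasses import dataclass

# winnt.h values for MEMORY_BASIC_INFORMATION.Type and .Protect
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    """Subset of MEMORY_BASIC_INFORMATION that the two checks look at."""
    base: int
    size: int
    protect: int   # current page protection (PAGE_*)
    type: int      # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE


def writable_check_flags(region):
    """Bania-style test as the post describes it: a thread start address that
    lies in writable memory is suspicious."""
    return region.protect in WRITABLE


def image_check_flags(region):
    """Post's refinement: a start address not backed by a loaded image
    (i.e. not MEM_IMAGE, such as VirtualAllocEx()'d memory) is suspicious."""
    return region.type != MEM_IMAGE


def classify_thread_start(region):
    """Decision the hook would take for a new thread's start address."""
    return "block" if image_check_flags(region) else "allow"


def query_region(address):
    """Fill a Region for `address` in the current process via VirtualQuery().
    Windows only; the struct layout is MEMORY_BASIC_INFORMATION from winnt.h
    (ctypes pads RegionSize to pointer alignment on 64-bit, as the SDK does)."""
    if sys.platform != "win32":
        raise OSError("VirtualQuery is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class MBI(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p),
                    ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD),
                    ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD),
                    ("Protect", wintypes.DWORD),
                    ("Type", wintypes.DWORD)]

    mbi = MBI()
    ok = ctypes.windll.kernel32.VirtualQuery(ctypes.c_void_p(address),
                                             ctypes.byref(mbi), ctypes.sizeof(mbi))
    if not ok:
        raise ctypes.WinError()
    return Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.Protect, mbi.Type)


# Constructed sample regions (made up for the demonstration, not real addresses).
SAMPLES = {
    "normal .text":  Region(0x00401000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE),
    "packed .text":  Region(0x00401000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_IMAGE),  # packer left RWX
    "injected stub": Region(0x002F0000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
}


if __name__ == "__main__":
    for name, region in SAMPLES.items():
        print("%-14s writable-check=%-5s image-check=%-5s -> %s" % (
            name, writable_check_flags(region), image_check_flags(region),
            classify_thread_start(region)))
```

The "packed .text" row is the false alarm the post complains about: the writable-memory test flags it, the MEM_IMAGE test does not. Note what the MEM_IMAGE test does and does not decide: it tells you the start address lives in a mapped module, which is exactly the filter against VirtualAllocEx()'d code the post set out for, and nothing more.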

——————————————————————————————

Trypanophobia
http://code.google.com/p/opcode0x90/source/browse/trunk/snippets/Trypanophobia/

——————————————————————————————

Coming soon – Stopping SetWindowsHookEx() injection. ;)


MSPro v4 Beta 5

April 16, 2007

Something to start my blog with. ;) This thing was made months ago, and an overwhelming load of coursework kept me from updating it further. Anyway, I made this mostly as a POC of my new idea on simulating keystrokes, so don't nag about the lack of features.

So what about it?

Currently it has the most common botting functions: auto-clicker, auto-loot, auto-attack and auto-pot, and it is (supposed to) work on all versions of MapleStory. Feel free to comment here if you have questions, ideas or found a bug (!).

Behind the scene

  • Simulating Inputs

It doesn't use any driver! No SendInput() or whatsoever. ;) The idea is simple: inject a DLL into MapleStory.exe and then directly invoke MapleStory's WndProc(). So how are we going to find WndProc()? Read on.

  • Code Signature (aka Array of Bytes)

Again another simple idea: I made a simple pattern finder to find the address of code, very much like an AV engine does. I did the same thing for all the other code, so MSPro is version-independent, since it is able to find the addresses each time it is loaded. (See SigSeek.inc for the source code.)
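A pattern finder of the kind the paragraph describes, as an added Python example (my code, not SigSeek.inc): `find_signature` scans a byte buffer for an IDA-style pattern with `??` wildcards, `find_all` reports every hit so that a signature which is not unique can be rejected instead of silently picking the first match, and `call_target` resolves an E8 rel32 call found by such a scan. The two byte blobs are constructed stand-ins for two builds in which only an immediate changed; the signature is made up for the example and matches no real program.

```python
import struct


def parse_signature(sig):
    """Turn "55 8B EC 83 EC ?? 8B 45 08" into a list of ints, None for wildcards."""
    pattern = [None if tok in ("?", "??") else int(tok, 16) for tok in sig.split()]
    if not pattern or all(p is None for p in pattern):
        raise ValueError("signature needs at least one concrete byte")
    return pattern


def find_all(buf, sig):
    """Offsets of every match of `sig` in `buf` (overlapping matches included)."""
    pattern = parse_signature(sig)
    n = len(pattern)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


def find_signature(buf, sig):
    """Offset of the unique match, or -1 when there is none or more than one.
    An ambiguous signature is as useless as a missing one for address resolution,
    so it is reported as a failure rather than resolved to the first hit."""
    hits = find_all(buf, sig)
    return hits[0] if len(hits) == 1 else -1


def call_target(buf, off, image_base):
    """Absolute target of the E8 rel32 call at buffer offset `off`, assuming the
    buffer was read from `image_base`. rel32 is relative to the next instruction."""
    if buf[off] != 0xE8:
        raise ValueError("no E8 call at offset 0x%x" % off)
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return image_base + off + 5 + rel


# Constructed stand-ins for two builds of the same routine: identical prologue,
# different stack-frame size (the ?? byte), located at different offsets.
PROLOGUE_SIG = "55 8B EC 83 EC ?? 8B 45 08"      # push ebp; mov ebp,esp; sub esp,??; mov eax,[ebp+8]
BUILD_A = b"\x90" * 4 + bytes.fromhex("558bec83ec108b4508c3") + b"\x00" * 8
BUILD_B = b"\x90" * 9 + bytes.fromhex("558bec83ec208b4508c3") + b"\x00" * 3
# A buffer in which the prologue occurs twice; the scanner must refuse to pick one.
AMBIGUOUS = BUILD_A + BUILD_A
# A call site: E8 rel32 at offset 0 calling 0x10 bytes past the end of the instruction.
CALL_SITE = bytes.fromhex("e810000000") + b"\x90" * 0x10


if __name__ == "__main__":
    print("build A prologue at", find_signature(BUILD_A, PROLOGUE_SIG))    # 4
    print("build B prologue at", find_signature(BUILD_B, PROLOGUE_SIG))    # 9
    print("ambiguous hits:", find_all(AMBIGUOUS, PROLOGUE_SIG))            # [4, 26]
    print("ambiguous resolves to", find_signature(AMBIGUOUS, PROLOGUE_SIG))  # -1
    print("call target: 0x%x" % call_target(CALL_SITE, 0, 0x400000))       # 0x400015
```

The uniqueness check is the part worth keeping in any such scanner: a signature that matched once in the build it was written against can match several times in a later build, and resolving to the wrong address is how "version-independent" tooling ends up corrupting the process it patches.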

Current Issues

  • The auto-clicker crashes MapleStory!

Trying to figure out a fix for this... Since WndProc() is invoked from a different thread, an overwhelming torrent of WM_LBUTTONDBLCLK messages might cause a reentrancy problem and corrupt MapleStory. So use AC with care.

  • Auto-pot spams pots on my char!

Your PC is probably lagging. MSPro keeps potting until your HP is above the alarm level. If you lag while MSPro is potting, your HP value is not updated, and MSPro keeps potting, thinking your HP is dangerously low. So it "spams" pots.

——————————————————————————————

MSPro v4 Beta 5
http://filexoom.com/files/2007/3/27/65350/MSPro%20v4%20Beta%205.zip

SigSeek.inc
http://code.google.com/p/opcode0x90/source/browse/trunk/snippets/SigSeek.inc