Read this first: OllyDbg plugin: Catcha! v1.1 - Catcha anywhere
Nothing special :D Just write a trap function that call LoadLibrary() function...
Pros:
- We have an advantage that we don't have to call CreateRemoteThread() function.
Cons:
- Must pause target process to hook its EntryPoint :D.
In order to reach the target program EntryPoint, we call CEngine::EngineTrap() function below before resuming the target program to hook its EntryPoint and raise debug exception by INT3 instruction then we can attach to it.
///pAddress: the address inside target process (the EntryPoint in our case) that will be hooked with trap function.
VOID CEngine::EngineTrap(LPVOID pAddress)
{
HANDLE hProcess = NULL, hLibRemote = NULL;
UCHAR pEntryPointOpcodes[5] = {0,};
//Trap function opcodes
UCHAR pTrap[] = {0x50, // 0 - PUSH EAX ; Save EAX
0xB8, 0x00, 0x00, 0x00, 0x00, // 1 - MOV EAX,XXXXXXXX ; EAX = XXXXXXXX = pAddress
0xC6, 0x00, 0xFF, // 6 - MOV BYTE PTR DS:[EAX],0FF ;\
0xC6, 0x40, 0x01, 0xFF, // 9 - MOV BYTE PTR DS:[EAX+1],0FF ; |
0xC6, 0x40, 0x02, 0xFF, //13 - MOV BYTE PTR DS:[EAX+2],0FF ; | Restore original opcodes at pAddress
0xC6, 0x40, 0x03, 0xFF, //17 - MOV BYTE PTR DS:[EAX+3],0FF ; |
0xC6, 0x40, 0x04, 0xFF, //21 - MOV BYTE PTR DS:[EAX+4],0FF ;/
0x58, //25 - POP EAX ; Restore EAX
0xCC, //26 - INT3 ; Raise debug exception
0xE9, 0x00, 0x00, 0x00, 0x00 //27 - JMP YYYYYYYY ; YYYYYYYY = relative address value of pAddress
};
DWORD nOldProtect;
do {
//Open target process
hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_ProcessInfo.m_nProcessId);
if (!hProcess) {
EngineLog("Error: CEngine::EngineTrap() -> ::OpenProcess()");
EngineError();
break;
}
//Allocate memory space inside target process for trap function
//hLibRemote = allocated virtual address inside target process
hLibRemote = ::VirtualAllocEx(hProcess,
NULL,
sizeof(pTrap),
MEM_COMMIT,
PAGE_READWRITE);
if (!hLibRemote) {
EngineLog("Error: CEngine::EngineTrap() -> ::VirtualAllocEx()");
EngineError();
break;
}
//Ensure that we can read/write/execute sizeof(pEntryPointOpcodes) bytes at pAddress
if (!::VirtualProtectEx(hProcess,
(LPVOID)(m_ProcessInfo.m_nImageBase + m_ProcessInfo.m_nAddressOfEntryPoint),
sizeof(pEntryPointOpcodes),
PAGE_EXECUTE_READWRITE,
&nOldProtect)) {
EngineLog("Error: CEngine::EngineTrap() -> ::VirtualProtectEx()");
EngineError();
break;
}
//Ensure that we can read/write/execute sizeof(pTrap) bytes at hLibRemote
if (!::VirtualProtectEx(hProcess,
(LPVOID)hLibRemote,
sizeof(pTrap),
PAGE_EXECUTE_READWRITE,
&nOldProtect)) {
EngineLog("Error: CEngine::EngineTrap() -> ::VirtualProtectEx()");
EngineError();
break;
}
//Save sizeof(pEntryPointOpcodes) bytes at pAddress in pEntryPointOpcodes
if (!::ReadProcessMemory(hProcess,
(LPVOID)(m_ProcessInfo.m_nImageBase + m_ProcessInfo.m_nAddressOfEntryPoint),
(LPVOID)pEntryPointOpcodes,
sizeof(pEntryPointOpcodes),
NULL)) {
EngineLog("Error: CEngine::EngineTrap() -> ::ReadProcessMemory()");
EngineError();
break;
}
//Repair trap function
//XXXXXXXX = pAddress
*(PDWORD)(pTrap + 2) = (DWORD)pAddress;
//Calculate value for JMP instruction
//YYYYYYYY = relative address value of pAddress
*(PDWORD)(pTrap + 28) = (DWORD)pAddress - ((DWORD)hLibRemote + sizeof(pTrap));
//Restore original opcodes at pAddress
pTrap[8] = pEntryPointOpcodes[0];
pTrap[12] = pEntryPointOpcodes[1];
pTrap[16] = pEntryPointOpcodes[2];
pTrap[20] = pEntryPointOpcodes[3];
pTrap[24] = pEntryPointOpcodes[4];
//Replace opcodes at pAddress with JMP instruction to trap function
pEntryPointOpcodes[0] = 0xE9;
//Calculate value for JMP instruction
*(PDWORD)(pEntryPointOpcodes + 1) = (DWORD)hLibRemote - ((DWORD)pAddress + sizeof(pEntryPointOpcodes));
//Write our codes into target process
if (!::WriteProcessMemory(hProcess,
pAddress,
(LPVOID)pEntryPointOpcodes,
sizeof(pEntryPointOpcodes),
NULL)) {
EngineLog("Error: CEngine::EngineHookEntryPoint() -> ::WriteProcessMemory()");
EngineError();
break;
}
if (!::WriteProcessMemory(hProcess,
(LPVOID)hLibRemote,
(LPVOID)pTrap,
sizeof(pTrap),
NULL)) {
EngineLog("Error: CEngine::EngineTrap() -> ::WriteProcessMemory()");
EngineError();
break;
}
}
while (FALSE);
::CloseHandle(hProcess);
EngineLog("Done: CEngine::EngineTrap()");
}
Besides, this function is also used to hook and trap at any address inside target process. It will be useful for attaching OllyDbg after bypassing some codes we are not interested in (e.g: anti-debugger codes :D). Because I don't have much time at this moment, I will add this option in next version of Catcha!.
mikado.
Catcha! v1.0
Coded by mikado @ vnsecurity, 4vn
Website: http://www.vnsecurity.net - http://www.4vn.org
Email: mikado[at]4vn[dot]org
[ About ]
Sometimes you don't know how to start a program correctly
from OllyDgb. Catcha! plugin will help you to attach to your
program automatically as soon as possible each time your
program runs (outside OllyDbg).
It works like Olly De-Attach Helper plugin:
http://www.openrce.org/downloads/details/185/Olly%20De-Attach%20Helper
Catcha! has more advantages than Olly De-Attach Helper.
It helps reversers not to miss many opcodes before attaching
target program.
Check it out! Have fun and feel free to contact me.
[ Instructions ]
- Copy Catcha!.dll and Catcha!.sys to OllyDbg plugin directory.
- First, select target program by chosing menu:
Plugins -> Catcha! -> Select Catcha! target.
- Run target program outside OllyDbg.
It will be attached in OllyDbg automatically as soon as possible.
- Press F9 to continue running program or,
right click on Disassembler window and chose Thread -> Main
on Popup menu to switch to program's main thread and continue
your debug session.
[ History ]
2007.07.06:
- Version 1.0 released.
[ Known bugs ]
1. Target program can only be attached automatically one time.
You have to restart OllyDbg in order for Catcha! to work correctly.
2. Only tested on Windows XP SP2. The kernel driver was built
on WinDDK with Windows XP Build Environment.
[ TODO ]
- Fix bug (1).
- Implement de-attach function without closing target program.
mikado.