 |
AutoHotkey Community
Let's help each other out
|
| View previous topic :: View next topic |
| Author |
Message |
SKAN
Joined: 26 Dec 2005
Posts: 5880
|
 Posted: Mon Mar 03, 2008 9:15 am Post subject: |
 |
|
Thanks for the clarification, Azerty.  |
|
| Back to top |
|
 |
Guest
|
| Posted: Mon Mar 03, 2008 9:22 am Post subject: |
|
|
| Azerty wrote: | | There's no SuspendProcess() in Windows... |
Yes there is one (:undocumented), but I suppose that's series of SuspendThread's in reality. |
|
| Back to top |
|
|
Joy2DWorld
Joined: 04 Dec 2006
Posts: 422
Location: Galil, Israel
|
| Posted: Mon Mar 03, 2008 5:23 pm Post subject: |
|
|
likley am missing something...
but,
doesn't seem to work...
the compiled code example debugs & shows memory just like any other compiled AHK...
_________________
Joyce Jamce |
|
| Back to top |
|
|
dandy
Joined: 09 May 2007
Posts: 45
|
| Posted: Mon Mar 03, 2008 10:05 pm Post subject: |
|
|
please someone post an example of integration with already made scripts.
thanks |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5880
|
| Posted: Tue Mar 04, 2008 12:20 am Post subject: |
|
|
| dandy wrote: | | an example of integration with already made script |
It is as simple as adding 9 lines to the top of any script as demonstrated below:
| Code: | x := RegisterCallback( "AttachDetected" )
m := DllCall( "Kernel32\GetModuleHandle", Str,"ntdll.dll" )
a := DllCall( "Kernel32\GetProcAddress", UInt,m, Str,"DbgUiRemoteBreakin" )
DllCall( "kernel32\VirtualProtect", UInt,a, UInt,1, UInt,0x40, UIntP,o )
NumPut( 0xe9, a+0, 0, "UChar" ) , NumPut( (x-5-a), a+1, 0, "Int" )
DllCall( "kernel32\VirtualProtect", UInt,a, UInt,1, UInt,o, UIntP,o )
AttachDetected() {
ExitApp
}
/*
Crazy Scripting : Dingbat Flipper 45L
http://www.autohotkey.com/forum/viewtopic.php?t=18794
*/
Gui, +AlwaysOnTop
Gui,Font,s28, Webdings
Loop 36
Ix:=A_Index, Ch.=Chr(158+Ix) "|" Chr(158+Ix) ((Ix<36) ? "|" : "")
Sort,Ch,D| Random
X:=10, Y:=10, R:=1, C:=1, Ix:=1
Loop,Parse,Ch,|
{
Gui,Add,Button,x%X% y%Y% w46 h46 vB%Ix% gMainProcedure
X:=X+50, C:=C+1, Ix:=Ix+1
If (C>9)
R:=R+1, C:=1, Y:=Y+50, X:=10
}
Gui,Font,S8 Bold,Tahoma
Gui,Margin,10,10
Gui,Add,StatusBar
e:=SB_SetParts(75,75,250), CL:=0, FL:=0, A_Time:=SubStr(A_Now,1,8)
Gui,Show,,Dingbat Flipper 45L
SetTimer,GameTimer,1000
Return ; [ End of Auto-Execute Section ]
F2::ReLoad
MainProcedure: ; [ Main Procedure ]
iNo:=Substr(A_GuiControl,2,2)
If (iNo!=S1 and iNo!=S2 and AR!=1) {
e:=GuiC(N,"B" iNo,GetF(Ch,iNo)), S0:=S1, S1:=S2, S2:=iNo, e:=GuiC(N,"B" S0), AR:=1
If ( GetF(Ch,S1) == GetF(Ch,S2) ) ; == is used for case sensitive matching
e:=GuiC("Disable","B" S1), e:=GuiC("Disable","B" S2), S1:=0, S2:=0, FL:=FL+1
CL:=CL+1, AR:=0, SB_SetText("`tClicks: " CL,1), SB_SetText("`tFlips: " FL "/36",2)
IfEqual,FL,36, Gui,Show,,GAME OVER! Press <F2> to play again
} Return
GameTimer: ; [ Game Timer ]
If (WinActive("Dingbat Flipper 45L") And CL>0) {
A_Time+=1,S
FormatTime,MMSS,%A_Time%,mm:ss
SB_SetText("`t" MMSS,4)
} Return
GetF(Str="",Fld=1) { ; GetField()
Loop,Parse,Str,|
IfEqual,A_Index,%Fld%, Return,A_LoopField
}
GuiC(P1="",P2="",P3="") { ; GuiControl()
GuiControl,%P1%, %P2%,%P3%
}
GuiClose:
ExitApp |
I chose to exit app when "Attach" detected.
You may choose, er.. like shutdown, to slow down the script kiddie.
|
|
| Back to top |
|
|
dandy
Joined: 09 May 2007
Posts: 45
|
| Posted: Tue Mar 04, 2008 12:24 am Post subject: |
|
|
| thanks skan! |
|
| Back to top |
|
|
Joy2DWorld
Joined: 04 Dec 2006
Posts: 422
Location: Galil, Israel
|
| Posted: Tue Mar 04, 2008 1:57 am Post subject: |
|
|
again, likely am missing something very basic,
but not sure what the code is supposed to be doing to 'protect' your script.
in my XP sp2,
can freely attach debug, search prog. memory, debug dissemble, etc. ..
what is it that am not supposed to be able to do exactly ?
(the ntdll.dll 'exploit' involved here seems known not to work also in w2k)
more helpful (if even) (still fundamentally flawed) approach maybe (?) :
| Code: | comment $
---------------------------------------------------
Debugger "On-Attach" detection method
---------------------------------------------------
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com
All rights reserved!
Disclaimer
----------
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here
in electronic or printed publications is not permitted without the
author's agreement.
Info
----
This code presents pretty effective and nasty debugger "on attach"
detection. When debugger (every which uses debug apis) attach to the
target process NtContinue function is executed, this acts BEFORE
debugger stops on DebugBreak, so we have the ability to do some
nasty things while debugger is still loading the process, i think
you know what possibilities it gives.
So here it comes, have fun:
$
include my_macro.inc
@get_api_addr "NTDLL.DLL","NtContinue"
xchg ebx,eax
call a1
dd 0
a1: push PAGE_READWRITE
push 5
push ebx
@callx VirtualProtect
@check 0,"Error: cannot deprotect the region!"
lea edi,_NtContinue_b
mov ecx,0Fh
mov esi,ebx
rep movsb
lea eax,_NtContinue
mov edi,ebx
call make_jump
@debug "attach debugger to me now!",MB_ICONINFORMATION
exit: mov byte ptr [flag],1
push 0
@callx ExitProcess
make_jump:
pushad
mov byte ptr [edi],0E9h
sub eax,edi
sub eax,5
mov dword ptr [edi+1],eax
popad
ret
flag db 0
_NtContinue: pushad
cmp byte ptr [flag],0
jne we_q
@debug "Debugger found!",MB_ICONERROR
we_q: popad
_NtContinue_b: db 0Fh dup (0)
comment $
77F5B638 > B8 20000000 MOV EAX,20
77F5B63D BA 0003FE7F MOV EDX,7FFE0300
77F5B642 FFD2 CALL EDX
77F5B644 C2 0800 RETN 8
$
end start
|
_________________
Joyce Jamce |
|
| Back to top |
|
|
Lexikos
Joined: 17 Oct 2006
Posts: 2558
Location: Australia, Qld
|
| Posted: Fri Mar 07, 2008 5:23 am Post subject: |
|
|
When I tried the DbgUiRemoteBreakin method, it didn't exactly detect the debugger, but it did cause AutoHotkey to crash. 
There is one major flaw with any scripted protection measure:
At some point during the script load process, the entire script is in memory in text form. In other words, the script can be extracted from memory before it runs.
The workaround is to implement protection at a lower level.
Modifying AutoHotkey to protect against debuggers would likely require that the source code of the modifications be released. Would this apply to custom executable packers? I think not.
It should be fairly simple to replace upx with some other executable packer. There are packers which already implement anti-debugging and other protection measures. |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5880
|
| Posted: Fri Mar 07, 2008 9:40 am Post subject: |
|
|
| lexiKos wrote: | | When I tried the DbgUiRemoteBreakin method, it didn't exactly detect the debugger, but it did cause AutoHotkey to crash. |
Works for me in XP SP2, did not try it in Vista though.
Does it work for anybody else ?
|
|
| Back to top |
|
|
sheep34654
Guest
|
| Posted: Fri Mar 07, 2008 11:29 am Post subject: |
|
|
Can someone give me a name of a debugger for me to download and test with?
Unrelated note: can you use debuggers to get any source of any program, as long as it hasn't got protection against it?
So far my friend has decompiled 2 commercial AHK scripts, and mine. |
|
| Back to top |
|
|
ManaUser
Joined: 24 May 2007
Posts: 901
|
| Posted: Fri Mar 07, 2008 11:56 am Post subject: |
|
|
| sheep34654 wrote: | | Unrelated note: can you use debuggers to get any source of any program, as long as it hasn't got protection against it? |
No, normal programs do not contain the actual source code like "compiled" AutoHotkey scripts do. |
|
| Back to top |
|
|
sheep23543
Guest
|
| Posted: Fri Mar 07, 2008 12:13 pm Post subject: |
|
|
| I don't understand, if it doesn't contain the source it's not the same program. If it's converted to machine code (is that it?), shouldn't it be just as easy to convert it back? |
|
| Back to top |
|
|
Guest
|
| Posted: Sat Mar 08, 2008 5:11 am Post subject: |
|
|
| SKAN wrote: | Works for me in XP SP2, did not try it in Vista though.
Does it work for anybody else ? |
It depends on which one used. The original one posted here is likely to crash the app via stack corruption.
| Quote: | | the author forgot that ExitProcess requires one parameter |
|
|
| Back to top |
|
|
Lexikos
Joined: 17 Oct 2006
Posts: 2558
Location: Australia, Qld
|
| Posted: Sat Mar 08, 2008 7:45 am Post subject: |
|
|
I used the version in SKAN's post, under | SKAN wrote: | | It is as simple as adding 9 lines to the top of any script as demonstrated below: |
AttachDetected() does not even execute. AutoHotkey crashes as soon as the debugger attaches.
Of course, whether it crashes or calls AttachDetected() is irrelevant, since as I pointed out, you can start the compiled script's executable in a debugger and extract the source code without ever running the actual script.
| sheep23543 wrote: | | If it's converted to machine code (is that it?), shouldn't it be just as easy to convert it back? |
Basically, no. It isn't easy, unless the program is written in something like a .NET language... |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5880
|
| Posted: Wed Mar 12, 2008 7:38 am Post subject: Skan! |
|
|
<<
E-Mail discussion between SKAN and Adam
| Quote: | from "A.N Suresh Kumar" <arian[dot]suresh[]gmail[]com> hide details Mar 4 (3 days ago)
to adam
date Mar 4, 2008 4:22 PM
subject RE: KaKeeware AntiAttach
mailed-by gmail.com
Dear Mr.Adam,
We are trying to adapt you code for AutoHotkey scripting language and we are unsuccessful in a manner
that OLLYDBG is able to read our PROCESS' memory before our script can react to DbgUiRemoteBreakin
Can you please take a look into our topic and post any suggestions ?
This is the link : http://www.autohotkey.com/forum/viewtopic.php?t=28823
Thank you.
--
SKAN - Suresh Kumar A N
Chennai - INDIA |
| Quote: | from "Adam" <Adam> hide details Mar 5 (2 days ago)
to "A.N Suresh Kumar" <arian[dot]suresh[]gmail[]com>
date Mar 5, 2008 2:48 AM
subject Re: KaKeeware AntiAttach
Hey Suresh,
It looks like it has been sorted already .
I see the post with the code included.
if I can add 5 cents, there's no point of hiding it this way anyway
there are a lot of tools that can dump the processes (you don't need ollydbg to do it): see lordpe, pe tools, winhex, etc.
my trick is simple; and since it's simple, it's easy to bypass
A. |
| Quote: | from "A.N Suresh Kumar" <arian[dot]suresh[]gmail[]com> hide details Mar 5 (2 days ago)
to "Adam" <Adam>
date Mar 5, 2008 1:49 PM
subject Re: KaKeeware AntiAttach
mailed-by gmail.com
Dear Adam,
Thanks for taking time to reply. I highly appreciate that.
| Quote: | It looks like it has been sorted already .
I see the post with the code included. |
We have a problem with that code. Before our script could react with AttachDetected(), the entire process memory would have already been copied by Olly. I guess, nothing much can be done about this. But AutoHotkey is basically a Windows automation language and we enough power to deal with any (user) process. for example, to kill explorer one line is enough
Process, Close, explorer.exe
Is there a way to detect and retrieve which Process ( I need the Process ID / or Process.exe ) made the attach ?
I can think of some primitive / hard method, like:
If my process memory had a unique string like: TheQuickBrownFoxJumpsOverTheLazyDog then the debugger would have that in memory ?
I am thinking of making a list of process, open each of them, and search their memory for that particular string and if found, I can kill them.
Additionally, I can retrieve the Process' command line extract path from it, seek and destroy any dump files if neccessary. Would this work ?
Also I can start two instances of my script and they can keep communicating to each other. May one of them can detect it quick enough when the other one is being attached ?
Our developer, Chris Mallet has already made it very hard to decrypt and extract the script from the exe, but being an Interpreted language, an entire AutoHotkey script is available in memory as text. I am aware a Pro can ultimately bypass our safety measures, but here, we are trying to make things really hard for a "Script Kiddie" who can easily extract a script directly from memory ( as on today )
We either need to close our script quick enough or atleast terminate the Debugger.
We have methods where we can call/execute inline ASM ( machine code included as text )
Here is the relevant link: http://www.autohotkey.com/forum/viewtopic.php?p=135302#135302
I would highly appreciate any kind of pointers ..
Many thanks.
Best Regards, |
| Quote: | from "Adam" <Adam> hide details Mar 6 (22 hours ago)
to "A.N Suresh Kumar" <arian[dot]suresh[]gmail[]com>
date Mar 6, 2008 2:23 AM
subject Re: KaKeeware AntiAttach
Hi Suresh,
The scenario you described is debugger-independent.
Basically, what happens is that your script is encrypted/hidden in a file, but is decrypted in memory once the process that interpretes the script is launched.
Olly, or any debugger doesn't copy the memory. It just makes the process that it attaches itself to, start sending information about events happening within a process to debugger. And since it's a debugger, it has an access to the address space of the interpreter that executes the script.
So, if you want to hide the script, you need to hide it in memory, not in the file only. Pros or script-kiddies can easily use any tool available to extract this script from the memory. There are really a lot of tools available and it's very easy to write your own. So, I wouldn't go this way.
Since you are targetting script kiddies only, I think you can quite easily make their life harder
just obfuscate
the easiest way is to obfuscate script during the compilation phase i.e. replace all the names with meaningless junk,
replace procedures with meaningles names as well and modify interpreter to interpret these obfuscated names.
it will likely stop script kiddies, but pros will find a way to understand the script
another solution would be to encrypt the part of the script that is not executed at a time
you could also shatter the script all over the place so it would be difficult to put it together
another way would be to wipe out memory for these parts of the scripts that will no longer be used, once they were interpreted (like initizalization) sth like "interpret&wipe"
finally, you could think of converting the script to a byte code and carry only a byte code within the executable
hth
A. |
| Quote: | from "A.N Suresh Kumar" <arian[dot]suresh[]gmail[]com> hide details 9:08 pm (4 hours ago)
to "Adam" <Adam>
date Mar 6, 2008 9:08 PM
subject Re: KaKeeware AntiAttach
mailed-by gmail.com
Dear Adam,
Many thanks for the insights. You have been a great help.
Do you mind if I post our mails in AutoHotkey forum? ( I will mask the email ids ).
These info would be useful for the members.
Best Regards,
--
SKAN - Suresh Kumar A N
Chennai - INDIA
|
::End::
>> |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
FAQ
Search
Memberlist
Register
Profile
Log in to check your private messages
Log in
