Dark Byte Site Admin Reputation: 458 Joined: 09 May 2003 Posts: 25295 Location: The netherlands
|
Posted: Fri Mar 20, 2015 1:16 pm Post subject: Unhiding threads from the debugger |
|
|
Some games protect themselves by hiding certain threads from the debugger.
When that happens, and a breakpoint is hit, the debugger won't receive the breakpoint exception and can't handle it. Therefore, the exception goes unhandled, and if the game doesn't handle it (it could but most games won't) the whole application will terminate.
One often used way to bypass this issue, is to hook the creation of the game and prevent it from hiding in the first place. Or using a different way of debugging. But today I'll show you an 'easy' to use method to unhide such threads after they have been hidden.
This involves knowing the layout of the EThread of the windows version you're on. More specifically, the location of the CrossThreadFlags field, and possible the bit position of HideFromDebugger. (which is usually bit 2 from what i've seen)
For this example i'll go with windows 7 build 6.1.7601. In here bit 2 of offset 0x450 of the EThread structure contains the flag for hidefromdebugger
Tip for other operating systems, or a way to automate the lookup: the exported function PsIsThreadTerminating ( in ce known under the exported symbol kernel_PsIsThreadTerminating ) references that offset. So just disassemble it to get the offset
Code: |
local FLAGS_OFFSET=0x450 --adjust this to your windows version
--first we enable kernelmode access
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
--then reopen the process in case it was opened with usermode access:
openProcess(getOpenedProcessID()) --reopen with kernel access
--now create a list of threads
local list=createStringlist()
getThreadlist(list) --fills a stringlist with the threadid's
local i
for i=0, list.count-1 do
local tid=tonumber('0x'..list[i])
--for every thread we get the EThread address
local PEThread=dbk_getPEThread(tid)
local PEThread_Flags=PEThread+FLAGS_OFFSET
--then we check if the hidefromdebugger bit is set
local flags=readBytes(PEThread_Flags,1)
if bAnd(flags,4)==4 then --test bit 4 (adjust if your windows has it at a different position)
--and if so, we remove that bit
print("Thread "..list[i].." is hiding from the debugger. Unhiding it")
flags=bAnd(flags,0xfb) --unset bit 4
writeBytes(PEThread_Flags, flags)
end
end
--some cleanup
list.destroy()
print("Done") --and done
|
now when this lua script gets executed it will go through all the threads of the target process, and unset the hidefromdebugger flag where it's present
tips for enhancement: As I mentioned, you can disassemble kernel_PsIsSystemThread to get the offset, and alternatively, you could call NtSetInformationThread(threadhandle, ThreadHideFromDebugger(17), NULL, 0);
on multiple threads/processes and see if you can pinpoint the flags register that way by looking at the differences(keep in mind, eflags changes constantly, so filter out the fields that change when the field hasn't changed, but that's basic me scanning)
Or you could keep a database of windows build numbers and offsets _________________ Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Tue Mar 01, 2016 4:11 pm; edited 1 time in total
|
|