deadhacker.com

Bugger The Debugger, Pre Interaction Debugger Code Execution
By Brett Moore, CTO Security-Assessment.com. 10 pages of text, 3 of which are code.

This paper describes a method to construct a binary which can run code before control is passed to a debugger. The method requires changing the PE header of an executable to reference your own dll. This could be your own DLL or you could create a malicious version of kernel32.dll. In both cases you will need to edit the import PE header section to reference your DLL. In the case of using a kernel32.dll copy you must change the name of the dll to a unique name and replace the import reference in the PE headers for kernel32.dll to that of your DLL.

The document describes how to impliment both methods, including how to create your own malicious version of kernel32.dll. Edit a copy of kernel32.dll to construct on injection of your own code:

7C598934 FF 15 4C 13 57 7C call dword ptr ds:[7C57134Ch]
7C59893A FF 55 08 call dword ptr [ebp+8]
7C59893D 50 push eax
7C59893E EB 27 jmp 7C598967
7C598940 8B 45 EC mov eax,dword ptr [ebp-14h]

With

7C598934 FF 15 4C 13 57 7C call dword ptr ds:[7C57134Ch]
7C59893A 8B 5D 08 mov ebx,[ebp+08]
7C59893D 66 BB 00 10 mov bx,1000h
7C59893E FF E3 jmp ebx
7C598940 8B 45 EC mov eax,dword ptr [ebp-14h]

The mov bx,1000h sets the place for the start of your malicious code. The document also describes how construct the referenced code so that after injecting itself it reloads the original kernel32.dll should any other DLL’s need to import their own instances of kernel32 functions.