security research repository of nathan andrew fain / cyphunk

Bugger The Debugger

Bugger The Debugger, Pre Interaction Debugger Code Execution
By Brett Moore, CTO. 10 pages of text, 3 of which are code.

This paper describes a method to construct a binary that runs code before control is passed to a debugger. The method requires changing the PE header of an executable so that it references a DLL you supply. That can be a DLL you wrote yourself or a malicious version of kernel32.dll. In both cases you need to edit the import section of the PE header to reference your DLL. When using a copy of kernel32.dll, you must give the copy a unique name and replace the import reference to kernel32.dll in the PE headers with the name of your DLL.

The document describes how to implement both methods, including how to create your own malicious version of kernel32.dll. A copy of kernel32.dll is edited so that it passes control to your own code. The first listing shows the original instructions and the second the edited ones:

7C598934 FF 15 4C 13 57 7C call dword ptr ds:[7C57134Ch]
7C59893A FF 55 08 call dword ptr [ebp+8]
7C59893D 50 push eax
7C59893E EB 27 jmp 7C598967
7C598940 8B 45 EC mov eax,dword ptr [ebp-14h]


7C598934 FF 15 4C 13 57 7C call dword ptr ds:[7C57134Ch]
7C59893A 8B 5D 08 mov ebx,[ebp+08]
7C59893D 66 BB 00 10 mov bx,1000h
7C59893E FF E3 jmp ebx
7C598940 8B 45 EC mov eax,dword ptr [ebp-14h]

The mov bx,1000h sets the location where your malicious code starts. The document also describes how to construct the referenced code so that, after injecting itself, it reloads the original kernel32.dll in case any other DLLs need to import their own instances of kernel32 functions.
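A defender-side check for the import-table edit described above, as an added example that is not from the paper or this post: it reads the DLL names from a PE file's import directory and reports names outside an allowlist, plus a missing kernel32.dll reference. The allowlist, the function names and the header-only sample image are assumptions constructed for illustration.

```python
import struct
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}  # assumed allowlist

def imported_dlls(pe):
    """Return DLL names from the import directory of a PE32/PE32+ image."""
    nt, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections ... SizeOfOptionalHeader from the COFF header
    nsect, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, nt + 6)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)         # data directories
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)    # entry 1: import table
    sects = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
             for i in range(nsect)]                      # vsize, va, rawsize, rawptr
    def off(rva):
        for vsize, va, rsize, raw in sects:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside any section")
    names, d = [], off(imp_rva) if imp_rva else None
    while d is not None:
        name_rva, = struct.unpack_from("<I", pe, d + 12)  # descriptor Name field
        if name_rva == 0:                                # terminating descriptor
            break
        s = off(name_rva)
        names.append(pe[s:pe.index(b"\0", s)].decode("ascii", "replace"))
        d += 20
    return names

def flag_imports(names, known=KNOWN_DLLS):
    """Heuristic: report unknown DLL names and whether kernel32.dll is absent."""
    lower = [n.lower() for n in names]
    return {"unknown": [n for n in lower if n not in known],
            "kernel32_missing": "kernel32.dll" not in lower}

def build_sample(dll_name):
    """Constructed header-only PE32 with a single import descriptor (test data)."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)         # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 0xC0, 0x1000)            # import directory RVA
    struct.pack_into("<IIII", img, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section
    struct.pack_into("<I", img, 0x20C, 0x1040)           # descriptor Name RVA
    img[0x240:0x240 + len(dll_name)] = dll_name
    return bytes(img)
```

A flagged name is only a triage signal: many legitimate programs import DLLs outside a short allowlist, so the combination of an unknown name with no kernel32.dll reference is the part worth a closer look.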
