Breaking Protections in .NET

Breaking Protections
+0x02c ThreadLocalStoragePointer : Ptr32 Void +0x030 ProcessEnvironmentBlock : Ptr32 _PEB . .
It s obvious that the first line is accessing the Process Environment Block through the TEB. The PEB is the process-information data structure in Windows, just like the TEB is the thread information data structure. In address 00402EB5 the program is accessing offset +c in the PEB. Let s look at what s in there. Again, the full definition is quite long, so I ll just print the beginning of the definition.
+0x000 +0x001 +0x002 +0x003 +0x004 +0x008 +0x00c . . InheritedAddressSpace : UChar ReadImageFileExecOptions : UChar BeingDebugged : UChar SpareBool : UChar Mutant : Ptr32 Void ImageBaseAddress : Ptr32 Void Ldr : Ptr32 _PEB_LDR_DATA
In this case, offset +c goes to the _PEB_LDR_DATA, which is the loader information. Let s take a look at this data structure and see what s inside.
+0x000 +0x004 +0x008 +0x00c +0x014 +0x01c +0x024 Length : Uint4B Initialized : UChar SsHandle : Ptr32 Void InLoadOrderModuleList : _LIST_ENTRY InMemoryOrderModuleList : _LIST_ENTRY InInitializationOrderModuleList : _LIST_ENTRY EntryInProgress : Ptr32 Void
This data structure appears to be used for managing the loaded executables within the current process. There are several module lists, each containing the currently loaded executable modules in a different order. The function is taking offset +c, which means that it s going after the InLoadOrder ModuleList item. Let s take a look at the module data structure, LDR_DATA_TABLE_ENTRY, and try to understand what this function is looking for.
The following definition for LDR_DATA_TABLE_ENTRY was produced using the DT command in WinDbg. Some Windows symbol files actually contain data structure definitions that can be dumped using that command. All you need to do is type DT ModuleName!* to get a list of all available names, and then type DT ModuleName!StructureName to get a nice listing of its members!
+0x000 +0x008 +0x010 +0x018 +0x01c +0x020 +0x024 +0x02c +0x034 +0x038 +0x03a +0x03c +0x03c +0x040 +0x044 +0x044 +0x048 +0x04c InLoadOrderLinks : _LIST_ENTRY InMemoryOrderLinks : _LIST_ENTRY InInitializationOrderLinks : _LIST_ENTRY DllBase : Ptr32 Void EntryPoint : Ptr32 Void SizeOfImage : Uint4B FullDllName : _UNICODE_STRING BaseDllName : _UNICODE_STRING Flags : Uint4B LoadCount : Uint2B TlsIndex : Uint2B HashLinks : _LIST_ENTRY SectionPointer : Ptr32 Void CheckSum : Uint4B TimeDateStamp : Uint4B LoadedImports : Ptr32 Void EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT PatchInformation : Ptr32 Void
After getting a pointer to InLoadOrderModuleList the function appears to go after offset +0 in the first module. From looking at this structure, it would seem that offset +0 is part of the LIST_ENTRY data structure. Let s dump LIST_ENTRY and see what offset +0 means.
+0x000 Flink +0x004 Blink : Ptr32 _LIST_ENTRY : Ptr32 _LIST_ENTRY
Offset +0 is Flink, which probably stands for forward link . This means that the function is hard-coded to skip the first entry, regardless of what it is. This is quite unusual because with a linked list you would expect to see a loop no loop, the function is just hard-coded to skip the first entry. After doing that, the function simply returns the value from offset +18 at the second entry. Offset +18 in _LDR_DATA_TABLE_ENTRY is DllBase. So, it would seem that all this function is doing is looking for the base of some DLL. At this point it would be wise to load Defender.EXE in WinDbg, just to take a look at the loader information and see what the second module is. For this, you use the !dlls command, which dumps a (relatively) user-friendly view of the loader data structures. The l option makes the command dump modules in their load order, which is essentially the list you traversed by taking InLoadOrderModuleList from PEB_LDR_DATA.
0:000> !dlls -l 0x00241ee0: C:\Documents and Settings\Eldad Eilam\Defender.exe Base 0x00400000 EntryPoint 0x00404232 Size 0x00008000 Flags 0x00005000 LoadCount 0x0000ffff TlsIndex 0x00000000 LDRP_LOAD_IN_PROGRESS LDRP_ENTRY_PROCESSED
