10

During an analysis, I have found a call to ZwContinue. The executable file first gets the address of ntdll.NtContinue and stores it in the EAX register.

After I step over the following assembly line, 

  CALL EAX      ; ntdll.ZwContinue

then OllyDbg (v1.10) terminates the process.

I have found out that this is a kind of anti-debugging mechanism but I could not figure out how to defeat it.

Is there any plugin which I can use or any other helpful trick?

Smi
  • 136
  • 1
  • 2
  • 9
user3097712
  • 1,541
  • 1
  • 25
  • 44

2 Answers2

10

ntdll!ZwContinue takes the same parameters than ntdll!NtContinue, that is the following :

NTSTATUS NTAPI 
NtContinue (
  IN PCONTEXT ThreadContext,
  IN BOOLEAN  RaiseAlert
);

You can read the "Eip" field in the PCONTEXT structure, put a breakpoint on this address, and press Run to reach your breakpoint and continue your analysis.

If you want to try Olly 2.01, it has a nice feature for this particular case : "Decode as structure" in the Dump Window.

Decode as structure

Decoded

Community
  • 1
Spl3en
  • 608
  • 3
  • 12
  • thanks for your answer. To set a BP at EIP in PCONTEXT, do I have to find the EIP value in the hex window, or how can I achieve that in ollydbg v1.10 ? – user3097712 May 05 '15 at 20:37
  • @user3097712 I don't know another way than doing it manually on OllyDBG 1.10. – Spl3en May 06 '15 at 07:38
  • ollydbg 1,10 alt+f1 -> bp [[esp+4] + 0xb8 ] when broken on ntdll!Nt/ZwContinue will set a break on PContext->Eip in x86 – blabb May 07 '15 at 18:10
  • 1
    From user mode NtContinue is in fact identical to ZwContinue. More of these Nt*/Zw* pairs exist and they are usually the primary system services. In kernel mode these functions also exist, but differ. One of them (don't remember which) will have access checks in place when called from user mode, whereas the other is meant to be used from a kernel mode caller exclusively. – 0xC0000022L Jul 10 '18 at 08:17
7

Check the context argument to NtContinue (first arg). NtContinue works as an anti-debug by potentially clearing DR7 or breaking out of single stepping by clearing the trap flag, then returning to the IP specified in the context, after applying the register state.

everdox
  • 271
  • 1
  • 4
  • 2
    While the other answer describes how to get around it, this one explains much better what's going on under the hood. – 0xC0000022L Jul 10 '18 at 08:18