Listing 11.6 shows Defender's entry point function. A quick scan of the function reveals one important property: the entry point is not a common runtime library initialization routine. Even if you've never seen a runtime library initialization routine before, you can be pretty sure that it doesn't end with a call to IsDebuggerPresent. While we're on that call, look at how EAX is being XORed against itself as soon as it returns: its return value is being ignored! A quick look at http://msdn.microsoft.com shows us that IsDebuggerPresent should return a Boolean specifying whether a debugger is present or not. XORing EAX right after this API returns means that, at least as far as its return value is concerned, the call is meaningless; whatever it is there for, it is not being used as a debugger check at this point.
Anyway, let's go back to the top of Listing 11.6 and learn something about Defender, starting with a call to 402EA8. Let's take a look at what it does.
.h3mf85n:00402EA8 sub_402EA8 proc near
.h3mf85n:00402EA8
.h3mf85n:00402EA8 var_4 = dword ptr -4
.h3mf85n:00402EA8
.h3mf85n:00402EA8 push ecx
.h3mf85n:00402EA9 mov eax, large fs:30h
.h3mf85n:00402EAF mov [esp+4+var_4], eax
.h3mf85n:00402EB2 mov eax, [esp+4+var_4]
.h3mf85n:00402EB5 mov eax, [eax+0Ch]
.h3mf85n:00402EB8 mov eax, [eax+0Ch]
.h3mf85n:00402EBB mov eax, [eax]
.h3mf85n:00402EBD mov eax, [eax+18h]
.h3mf85n:00402EC0 pop ecx
.h3mf85n:00402EC1 retn
.h3mf85n:00402EC1 sub_402EA8 endp
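To make the pointer chain in sub_402EA8 concrete, here is an added example (my own code, not part of the book or of the Defender binary) that mirrors the routine instruction for instruction over a constructed 32-bit memory image, so it compiles and runs on any host without needing a Windows process to walk. The field offsets are assumed from the public 32-bit ntdll symbols rather than taken from this page: TEB+30h is ProcessEnvironmentBlock, PEB+0Ch is Ldr, PEB_LDR_DATA+0Ch is InLoadOrderModuleList, and LDR_DATA_TABLE_ENTRY+18h is DllBase, with the Flink pointer at offset 0 of each entry. The module base addresses in the fake image are constructed sample values. The PEB+2 read shows what IsDebuggerPresent itself returns, the BeingDebugged byte, from the same structure the routine walks.

```c
/*
 * Model of the pointer chain walked by sub_402EA8 (added example, not the
 * book's or Defender's code). Offsets are the 32-bit Windows layouts from the
 * public ntdll symbols (assumed here):
 *   TEB+0x30                   ProcessEnvironmentBlock
 *   PEB+0x02                   BeingDebugged (what IsDebuggerPresent returns)
 *   PEB+0x0C                   Ldr
 *   PEB_LDR_DATA+0x0C          InLoadOrderModuleList.Flink
 *   LDR_DATA_TABLE_ENTRY+0x00  InLoadOrderLinks.Flink
 *   LDR_DATA_TABLE_ENTRY+0x18  DllBase
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_BASE 0x7FF00000u   /* fake virtual address of the constructed image */
#define MEM_SIZE 0x1000u

static uint8_t g_mem[MEM_SIZE];

/* Read a dword at a fake 32-bit virtual address; 0 if outside the image. */
static uint32_t read32(uint32_t va) {
    uint32_t off = va - MEM_BASE;          /* wraps for va < MEM_BASE */
    uint32_t v;
    if (off > MEM_SIZE - 4) return 0;
    memcpy(&v, g_mem + off, 4);            /* host assumed little-endian, like x86 */
    return v;
}

static int read8(uint32_t va) {
    uint32_t off = va - MEM_BASE;
    return off < MEM_SIZE ? g_mem[off] : -1;
}

static void write32(uint32_t va, uint32_t v) {
    memcpy(g_mem + (va - MEM_BASE), &v, 4);
}

/* sub_402EA8, one line per instruction, given the TEB address instead of the
 * fs segment base. Returns the DllBase of the second module in load order. */
static uint32_t sub_402EA8_model(uint32_t teb) {
    uint32_t eax = read32(teb + 0x30);     /* mov eax, fs:30h    -> PEB                 */
    eax = read32(eax + 0x0C);              /* mov eax, [eax+0Ch] -> PEB->Ldr            */
    eax = read32(eax + 0x0C);              /* mov eax, [eax+0Ch] -> first list entry     */
    eax = read32(eax);                     /* mov eax, [eax]     -> Flink: second entry  */
    eax = read32(eax + 0x18);              /* mov eax, [eax+18h] -> DllBase             */
    return eax;
}

/* The byte IsDebuggerPresent reports: PEB->BeingDebugged. */
static int peb_being_debugged(uint32_t teb) {
    return read8(read32(teb + 0x30) + 2);
}

/* Constructed image: TEB, PEB, PEB_LDR_DATA and a circular three-entry
 * InLoadOrderModuleList (executable first, then two DLLs). Module base
 * values are sample numbers, not real addresses. */
static uint32_t build_fake_process(int being_debugged) {
    const uint32_t teb = MEM_BASE + 0x000, peb = MEM_BASE + 0x100;
    const uint32_t ldr = MEM_BASE + 0x200;
    const uint32_t e0 = MEM_BASE + 0x300, e1 = MEM_BASE + 0x400, e2 = MEM_BASE + 0x500;
    memset(g_mem, 0, sizeof g_mem);
    write32(teb + 0x30, peb);
    g_mem[peb + 2 - MEM_BASE] = (uint8_t)being_debugged;
    write32(peb + 0x0C, ldr);
    write32(ldr + 0x0C, e0);  write32(ldr + 0x10, e2);          /* list head Flink/Blink */
    write32(e0, e1);          write32(e0 + 4, ldr + 0x0C);  write32(e0 + 0x18, 0x00400000);
    write32(e1, e2);          write32(e1 + 4, e0);          write32(e1 + 0x18, 0x7C900000);
    write32(e2, ldr + 0x0C);  write32(e2 + 4, e1);          write32(e2 + 0x18, 0x7C800000);
    return teb;
}

int main(void) {
    uint32_t teb = build_fake_process(0);
    printf("second module in load order, DllBase: %08X\n", sub_402EA8_model(teb));
    printf("PEB->BeingDebugged: %d\n", peb_being_debugged(teb));
    return 0;
}
```

In a real 32-bit Windows process the only change is the source of the addresses: the fs segment base is the TEB, so `read32(teb + 0x30)` becomes the `mov eax, fs:30h` seen in the listing (from C under MSVC, `__readfsdword(0x30)`), and the remaining reads are plain dereferences of live memory. Nothing in the walk calls an API, which is why a routine like this does not show up in an import table.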
The preceding routine starts out with an interesting sequence that loads a value from fs:30h. Generally in NT-based operating systems the fs register is used for accessing thread-local information. For any given thread, the base of the fs segment is the address of that thread's TEB (Thread Environment Block), so fs:0 is the start of the TEB and fs:N is the TEB field at offset N. The TEB contains a plethora of thread-private information required by the system during runtime. In this case, the function is accessing offset 30h. Luckily, Windows ships detailed symbolic information from which you can obtain the layout of the TEB. You can do that by loading symbols for NTDLL in WinDbg and using the dt command (dt ntdll!_TEB); for more information on WinDbg and the dt command go to the Microsoft Debugging Tools Web page at http://www.microsoft.com/whdc/devtools/debugging/default.mspx. The structure listing for the TEB is quite long, so I'll just list the first part of it, up to offset 30h, which is the one being accessed by the program.
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
380 Chapter 11