Skip to content
/ WibuDebugHook Public

Injectable DLL that helps with debugging Wibu CodeMeter.

18 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mrexodia/WibuDebugHook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
WibuDebugHook
WibuDebugHook
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
WibuDebugHook.sln
WibuDebugHook.sln
 
 

Repository files navigation

WibuDebugHook

Injectable DLL that helps with debugging Wibu CodeMeter. Credits to TechLord for providing sample binaries!

A hollowed process is started with CreateProcessA, this is the relevant code:

DWORD __stdcall DebugLoop(int a1, int a2, char *a3, int a4)
{
  DWORD result; // eax@2
  int pid; // eax@3
  int hThread; // esi@12
  DEBUG_EVENT event; // [sp+4h] [bp-330h]@7
  CONTEXT ctx; // [sp+64h] [bp-2D0h]@12

  if ( !sub_404D80() )
    return -1;
  pid = sub_404FF2(a3);
  if ( !pid )
    return -2;
  if ( DebugActiveProcess(pid) )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( !WaitForDebugEvent(&event, 500) )
          ;
        if ( event.dwDebugEventCode == 1 )
          break;
        result = event.dwDebugEventCode - EXIT_PROCESS_DEBUG_EVENT;
        if ( event.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT )
          return result;
LABEL_27:
        ContinueDebugEvent(event.dwProcessId, event.dwThreadId, DBG_CONTINUE);
      }
      hThread = OpenThread(0x1FFFFF, 0, event.dwThreadId);
      ctx.ContextFlags = CONTEXT_ALL;
      GetThreadContext(hThread, &ctx);
      if ( event.u.Exception.ExceptionRecord.ExceptionCode > 0xC000001D )
      {
        if ( event.u.Exception.ExceptionRecord.ExceptionCode == 0xC0000094 )
        {
          ctx.Ebx = 7;
          goto LABEL_26;
        }
        if ( event.u.Exception.ExceptionRecord.ExceptionCode == 0xC0000096 )
        {
          ctx.Eip += 3;
          goto LABEL_26;
        }
      }
      else
      {
        if ( event.u.Exception.ExceptionRecord.ExceptionCode == 0xC000001D )
        {
          ctx.Eip += 2;
          goto LABEL_26;
        }
        if ( event.u.Exception.ExceptionRecord.ExceptionCode == 0x406D1388
          || event.u.Exception.ExceptionRecord.ExceptionCode == 0x80000003 )
        {
          goto LABEL_26;
        }
        if ( event.u.Exception.ExceptionRecord.ExceptionCode == 0xC0000005
          && (event.u.Exception.ExceptionRecord.NumberParameters != 2
           || event.u.Exception.ExceptionRecord.ExceptionInformation[1] >= 2
           && event.u.Exception.ExceptionRecord.ExceptionInformation[1] <= 6) )
        {
          ctx.Eip += 7;
LABEL_26:
          SetThreadContext(hThread, &ctx);
          CloseHandle2(hThread);
          goto LABEL_27;
        }
      }
      ContinueDebugEvent(event.dwProcessId, event.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
      CloseHandle2(hThread);
    }
  }
  return -3;
}

When debugging, DebugActiveProcess will fail, thus killing the process. This causes a check with OpenProcess to fail later. In addition to injecting this DLL (I use version.dll DLL hijacking), you can use the following ScyllaHide options to debug Wibu CodeMeter:

ScyllaHide

About

Injectable DLL that helps with debugging Wibu CodeMeter.

Resources

Readme
Activity

Stars

18 stars

Watchers

8 watching

Forks

11 forks
Report repository

Releases 1

v0.1 Latest
Jun 28, 2017

Packages

No packages published

Languages