Anti Debugging


Published on

null Delhi Chapter - August 2013 Meet

Published in: Education, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Anti Debugging

  1. 1. ANTI|DEBUGGING By Adwiteeya Agrawal
  2. 2. REVERSE ENGINEERING • Definition “Software reverse engineering is about opening up a program’s “box,” and looking inside. “
  3. 3. PROGRAMMERS vs REVERSERS Logic Code Executable Logic Code
  4. 4. Example : Code Written Ideally , the else block should never be executed since the value of var1 is not changed.
  5. 5. After Disassembling We can easily modify the binary to execute the else loop.
  6. 6. Problem ? • A Google search for “Crack Torrent” returns 200 million results and “Software Crack” around 45M. • Reversing is extensively used to develop cracks for proprietary software.
  7. 7. Possible Solutions • Anti-Debugging (Detecting how a process is different from when it is being debbugged and when its run.) • Code Obfuscation(Encryption, pseudo execution flow, logic) • However : The end result after exploring the various options available is that we cannot totally prevent software reverse engineering however we can slow down the process for a dedicated reverse engineer.
  8. 8. Anti - Debugging • Anti Debugging is done acknowledging the fact that when a process is being debugged it is going to have a set of properties that would be different from when it is not debugged. • Anti-debugging requires a thorough understanding of the environment in which the program would be run.
  9. 9. Does Anti - Debugging help ? Example : CCleaner Software Vendors Software Crackers Malware Analysts
  10. 10. Types API Based Detection Techniques Direct structure access Exception Handling Based Detection
  11. 11. API Based Anti|Debugging (11 Techniques)
  12. 12. 1.FindWindow API • Scans memory for a process with the particular class name. { hnd = FindWindow("OLLYDBG", 0); } • “OLLYDBG” is the class name for all windows that would be created and have the same callback function. • “0” scans irrespective of WindowName. • Returns a handle if successful • Spy++ utility can be used to enumerate the ClassName. • DEMO - spy++
  13. 13. Spy++ on OllyDbg
  14. 14. 2. Registry Value • RegOpenKeyEx and RegQueryValueEx open a registry key and retrieve its value respectively KEY Function HKEY_CLASSES_ROOTexefileshellOpen with OllyDbg Specifies the menu for opening an exe file with OllyDbg with a right click HKEY_CLASSES_ROOTexefileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbg Specifies the menu for opening a dll file with OllyDbg with a right click HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindo ws NTCurrentVersionAeDebugDebugger Path to default Debugger
  15. 15. 3. IsDebuggerPresent API • Looks for the BeingDebugged flag inside the PEB. • Extremely simple to use and thwart. • { IsDebuggerPresent() } returns true if the process is being debugged false otherwise. • Can be done manually • Assembly dump :
  16. 16. 4. CheckRemoteDebuggerPresent API • Function : Detects if a Debug Port has been set. • Can be used for a “remote” process but is used locally mostly. • Locally : CheckRemoteDebuggerPresent(GetCurrentProcess(),&pblsPresent) ; • Remotely for a PID 2800 { hndle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2800); CheckRemoteDebuggerPresent(hndle,&pblsPresent); }
  17. 17. 5.OutputDebugString API Set Random Value for ERROR Call OutputDebugString with any string Check Value Of ERROR If(No Change) : Debugger Present Else : No Debugger Works in XP.
  18. 18. Debug String Display in OllyDbg
  19. 19. Run Time Dynamic Linking LoadLibrary Handle to dll received GetProcAddress Address of exported function Call Example : ntdll.dll Ex : NTSetInformationThread, NTQueryInformationProcess
  20. 20. 6. ZwSetInformationThread Function • Use run-time dynamic linking to get the address of ZwSetInformationThread. • Make the Call • (_ZwSetInformationThread)(GetCurrentThread(),0×11,0,0); • GetCurrentThread : Pseudo handle for the current thread • 0x11 : ThreadHideFromDebugger , 17 in THREADINFOCLASS enum. • 0 : Pointer of value that is to be set • 0 : Size of the value. • Different Approached followed.
  21. 21. 7. DebugActiveProcess based Self Debugging • Theoretically a process can be debugged only by One Debugger. • Working : Create a child process Child Process attempts to debug parent If Error : Debugger Detected
  22. 22. 8. OllyDbg Format String Vulnerability for Debugger Messages • More like a vulnerability based detection • The internal function that handles the input from OutputDebugString does so without using the correct number of format specifiers, allowing a user to supply their own format specifiers. • OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s%s% s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")); • Similar vulnerability based detection can be modeled around various vulnerabilities, Reference :
  23. 23. 9. NTQueryInformationProcess to detect ProcessDebugPort • Run-time dynamic linking to get the pointer to NTqueryInformationProcess • Make the call with PROCESSINFOCLASS = 0x07 • NTSTATUS WINAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); • The 0x07 value is the process debug port. • Debug Port is used for communication of Debug_Event between ring 3 and the kernel • If set the process is being debugged.
  24. 24. • private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, . . . ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, MaxProcessInfoClass };
  25. 25. 10. ProcessDebugFlags using NTQueryInformationProcess 11. ProcessDebugObject using NTQueryInformationProcess •Run-time Dynamic Linking to get address of NTQuertInformationProcess Function. •Make the call with PROCESSINFOCLASS 0x1F. •If Set Debugger is present. •Run-time dynamic linking to get the address •Call with PROCESSINFOCLASS 0x1E •If set debugger is present
  26. 26. • private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, . . . ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessResourceManagement, . . . ProcessRevokeFileHandles, MaxProcessInfoClass };
  27. 27. Exception Based Anti|Debugging (9 Techniques)
  28. 28. Exceptions | Windows First Chance VEH SEH Last Chance Unhandled 1st • EXCEPTION_DEBUG_EVENT VEH • VEH SEH • SEH, per thread, FS:0 LC • Process Suspend UE • UnhandledExceptionFilter • System Final Handler
  29. 29. Exception Handlers typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD* ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD, *PEXCEPTION_RECORD; typedef struct _EXCEPTION_POINTERS { PEXCEPTION_RECORD ExceptionRecord; PCONTEXT ContextRecord; } EXCEPTION_POINTERS, *PEXCEPTION_POINTERS; LONG CALLBACK ExceptionHandler( __in PEXCEPTION_POINTERS ExceptionInformation);
  30. 30. 1. INT 3 Break Point Exception. • The INT 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler. • To set INT3 breakpoint, a debugger replaces first byte of the 80x86 command by 0xCC • Type : EXCEPTION_BREAKPOINT to the Debugger • When manually inlined then the process would just halt at the next instruction if run in a Debugger(thereby not triggering your catch block) or return 0x80000003 status code if run without a debugger.
  31. 31. 2. INT 2D Exception • Int 2Dh is used by ntoskrnl.exe to interact with kernel debugging system but we can use it also in user-mode or from ring 3 as well since the call will eventually filter to a ring 3 debugger if no kernel debugger exists. • When int 2Dh is called the system will skip one byte after the interrupt, leading to opcode scission. • Behaves exactly like int 3 • Based on weather our catch block is executed or not we declare presence of a debugger.
  32. 32. 3. 0xF1 ICE Break Point • This is identical to the functioning of 0xcc except the fact the this uses two bytes 0xCD 0x3C to insert the breakpoint. 4. TWO byte INT 3 breakpoint. •One of the Intel's undocumented instruction, opcode 0xF1. •Executing this instruction will generate a SINGLE_STEP exception. •The debugger will think it is the normal exception generated by executing the instruction with the SingleStep bit set in the Flags registers.
  33. 33. 5. Close Handle API call • The CloseHandle function throws an exception, if an invalid handle is provided. • The logic behind detection with Close Handle function is the opposite to the ones used in INT3 or INT 2D exception based debugger detection. • Exception is only thrown when in a debugger • Usually in debugging sessions it is a common practice that the exception is passed to the application
  34. 34. 6. Trap Flag exception based detection • The EFLAGS is a 32-bit register used as a collection of bits representing Boolean values to store the results of operations and the state of the processor. • By in-lining ASM we can modify the EFLAGS register. • First bit of the second byte that is TF or the trap flag. If this flag is set the execution halts after executing the current instruction. • Also called as the single step exception
  35. 35. EGLAGS Register
  36. 36. 7. Memory breakpoint based detection • If a memory breakpoint is set up, any access to the page in which the breakpoint exists, would result in the exception and the process would halt. Allocate some 5mb Fill with RET Make it a GUARD PAGE Pointer to the PAGE Call the Pointer Detect Error
  37. 37. Technically VirtualAlloc(NULL, 0x500000, MEM_COMMIT, PAGE_READWRITE); RtlFillMemory(memRegion, 0x10, 0xC3); VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD, &oldProt); myproc = (FARPROC) memRegion myproc(); Detect Error ProcessExplorer:Demo
  38. 38. Hack that ?
  39. 39. 8. Control C VEH • If a console process is being debugged for a CTRL+C signals, the system generates a DBG_CONTROL_C exception. • If a debugger is not present CTRL+C event would require a console control handler. • The CCH is executed if the debugger is not present. • However if the debugger is present and it passes the exception to the application we can still detect it by adding a vectored exception handler. ;)
  40. 40. 9. INVALID OPCODE exception based debugging • Invalid OPCODE can be formed by manually editing bytes. • F0 0F C7 C8 popularly known as the "Pentium F00F bug.“ • This evaluates to LOCK CMPXCHNG8B EAX • OPCODE since a LOCK on CMPXCHNG8B cannot be applied with the destination operand as a register • Now, before this OPCODE is executed an exception is created ILLEGAL_INSTRUCTION (C000001D) • we define an UnhandledExceptionFilter ,only executed when the program is not being debugged. So even if the debugger passes the exception to the application there isnt any handler. ;)
  41. 41. Direct Structure Access Based Anti|Debugging (4 Techniques)
  42. 42. Direct isDebuggerPressent via PEB • In this method we manually do what the isdebuggerpresent function call does. • Run-Time Dynamic Linking to call NTQueryInformationProcess with PROCESSINFOCLASS set to ProcessBasicInformation = 0. • typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION; • Access ProcessExecutionBlock via PPEB (pointer) to check BeingDebbugedFlag.
  43. 43. PEB |Structure typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PVOID Reserved8[312]; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId; } PEB, *PPEB; pPIB.PebBaseAddress->BeingDebugged
  44. 44. ProcessHeapFlag Debugger Detection Heap Header User Allocation Heap Header User Allocation Tail Checking Pattern Heap Extra Multiple of 16 bytes16 bytes 16 bytes Multiple of 16 bytes 16 bytes 16–31 bytes DEBUGGERWithout With { HEAP } { /HEAP } •In order to tell this to the OS before creating the HEAP two flags are set. “Flags” and “ForceFlags” •Present at the offset 0x14 and 0x18 for windows XP. •PEBbase address + Offset to HEAPbaseAddress + Flag offset.
  45. 45. typedef struct _HEAP { HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; PHEAP Heap; . . . ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; WORD SegmentAllocatorBackTraceIndex; WORD Reserved; LIST_ENTRY UCRSegmentList; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; . . HEAP_COUNTERS Counters; HEAP_TUNING_PARAMETERS TuningParameters; } HEAP, *PHEAP;
  46. 46. NTGlobalFlag Debugger Detection • NTGlobalFlag is a DWORD value present at the offset 0x68 from the PEB base address. • When inside a debugger the following flags are set by the operating system : FLG_HEAP_ENABLE_TAIL_CHECK (0x10) FLG_HEAP_ENABLE_FREE_CHECK(0x20) FLG_HEAP_VALIDATE_PARAMETERS(0x40) • This equals to 0x70. We detect the value by the similar method and judge if a debugger is present or not.
  47. 47. and many more…  • Quick Discussion on minor. • And MOST importantly if I have reached this slide :D • THANK YOU NULL !