Tyler Shields, profile picture
Uploaded byTyler Shields
1,402 views

Source Boston 2009 - Anti-Debugging A Developers Viewpoint

The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.

Embed presentation

Anti-Debugging A Developers Viewpoint March 13, 2008
Presenter Background Currently – Sr. Security Researcher for Veracode, Inc. Previously – Security Consultant - Symantec – Security Consultant - @Stake – Incident Response and Forensics Handler – US Government Wishes He Was – Infinitely Rich – Personal Trainer to hot Hollywood starlets – General all-around rockstar
What we will cover… Definition of Problem Statement and Terms Why Bother? – Isn’t this a futile effort? Standing On The Shoulders of Giants – Brief reference of anti-debugging Classes of Anti-Debugging Methods – The six styles of anti-debug fu Some Known Anti-Debugging Methods – Not enough time to cover them all
Problem Statement and Definition of Terms
Problem Statement Anti-debugging methods are consistently presented as machine code or assembly language constructs making knowledge transfer difficult and limiting widespread use of the techniques.
Let’s Do An Experiment Can you tell what the following code does in five seconds or less? Be Honest!
Assembly Dump push ebp mov ebp, esp loc_411400: ; CODE XREF: antidebug(void)+2Fj sub esp, 0C0h mov esi, esp push ebx push 0 ; uType push esi push offset aNoDebugger push edi push offset aNoDebuggerDete lea edi, [ebp+var_C0] push 0 ; hWnd mov ecx, 30h call ds:__imp__MessageBoxW@16 mov eax, 0CCCCCCCCh cmp esi, esp rep stosd j___RTC_CheckEsp mov esi, esp call ds:__imp__IsDebuggerPresent@0 loc_41141D: ; CODE XREF: antidebug(void)+4Ej cmp esi, esp pop edi call j___RTC_CheckEsp pop esi test eax, eax pop ebx jz short loc_411400 add esp, 0C0h mov esi, esp cmp ebp, esp push 0 ; uType call j___RTC_CheckEsp push offset Caption mov esp, ebp push offset Text pop ebp push 0 ; hWnd Retn call ds:__imp__MessageBoxW@16 antidebug@@YAXXZ endp cmp esi, esp call j___RTC_CheckEsp short loc_41141D
Assembly Dump
Assembly Dump – Highlight Important Bits var_C0 = byte ptr -0C0h call j___RTC_CheckEsp push ebp jmp short loc_41141D mov ebp, esp sub esp, 0C0h loc_411400: Push ebx mov esi, esp Push esi push 0 ; uType Push edi push offset aNoDebugger lea edi, [ebp+var_C0] push offset aNoDebuggerDete mov ecx, 30h push 0 ; hWnd mov eax, 0CCCCCCCCh call ds:__imp__MessageBoxW@16 Rep stosd cmp esi, esp mov esi, esp call j___RTC_CheckEsp Call ds:__imp__IsDebuggerPresent@0 loc_41141D: cmp esi, esp pop edi Callj___RTC_CheckEsp pop esi Test eax, eax pop ebx jz short loc_411400 add esp, 0C0h mov esi, esp cmp ebp, esp push 0 ; uType call j___RTC_CheckEsp push offset Caption mov esp, ebp push offset Text pop ebp push 0 ; hWnd Retn call ds:__imp__MessageBoxW@16 ?antidebug@@YAXXZ endp cmp esi, esp
Assembly Dump
How About In C if (IsDebuggerPresent()) { MessageBox(NULL, L"Debugger Detected Via IsDebuggerPresent", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L“No Debugger Detected“, L“No Debugger ", MB_OK); }
Definition of Terms Debugger (Debugging) – The act of detecting and removing bugs in an application. Anti-Debugging – Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.
Definition of Terms Dumping – Dumping of a running process in memory to disk so that the image can be executed as a separate binary. Anti-Dumping – Technique that is used to inhibit the dumping of a running process from memory to disk
Definition of Terms Anti-Anti-Debugging – Techniques used to detect and bypass anti-debugging efforts Anti-Anti-Dumping – Techniques used to detect and bypass anti-dumping efforts. Anti-Anti-Anti-…. You get the picture
Why Bother? Isn’t this a futile effort
Why Should I Care? Protecting your intellectual property – Laws can’t possibly work Neither do EULA or other soft methods – Slow down subversion of software registration Cracking – Impede application feature and code theft Low cost – Short code segments equals quick implementation – Write a basic anti-debugging library for reuse
Why Should I Care? Raise the bar – Implement multiple layers of defense – Makes reversing an arduous task – It’s no longer as simple as a debugger + disassembler + time Malware analysis – Knowledge of anti-debugging techniques can help your incident response and analysis – Debug the random binary found on your accounting system – Implement IDS/IPS signatures in shorter timeframes Exercise the brain – Keeps the synapses firing – Implementation (and bypass) is FUN!
Standing On the Shoulders Of Giants A Brief Reference of Anti-Debugging
References Bania, P, “Antidebugging for the (m)asses - protecting the env.” Brulez, N., “Crimeware Anti-Reverse Engineering Uncovered” “Lord Julus”, “Anti-Debugger and Anti-Emulator Lair” Liston, T., and Skoudis, E., “ Thwarting Virtual Machine Detection” Bania, P., “Playing with RTDSC” Quist, D., Smith, V., “Detecting the Presence of Virtual Machines Using the Local Data Table” Omella, A. A., “Methods for Virtual Machine Detection” Tariq, T. B., “Detecting Virtualization” Rutkowska, J., " Red Pill... or how to detect VMM using (almost) one CPU instruction”
References Jackson, J., “An Anti-Reverse Engineering Guide” Falliere, N., “Windows Anti-Debug Reference” Gagnon, M. N., Taylor, S., and Ghosh, “Software Protection through Anti-Debugging” Ferrie, P., “Anti-Unpacker Tricks” OpenRCE: “Anti Reverse Engineering Techniques Database” Ferrie, P., “Attacks on More Virtual Machine Emulators” Brulez, N., “Anti-Reverse Engineering Uncovered”
Anti-Debugging Classes
Let’s Get Started
Let’s Get Started
Anti-Debugging Classes API Based Detection Process and Thread Block Detection Hardware and Register Based Detection Exception Based Detection Modified Code Based Detection Timing Based Detection
Anti-Debugging Classes API Based API Based Detection Detection – Using operating system supplied API calls to determine if a debugger exists and/or is attached to our code Process and Thread Block – No direct access of memory regions Detection – Relies upon documented and undocumented operating Hardware and system functions Register Based Detection Process and Thread Block Detection – Bypassing API calls and directly querying process and Exception Based thread information to determine discrepancies that Detection indicate the operation of a debugger Modified Code – When direct API calls just aren’t enough Based Detection – Avoids userland API hooking – Lower in the stack and closer to the OS results in more Timing Based difficult bypass Detection
Anti-Debugging Classes API Based Hardware and Register Based Detection Detection – Directly accessing CPU register information specifically debug registers to check for hardware breakpoints Process and Thread Block – No longer relies upon software differences for detection Detection – One step lower in the stack Hardware and Exception Based Detection Register Based Detection – Creating an exception that is handled differently depending on the debugging state of a process Exception Based Detection Modified Code Based Detection Timing Based Detection
Anti-Debugging Classes API Based Modified Code Based Detection Detection – Process understands what it *should* look like in memory Process and Thread Block – Compares the current picture against the excepted Detection picture Hardware and – Flags on differences Register Based Detection Timing Detection – Time calls used to determine execution deltas to be Exception Based compared against a reasonable threshold Detection – Primarily used to detect single stepping Modified Code – Can also be used to detect breakpoints within blocks of Based Detection code Timing Based Detection
API Anti-Debugging
Technology Background X86 Systems and Microsoft Windows Operating Systems – Windows 2000/XP/Vista Breakpoints – Software Breakpoints (Exceptions) Overwrites target location with INT03 (0xcc) Saves original opcode Backs up one operation, replaces original opcode, restarts – Hardware Breakpoints (Faults) Debug registers: 4 for addresses, one for control, and one for status Each of the first 4 can hold a memory address that causes a hardware fault when accessed Debug Registers (DR0 – DR7) Single Stepping – Trap Flag in processor is set – Any instruction will trigger a breakpoint when trap flag is set
API Anti-Debugging Pros – Generally easiest to implement – Easiest to understand – Short in length Cons – Easiest to understand – Relatively easy to bypass – Most frequently used
API Anti-Debugging FindWindow HANDLE ollyHandle = NULL; ollyHandle = FindWindow(L"OLLYDBG", 0); if (ollyHandle == NULL) { MessageBox(NULL, L"OllyDbg Not Detected", L"Not Detected", MB_OK); } else { MessageBox(NULL, L"Ollydbg Detected Via OllyDbg FindWindow()", L"OllyDbg Detected", MB_OK); } Registry Key Detection SOFTWAREMicrosoftWindows NTCurrentVersionAeDebug Debugger= exefileshellOpen with Olly&Dbgcommand dllfileshellOpen with Olly&Dbgcommand
API Anti-Debugging IsDebuggerPresent() Windows API if (IsDebuggerPresent()) { MessageBox(NULL, L"Debugger Detected Via IsDebuggerPresent", L"Debugger Detected", MB_OK); } CheckRemoteDebuggerPresent() Windows API CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbIsPresent); if (pbIsPresent) { MessageBox(NULL, L"Debugger Detected Via CheckRemoteDebuggerPresent", L"Debugger Detected", MB_OK); }
API Anti-Debugging OutputDebugString on Win2K and WinXP DWORD AnythingButTwo = 666; SetLastError(AnythingButTwo); OutputDebugString(L"foobar"); if (GetLastError() == AnythingButTwo) { MessageBox(NULL, L"Debugger Detected Via OutputDebugString", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
API Anti-Debugging NtQueryInformationProcess() Detection status = (_NtQueryInformationProcess) (-1, 7, &retVal, 4, NULL); printf("Status Code: %08X - DebugPort: %08X", status, retVal); if (retVal != 0) { MessageBox(NULL, L"Debugger Detected Via NtQueryInformationProcess ProcessDebugPort", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
API Anti-Debugging NtSetInformationThread lib = LoadLibrary(L"ntdll.dll"); _NtSetInformationThread = GetProcAddress(lib, "NtSetInformationThread"); (_NtSetInformationThread) (GetCurrentThread(), 0x11, 0, 0);
API Anti-Debugging Self Debugging with DebugActiveProcess pid = GetCurrentProcessId(); _itow_s((int)pid, (wchar_t*)&pid_str, 8, 10); wcsncat_s((wchar_t*)&szCmdline, 64, (wchar_t*)pid_str, 4); success = CreateProcess(path, szCmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); … success = DebugActiveProcess(pid); if (success == 0) { printf("Error Code: %dn", GetLastError()); MessageBox(NULL, L"Debugger Detected - Unable to Attach", L"Debugger Detected", MB_OK); } if (success == 1) MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
API Anti-Debugging ProcessDebugFlags hmod = LoadLibrary(L"ntdll.dll"); _NtQueryInformationProcess = GetProcAddress(hmod, "NtQueryInformationProcess"); status = (_NtQueryInformationProcess) (-1, 31, &debugFlag, 4, NULL); ProcessDebugObjectHandle status = (_NtQueryInformationProcess) (-1, 0x1e, &debugObject, 4, NULL); OllyDbg OutputDebugString() Format String Vulnerability OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s"), TEXT("%s%s%s%s%s%s%s%s%s%s%s") ); } __except (EXCEPTION_EXECUTE_HANDLER) { printf("Handled Exceptionn"); }
Exception Anti-Debugging
Technology Background Exceptions – Vectored Exception Handling Linked list of exceptions inserted before all other exceptions – Structured Exception Handling Linked list of exceptions setup on a functional basis – Unhandled Exception Filter A final catch all for exceptions to limit program crashes Debugger Interaction With Exceptions – First chance exceptions – Before Vectored Exception Handlers – Modify and return execution to process – Ignore and continue – Pass exception back to process for handling
Exception Based Anti-Debugging Pros – Slightly more complex – Sometimes more difficult to bypass (debugger doesn’t know how to ignore the exception) Cons – Slightly more complex – Sometimes trivial to bypass (debugger ignore exception) – Typically longer in length
Exception Anti-Debugging INT 2D, INT 0x03, 0xF1 (ICE Breakpoint), 0xCC Detection __try { __asm { int 2dh; // substitute int 3 or __emit 0xF1, 0xCC for other triggers } } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } if (flag != 1) MessageBox(NULL, L"Debugger Detected via int2d", L"Debugger Detected", MB_OK);
Exception Based Anti-Debugging kernel32!CloseHandle __try { CloseHandle(0x12345678); } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"Debugger Detected via kernel32!CloseHandle", L"Debugger Detected", MB_OK); } if (flag == 0) MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
Exception Anti-Debugging Single Step Detection (Trap Flag) __try { __asm { PUSHFD; //Saves the flag registers OR BYTE PTR[ESP+1], 1; // Sets the Trap Flag in EFlags POPFD; //Restore the flag registers NOP; // NOP } } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } if (flag == 0) MessageBox(NULL, L"Debugger Detected Via Trap Flag", L"Debugger Detected", MB_OK);
Exception Anti-Debugging OllyDbg Memory Breakpoint Detection memRegion = VirtualAlloc(NULL, 0x10000, MEM_COMMIT, PAGE_READWRITE); RtlFillMemory(memRegion, 0x10, 0xC3); success = VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD, &oldProt); myproc = (FARPROC) memRegion; success = 1; __try { myproc(); } __except (EXCEPTION_EXECUTE_HANDLER) { success = 0; MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
Exception Anti-Debugging Control C Vectored Exception Handling AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)exhandler); SetConsoleCtrlHandler((PHANDLER_ROUTINE)sighandler, TRUE); success = GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0); Using the CMPXCHG8B with the LOCK Prefix SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER) error); __asm { __emit 0xf0; __emit 0xf0; __emit 0xc7; __emit 0xc8; }
Process and Thread Block Anti-Debugging
Technology Background Process Environment Block (PEB) – Process Base Address – Heap Location – Memory Pointers – Global Flag – OS Version Information (Major/Minor) – isDebugged Flag – … Thread Information Block (TIB) – Thread ID – Process ID – Pointer to process PEB – Error Information – Exception Information – …
Process and Thread Block Anti-Debugging Pros – Direct to the process and thread information – Less chance of detection via hooking – Harder to bypass overall Cons – Requires use of undocumented structures – Requires understanding of runtime dynamic linking – More complex to understand
Process and Thread Block Anti-Debugging IsDebuggerPresent() Direct PEB Access status = (_NtQueryInformationProcess) (hnd, ProcessBasicInformation, &pPIB, sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten); if (status == 0 ) { if (pPIB.PebBaseAddress->BeingDebugged == 1) { MessageBox(NULL, L"Debugger Detected Using PEB!IsDebugged", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); PEB ProcessHeap Flag Debugger Detection base = (char *)pPIB.PebBaseAddress; procHeap = base+0x18; procHeap = *procHeap; heapFlag = (char*) procHeap+0x10; last = (DWORD*) heapFlag; if (*heapFlag != 0x00) { … Found a debugger }
Process and Thread Block Anti-Debugging NtGlobalFlag Debugger Detection status = (_NtQueryInformationProcess) (hnd, ProcessBasicInformation, &pPIB, sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten); value = (pPIB.PebBaseAddress); value = value+0x68; if (*value == 0x70) { MessageBox(NULL, L"Debugger Detected Using PEB!NTGlobalFlag", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
Process and Thread Block Anti-Debugging Vista TEB system DLL pointer strPtr = TIB+0xBFC; // Offset into the target structure delta = (int)(*strPtr) - (int)strPtr; // Ensure that string directly follows pointer if (delta == 0x04) { if (wcscmp(*strPtr, hookStr)==0) { // Compare to our known bad string MessageBox(NULL, L"Debugger Detected Via Vista TEB System DLL PTR", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); }
Hardware and Register Anti-Debugging
Hardware and Register Anti-Debugging Pros – Directly checks the hardware – Harder yet to bypass – Fairly easy to implement Cons – Not a whole lot of research in this area – Limited number of techniques available
Hardware Register Anti-Debugging Hardware Breakpoint Detection hnd = GetCurrentThread(); status = GetThreadContext(hnd, &ctx); if ((ctx.Dr0 != 0x00) || (ctx.Dr1 != 0x00) || (ctx.Dr2 != 0x00) || (ctx.Dr3 != 0x00) || (ctx.Dr6 != 0x00) || (ctx.Dr7 != 0x00)) { MessageBox(NULL, L"Debugger Detected Via DRx Modification/Hardware Breakpoint", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); }
Hardware Register Anti-Debugging Vmware sldt detection __asm { sldt ldt_info; } if ((ldt_info[0] != 0x00) && (ldt_info[1] != 0x00)) ldt_flag = 1;
Timing Based Anti-Debugging
Timing Based Anti-Debugging Pros – Super easy to implement – Conceptually easy to understand – Can monitor blocks or individual instructions Cons – Very easy to bypass – Can be spotted a mile away
Timing Based Anti-Debugging RDTSC Instruction Debugger Latency Detection i = __rdtsc(); j = __rdtsc(); if (j-i < 0xff) { MessageBox(NULL, L“No Debugger Detected Via RDTSC", L“No Debugger Detected", MB_OK); } else { MessageBox(NULL, L"Debugger Detected Via RDTSC", L"Debugger Detected", MB_OK); } NTQueryPerformanceCounter QueryPerformanceCounter(&li); QueryPerformanceCounter(&li2); if ((li2.QuadPart-li.QuadPart) > 0xFF) { GetTickCount Timing timeGetTime Timing
Paper Link http://www.veracode.com/images/ pdf/whitepaper_antidebugging.pdf
Questions
Contact Tyler Shields Sr. Security Researcher Veracode, Inc. tshields@veracode.com

More Related Content

PDF
Anti-Debugging - A Developers View
byTyler Shields
 
PDF
Anti Debugging
byn|u - The Open Security Community
 
PDF
Reverse engineering - Shellcodes techniques
byEran Goldstein
 
PPTX
Сканирование с использованием бэкслэша: подключаем интуицию
byPositive Hack Days
 
PDF
Tdd with python unittest for embedded c
byBenux Wei
 
PDF
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
byRouven Weßling
 
PPTX
exception handling in cpp
bygourav kottawar
 
PDF
Picking Mushrooms after Cppcheck
byAndrey Karpov
 
Anti-Debugging - A Developers View
byTyler Shields
 
Anti Debugging
byn|u - The Open Security Community
 
Reverse engineering - Shellcodes techniques
byEran Goldstein
 
Сканирование с использованием бэкслэша: подключаем интуицию
byPositive Hack Days
 
Tdd with python unittest for embedded c
byBenux Wei
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
byRouven Weßling
 
exception handling in cpp
bygourav kottawar
 
Picking Mushrooms after Cppcheck
byAndrey Karpov
 

What's hot

PPT
AUTOMATED TESTING USING PYTHON (ATE)
byYuvaraja Ravi
 
PDF
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
byPVS-Studio
 
PDF
Linux version of PVS-Studio couldn't help checking CodeLite
byPVS-Studio
 
PDF
We Continue Exploring Tizen: C# Components Proved to be of High Quality
byPVS-Studio
 
PDF
Why Windows 8 drivers are buggy
byAndrey Karpov
 
PDF
Windbg랑 친해지기
byJi Hun Kim
 
PDF
A fresh eye on Oracle VM VirtualBox
byPVS-Studio
 
PDF
Checking 7-Zip with PVS-Studio analyzer
byPVS-Studio
 
PDF
Valgrind
byaidanshribman
 
PDF
Valgrind overview: runtime memory checker and a bit more aka использование #v...
byMinsk Linux User Group
 
PPTX
Tranning-2
byAli Hussain
 
PDF
The Little Unicorn That Could
byPVS-Studio
 
PDF
Intel IPP Samples for Windows - error correction
byPVS-Studio
 
DOCX
Valgrind debugger Tutorial
byAnurag Tomar
 
PDF
C&cpu
byfeathertw
 
PDF
A Post About Analyzing PHP
byAndrey Karpov
 
PDF
Checking Clang 11 with PVS-Studio
byAndrey Karpov
 
PDF
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
byRigels Gordani
 
PDF
Valgrind tutorial
bySatabdi Das
 
PDF
Dive into exploit development
byPayampardaz
 
AUTOMATED TESTING USING PYTHON (ATE)
byYuvaraja Ravi
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
byPVS-Studio
 
Linux version of PVS-Studio couldn't help checking CodeLite
byPVS-Studio
 
We Continue Exploring Tizen: C# Components Proved to be of High Quality
byPVS-Studio
 
Why Windows 8 drivers are buggy
byAndrey Karpov
 
Windbg랑 친해지기
byJi Hun Kim
 
A fresh eye on Oracle VM VirtualBox
byPVS-Studio
 
Checking 7-Zip with PVS-Studio analyzer
byPVS-Studio
 
Valgrind
byaidanshribman
 
Valgrind overview: runtime memory checker and a bit more aka использование #v...
byMinsk Linux User Group
 
Tranning-2
byAli Hussain
 
The Little Unicorn That Could
byPVS-Studio
 
Intel IPP Samples for Windows - error correction
byPVS-Studio
 
Valgrind debugger Tutorial
byAnurag Tomar
 
C&cpu
byfeathertw
 
A Post About Analyzing PHP
byAndrey Karpov
 
Checking Clang 11 with PVS-Studio
byAndrey Karpov
 
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
byRigels Gordani
 
Valgrind tutorial
bySatabdi Das
 
Dive into exploit development
byPayampardaz
 

Similar to Source Boston 2009 - Anti-Debugging A Developers Viewpoint

PPTX
CarolinaCon 2009 Anti-Debugging
byTyler Shields
 
PPT
Reverse engineering20151112
byBordeaux I
 
PPTX
Advanced malware analysis training session4 anti-analysis techniques
byCysinfo Cyber Security Community
 
PDF
Dmitriy D1g1 Evdokimov - DBI Intro
byDefconRussia
 
PDF
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
byHackito Ergo Sum
 
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
byArea41
 
PDF
Basics of building a blackfin application
byPantech ProLabs India Pvt Ltd
 
PDF
EclipseCon 2011: Deciphering the CDT debugger alphabet soup
byBruce Griffith
 
PPTX
Introduction to Linux Exploit Development
byjohndegruyter
 
PDF
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
byHackito Ergo Sum
 
PDF
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
byWillem van Ketwich
 
PPT
Program development tools
byPantech ProLabs India Pvt Ltd
 
PPTX
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
bysecurityxploded
 
PDF
Memory management
byRajni Sirohi
 
PDF
Dmitriy evdokimov. light and dark side of code instrumentation
byYury Chemerkin
 
PPTX
Ss debuggers
bysweety enit
 
PPT
Debug(1).ppt
byHebaEng
 
PPTX
C++ and Assembly: Debugging and Reverse Engineering
bycorehard_by
 
PPTX
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
byPositive Hack Days
 
PDF
The walking 0xDEAD
byCarlos Garcia Prado
 
CarolinaCon 2009 Anti-Debugging
byTyler Shields
 
Reverse engineering20151112
byBordeaux I
 
Advanced malware analysis training session4 anti-analysis techniques
byCysinfo Cyber Security Community
 
Dmitriy D1g1 Evdokimov - DBI Intro
byDefconRussia
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
byHackito Ergo Sum
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
byArea41
 
Basics of building a blackfin application
byPantech ProLabs India Pvt Ltd
 
EclipseCon 2011: Deciphering the CDT debugger alphabet soup
byBruce Griffith
 
Introduction to Linux Exploit Development
byjohndegruyter
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
byHackito Ergo Sum
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
byWillem van Ketwich
 
Program development tools
byPantech ProLabs India Pvt Ltd
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
bysecurityxploded
 
Memory management
byRajni Sirohi
 
Dmitriy evdokimov. light and dark side of code instrumentation
byYury Chemerkin
 
Ss debuggers
bysweety enit
 
Debug(1).ppt
byHebaEng
 
C++ and Assembly: Debugging and Reverse Engineering
bycorehard_by
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
byPositive Hack Days
 
The walking 0xDEAD
byCarlos Garcia Prado
 

More from Tyler Shields

PDF
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
PPTX
Defending Behind the Mobile Device
byTyler Shields
 
PDF
Avoiding the Pandora Pitfall
byTyler Shields
 
PPTX
Social and Mobile and Cloud - OH MY!
byTyler Shields
 
PPTX
Social Media Basics: Security Loopholes with Twitter & Other Social Media
byTyler Shields
 
PDF
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
byTyler Shields
 
PDF
Shmoocon 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
Survey of Rootkit Technologies and Their Impact on Digital Forensics
byTyler Shields
 
PDF
Source Boston 2010 - The Monkey Steals the Berries Part Deux
byTyler Shields
 
PDF
Software Developers Forum 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
Raleigh ISSA 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
Static Detection of Application Backdoors
byTyler Shields
 
PDF
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
byTyler Shields
 
PDF
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
PDF
Owasp Ireland - The State of Software Security
byTyler Shields
 
PDF
More Apps More Problems
byTyler Shields
 
PDF
Dirty Little Secret - Mobile Applications Invading Your Privacy
byTyler Shields
 
PDF
IT Hot Topics - Mobile Security Threats at Every Layer
byTyler Shields
 
PDF
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
byTyler Shields
 
PDF
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
byTyler Shields
 
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
Defending Behind the Mobile Device
byTyler Shields
 
Avoiding the Pandora Pitfall
byTyler Shields
 
Social and Mobile and Cloud - OH MY!
byTyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
byTyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
byTyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
byTyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
byTyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
byTyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
byTyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
byTyler Shields
 
Static Detection of Application Backdoors
byTyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
byTyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
Owasp Ireland - The State of Software Security
byTyler Shields
 
More Apps More Problems
byTyler Shields
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
byTyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
byTyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
byTyler Shields
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
byTyler Shields
 

Recently uploaded

PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
final.pdf
byomarbishtawi04
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
apidays New York 2025 | AI in Application Security
byapidays
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 

Source Boston 2009 - Anti-Debugging A Developers Viewpoint

  • 1.
    Anti-Debugging A Developers Viewpoint March 13, 2008
  • 2.
    Presenter Background Currently – Sr. Security Researcher for Veracode, Inc. Previously – Security Consultant - Symantec – Security Consultant - @Stake – Incident Response and Forensics Handler – US Government Wishes He Was – Infinitely Rich – Personal Trainer to hot Hollywood starlets – General all-around rockstar
  • 3.
    What we willcover… Definition of Problem Statement and Terms Why Bother? – Isn’t this a futile effort? Standing On The Shoulders of Giants – Brief reference of anti-debugging Classes of Anti-Debugging Methods – The six styles of anti-debug fu Some Known Anti-Debugging Methods – Not enough time to cover them all
  • 4.
  • 5.
    Problem Statement Anti-debugging methods are consistently presented as machine code or assembly language constructs making knowledge transfer difficult and limiting widespread use of the techniques.
  • 6.
    Let’s Do AnExperiment Can you tell what the following code does in five seconds or less? Be Honest!
  • 7.
    Assembly Dump push ebp movebp, esp loc_411400: ; CODE XREF: antidebug(void)+2Fj sub esp, 0C0h mov esi, esp push ebx push 0 ; uType push esi push offset aNoDebugger push edi push offset aNoDebuggerDete lea edi, [ebp+var_C0] push 0 ; hWnd mov ecx, 30h call ds:__imp__MessageBoxW@16 mov eax, 0CCCCCCCCh cmp esi, esp rep stosd j___RTC_CheckEsp mov esi, esp call ds:__imp__IsDebuggerPresent@0 loc_41141D: ; CODE XREF: antidebug(void)+4Ej cmp esi, esp pop edi call j___RTC_CheckEsp pop esi test eax, eax pop ebx jz short loc_411400 add esp, 0C0h mov esi, esp cmp ebp, esp push 0 ; uType call j___RTC_CheckEsp push offset Caption mov esp, ebp push offset Text pop ebp push 0 ; hWnd Retn call ds:__imp__MessageBoxW@16 antidebug@@YAXXZ endp cmp esi, esp call j___RTC_CheckEsp short loc_41141D
  • 8.
  • 9.
    Assembly Dump –Highlight Important Bits var_C0 = byte ptr -0C0h call j___RTC_CheckEsp push ebp jmp short loc_41141D mov ebp, esp sub esp, 0C0h loc_411400: Push ebx mov esi, esp Push esi push 0 ; uType Push edi push offset aNoDebugger lea edi, [ebp+var_C0] push offset aNoDebuggerDete mov ecx, 30h push 0 ; hWnd mov eax, 0CCCCCCCCh call ds:__imp__MessageBoxW@16 Rep stosd cmp esi, esp mov esi, esp call j___RTC_CheckEsp Call ds:__imp__IsDebuggerPresent@0 loc_41141D: cmp esi, esp pop edi Callj___RTC_CheckEsp pop esi Test eax, eax pop ebx jz short loc_411400 add esp, 0C0h mov esi, esp cmp ebp, esp push 0 ; uType call j___RTC_CheckEsp push offset Caption mov esp, ebp push offset Text pop ebp push 0 ; hWnd Retn call ds:__imp__MessageBoxW@16 ?antidebug@@YAXXZ endp cmp esi, esp
  • 10.
  • 11.
    How About InC if (IsDebuggerPresent()) { MessageBox(NULL, L"Debugger Detected Via IsDebuggerPresent", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L“No Debugger Detected“, L“No Debugger ", MB_OK); }
  • 12.
    Definition of Terms Debugger (Debugging) – The act of detecting and removing bugs in an application. Anti-Debugging – Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.
  • 13.
    Definition of Terms Dumping – Dumping of a running process in memory to disk so that the image can be executed as a separate binary. Anti-Dumping – Technique that is used to inhibit the dumping of a running process from memory to disk
  • 14.
    Definition of Terms Anti-Anti-Debugging – Techniques used to detect and bypass anti-debugging efforts Anti-Anti-Dumping – Techniques used to detect and bypass anti-dumping efforts. Anti-Anti-Anti-…. You get the picture
  • 15.
    Why Bother? Isn’t thisa futile effort
  • 16.
    Why Should ICare? Protecting your intellectual property – Laws can’t possibly work Neither do EULA or other soft methods – Slow down subversion of software registration Cracking – Impede application feature and code theft Low cost – Short code segments equals quick implementation – Write a basic anti-debugging library for reuse
  • 17.
    Why Should ICare? Raise the bar – Implement multiple layers of defense – Makes reversing an arduous task – It’s no longer as simple as a debugger + disassembler + time Malware analysis – Knowledge of anti-debugging techniques can help your incident response and analysis – Debug the random binary found on your accounting system – Implement IDS/IPS signatures in shorter timeframes Exercise the brain – Keeps the synapses firing – Implementation (and bypass) is FUN!
  • 18.
    Standing On theShoulders Of Giants A Brief Reference of Anti-Debugging
  • 19.
    References Bania, P,“Antidebugging for the (m)asses - protecting the env.” Brulez, N., “Crimeware Anti-Reverse Engineering Uncovered” “Lord Julus”, “Anti-Debugger and Anti-Emulator Lair” Liston, T., and Skoudis, E., “ Thwarting Virtual Machine Detection” Bania, P., “Playing with RTDSC” Quist, D., Smith, V., “Detecting the Presence of Virtual Machines Using the Local Data Table” Omella, A. A., “Methods for Virtual Machine Detection” Tariq, T. B., “Detecting Virtualization” Rutkowska, J., " Red Pill... or how to detect VMM using (almost) one CPU instruction”
  • 20.
    References Jackson, J.,“An Anti-Reverse Engineering Guide” Falliere, N., “Windows Anti-Debug Reference” Gagnon, M. N., Taylor, S., and Ghosh, “Software Protection through Anti-Debugging” Ferrie, P., “Anti-Unpacker Tricks” OpenRCE: “Anti Reverse Engineering Techniques Database” Ferrie, P., “Attacks on More Virtual Machine Emulators” Brulez, N., “Anti-Reverse Engineering Uncovered”
  • 21.
  • 22.
  • 23.
  • 24.
    Anti-Debugging Classes API BasedDetection Process and Thread Block Detection Hardware and Register Based Detection Exception Based Detection Modified Code Based Detection Timing Based Detection
  • 25.
    Anti-Debugging Classes API Based API Based Detection Detection – Using operating system supplied API calls to determine if a debugger exists and/or is attached to our code Process and Thread Block – No direct access of memory regions Detection – Relies upon documented and undocumented operating Hardware and system functions Register Based Detection Process and Thread Block Detection – Bypassing API calls and directly querying process and Exception Based thread information to determine discrepancies that Detection indicate the operation of a debugger Modified Code – When direct API calls just aren’t enough Based Detection – Avoids userland API hooking – Lower in the stack and closer to the OS results in more Timing Based difficult bypass Detection
  • 26.
    Anti-Debugging Classes API Based Hardware and Register Based Detection Detection – Directly accessing CPU register information specifically debug registers to check for hardware breakpoints Process and Thread Block – No longer relies upon software differences for detection Detection – One step lower in the stack Hardware and Exception Based Detection Register Based Detection – Creating an exception that is handled differently depending on the debugging state of a process Exception Based Detection Modified Code Based Detection Timing Based Detection
  • 27.
    Anti-Debugging Classes API Based Modified Code Based Detection Detection – Process understands what it *should* look like in memory Process and Thread Block – Compares the current picture against the excepted Detection picture Hardware and – Flags on differences Register Based Detection Timing Detection – Time calls used to determine execution deltas to be Exception Based compared against a reasonable threshold Detection – Primarily used to detect single stepping Modified Code – Can also be used to detect breakpoints within blocks of Based Detection code Timing Based Detection
  • 28.
  • 29.
    Technology Background X86Systems and Microsoft Windows Operating Systems – Windows 2000/XP/Vista Breakpoints – Software Breakpoints (Exceptions) Overwrites target location with INT03 (0xcc) Saves original opcode Backs up one operation, replaces original opcode, restarts – Hardware Breakpoints (Faults) Debug registers: 4 for addresses, one for control, and one for status Each of the first 4 can hold a memory address that causes a hardware fault when accessed Debug Registers (DR0 – DR7) Single Stepping – Trap Flag in processor is set – Any instruction will trigger a breakpoint when trap flag is set
  • 30.
    API Anti-Debugging Pros – Generally easiest to implement – Easiest to understand – Short in length Cons – Easiest to understand – Relatively easy to bypass – Most frequently used
  • 31.
    API Anti-Debugging FindWindow HANDLE ollyHandle = NULL; ollyHandle = FindWindow(L"OLLYDBG", 0); if (ollyHandle == NULL) { MessageBox(NULL, L"OllyDbg Not Detected", L"Not Detected", MB_OK); } else { MessageBox(NULL, L"Ollydbg Detected Via OllyDbg FindWindow()", L"OllyDbg Detected", MB_OK); } Registry Key Detection SOFTWAREMicrosoftWindows NTCurrentVersionAeDebug Debugger= exefileshellOpen with Olly&Dbgcommand dllfileshellOpen with Olly&Dbgcommand
  • 32.
    API Anti-Debugging IsDebuggerPresent()Windows API if (IsDebuggerPresent()) { MessageBox(NULL, L"Debugger Detected Via IsDebuggerPresent", L"Debugger Detected", MB_OK); } CheckRemoteDebuggerPresent() Windows API CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbIsPresent); if (pbIsPresent) { MessageBox(NULL, L"Debugger Detected Via CheckRemoteDebuggerPresent", L"Debugger Detected", MB_OK); }
  • 33.
    API Anti-Debugging OutputDebugStringon Win2K and WinXP DWORD AnythingButTwo = 666; SetLastError(AnythingButTwo); OutputDebugString(L"foobar"); if (GetLastError() == AnythingButTwo) { MessageBox(NULL, L"Debugger Detected Via OutputDebugString", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
  • 34.
    API Anti-Debugging NtQueryInformationProcess()Detection status = (_NtQueryInformationProcess) (-1, 7, &retVal, 4, NULL); printf("Status Code: %08X - DebugPort: %08X", status, retVal); if (retVal != 0) { MessageBox(NULL, L"Debugger Detected Via NtQueryInformationProcess ProcessDebugPort", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
  • 35.
    API Anti-Debugging NtSetInformationThread lib = LoadLibrary(L"ntdll.dll"); _NtSetInformationThread = GetProcAddress(lib, "NtSetInformationThread"); (_NtSetInformationThread) (GetCurrentThread(), 0x11, 0, 0);
  • 36.
    API Anti-Debugging SelfDebugging with DebugActiveProcess pid = GetCurrentProcessId(); _itow_s((int)pid, (wchar_t*)&pid_str, 8, 10); wcsncat_s((wchar_t*)&szCmdline, 64, (wchar_t*)pid_str, 4); success = CreateProcess(path, szCmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); … success = DebugActiveProcess(pid); if (success == 0) { printf("Error Code: %dn", GetLastError()); MessageBox(NULL, L"Debugger Detected - Unable to Attach", L"Debugger Detected", MB_OK); } if (success == 1) MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
  • 37.
    API Anti-Debugging ProcessDebugFlags hmod = LoadLibrary(L"ntdll.dll"); _NtQueryInformationProcess = GetProcAddress(hmod, "NtQueryInformationProcess"); status = (_NtQueryInformationProcess) (-1, 31, &debugFlag, 4, NULL); ProcessDebugObjectHandle status = (_NtQueryInformationProcess) (-1, 0x1e, &debugObject, 4, NULL); OllyDbg OutputDebugString() Format String Vulnerability OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s"), TEXT("%s%s%s%s%s%s%s%s%s%s%s") ); } __except (EXCEPTION_EXECUTE_HANDLER) { printf("Handled Exceptionn"); }
  • 38.
  • 39.
    Technology Background Exceptions – Vectored Exception Handling Linked list of exceptions inserted before all other exceptions – Structured Exception Handling Linked list of exceptions setup on a functional basis – Unhandled Exception Filter A final catch all for exceptions to limit program crashes Debugger Interaction With Exceptions – First chance exceptions – Before Vectored Exception Handlers – Modify and return execution to process – Ignore and continue – Pass exception back to process for handling
  • 40.
    Exception Based Anti-Debugging Pros – Slightly more complex – Sometimes more difficult to bypass (debugger doesn’t know how to ignore the exception) Cons – Slightly more complex – Sometimes trivial to bypass (debugger ignore exception) – Typically longer in length
  • 41.
    Exception Anti-Debugging INT2D, INT 0x03, 0xF1 (ICE Breakpoint), 0xCC Detection __try { __asm { int 2dh; // substitute int 3 or __emit 0xF1, 0xCC for other triggers } } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } if (flag != 1) MessageBox(NULL, L"Debugger Detected via int2d", L"Debugger Detected", MB_OK);
  • 42.
    Exception Based Anti-Debugging kernel32!CloseHandle __try { CloseHandle(0x12345678); } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"Debugger Detected via kernel32!CloseHandle", L"Debugger Detected", MB_OK); } if (flag == 0) MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
  • 43.
    Exception Anti-Debugging SingleStep Detection (Trap Flag) __try { __asm { PUSHFD; //Saves the flag registers OR BYTE PTR[ESP+1], 1; // Sets the Trap Flag in EFlags POPFD; //Restore the flag registers NOP; // NOP } } __except (EXCEPTION_EXECUTE_HANDLER) { flag = 1; MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } if (flag == 0) MessageBox(NULL, L"Debugger Detected Via Trap Flag", L"Debugger Detected", MB_OK);
  • 44.
    Exception Anti-Debugging OllyDbgMemory Breakpoint Detection memRegion = VirtualAlloc(NULL, 0x10000, MEM_COMMIT, PAGE_READWRITE); RtlFillMemory(memRegion, 0x10, 0xC3); success = VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD, &oldProt); myproc = (FARPROC) memRegion; success = 1; __try { myproc(); } __except (EXCEPTION_EXECUTE_HANDLER) { success = 0; MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
  • 45.
    Exception Anti-Debugging ControlC Vectored Exception Handling AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)exhandler); SetConsoleCtrlHandler((PHANDLER_ROUTINE)sighandler, TRUE); success = GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0); Using the CMPXCHG8B with the LOCK Prefix SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER) error); __asm { __emit 0xf0; __emit 0xf0; __emit 0xc7; __emit 0xc8; }
  • 46.
    Process and ThreadBlock Anti-Debugging
  • 47.
    Technology Background ProcessEnvironment Block (PEB) – Process Base Address – Heap Location – Memory Pointers – Global Flag – OS Version Information (Major/Minor) – isDebugged Flag – … Thread Information Block (TIB) – Thread ID – Process ID – Pointer to process PEB – Error Information – Exception Information – …
  • 48.
    Process and ThreadBlock Anti-Debugging Pros – Direct to the process and thread information – Less chance of detection via hooking – Harder to bypass overall Cons – Requires use of undocumented structures – Requires understanding of runtime dynamic linking – More complex to understand
  • 49.
    Process and ThreadBlock Anti-Debugging IsDebuggerPresent() Direct PEB Access status = (_NtQueryInformationProcess) (hnd, ProcessBasicInformation, &pPIB, sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten); if (status == 0 ) { if (pPIB.PebBaseAddress->BeingDebugged == 1) { MessageBox(NULL, L"Debugger Detected Using PEB!IsDebugged", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); PEB ProcessHeap Flag Debugger Detection base = (char *)pPIB.PebBaseAddress; procHeap = base+0x18; procHeap = *procHeap; heapFlag = (char*) procHeap+0x10; last = (DWORD*) heapFlag; if (*heapFlag != 0x00) { … Found a debugger }
  • 50.
    Process and ThreadBlock Anti-Debugging NtGlobalFlag Debugger Detection status = (_NtQueryInformationProcess) (hnd, ProcessBasicInformation, &pPIB, sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten); value = (pPIB.PebBaseAddress); value = value+0x68; if (*value == 0x70) { MessageBox(NULL, L"Debugger Detected Using PEB!NTGlobalFlag", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK); }
  • 51.
    Process and ThreadBlock Anti-Debugging Vista TEB system DLL pointer strPtr = TIB+0xBFC; // Offset into the target structure delta = (int)(*strPtr) - (int)strPtr; // Ensure that string directly follows pointer if (delta == 0x04) { if (wcscmp(*strPtr, hookStr)==0) { // Compare to our known bad string MessageBox(NULL, L"Debugger Detected Via Vista TEB System DLL PTR", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); } } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); }
  • 52.
  • 53.
    Hardware and RegisterAnti-Debugging Pros – Directly checks the hardware – Harder yet to bypass – Fairly easy to implement Cons – Not a whole lot of research in this area – Limited number of techniques available
  • 54.
    Hardware Register Anti-Debugging Hardware Breakpoint Detection hnd = GetCurrentThread(); status = GetThreadContext(hnd, &ctx); if ((ctx.Dr0 != 0x00) || (ctx.Dr1 != 0x00) || (ctx.Dr2 != 0x00) || (ctx.Dr3 != 0x00) || (ctx.Dr6 != 0x00) || (ctx.Dr7 != 0x00)) { MessageBox(NULL, L"Debugger Detected Via DRx Modification/Hardware Breakpoint", L"Debugger Detected", MB_OK); } else { MessageBox(NULL, L"No Debugger Detected", L"No Debugger", MB_OK); }
  • 55.
    Hardware Register Anti-Debugging Vmware sldt detection __asm { sldt ldt_info; } if ((ldt_info[0] != 0x00) && (ldt_info[1] != 0x00)) ldt_flag = 1;
  • 56.
  • 57.
    Timing Based Anti-Debugging Pros – Super easy to implement – Conceptually easy to understand – Can monitor blocks or individual instructions Cons – Very easy to bypass – Can be spotted a mile away
  • 58.
    Timing Based Anti-Debugging RDTSC Instruction Debugger Latency Detection i = __rdtsc(); j = __rdtsc(); if (j-i < 0xff) { MessageBox(NULL, L“No Debugger Detected Via RDTSC", L“No Debugger Detected", MB_OK); } else { MessageBox(NULL, L"Debugger Detected Via RDTSC", L"Debugger Detected", MB_OK); } NTQueryPerformanceCounter QueryPerformanceCounter(&li); QueryPerformanceCounter(&li2); if ((li2.QuadPart-li.QuadPart) > 0xFF) { GetTickCount Timing timeGetTime Timing
  • 59.
  • 60.
  • 61.
    Contact Tyler Shields Sr. SecurityResearcher Veracode, Inc. tshields@veracode.com