Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 10 Anti-debugger techniques. Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling.

Published byBenedict Curtis Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 10 Anti-debugger techniques. Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling."— Presentation transcript:

1 Lecture 10 Anti-debugger techniques

2 Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling –Debugger detection Behavior modification Crashing debugger Links –http://www.textfiles.com/virus/adebgtut.txthttp://www.textfiles.com/virus/adebgtut.txt –http://anti-debugging.qarchive.orghttp://anti-debugging.qarchive.org –http://rdist.root.org/2007/04/19/anti-debugger- techniques-are-overratedhttp://rdist.root.org/2007/04/19/anti-debugger- techniques-are-overrated –http://www.openrce.org/reference_library/anti_reversin ghttp://www.openrce.org/reference_library/anti_reversin g –http://reconstructer.orghttp://reconstructer.org

3 Modify Interrupts Overwrite Interrupt Vector of INT 1/3 to point to garbage code –INT 1 = Debug Single Step –INT 3 = Debug Breakpoint –Point to garbage so debugger crashes –Must skip instructions to counter Run long loop of INT 3 instructions –Slows down AV or debugging process –Must NOP out INT 3 to counter Turn off keyboard interrupts IN AL,20h OR AL,02 OUT AL,20 IN AL,20 AND AL, NOT 2 OUT AL,20

4 Modify interrupts Replace INT 1/3 with another valid interrupt Detect INT 1 tracing by stack inspection –INT 1 overwrites 6 bytes below SP with return values for IP, CS, and Flags PUSH AX POP AX DEC SP POP BX CMP AX,BX JNE CODE_IS_TRACED Force INT 1/INT 3 tracing to disable code –Hide critical value (i.e. decryption key) on stack directly without modifying stack pointer –Debugger will overwrite value if it runs

5 Protecting anti-debug code Use anti-debug routines as decryption key –Retrieve a byte from routines to modify decryption routine –Prevents AV and anti-debugger from “NOP”ing out your traps Running line –Hook INT 1 –Decrypt each instruction just before it is run –Re-encrypt each instruction just after it is run –Only one instruction at a time is decrypted in memory

6 Detection tricks IsDebuggerPresent() –Returns 0 if current process is not running in the context of a debugger –Searches PEB (Process Environment Block) for the field IsDebugged –CheckRemoteDebuggerPresent() checks if debugger is a separate, parallel process that is attached to process –Windows NT NTGlobalFlag for WindowsNT NtQueryInformationProcess –Can be easily bypassed with breakpoint scripts, patching of the IAT, or directly modifying the PEB

7 Detection tricks Detect presence of INT 41/INT 2dh –Used by Windows debugging interface Detect INT 68h hooking (SoftICE) Detect files and registry keys created by debugger –szOllyKey, szIsSICEKey –Attempt to create SoftICE driver to detect presence –Look for \system32\drivers\WINICE.dat –\\.\SICE, \\.\SIWDEBUG, etc.\\.\SICE\\.\SIWDEBUG Detect debug processes or hooks –Check for NTice service via OpenService() –OllyInvisible hooking of CsrGetProcessId –Olly HideDebugger detour modifications to OpenProcess() –Scan every running process and read out memory address 0x004B064B (where OllyDB stores some of its strings)

8 Detection tricks Scan and detect 0xCC opcode (int 3) Scan low memory for specific names installed by SoftICE such as “WINICE.BR”, “SOFTICE1” Examine timing –Use rdtsc to measure cycles –Measure system calls to detect virtualization or syscall hijacks Vmware, Sebek, UML, etc. VMEDetect using rdtsc trick –Debugger instruction stepping –Obfuscate calls to rdtsc by using trampoline within existing ntdll.dll (ReleaseBufferLocation()) Detecting VMware –Execute VMware backdoor I/O function call –Check location of IDT

9 Detection tricks Check registers and flags used for debug purposes –TRAP bit in EFLAGS register –DR0-DR7 Change registers in exception handler Set handler apriori and cause an error in code (divide by zero) When context switching to handler, debug registers saved on user stack Read and write these values –PEB ProcessHeap flag Execute exception with Trap flag set –No debugger = SEH will occur –Debugger = SEH will not occur Check PROCESSINFOCLASS for ProcessDebugPort or SYSTEMINFOCLASS for SystemDebuggerInformation

10 Crashing tricks (landmines) Exploit software errors in debuggers –Confuse LordPE and ProcDump dumping by reporting inconsistent process image size –Crash SoftICE with poorly formatted strings –Crash SoftICE with illegal form of instructions –Crash OllyDBG with format string vulnerability OutputDebugString() –Crash OllyDBG with bogus PE Headers

11 Confusion tricks OllyDBG does not handle instruction prefixes well –Insert prefix one byte before SEH –OllyDBG skips it, but SEH runs with no debugger OllyDBG mishandling INT 3 –Set an SEH before INT3 OllyDBG memory handling –PAGE_GUARD used as memory break-point –Set SEH and execute PAGE_GUARD exception With OllyDBG, goes to MemBpx and continues execution Without OllyDBG, SEH code executed

Download ppt "Lecture 10 Anti-debugger techniques. Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling."

Similar presentations

Anti-Unpacking techniques

Anti-Unpacking techniques
I/O Unit.

I/O Unit.
Unit 4 Chapter-1 Multitasking. The Task State Segment.

Unit 4 Chapter-1 Multitasking. The Task State Segment.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.

Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.

Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
8.7 Memory management Program E Program D System memory DOS INT 21, function 48H: Allocate Memory Specification: allocates a number of memory paragraphs.

8.7 Memory management Program E Program D System memory DOS INT 21, function 48H: Allocate Memory Specification: allocates a number of memory paragraphs.
Interrupt Processing Haibo Wang ECE Department

Interrupt Processing Haibo Wang ECE Department
Chapter 7 Interupts DMA Channels Context Switching.

Chapter 7 Interupts DMA Channels Context Switching.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.

Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.

Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.
Introduction to Interrupts

Introduction to Interrupts
OllyDbg Debuger.

OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
Gursharan Singh Tatla professorgstatla@gmail.com Block Diagram of Intel 8086 Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 19-Apr-17.

Gursharan Singh Tatla Block Diagram of Intel 8086 Gursharan Singh Tatla 19-Apr-17.
1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.

1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

Similar presentations

Ads by Google