Presentation is loading. Please wait.

Presentation is loading. Please wait.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

Published byAriel Hoston Modified over 9 years ago

Similar presentations

Presentation on theme: "RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer."— Presentation transcript:

1 RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer

2 RECON2008 Overview The Problem: Anti-debugging Helikaon: How it works Demo Nuts and Bolts Debugger Output This and That Future Work Summary

3 RECON2008 The Problem: Anti-debugging Linux OS is not immune to malware and viruses Protect their IP Why custom debugger? –COTS debuggers, such as GDB and IDA Pro, are detected in Linux utilizing a variety of anti-debugging techniques –Often interesting to break protections, why reproduce every time

4 RECON2008 The Problem: Anti-debugging Traditional Ring-3 debuggers (GDB and IDA Pro) need to register with the OS to begin debugging a user application They need to handle signals such as a SIGTRAP to handle an INT 3, and are easily detectable due to Linux debuggers needing to use ‘ptrace’ to debug a binary Using the Helikaon debugger, registration with the OS is not required Checks for ptrace, signal, INT 3’s, and hardware debug register use are circumvented

5 RECON2008 Helikaon “Helikaon” — a stealthy Linux-driver- based debugger that will aid the engineer in debugging a running executable

6 RECON2008 Feature Comparison Chart User Debuggers (gdb, IDA Pro) Helikaon Debugger Caught by Registration-based Debugger Checks (e.g. Ptrace(), signal()) YesNo Uses INT 3's and Debug Registers for Breakpoints YesNo Caught by Single-stepping ChecksYesNo Caught by IDT ChecksYesNo Reading /proc/self/statYesNo Caught by Exception HandlersYesNo Parent-child DebuggingYesNo Timing checksYesNo Caught by User App Signature Detection YesNo

7 RECON2008 How is it stealthy? Helikaon injects a jump at runtime from kernel land into a user space running process rather than using standard debugger breakpoints like “INT 3” or DR0-DR7 hardware registers Using Helikaon to inject jumps to reroute code allows the debugger to have command of the running executable at a particular address Since the driver’s injections are dynamic, the code remains unmodified after its run is completed and injected jumps are removed immediately after they are used

8 RECON2008 Anti-debug Example

9 RECON2008 GDB Detected Disassembled program run through GDB debugger shows debugger detected

10 RECON2008 IF Debugger undetected Add a breakpoint in the Helikaon Driver @ 0x80481D8

11 RECON2008 Running Helikaon View execution state (via registers etc) “No Debugger present or CC detected or signal detected”

12 RECON2008 Done at Runtime Inject jumps to reroute code allows the Helikaon debugger to have command of running exe Breakpoints on packed code Code remains unmodified on file

13 RECON2008 Nuts and Bolts The driver needs three things before being compiled and loaded: 1.Breakpoint address 2.Slack space address (could use startup code space) 3.Return address of a Syscall such as ‘uname’

14 RECON2008 Nuts and Bolts Cont. The chosen Syscall should be one that executes early, say in startup code, like the Syscall to ‘uname’

15 RECON2008 Why uname - Linux Kernel User Process Linux Kernel int 80

16 RECON2008 Hook Kernel via syscalls User Process Linux Kernel int 80 Helikaon Driver

17 RECON2008 Hooking process

18 RECON2008 Hooked uname Where the fun begins

19 RECON2008 Putting it together Helikaon Driver tasks 1. Hook the Syscalls ‘uname’ and ‘fdatasync’ – (could be other Syscall instead). User Process Runs 1. Syscall ‘uname’ executed in startup code. Helikaon Driver tasks 1.Hooked Syscall ‘uname’ rerouted to driver (previous slide) 2.Save off stolen bytes (where the breakpoint will go). 3.From hooked Syscall inject a “JMP slackspace” into the running process where you want to add the breakpoint. 4.Copy breakpoint handler code into slack space. Breakpoint Hit – User Process tasks 1.When EIP hits the “JMP slackspace” control will pass to slack space (handler code). 2.Handler code – push registers on stack. 3.Handler code – interrupt (generates Syscall ‘fdatasync’ – already hooked Syscall :). Helikaon Driver tasks – hooked ‘fdatasync’ 1.Print the registers from hooked Syscall fdatasync. 2.Replace stolen bytes in user process. 3.Optional: Modify registers or print memory. 4.Returns back to User Process. User Process tasks 1.Still in slack space – Pop all registers that were pushed on stack. 2.Jump back were breakpoint was (stolen bytes have been replaced). 3.Continue execution.

20 RECON2008 Putting it Together Cont. uname() Linux Kernel int 80 User Process Startup Main() BP (Jmp inserted) push regs fdatasync() Pop regs (10) Jmp BP Addr (11) Slack space Hooked syscalls Helikaon Hooked_uname() Steal bytes (2) Add BP Add Handler Code Hooked_fdatasync() Print regs (7) Replace stolen bytes Return to Slack (9) (1) (3) (4) int 80 (6) (5) (8)

21 1

22 RECON2008 Uname executed

23 RECON2008 Break Point Hit 0x80481D8 JMP 0x8049650 Move stack pointer in EBX so I can deref. Register values

24 RECON2008 This and That Encrypted code that becomes decrypted in memory could make a system call Looped code – Replace stolen bytes in slack then JMP [bpAddr + 5] Could reroute every instruction (instruction tracing)

25 RECON2008 Summary Software that prevents a reverse engineer from dynamic analysis through means of anti-debugging measures can be thwarted using Helikaon Debugger Utilizes ‘int 80’ to the reverse engineer’s advantage

26 RECON2008 Future Work Ability to reroute instructions in other drivers GUI front end controlled by user Utilize shared memory instead of slack space or clean up better in slack space

27 RECON2008 Contact Jason Raber Team Lead - Reverse Engineer 937-427-7085 jraber@rri-usa.org

Download ppt "RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)

Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’

Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’
Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?

Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.

Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
OllyDbg Debuger.

OllyDbg Debuger.
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.
Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.

Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.
Embedded Systems Principle of Debugger. Reference Materials kl.de/avr_projects/arm_projects/#winarmhttp://www.siwawi.arubi.uni-

Embedded Systems Principle of Debugger. Reference Materials kl.de/avr_projects/arm_projects/#winarmhttp://
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
System Calls 1.

System Calls 1.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Micro-Computer Applications: Procedures & Interrupts Dr. Eng. Amr T. Abdel-Hamid ELECT 707 Fall 2011.

Micro-Computer Applications: Procedures & Interrupts Dr. Eng. Amr T. Abdel-Hamid ELECT 707 Fall 2011.
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.

Similar presentations

Ads by Google