Lecture 10 Anti-debugger techniques. Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling.

Slides:



Advertisements
Similar presentations
Anti-Unpacking techniques
Advertisements

I/O Unit.
Unit 4 Chapter-1 Multitasking. The Task State Segment.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Chapter 6 Limited Direct Execution
Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Architectural Support for Operating Systems. Announcements Most office hours are finalized Assignments up every Wednesday, due next week CS 415 section.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
8.7 Memory management Program E Program D System memory DOS INT 21, function 48H: Allocate Memory Specification: allocates a number of memory paragraphs.
Interrupt Processing Haibo Wang ECE Department
Chapter 7 Interupts DMA Channels Context Switching.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.
Introduction to Interrupts
OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)
Gursharan Singh Tatla Block Diagram of Intel 8086 Gursharan Singh Tatla 19-Apr-17.
1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
Part 5: Anti-Reverse-Engineering Chapter 15: Anti-Disassembly Chapter 16: Anti-Debugging Chapter 17: Anti-Virtual Machine Techniques Chapter 18: Packing.
Micro-Computer Applications: Procedures & Interrupts Dr. Eng. Amr T. Abdel-Hamid ELECT 707 Fall 2011.
Application Security Tom Chothia Computer Security, Lecture 14.
Practical Malware Analysis Ch 8: Debugging Rev
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Windows PE files Infections and Heuristic Detection Nicolas BRULEZ / Digital River PACSEC '04.
Part 5: Anti-Reverse-Engineering
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.
NT Kernel CS Spring Overview Interrupts and Exceptions: Trap Handler Interrupt Request Levels and IRT DPC’s, and APC’s System Service Dispatching.
INT- interrupt program execution 1. It decrements the sp by 2 and pushes the flag registers on the stack. 2. Decrement the sp by 2 and push the content.
CSNB374: Microprocessor Systems Chapter 5: Procedures and Interrupts.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Exceptional Control Flow Topics Exceptions except1.ppt CS 105 “Tour of the Black Holes of Computing”
Dec Hex Bin 14 E ORG ; FOURTEEN Interrupts In x86 PC.
15-410, S’ Hardware Overview Jan. 19, 2004 Dave Eckhardt Bruce Maggs L04_Hardware “Dude, what were you thinking?”
Lecture 7 Rootkits Hoglund/Butler (Chapter 5-6). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.
بسم الله الرحمن الرحيم MEMORY AND I/O.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edit9on Lecture 3 Chapter 1: Introduction Provided & Updated by Sameer Akram.
Introduction to Operating Systems
Operating System Debugging Support and How Win32 Debuggers Work
Interrupt Processing Sequence
Live Phishing Attack Authentication Activity from a Foreign Address.
Interrupts and interrupt responses
MICROPROCESSOR BASED SYSTEM DESIGN
Microprocessor and Assembly Language
Microprocessor Systems Design I
Anton Burtsev February, 2017
Assembly Language Programming Part 3
Interrupts In 8085 and 8086.
8086 Microprocessor.
Basic Microprocessor Architecture
Microprocessor and Assembly Language
Anti-Unpacking techniques
CS-401 Computer Architecture & Assembly Language Programming
Part 5: Anti-Reverse-Engineering
Anti-Unpacking techniques
Lecture Topics: 11/1 General Operating System Concepts Processes
Architectural Support for OS
Chapter 10 And, Finally... The Stack
Interrupt handling Explain how interrupts are used to obtain processor time and how processing of interrupted jobs may later be resumed, (typical.
Malware and the Windows API
Architectural Support for OS
Process.
Presentation transcript:

Lecture 10 Anti-debugger techniques

Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling –Debugger detection Behavior modification Crashing debugger Links – – – techniques-are-overratedhttp://rdist.root.org/2007/04/19/anti-debugger- techniques-are-overrated – ghttp:// g –

Modify Interrupts Overwrite Interrupt Vector of INT 1/3 to point to garbage code –INT 1 = Debug Single Step –INT 3 = Debug Breakpoint –Point to garbage so debugger crashes –Must skip instructions to counter Run long loop of INT 3 instructions –Slows down AV or debugging process –Must NOP out INT 3 to counter Turn off keyboard interrupts IN AL,20h OR AL,02 OUT AL,20 IN AL,20 AND AL, NOT 2 OUT AL,20

Modify interrupts Replace INT 1/3 with another valid interrupt Detect INT 1 tracing by stack inspection –INT 1 overwrites 6 bytes below SP with return values for IP, CS, and Flags PUSH AX POP AX DEC SP POP BX CMP AX,BX JNE CODE_IS_TRACED Force INT 1/INT 3 tracing to disable code –Hide critical value (i.e. decryption key) on stack directly without modifying stack pointer –Debugger will overwrite value if it runs

Protecting anti-debug code Use anti-debug routines as decryption key –Retrieve a byte from routines to modify decryption routine –Prevents AV and anti-debugger from “NOP”ing out your traps Running line –Hook INT 1 –Decrypt each instruction just before it is run –Re-encrypt each instruction just after it is run –Only one instruction at a time is decrypted in memory

Detection tricks IsDebuggerPresent() –Returns 0 if current process is not running in the context of a debugger –Searches PEB (Process Environment Block) for the field IsDebugged –CheckRemoteDebuggerPresent() checks if debugger is a separate, parallel process that is attached to process –Windows NT NTGlobalFlag for WindowsNT NtQueryInformationProcess –Can be easily bypassed with breakpoint scripts, patching of the IAT, or directly modifying the PEB

Detection tricks Detect presence of INT 41/INT 2dh –Used by Windows debugging interface Detect INT 68h hooking (SoftICE) Detect files and registry keys created by debugger –szOllyKey, szIsSICEKey –Attempt to create SoftICE driver to detect presence –Look for \system32\drivers\WINICE.dat –\\.\SICE, \\.\SIWDEBUG, etc.\\.\SICE\\.\SIWDEBUG Detect debug processes or hooks –Check for NTice service via OpenService() –OllyInvisible hooking of CsrGetProcessId –Olly HideDebugger detour modifications to OpenProcess() –Scan every running process and read out memory address 0x004B064B (where OllyDB stores some of its strings)

Detection tricks Scan and detect 0xCC opcode (int 3) Scan low memory for specific names installed by SoftICE such as “WINICE.BR”, “SOFTICE1” Examine timing –Use rdtsc to measure cycles –Measure system calls to detect virtualization or syscall hijacks Vmware, Sebek, UML, etc. VMEDetect using rdtsc trick –Debugger instruction stepping –Obfuscate calls to rdtsc by using trampoline within existing ntdll.dll (ReleaseBufferLocation()) Detecting VMware –Execute VMware backdoor I/O function call –Check location of IDT

Detection tricks Check registers and flags used for debug purposes –TRAP bit in EFLAGS register –DR0-DR7 Change registers in exception handler Set handler apriori and cause an error in code (divide by zero) When context switching to handler, debug registers saved on user stack Read and write these values –PEB ProcessHeap flag Execute exception with Trap flag set –No debugger = SEH will occur –Debugger = SEH will not occur Check PROCESSINFOCLASS for ProcessDebugPort or SYSTEMINFOCLASS for SystemDebuggerInformation

Crashing tricks (landmines) Exploit software errors in debuggers –Confuse LordPE and ProcDump dumping by reporting inconsistent process image size –Crash SoftICE with poorly formatted strings –Crash SoftICE with illegal form of instructions –Crash OllyDBG with format string vulnerability OutputDebugString() –Crash OllyDBG with bogus PE Headers

Confusion tricks OllyDBG does not handle instruction prefixes well –Insert prefix one byte before SEH –OllyDBG skips it, but SEH runs with no debugger OllyDBG mishandling INT 3 –Set an SEH before INT3 OllyDBG memory handling –PAGE_GUARD used as memory break-point –Set SEH and execute PAGE_GUARD exception With OllyDBG, goes to MemBpx and continues execution Without OllyDBG, SEH code executed

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.