ANTI|DEBUGGING

By

Adwiteeya Agrawal

REVERSE ENGINEERING

• Definition

“Software reverse engineering is about opening up a

program’s “box,” and looking inside. “

PROGRAMMERS vs REVERSERS

Logic

Code

Executable

Logic

Code

Example : Code Written

Ideally , the else block should never be executed since the value of var1 is not changed.

After Disassembling

We can easily modify the binary to execute the else loop.

Problem ?

• A Google search for “Crack Torrent” returns 200 million results and “Software Crack” around 45M.

• Reversing is extensively used to develop cracks for proprietary software.

Possible Solutions

• Anti-Debugging (Detecting how a process is different from when it is being debbugged and when its run.)

• Code Obfuscation(Encryption, pseudo execution flow, logic)

• However : The end result after exploring the various options available is that we cannot totally prevent software reverse engineering however we can slow down the process for a dedicated reverse engineer.

Anti - Debugging

• Anti Debugging is done acknowledging the fact that when a process is being debugged it is going to have a set of properties that would be different from when it is not debugged.

• Anti-debugging requires a thorough understanding of the environment in which the program would be run.

Does Anti - Debugging help ?

Example : CCleaner

Software Vendors

Software Crackers

Malware Analysts

Types

API Based Detection

Techniques

Direct structure access

Exception Handling

Based Detection

API Based Anti|Debugging

(11 Techniques)

1.FindWindow API

• Scans memory for a process with the particular class name.

{ hnd = FindWindow("OLLYDBG", 0); }

• “OLLYDBG” is the class name for all windows that would be created and

have the same callback function.

• “0” scans irrespective of WindowName.

• Returns a handle if successful

• Spy++ utility can be used to enumerate the ClassName.

• DEMO - spy++

Spy++ on OllyDbg

2. Registry Value

• RegOpenKeyEx and RegQueryValueEx open a registry key and retrieve its value respectively

KEY Function

HKEY_CLASSES_ROOT\exefile\shell\Open with OllyDbg

Specifies the menu for

opening an exe file with

OllyDbg with a right click

HKEY_CLASSES_ROOT\exefile\shell\Open with

OllyDbg\command

Path to OllyDbg

HKEY_CLASSES_ROOT\dllfile\shell\Open with OllyDbg

Specifies the menu for

opening a dll file with OllyDbg

with a right click

HKEY_CLASSES_ROOT\dllfile\shell\Open with

OllyDbg\command

Path to OllyDbg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo

ws NT\CurrentVersion\AeDebug\Debugger

Path to default Debugger

3. IsDebuggerPresent API

• Looks for the BeingDebugged flag inside the PEB. • Extremely simple to use and thwart.

• { IsDebuggerPresent() } returns true if the process is being

debugged false otherwise.

• Can be done manually

• Assembly dump :

4. CheckRemoteDebuggerPresent API

• Function : Detects if a Debug Port has been set. • Can be used for a “remote” process but is used locally mostly. • Locally :

CheckRemoteDebuggerPresent(GetCurrentProcess(),&pblsPresent);

• Remotely for a PID 2800 { hndle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2800);

CheckRemoteDebuggerPresent(hndle,&pblsPresent); }

5.OutputDebugString API

Set Random Value for ERROR

Call OutputDebugString with any string

Check Value Of ERROR

If(No Change) : Debugger Present

Else : No Debugger

Works in XP.

Debug String Display in OllyDbg

Run Time Dynamic Linking

LoadLibrary Handle to dll

received GetProcAddress

Address of exported function

Call

Example : ntdll.dll

Ex : NTSetInformationThread, NTQueryInformationProcess

6. ZwSetInformationThread Function • Use run-time dynamic linking to get the address of

ZwSetInformationThread.

• Make the Call

• (_ZwSetInformationThread)(GetCurrentThread(),0×11,0,0);

• GetCurrentThread : Pseudo handle for the current thread

• 0x11 : ThreadHideFromDebugger , 17 in THREADINFOCLASS enum.

• 0 : Pointer of value that is to be set

• 0 : Size of the value.

• Different Approached followed.

7. DebugActiveProcess based Self Debugging

• Theoretically a process can be debugged only by One Debugger.

• Working :

Create a child process

Child Process attempts to

debug parent

If Error : Debugger Detected

8. OllyDbg Format String Vulnerability for Debugger Messages

• More like a vulnerability based detection

• The internal function that handles the input from OutputDebugString does so without using the correct number of format specifiers, allowing a user to supply their own format specifiers.

• OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"));

• Similar vulnerability based detection can be modeled around various vulnerabilities, Reference : http://waleedassar.blogspot.in

9. NTQueryInformationProcess to detect ProcessDebugPort

• Run-time dynamic linking to get the pointer to NTqueryInformationProcess

• Make the call with PROCESSINFOCLASS = 0x07

• NTSTATUS WINAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength );

• The 0x07 value is the process debug port.

• Debug Port is used for communication of Debug_Event between ring 3 and the kernel

• If set the process is being debugged.

• private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, . . . ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, MaxProcessInfoClass };

10. ProcessDebugFlags using NTQueryInformationProcess

11. ProcessDebugObject using NTQueryInformationProcess

•Run-time Dynamic Linking to get address of NTQuertInformationProcess Function. •Make the call with PROCESSINFOCLASS 0x1F. •If Set Debugger is present.

•Run-time dynamic linking to get the address •Call with PROCESSINFOCLASS 0x1E •If set debugger is present

• private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, . . . ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessResourceManagement, . .

. ProcessRevokeFileHandles, MaxProcessInfoClass };

Exception Based Anti|Debugging

(9 Techniques)

Exceptions | Windows

First Chance

VEH

SEH

Last Chance

Unhandled

1st • EXCEPTION_DEBUG_EVENT

VEH • VEH

SEH • SEH, per thread, FS:0

LC • Process Suspend

UE

• UnhandledExceptionFilter

• System Final Handler

Exception Handlers

typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD* ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD, *PEXCEPTION_RECORD;

typedef struct _EXCEPTION_POINTERS { PEXCEPTION_RECORD ExceptionRecord; PCONTEXT ContextRecord; } EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;

LONG CALLBACK ExceptionHandler( __in PEXCEPTION_POINTERS ExceptionInformation);

1. INT 3 Break Point Exception.

• The INT 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler.

• To set INT3 breakpoint, a debugger replaces first byte of the 80x86 command by 0xCC

• Type : EXCEPTION_BREAKPOINT to the Debugger

• When manually inlined then the process would just halt at the next instruction if run in a Debugger(thereby not triggering your catch block) or return 0x80000003 status code if run without a debugger.

2. INT 2D Exception

• Int 2Dh is used by ntoskrnl.exe to interact with kernel debugging system but we can use it also in user-mode or from ring 3 as well since the call will eventually filter to a ring 3 debugger if no kernel debugger exists.

• When int 2Dh is called the system will skip one byte after the interrupt, leading to opcode scission.

• Behaves exactly like int 3

• Based on weather our catch block is executed or not we declare presence of a debugger.

3. 0xF1 ICE Break Point

• This is identical to the functioning of 0xcc except the fact the this uses two bytes 0xCD 0x3C to insert the breakpoint.

4. TWO byte INT 3 breakpoint.

•One of the Intel's undocumented instruction, opcode 0xF1. •Executing this instruction will generate a SINGLE_STEP exception. •The debugger will think it is the normal exception generated by executing the instruction with the SingleStep bit set in the Flags registers.

5. Close Handle API call

• The CloseHandle function throws an exception, if an invalid handle is provided.

• The logic behind detection with Close Handle function is the opposite to the ones used in INT3 or INT 2D exception based debugger detection.

• Exception is only thrown when in a debugger

• Usually in debugging sessions it is a common practice that the exception is passed to the application

6. Trap Flag exception based detection

• The EFLAGS is a 32-bit register used as a collection of bits representing

Boolean values to store the results of operations and the state of the processor.

• By in-lining ASM we can modify the EFLAGS register.

• First bit of the second byte that is TF or the trap flag. If this flag is set the execution halts after executing the current instruction.

• Also called as the single step exception

EGLAGS Register

7. Memory breakpoint based detection

• If a memory breakpoint is set up, any access to the page in which the breakpoint exists, would result in the exception and the process would halt.

Allocate some 5mb

Fill with RET

Make it a GUARD PAGE Pointer to the PAGE

Call the Pointer

Detect Error

Technically

VirtualAlloc(NULL, 0x500000, MEM_COMMIT, PAGE_READWRITE);

RtlFillMemory(memRegion, 0x10, 0xC3);

VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD,

&oldProt);

myproc = (FARPROC) memRegion

myproc();

Detect Error

ProcessExplorer:Demo

Hack that ?

8. Control C VEH

• If a console process is being debugged for a CTRL+C signals, the system generates a DBG_CONTROL_C exception.

• If a debugger is not present CTRL+C event would require a console control handler.

• The CCH is executed if the debugger is not present.

• However if the debugger is present and it passes the exception to the application we can still detect it by adding a vectored exception handler. ;)

9. INVALID OPCODE exception based debugging

• Invalid OPCODE can be formed by manually editing bytes.

• F0 0F C7 C8 popularly known as the "Pentium F00F bug.“

• This evaluates to LOCK CMPXCHNG8B EAX

• OPCODE since a LOCK on CMPXCHNG8B cannot be applied with the destination operand as a register

• Now, before this OPCODE is executed an exception is created ILLEGAL_INSTRUCTION (C000001D)

• we define an UnhandledExceptionFilter ,only executed when the program

is not being debugged. So even if the debugger passes the exception to the application there isnt any handler. ;)

Direct Structure Access Based Anti|Debugging

(4 Techniques)

Direct isDebuggerPressent via PEB

• In this method we manually do what the isdebuggerpresent function call does.

• Run-Time Dynamic Linking to call NTQueryInformationProcess with PROCESSINFOCLASS set to ProcessBasicInformation = 0.

• typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION;

• Access ProcessExecutionBlock via PPEB (pointer) to check BeingDebbugedFlag.

PEB |Structure

typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PVOID Reserved8[312]; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId; } PEB, *PPEB; pPIB.PebBaseAddress->BeingDebugged

ProcessHeapFlag Debugger Detection

Heap Header User Allocation

Heap Header User Allocation Tail Checking Pattern Heap Extra

Multiple of 16 bytes 16 bytes

16 bytes Multiple of 16 bytes 16 bytes 16–31 bytes

DEBUGGER Without

With

{ HEAP }

{ /HEAP }

•In order to tell this to the OS before creating the HEAP two flags are set. “Flags” and “ForceFlags” •Present at the offset 0x14 and 0x18 for windows XP. •PEBbase address + Offset to HEAPbaseAddress + Flag offset.

typedef struct _HEAP { HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; PHEAP Heap; . . . ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; WORD SegmentAllocatorBackTraceIndex; WORD Reserved; LIST_ENTRY UCRSegmentList; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; . . HEAP_COUNTERS Counters; HEAP_TUNING_PARAMETERS TuningParameters; } HEAP, *PHEAP;

NTGlobalFlag Debugger Detection

• NTGlobalFlag is a DWORD value present at the offset 0x68 from the PEB base address.

• When inside a debugger the following flags are set by the operating system : FLG_HEAP_ENABLE_TAIL_CHECK (0x10) FLG_HEAP_ENABLE_FREE_CHECK(0x20) FLG_HEAP_VALIDATE_PARAMETERS(0x40)

• This equals to 0x70. We detect the value by the similar method and judge if a debugger is present or not.

and many more…

• Quick Discussion on minor.

• And MOST importantly if I have reached this slide :D

• THANK YOU NULL !