krot

Antidebugging by Piotr Bania

Jun 27th, 2018
   ---------------------------------------------------
    Antidebugging for (m)asses - protecting the env.
   ---------------------------------------------------
     written by Piotr Bania <bania.piotr@gmail.com>

         [___ http://pb.specialised.info ___]

  -----------------
   0. DISCLAIMER
  -----------------

    The author takes no responsibility for any actions taken with the provided
    information or code. The copyright for any material created by the author is
    reserved. Any duplication of the code or text provided here in electronic or
    printed publications (including compiled code) is not permitted without the
    author's agreement.


  -----------------
   I. INTRODUCTION
  -----------------

    The number of computer hackers/crackers has reached a very high level recently.
    Currently it is very hard to develop a product which will be secure against
    those types of people; strictly speaking, it is surely impossible. However,
    why not make their dirty work harder and give them some more, so let's take a
    look at a few new antidebugging methods/techniques.
    On the other hand it can help malware/virus researchers understand
    and analyse the latest bad stuff. Enjoy!

    NOTE: The following examples were created/researched/tested on a Windows XP box;
    it is possible that they will not work on other Windows systems.

  -----------------
   II. EXAMPLES
  -----------------

       ----------------------
    [+] Example 01h
       ----------------------

    Affects (works on): All so-called SEH debuggers (tested on OllyDbg and WinDbg).

    Note: The following example requires administrator privileges for well-known
    reasons. In fact this doesn't affect its severity much, because
    administrator privileges are required to use some debugger features, so
    anyone who wants to use all the debugging features needs to run as admin.

    Generally, after researching a few things inside the Windows kernel, I found that it is
    possible to open CSRSS.EXE (the client/server runtime process, a system process)
    while the application is being debugged. Have a look at this code (I believe it will make it
    a hell of a lot easier to understand):

    ----// SNIP SNIP //---------------------------------------------------------

    push <CSRSS_PID>            ; pid
    push 0                      ; Inheritable = FALSE
    push 0C3Ah                  ; access flags=CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE
                                ; \ |QUERY_INFORMATION|800 (800h = SUSPEND_RESUME)
    @callx OpenProcess
    test eax,eax
    jz @we_are_not_debugged     ; OpenProcess returned NULL

    @evil_me:                   ; <- execution flows here when a debugger is attached
    int 3

    @we_are_not_debugged:       ; well, no SEH debugger detected or not enough privileges

    ----// SNIP SNIP //---------------------------------------------------------

    Like I said before, when the application is debugged it is able to open CSRSS.EXE, and in
    this case OpenProcess will not fail (of course I guess I don't have to remind you about
    privileges). What's more, look at the rights which we have used to open the target process,
    *yuck* - the debugged application has full control of CSRSS.EXE! The last thing I figured
    out is that a special native API exported by ntdll exists for grabbing the pid of CSRSS,
    named CsrGetProcessId.

    (microsoft windows xp sp1 output)
    E:\asm>find ntdll.dll CsrGetProcessId
    ------------------------------------------------------------
        Little GetProcAddress Utility
        coded by Piotr Bania <bania.piotr@gmail.com>
    ------------------------------------------------------------
    * ntdll.dll base addr at: 0x77F50000
      + CsrGetProcessId has address: 0x77F5EF76
    ------------------------------------------------------------

    If you don't want to execute CsrGetProcessId you can emulate it
    (address hard-coded for Microsoft Windows XP SP1), like this example shows:

    ----// SNIP SNIP //---------------------------------------------------------
    mov eax,077FC46A4h      ; ntdll variable where the CSRSS pid is stored
    mov eax,[eax]           ; EAX = CSRSS pid now (plain load; never write the variable back)
    ----// SNIP SNIP //---------------------------------------------------------


    The following example (when debugged) causes a BSOD because it creates a thread inside the
    client/server runtime process at a non-existent location:


    ----// SNIP SNIP //---------------------------------------------------------
    mov eax,077F5EF76h
    call eax                    ; execute CsrGetProcessId, returns CSRSS pid

    push eax
    push 0
    push 0C3Ah
    @callx OpenProcess          ; open CSRSS process
    test eax,eax
    jz exit                     ; opening failed


    call a
    dd 0
    a:
    push 0
    push 0
    push 0
    push 1234567h               ; yep, it doesn't exist...
    push 0
    push 0
    push eax
    @callx CreateRemoteThread   ; creates a thread inside of the process, *BSOD*

    exit:
    push 0
    @callx ExitProcess
    ----// SNIP SNIP //---------------------------------------------------------


    Well, I hope you enjoyed this one, so let's think about another example.


       ----------------------
    [+] Example 02h
       ----------------------

    The XP series provides a magic API called CheckRemoteDebuggerPresent (well, generally it
    provides a lot of new debug features), and like the name suggests it is used to check if a
    debugger is present.


    E:\asm>find kernel32.dll CheckRemoteDebuggerPresent
    ------------------------------------------------------------
        Little GetProcAddress Utility
        coded by Piotr Bania <bania.piotr@gmail.com>
    ------------------------------------------------------------
    * kernel32.dll base addr at: 0x77E60000
      + CheckRemoteDebuggerPresent has address: 0x77EB582B
    ------------------------------------------------------------

    A few words from MSDN about this function:
    (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/
    \ debugactiveprocessstop.asp)

    ----
    CheckRemoteDebuggerPresent

    The CheckRemoteDebuggerPresent function determines whether the specified process
    is being debugged.

    BOOL CheckRemoteDebuggerPresent(
      HANDLE hProcess,
      PBOOL pbDebuggerPresent
    );

    Parameters
    hProcess            - [in] Handle to the process.
    pbDebuggerPresent   - [in, out] Pointer to a variable that the function sets to
                          TRUE if the specified process is being debugged, or FALSE otherwise.

    Return Values
    If the function succeeds, the return value is nonzero.
    If the function fails, the return value is zero. To get extended error information,
    call GetLastError.
    ----

    And here is a little code for this example:

    ----// SNIP SNIP //---------------------------------------------------------

    push offset is_present      ; our variable (pbDebuggerPresent)
    push -1                     ; process handle (-1 = current process)
    mov eax,077EB582Bh
    call eax                    ; execute CheckRemoteDebuggerPresent

    mov eax,dword ptr [is_present]
    test eax,eax
    jz @we_are_not_debugged     ; no debugger found

    @we_are_debugged:           ; execution flows here when a debugger is attached
    int 3

    @we_are_not_debugged:       ; no debugger detected
    push 0
    @callx ExitProcess

    is_present  dd 0

    ----// SNIP SNIP //---------------------------------------------------------


    Or if you prefer the emulated way (using NtQueryInformationProcess):

    E:\asm>find ntdll.dll NtQueryInformationProcess
    ------------------------------------------------------------
        Little GetProcAddress Utility
        coded by Piotr Bania <bania.piotr@gmail.com>
    ------------------------------------------------------------
    * ntdll.dll base addr at: 0x77F50000
      + NtQueryInformationProcess has address: 0x77F5BDD8
    ------------------------------------------------------------

    And here comes a little emulation example:

    ----// SNIP SNIP //---------------------------------------------------------

    lea eax,our_process_handle
    push eax                    ; this stack slot doubles as the output buffer
    mov ebx,esp                 ; ebx -> output buffer
    push 0                      ; ReturnLength = NULL
    push 4                      ; ProcessInformationLength
    push ebx                    ; ProcessInformation
    push 7                      ; ProcessInformationClass = ProcessDebugPort
    push dword ptr [eax]        ; ProcessHandle = -1 (current process)
    mov eax,077F5BDD8h
    call eax                    ; execute NtQueryInformationProcess
    pop ecx                     ; ecx = debug port value
    test eax,eax
    jl exit                     ; negative NTSTATUS = call failed

    cmp ecx,0                   ; debug port is -1 when a debugger is attached
    jge @we_are_not_debugged

    int 3                       ; yes we are debugged!


    @we_are_not_debugged:       ; no debugger detected
    exit:
    push 0
    @callx ExitProcess

    our_process_handle          dd -1

    ----// SNIP SNIP //---------------------------------------------------------

    Now let's turn the page to the third example.


       ----------------------
    [+] Example 03h
       ----------------------


    Many times SoftICE/D* users terminate the debugged program by using "r eip ExitProcess"
    or by assembling a direct jump/call to the ExitProcess API; in this example I will
    demonstrate how to detect a debugger when such an action occurs.

    Well, this can be done in many ways, like patching ExitProcess with a jmp to
    our procedure and so on; however, that can be defeated easily and it is not so stealthy.
    I'm going to show you an example of this technique.

    Protecting the region of ExitProcess with VirtualProtect (for known reasons dirty and not
    perfect); what is even funnier, it causes a Break-on-access exception in Olly, and in the
    current version there is no option to bypass it :)) (of course I believe you
    know how to rewrite it for catching Olly)


       Schema of how this example works:
       I.   STAGE - Setup an SEH frame which will catch the PAGE_GUARD exception
       II.  STAGE - Change the access protection of ExitProcess to PAGE_GUARD
       III. STAGE - If a debugger action is found we will end up in the SEH frame
                    with the marker variable set to zero, otherwise it will be set
                    to 1 (good flag).
       IV.  STAGE - display a message box


       NOTES: After the STATUS_PAGE_GUARD exception the PAGE_GUARD access protection
              of ExitProcess is turned off. A better thing than a variable marker?
              Yes, you can try random keys stored in registers and so on,
              then compare them in the SEH frame (context structure).


       ----// SNIP SNIP //---------------------------------------------------------
    mov ebx,077E79863h          ; ExitProcess addr

    push offset seh_handler     ; setup SEH frame
    push dword ptr fs:[0]
    mov dword ptr fs:[0],esp

    push offset old_protect
    push PAGE_EXECUTE_READ OR PAGE_GUARD
    push 1
    push ebx
    @callx VirtualProtect       ; give it PAGE_GUARD protection


    push 0
    push offset m1
    push offset m1
    push 0
    @callx MessageBoxA
                                ; attach debugger and give "r eip ExitProcess"
                                ; of course it must be done after protecting
                                ; ExitProcess

    exit:
    mov byte ptr [marker],1     ; marker set to 1 (marker is a byte)
    push 0
    @callx ExitProcess


    seh_handler:
    pop     dword ptr fs:[0]    ; remove SEH frame
    pop eax

    cmp byte ptr [marker],1     ; is this our call?
    je exit

    push 0
    push offset m2
    push offset m2
    push 0
    @callx MessageBoxA          ; we are debugged...
    jmp exit

    m2              db "Ups im being debugged :)",0
    m1              db "Attach debugger now and change eip to ExitProcess!",0

    marker          db 0
    old_protect     dd 0


       ----// SNIP SNIP //---------------------------------------------------------
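    As an added example (not from the article), a small Python static scanner for the byte-level
    fingerprints that Examples 01h to 03h leave in x86 code: the 0C3Ah access mask pushed for
    OpenProcess, the hard-coded XP SP1 addresses, the ProcessDebugPort class pushed for
    NtQueryInformationProcess and the PAGE_EXECUTE_READ|PAGE_GUARD value pushed for VirtualProtect.
    The sample blob is a hand-assembled fragment constructed for this example, and the name
    PROCESS_SUSPEND_RESUME for the 800h bit comes from winnt.h, not from the article.

```python
import struct
# PROCESS_* rights from winnt.h; 800h is PROCESS_SUSPEND_RESUME (the article only writes "800")
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
}
# Addresses the article hard-codes for Windows XP SP1
XP_SP1_ADDRS = {
    0x77F5EF76: "CsrGetProcessId", 0x77F5BDD8: "NtQueryInformationProcess",
    0x77EB582B: "CheckRemoteDebuggerPresent", 0x77E79863: "ExitProcess",
    0x77FC46A4: "ntdll CSRSS pid variable",
}

def decode_mask(mask):   # expand an OpenProcess access mask into PROCESS_* names
    return "|".join(n for bit, n in PROCESS_RIGHTS.items() if mask & bit)

def scan(code):
    """Linear sweep over raw x86 bytes; returns [(offset, description)] of fingerprints."""
    raw, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0xB8, 0xBB) and i + 5 <= len(code):       # mov eax/ebx, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if imm in XP_SP1_ADDRS:
                raw.append((i, "hard-coded XP SP1 address of " + XP_SP1_ADDRS[imm]))
            i += 5
        elif op == 0x68 and i + 5 <= len(code):              # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if imm == 0xC3A:
                raw.append((i, "OpenProcess access mask " + decode_mask(imm)))
            elif imm == 0x120:                               # PAGE_EXECUTE_READ | PAGE_GUARD
                raw.append((i, "VirtualProtect PAGE_EXECUTE_READ|PAGE_GUARD"))
            i += 5
        elif op == 0x6A and i + 2 <= len(code):              # push imm8
            if code[i + 1] == 7:
                raw.append((i, "ProcessDebugPort (7) pushed"))
            i += 2
        else:
            i += 1
    # 'push 7' alone is far too common to report: keep it only when the
    # NtQueryInformationProcess address is loaded within the next 32 bytes.
    ntqip = [o for o, d in raw if d.endswith("NtQueryInformationProcess")]
    return [(o, d) for o, d in raw
            if not d.startswith("ProcessDebugPort") or any(0 < n - o <= 32 for n in ntqip)]

# Constructed sample: Example 02h's NtQueryInformationProcess sequence, then push 0C3Ah, mov ebx,ExitProcess, push 120h
SAMPLE = (b"\x6a\x00\x6a\x04\x53\x6a\x07\xff\x30\xb8\xd8\xbd\xf5\x77\xff\xd0"
          b"\x68\x3a\x0c\x00\x00\xbb\x63\x98\xe7\x77\x68\x20\x01\x00\x00")
```

    Running scan(SAMPLE) reports the five fingerprints in the blob in order; a lone push 7 with no
    NtQueryInformationProcess address nearby is deliberately not reported.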



  ---------------------
   III. OUTRO(DUCTION)
  ---------------------

    This seems to be the end of this short article; I have plenty more ideas but
    not enough time to write them all here. Anyway, I hope you enjoyed the stuff
    I have provided here; if you have any questions drop me a mail.