x64 and anti-debugging
1 Attachment(s)
In reversing, anti-debugging tricks have always been a highly interesting matter. Since the migration towards x64 hardware and OSes, some things have changed though.
The other day, I came across an x64 program which was always fake detecting debugging on a certain test system. Diving into the matter and circumventing all anti-debugging tricks under the debugger, it worked fine. The reason for the failure outside the debugger proved to be the well-known rep stos/movs trick.

Code: Example code

The rep stos/movs trick does not need further explaining, since everybody has known this one since 16-bit. However, be warned not to use it anymore on x64. For testing, I attached an exe. Single-step it with F7 (F8 on the MessageBox call) and it will always detect you; however, I'm sure that a small percentage, having the newest x64 CPU technology, will get fake detected outside the debugger!

Carpe Diem, lena151. |
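The post above refers to the rep stos trick only by name, and its attachment is not on this page. The program below is an added example written for this thread, not lena151's attachment and not any code from the forum: it is the trick rebuilt as a self-contained probe for x86-64 Linux (the function names `prefetch_probe`, `make_probe_writable` and `prefetch_probe_run` are ours). The `rep stosb` overwrites the immediate of the `mov $0, %eax` that directly follows it. If the CPU still executes the instruction bytes it had already fetched, the old `mov $0` runs; if the write forces a refetch, the patched `mov $1` runs. Single-stepping under a debugger always forces the refetch, which is why the trick "detects" the debugger. The point of the thread is that any current x86 CPU with self-modifying-code detection forces the same refetch on its own, so the probe also reports 1 with no debugger attached, exactly the false positive lena151 describes.

```c
/* Added example: the rep stos "prefetch" anti-debug probe, x86-64 Linux.
 * Not the thread's attachment; names and layout are this example's own.
 * Build: gcc -O2 -o prefetch_probe prefetch_probe.c */
#include <stdio.h>

#if defined(__x86_64__) && defined(__linux__)
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* The probe itself. `rep stosb` stores a single 0x01 into the immediate of
 * the `mov $0, %eax` that follows it. That mov is emitted as raw bytes so
 * the assembler cannot choose a different encoding. Returns eax, and hands
 * back the address just past the patched byte so the caller can restore it. */
__attribute__((noinline)) static int prefetch_probe(unsigned char **past_patch)
{
    int result;
    unsigned char *end;
    __asm__ volatile(
        "leaq 1f(%%rip), %%rdi\n\t"  /* rdi = address of the mov below      */
        "incq %%rdi\n\t"             /* ... +1 = its 32-bit immediate        */
        "movb $1, %%al\n\t"          /* byte to store                        */
        "movl $1, %%ecx\n\t"         /* store exactly one byte               */
        "rep stosb\n\t"              /* patch the instruction that follows   */
        "1:\n\t"
        ".byte 0xb8, 0x00, 0x00, 0x00, 0x00\n\t" /* mov $0, %eax (b8 imm32)  */
        : "=a"(result), "=D"(end)
        :
        : "rcx", "memory", "cc");
    *past_patch = end;
    return result;
}

/* Make the page(s) holding the probe writable so rep stosb does not fault.
 * Two pages in case the probe straddles a boundary; fall back to one. */
static int make_probe_writable(void)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t base = (uintptr_t)prefetch_probe & ~(uintptr_t)(page - 1);
    int prot = PROT_READ | PROT_WRITE | PROT_EXEC;
    if (mprotect((void *)base, (size_t)page * 2, prot) == 0)
        return 0;
    return mprotect((void *)base, (size_t)page, prot);
}

/* Run the probe once and put the original byte back so it can be rerun.
 *  1 = the freshly written instruction executed: a single-stepping debugger,
 *      and also any current x86 CPU that detects self-modifying code
 *  0 = the stale, already-fetched instruction executed (old CPUs, no debugger)
 * -1 = the code page could not be made writable */
int prefetch_probe_run(void)
{
    unsigned char *past;
    if (make_probe_writable() != 0)
        return -1;
    int r = prefetch_probe(&past);
    *(volatile unsigned char *)(past - 1) = 0;   /* restore mov $0, %eax */
    return r;
}
#else
int prefetch_probe_run(void) { return -1; }      /* not x86-64 Linux */
#endif

int main(void)
{
    int r = prefetch_probe_run();
    if (r < 0)
        puts("probe unavailable on this platform");
    else
        printf("rep stos probe: debugger %sdetected\n", r ? "" : "not ");
    return 0;
}
```

Run it natively on any Intel or AMD CPU from the last decade and it prints "detected" with no debugger attached; run it under `gdb` with `stepi` and it prints the same thing. That identical result in both cases is what makes the check useless as a debugger test on x64, and why a program shipping it gets "fake detected" on real users' machines. The `make_probe_writable` step is only needed because the binary's text is mapped read-only; the original 16-bit trick never had to care.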
Good to see u again
@lena151: Good to see you again :eek: .. Miss you sooooooooooooooooooooooo much ;).
I hope that you are well, and your family too. Good to see you writing about reversing again. I hope you still like writing tuts for newbies... like me :rolleyes: Thanks in advance |
Hmmm, Ahmadmansoor is a Newbie?
It is not 1st April today. Thank you, lena151. I think we need more information about RCE on x64. |
1 Attachment(s)
Quote:
But Ahmadmansoor vs. Lena? No way. I think I'm still a child (newbie) :rolleyes:
_____________
I have played with it ... and changed some bytes :rolleyes: .. then, lol, the debugger is detected all the time ....... :D . I know it is stupid work ... I just like fun. |
Quote:
Code:
if (detected) { |
According to this blog
http://nezumi-lab.org/blog/?p=120 the prefetch bug no longer exists from Intel Core i7 onwards. |
@ahmadmansour
I've downloaded your code, and I don't have any debugger on my system, but it says debugger found. Can you explain it?
P.S.: I have Windows 7 64-bit. |
Hi lena151,
Can you post an external link? My account doesn't have sufficient privileges to download attachments... Thanks |
1 Attachment(s)
Hi,
The rep stos/movs trick works fine in my tests:
- Windows XP x64
- Windows 7 x64

Attached: Flash movie of an IDA live test...

---
File: x64 Anti-single step.htm
MD5: 91aad204fe61b3a46afb46eed4d1fda2
SHA1: 3c48deb7d8d6e21f8c6e63882615128d4b854baf
CRC32: 95d4569f
---
File: x64 Anti-single step.swf
MD5: a9287a4f42a467f23290e7d284891132
SHA1: e9c2c931de3de7df9c2c735bc574d13cbca3292a
CRC32: f97ee390
---
File: x64 Anti-single step.exe
MD5: a2702aaf3844eaf3903cb563deaeda05
SHA1: 26bd720ec215754a8a140593cd3924d504ff173a
CRC32: fd8fa22d
---
File: x64 Anti-single step.i64
MD5: 667ce8eab62117c15f6f3679b9d63b0b
SHA1: b7ce9f357930d7ca7bb4a74d9bd9c59b7a6aba22
CRC32: 8306cb3a
--- |
It's not about the OS that you're running. It's about the chip.
|
lena151, thank you for the nice tip. :)
Also thanks for all your tutorials, I very much enjoyed them. |
1 Attachment(s)
SEH can be used as a powerful anti-debug trick, see attachment.
|
Will be tested...
Thanks, arlequim |
Quote:
Code:
;bye OllyDbg 1.10 :)) |
1 Attachment(s)
Here is another good trick with DebugActiveProcess. Example in attachment ;)
|
Is this code intended to crash OllyDbg, or to cause a silent exit?
-Fyyre
Quote:
|
Quote:
If I gather other anti-debug codes, I will post them in this thread, be sure. Bye! |
Code:
fld tbyte ptr ds:[byeolly] |
Hi,
I searched the forum so as not to duplicate a post; the last reference was to the previous version, so here it is: OllyDbg plugin Stealth64 1.3
Quote:
http://tuts4you.com/download.php?view.2425
Regards,
Evilcry |
The FPU bug causes OllyDbg to crash when disassembling that part of the code.
It's caused by using the wrong mask, so the exception is not hidden. Most of the patches don't fix the problem (it just needs the mask changed); they change the instruction or do other silly things. |