x64 and anti-debugging
In reversing, anti-debugging tricks have always been a highly interesting matter. Since the migration towards x64 hardware and OSes, some things have changed though.
The other day, I came across an x64 software which was always fake detecting debugging on a certain test system. Diving into the matter and circumventing all anti-debugging tricks under the debugger, it worked fine. The reason for the failure outside the debugger proved to be the well-known rep stos/movs trick. Code:
Example code The rep stos/movs trick does not need further explaining since everybody has known this one since 16 bit. However, be warned not to use it anymore on x64. For testing, I attached an exe. Single step it with F7 (F8 on the messagebox call) and it will always detect you; however, I'm sure that a small percentage -having the newest x64 CPU technology- will get fake detected outside the debugger! Carpe Diem, lena151. |
Good to see u again
@lena151 : Good to see you again :eek: ..Miss you Sooooooooooooooooooooooo much ;) .
I hope that you are well and your family too. Good to see you write about reversing again. I hope you still like writing a tut for a Newbie ...like me :rolleyes: Thanks in advance |
Hmmm, Ahmadmansoor is a Newbie?
It is not 1st April today. Thank you, lena151. I think we need more information about RCE on x64. |
Quote:
but Ahmadmansoor VS Lena, no way. I think I am still a child (Newbie) :rolleyes: _____________ I have played with it ....and changed some bytes :rolleyes: .. then lol, the debugger is detected all the time ....... :D . I know it is stupid work ...I just like fun. |
Quote:
Code:
if (detected) { |
According to this blog
http://nezumi-lab.org/blog/?p=120 the prefetch bug no longer exists from the Intel Core i7 on. |
@ahmadmansour
I've DLed your code and I don't have any debugger on my system, but it says debugger found. Can you explain it? P.S.: I have Windows 7 64-bit |
Hi lena151,
Can you post an external link? My account does not have sufficient privileges to download attachments... Thanks |
Hi,
The rep stos/movs trick works fine in my tests: - Windows XP x64 - Windows 7 x64 Attached is a flash movie of the IDA live test... |
It's not about the OS that you're running. It's about the chip.
|
lena151, thank you for the nice tip. :)
Also thanks for all your tutorials, I very much enjoyed them. |
SEH can be used as a powerful anti-debug trick, see attachment.
|
will be tested ...
Thanks arlequim |
Quote:
Code:
;bye OllyDbg 1.10 :)) |
Here is another good trick with DebugActiveProcess. Example in attachment ;)
|