Exetools

Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   x64 and anti-debugging (https://forum.exetools.com/showthread.php?t=12726)

lena151 04-06-2010 02:34

x64 and anti-debugging
 
1 Attachment(s)
In reversing, anti-debugging tricks have always been a highly interesting matter. Since the migration towards x64 hardware and OSes, some things have changed though.

The other day, I came across an x64 software which was always fake-detecting debugging on a certain test system. Diving into the matter and circumventing all anti-debugging tricks under the debugger, it worked fine. The reason for the failure outside the debugger proved to be the well-known rep stos/movs trick.

Code:

Example code

        t1 equ goodboy-badboy-2                  ; rel8 for the short jmp that lands on goodboy
        new: db 0EBh,01,81h,0EBh,t1              ; jmp $+3 / 81h filler / jmp goodboy (5 bytes)

  ; cut //

        lea rsi,[new]                            ; source: the patch bytes above (+1 byte that follows them)
        lea rdi,[here]                           ; destination: the rep movsw instruction itself
        mov rdx,[rdi]                            ; keep the original 8 bytes at here
        mov rcx,3                                ; 3 words = 6 bytes
  here:
        rep movsw                                ; overwrites itself while it runs
  badboy:                                        ; = here+3; reached when the rep is re-fetched after its first iteration (single step)
        mov r9,30h                               ; MB_ICONWARNING
        lea r8,[DebugStatus]                     ; caption
        lea rdx,[DbgFoundText]                   ; text
        xor rcx,rcx                              ; hWnd = NULL
        invoke MessageBox                        ; badboy!
        jmp Exit
  goodboy:                                       ; reached when the rep finished from prefetched bytes and fell into the new jmp at badboy
        mov r9,40h                               ; MB_ICONINFORMATION
        lea r8,[DebugStatus]
        lea rdx,[DbgNotFoundText]
        xor rcx,rcx
        invoke MessageBox                        ; goodboy!

  ; cut //


The rep stos/movs trick does not need further explaining, since everybody has known this one since 16-bit. However, be warned not to use it anymore on x64. For testing, I attached an exe. Single-step it with F7 (F8 on the MessageBox call) and it will always detect you; however, I'm sure that a small percentage, having the newest x64 CPU technology, will get fake-detected outside the debugger!

Carpe Diem,

lena151.
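To make the mechanism behind lena151's snippet concrete, here is an added example in C for x86-64 (not code from the original post or its attachment). It builds a position-independent stub with the same construction (rep movsw copying 3 words from `new` over its own bytes at `here`; in this stub t1 = goodboy - badboy - 2 = 4), then does two things: a byte-level model that walks through both CPU behaviours, showing why a re-fetch after the first iteration lands on badboy while a run from prefetched bytes falls into the new jmp and reaches goodboy; and a live run of the stub from an RWX mapping, which assumes a POSIX host with `mmap`/`MAP_ANONYMOUS` and returns -1 where that is unavailable. The offsets, the 0x81 filler and the trailing nop are this stub's own; the original leaves the sixth byte to whatever follows the `db` line.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) && !defined(_WIN32)
#include <sys/mman.h>   /* assumption: POSIX host for the live run */
#endif

/* Offsets inside the stub, derived from the byte listing below. */
enum { HERE = 19, BADBOY = 22, GOODBOY = 28, NEWBYTES = 31, STUB_LEN = 37 };

/* Position-independent x86-64 stub built the same way as lena151's snippet.
   rep movsw copies 3 words (6 bytes) from `new` over its own bytes at `here`.
   Here t1 = goodboy - badboy - 2 = 4.  The 6th byte after `new` is an explicit
   nop; in the original it is whatever happens to follow the db line. */
static const uint8_t stub_template[STUB_LEN] = {
    0x48,0x8D,0x35,0x18,0x00,0x00,0x00, /* lea rsi,[rip+0x18]  ; -> new       */
    0x48,0x8D,0x3D,0x05,0x00,0x00,0x00, /* lea rdi,[rip+0x05]  ; -> here      */
    0xB9,0x03,0x00,0x00,0x00,           /* mov ecx,3           ; 3 words      */
    0xF3,0x66,0xA5,                     /* here:    rep movsw                 */
    0xB8,0x01,0x00,0x00,0x00,0xC3,      /* badboy:  mov eax,1 ; ret           */
    0x31,0xC0,0xC3,                     /* goodboy: xor eax,eax ; ret         */
    0xEB,0x01,0x81,0xEB,0x04,0x90       /* new: jmp $+3, 81h, jmp goodboy, nop */
};

/* Byte-level model of the two CPU behaviours.
   refetch=0: the CPU keeps running the rep from already-fetched bytes, finishes
              all 3 words and then continues at here+3.
   refetch=1: a single-step trap (or strict self-modifying-code detection)
              restarts the instruction after the first iteration, so the CPU
              decodes whatever is at `here` at that moment.
   Returns BADBOY or GOODBOY (the offset the model ends up executing). */
static int model_trick(int refetch)
{
    uint8_t mem[STUB_LEN];
    memcpy(mem, stub_template, STUB_LEN);
    int rcx = 3, rsi = NEWBYTES, rdi = HERE;
    while (rcx > 0) {
        mem[rdi] = mem[rsi]; mem[rdi + 1] = mem[rsi + 1];   /* one movsw */
        rsi += 2; rdi += 2; rcx--;
        if (refetch) break;              /* trap fires, rep gets re-decoded */
    }
    int rip = refetch ? HERE : HERE + 3;
    for (;;) {
        if (rip < 0 || rip >= STUB_LEN) return -1;
        if (mem[rip] == 0xEB)            /* jmp rel8 */
            rip += 2 + (int8_t)mem[rip + 1];
        else if (mem[rip] == 0xB8)       /* mov eax,1   : badboy  */
            return BADBOY;
        else if (mem[rip] == 0x31)       /* xor eax,eax : goodboy */
            return GOODBOY;
        else
            return -1;                   /* not reachable with this template */
    }
}

/* Execute the stub on the real CPU from an RWX mapping.  Returns 1 (badboy),
   0 (goodboy) or -1 when no executable mapping is available on this host.
   Each call starts from a fresh copy, because a run rewrites the stub. */
#if defined(__x86_64__) && defined(MAP_ANONYMOUS)
static int run_on_cpu(void)
{
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, stub_template, STUB_LEN);
    __builtin___clear_cache((char *)p, (char *)p + STUB_LEN);
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);          /* object -> function pointer */
    int r = fn();
    munmap(p, len);
    return r;
}
#else
static int run_on_cpu(void) { return -1; }
#endif

int main(void)
{
    printf("model, rep runs from prefetched bytes : %s\n",
           model_trick(0) == GOODBOY ? "goodboy" : "badboy");
    printf("model, rep re-fetched after 1st iter  : %s\n",
           model_trick(1) == BADBOY ? "badboy" : "goodboy");
    int r = run_on_cpu();
    printf("real CPU, no debugger attached        : %s\n",
           r < 0 ? "not run on this host" : r ? "badboy (debugger 'detected')" : "goodboy");
    return 0;
}
```

Build with `cc stub.c` and run it without a debugger. On a current Intel or AMD core the live run is expected to print badboy even though nothing is attached, which is the false positive lena151 and netseeker describe: the CPU itself re-decodes `here` after the store hits the instruction bytes, exactly as a single-step trap would. The 81h filler byte is never executed on either path: the re-fetched `jmp $+3` skips it and the fall-through path starts at here+3.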

ahmadmansoor 04-06-2010 04:17

Good to see you again
 
@lena151 : Good to see you again :eek: .. Miss you sooooooooooooooooooooooo much ;) .
I hope that you are well, and your family too.
Good to see you writing about reversing again.
I hope you still like writing tutorials for newbies ... like me :rolleyes:

Thanks in advance

ZeNiX 04-06-2010 09:51

Hmmm, Ahmadmansoor is a newbie?
It is not the 1st of April today.

Thank you, lena151.
I think we need more information about RCE on x64.

ahmadmansoor 04-07-2010 03:06

1 Attachment(s)
Quote:

Hmmm, Ahmadmansoor is a Newbie?
It is not 1st April today.
:D nice one ZeNiX ....
but Ahmadmansoor vs. Lena, no way.
I think I am still a child (newbie) :rolleyes:

_____________
I have played with it .... and changed some bytes :rolleyes: ..
then lol, the debugger is detected all the time ....... :D .
I know it is stupid work ... I just like fun.

remal 04-07-2010 10:38

Quote:

Originally Posted by ahmadmansoor (Post 67536)
I have played with it .... and changed some bytes :rolleyes: ..
then lol, the debugger is detected all the time ....... :D .

What did you change? To something like this?

Code:

if (detected) {
MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
} else {
MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
}


remal 04-13-2010 10:03

According to this blog

http://nezumi-lab.org/blog/?p=120

The prefetch bug no longer exists from the Intel Core i7 onward.

netseeker 05-20-2010 06:12

@ahmadmansour
I've downloaded your code, and I don't have any debugger on my system, but it says debugger found.

Can you explain it?

P.S.: I have Windows 7 64-bit.

STRELiTZIA 05-22-2010 18:20

Hi lena151,
Can you post an external link? My account does not have sufficient privileges to download the attachment... Thanks

STRELiTZIA 05-25-2010 13:02

1 Attachment(s)
Hi,
The rep stos/movs trick works fine in my tests:
- Windows Xp x64
- Windows 7 x64

Attached: a flash movie of an IDA live test...

---
File: x64 Anti-single step.htm
MD5: 91aad204fe61b3a46afb46eed4d1fda2
SHA1: 3c48deb7d8d6e21f8c6e63882615128d4b854baf
CRC32: 95d4569f
---
File: x64 Anti-single step.swf
MD5: a9287a4f42a467f23290e7d284891132
SHA1: e9c2c931de3de7df9c2c735bc574d13cbca3292a
CRC32: f97ee390
---
File: x64 Anti-single step.exe
MD5: a2702aaf3844eaf3903cb563deaeda05
SHA1: 26bd720ec215754a8a140593cd3924d504ff173a
CRC32: fd8fa22d
---
File: x64 Anti-single step.i64
MD5: 667ce8eab62117c15f6f3679b9d63b0b
SHA1: b7ce9f357930d7ca7bb4a74d9bd9c59b7a6aba22
CRC32: 8306cb3a
---

remal 05-25-2010 19:31

It's not about the OS that you're running. It's about the chip.

atomix 10-13-2010 04:50

lena151, thank you for the nice tip. :)

Also thanks for all your tutorials, I very much enjoyed them.

arlequim 01-25-2011 06:49

1 Attachment(s)
SEH can be used as a powerful anti-debug trick, see attachment.

ahmadmansoor 01-25-2011 16:40

will be tested ...
Thanks arlequim

arlequim 01-26-2011 03:30

Quote:

Originally Posted by ahmadmansoor (Post 71174)
will be tested ...
Thanks arlequim

I see you are really interested in this subject; here is a little trick for OllyDbg 1.10:

Code:

;bye OllyDbg 1.10 :))
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc      ; MASM32 package layout assumed
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
byeolly qword -1                         ; low 64 bits of the 80-bit operand (mantissa, all ones)
        word 403Dh                       ; high 16 bits (sign and exponent)
.code
start:
fld tbyte ptr ds:[byeolly]               ; 10-byte FPU load of the value reported to upset OllyDbg 1.10
invoke ExitProcess, 0                    ; exit cleanly instead of running off the end of .code
end start

Dunno if it works, let me know. Bye! ;)

arlequim 01-26-2011 04:17

1 Attachment(s)
Here is another good trick with DebugActiveProcess. Example in attachment ;)

