#1
x64 and anti-debugging
In reversing, anti-debugging tricks have always been a highly interesting matter. Since the migration towards x64 hardware and OSes, some things have changed, though.
The other day, I came across an x64 program which was always fake-detecting debugging on a certain test system. Diving into the matter and circumventing all anti-debugging tricks under the debugger, it worked fine. The reason for the failure outside the debugger proved to be the well-known rep stos/movs trick. Code:
; Example code
t1 equ goodboy-badboy-2            ; rel8 of the jmp short that the patch plants at badboy
new: db 0EBh,01,81h,0EBh,t1        ; jmp short +1, junk byte 81h, jmp short goodboy (the 6th copied byte is whatever follows new; it is never executed)
; cut //
lea rsi,[new]
lea rdi,[here]
mov rdx,[rdi]
mov rcx,3
here: rep movsw                    ; 3 words = 6 bytes land on here: itself and on the start of badboy
badboy:
mov r9,30h
lea r8,[DebugStatus]
lea rdx,[DbgFoundText]
xor rcx,rcx
invoke MessageBox ; badboy!
jmp Exit
goodboy:
mov r9,40h
lea r8,[DebugStatus]
lea rdx,[DbgNotFoundText]
xor rcx,rcx
invoke MessageBox ; goodboy!
; cut //
The rep stos/movs trick does not need further explaining, since everybody has known this one since 16-bit days. However, be warned not to use it anymore on x64. For testing, I attached an exe. Single-step it with F7 (F8 on the MessageBox call) and it will always detect you; however, I'm sure that a small percentage, having the newest x64 CPU technology, will get fake-detected outside the debugger!
Carpe Diem, lena151.
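A runnable harness for the trick in post #1, added here as an example; it is not lena151's code or her attachment. It hand-assembles the same five patch bytes (jmp short +1, a junk 81h, jmp short goodboy) and has a rep movsb copy them over the instruction that follows it, then reports two things separately: whether the bytes in memory changed (they always do) and which instruction the CPU actually executed. It simplifies her layout in one respect: the copy is aimed at the instruction after the rep rather than at the rep instruction itself, so the stub cannot corrupt its own loop if the CPU restarts the string instruction part-way. Assumptions: x86-64 Linux with GCC or Clang (GAS syntax in a top-level asm block), an anonymous RWX mapping permitted by the kernel, and the smc_* symbol names are mine; on any other host run_rep_movs_probe() reports -1.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What the probe reports. path: 2 = the patched jmp short ran, 1 = the original
 * mov eax,1 ran although memory had already been patched, -1 = probe unavailable.
 * memory_patched: 1 if the destination bytes equal the patch after the run. */
struct probe_result {
    int path;
    int memory_patched;
};

#if defined(__x86_64__) && defined(__linux__) && defined(__GNUC__)

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux x86 value, in case strict -std=c99 headers hide it */
#endif

/* Position-independent stub in GAS AT&T syntax (symbol names smc_* are mine).
 * rep movsb copies the five patch bytes over the instruction that follows it.
 * Everything it references lives between smc_probe and smc_probe_end, so the
 * stub can be memcpy'd into any executable buffer and still work. */
__asm__(
    ".text\n"
    ".globl smc_probe\n"
    ".globl smc_badboy\n"
    ".globl smc_patch\n"
    ".globl smc_probe_end\n"
    ".type smc_probe, @function\n"
    "smc_probe:\n"
    "    lea smc_patch(%rip), %rsi\n"     /* source: the patch bytes            */
    "    lea smc_badboy(%rip), %rdi\n"    /* destination: the next instruction  */
    "    mov $5, %ecx\n"
    "    rep movsb\n"                     /* string store into our own code     */
    "smc_badboy:\n"
    "    mov $1, %eax\n"                  /* B8 01 00 00 00: overwritten by the patch */
    "    ret\n"
    "smc_goodboy:\n"
    "    mov $2, %eax\n"                  /* reachable only through the patched jmp */
    "    ret\n"
    "smc_patch:\n"
    "    .byte 0xEB, 0x01\n"              /* jmp short +1: skip the junk byte   */
    "    .byte 0x81\n"                    /* junk, never executed               */
    "    .byte 0xEB, smc_goodboy - smc_badboy - 5\n" /* jmp short smc_goodboy  */
    "smc_probe_end:\n"
    ".size smc_probe, smc_probe_end - smc_probe\n"
);

extern const unsigned char smc_probe[], smc_badboy[], smc_patch[], smc_probe_end[];

struct probe_result run_rep_movs_probe(void)
{
    struct probe_result r = { -1, -1 };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (size_t)(smc_probe_end - smc_probe);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return r;                         /* RWX mapping refused: report unavailable */

    memcpy(buf, smc_probe, len);          /* a fresh, unpatched copy every run */
    int (*fn)(void);
    void *entry = buf;
    memcpy(&fn, &entry, sizeof fn);       /* object -> function pointer, no cast warning */

    r.path = fn();
    /* Whatever the CPU chose to execute, memory now holds the patch. */
    r.memory_patched = memcmp(buf + (smc_badboy - smc_probe), smc_patch, 5) == 0;

    munmap(buf, page);
    return r;
}

#else
/* Not x86-64 Linux: the stub cannot be assembled or run here. */
struct probe_result run_rep_movs_probe(void)
{
    struct probe_result r = { -1, -1 };
    return r;
}
#endif

int main(void)
{
    struct probe_result r = run_rep_movs_probe();
    if (r.path < 0) {
        puts("probe unavailable on this host");
        return 0;
    }
    printf("memory patched : %s\n", r.memory_patched ? "yes" : "no");
    printf("executed path  : %s\n", r.path == 2
           ? "patched jmp (CPU refetched after the string store)"
           : "original mov eax,1 (stale copy of the instruction)");
    return 0;
}
```

Build with gcc -O2 and run it free, then once more under a debugger single-stepping the rep movsb. Path 2 means the CPU refetched after the string store; path 1 means it executed the original mov eax,1 from an already-fetched copy while memory said otherwise. Single-stepping ends in a trap after which the CPU fetches from memory again, so on a chip that would otherwise run the stale instruction the verdict flips under the debugger; that difference between chips, and between free and traced execution, is what lena151's stub turns into its message box.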
#2
Good to see you again
@lena151: Good to see you again. Miss you so much.
I hope that you are well, and your family too. Good to see you writing about reversing again. I hope you still like writing tutorials for newbies like me. Thanks in advance.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#3
Hmmm, Ahmadmansoor is a Newbie?
It is not the 1st of April today. Thank you, lena151. I think we need more information about RCE on x64.
#4
Quote:
But Ahmadmansoor vs. Lena? No way. I think I'm still a child (newbie).
_____________
I have played with it and changed some bytes... then, lol, it detects a debugger all the time. I know it is stupid work; I just like fun.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#5
Quote:
Code:
if (detected) {
    MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
} else {
    MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
}
#6
According to this blog, http://nezumi-lab.org/blog/?p=120, the prefetch bug no longer exists as of Intel Core i7.
#7
@ahmadmansour
I've downloaded your code, and I don't have any debugger on my system, but it says debugger found. Can you explain it? P.S.: I have Windows 7 64-bit.
#8
Hi lena151,
Can you post an external link? My account does not have sufficient privileges to download the attachment... Thanks
#9
Hi,
The rep stos/movs trick works fine in my tests:
- Windows XP x64
- Windows 7 x64
Attached: flash movie of an IDA live test...
---
File: x64 Anti-single step.htm
MD5: 91aad204fe61b3a46afb46eed4d1fda2
SHA1: 3c48deb7d8d6e21f8c6e63882615128d4b854baf
CRC32: 95d4569f
---
File: x64 Anti-single step.swf
MD5: a9287a4f42a467f23290e7d284891132
SHA1: e9c2c931de3de7df9c2c735bc574d13cbca3292a
CRC32: f97ee390
---
File: x64 Anti-single step.exe
MD5: a2702aaf3844eaf3903cb563deaeda05
SHA1: 26bd720ec215754a8a140593cd3924d504ff173a
CRC32: fd8fa22d
---
File: x64 Anti-single step.i64
MD5: 667ce8eab62117c15f6f3679b9d63b0b
SHA1: b7ce9f357930d7ca7bb4a74d9bd9c59b7a6aba22
CRC32: 8306cb3a
---
#10
It's not about the OS that you're running. It's about the chip.
#11
lena151, thank you for the nice tip.
Also thanks for all your tutorials; I very much enjoyed them.
#12
SEH can be used as a powerful anti-debug trick, see attachment.
The following user gave Reputation+1 to arlequim for this useful post: ahmadmansoor (01-25-2011)
#13
Will be tested...
Thanks arlequim
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#14
I see you are really interested in this subject; here is a little trick for OllyDbg 1.10:
Code:
;bye OllyDbg 1.10 :))
.data
byeolly qword -1            ; tbyte operand for fld: 8-byte mantissa 0FFFFFFFFFFFFFFFFh ...
        word 403Dh          ; ... followed by the 2-byte sign/exponent word 403Dh
.code
start:
    fld tbyte ptr ds:[byeolly]
end start
#15
Here is another good trick with DebugActiveProcess. Example in attachment