Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-03-2018, 00:42
HarrySpoofer HarrySpoofer is offline
Friend
 
Join Date: Jul 2018
Posts: 25
Rept. Given: 0
Rept. Rcvd 3 Times in 2 Posts
Thanks Given: 6
Thanks Rcvd at 20 Times in 8 Posts
HarrySpoofer Reputation: 4
Anti-debugging techniques for a hypervisor debugger

What anti-debugging techniques would a hypervisor debugger be vulnerable to ?

IMO a debugger that is a hypervisor can intercept the rdtsc instruction and most timing based anti-debugging techniques.

Am I missing anything?
Reply With Quote
  #2  
Old 08-03-2018, 00:57
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
You mean like to debug an entire operating system?
Or to debug an app inside an operating system (kinda like edge now runs in win 10)?

How about trying some convoluted means of time measurement, for example,
lock a Mutex and than try to lock it again with a call that times out after 1sec or so.
And than always compare the result to what you get from the rdtsc.

i.e. try to compare different timing sources, unless you would debug the entire os and modify all timing sources to keep them in sync that would be a way to detect something is wrong.

Of cause comparing against a server time would also be an option but well that needs a network connection.
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
niculaita (08-03-2018)
  #3  
Old 08-03-2018, 01:03
HarrySpoofer HarrySpoofer is offline
Friend
 
Join Date: Jul 2018
Posts: 25
Rept. Given: 0
Rept. Rcvd 3 Times in 2 Posts
Thanks Given: 6
Thanks Rcvd at 20 Times in 8 Posts
HarrySpoofer Reputation: 4
The hypervisor would have to envelop the entire OS to be tight and effective, wouldn't it? Like the famous Blue Pill...
Then, using OS structures, a single process could be singled out for debugging, so the experience is not too slow.

Indeed, with a network connection a timing based anti-debugging technique could be made.

What about, non-timing based techniques?
Could IO MMU and hardware be exploited?
Reply With Quote
  #4  
Old 08-03-2018, 01:22
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
> Could IO MMU and hardware be exploited?

Hmm...
I think that would strongly depend on how your anti-debugging technique ties into the operating system. Without ring 0 access you are limited to no hardware access and only a limited set of opcodes.

So assuming that your protected application is just that, a user space application, other that a Hardware dongle or Server I don't think there is any way.

If your application however comes with a driver than possibly there is a way, although I wouldn't know of hand how this way looks.

But, if you are virtualizing an entire OS with your victim application, why use hardware virtualization and risk the application having a shot at detecting something?

There were virtual machines long before there was Intel VT and AMD Pacifica, I remember Connectix virtual PC later M$ virtual PC, although this was before 64bit became mainstream.
Anyhow I don't see a reason why one couldn't make a new virtual machine software which runs a 64bit OS but does not require hardware support that is runs on the host as a boring user mode process. That is of cause except that fact that its performance would be worse may be much worse of cause. But for debugging that wouldn't matter much I guess.


So ultimately the only way to go would be to try to detect being run in a VM at all and than denying to run.

However if said VM software would be intended to be a Debuging host I think there would be no reliable way to detect being run in it which couldn't be bypassed by some minor update to the VM software.
Reply With Quote
  #5  
Old 08-03-2018, 05:31
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,056
Rept. Given: 579
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 725
Thanks Rcvd at 587 Times in 348 Posts
user1 Reputation: 41
google it, you find open source projects. some code is in ASM x86 so will need rewrite for x64.
Reply With Quote
Reply

Tags
debugger, hypervisor

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Beginners Guide to Basic Linux Anti Anti Debugging Techniques taos General Discussion 10 07-09-2005 05:55


All times are GMT +8. The time now is 22:03.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )