Exetools  

#1
04-06-2010, 02:34
lena151
x64 and anti-debugging

In reversing, anti-debugging tricks have always been a highly interesting matter. Since the migration towards x64 hardware and OSes, some things have changed though.

The other day, I came across an x64 program which was always falsely detecting a debugger on a certain test system. Diving into the matter and circumventing all anti-debugging tricks under the debugger, it worked fine. The reason for the failure outside the debugger proved to be the well-known rep stos/movs trick.

Code:
Example code

	t1 equ goodboy-badboy-2		; rel8 of a 2-byte short jmp placed at badboy, aimed at goodboy
	new: db 0EBh,01,81h,0EBh,t1	; patch bytes: jmp $+3 (skips the 81h), then jmp goodboy

   ; cut //

	lea rsi,[new]			; source: the patch bytes
	lea rdi,[here]			; destination: the rep movsw instruction itself
	mov rdx,[rdi]			; keep the original 8 bytes at 'here'
	mov rcx,3			; 3 words = 6 bytes (the 6th is whatever follows 'new'), covering 'here' and the start of badboy
  here:
	rep movsw			; overwrites its own bytes while it is executing
  badboy:
	mov r9,30h			; after an uninterrupted copy these bytes have become 'jmp goodboy'
	lea r8,[DebugStatus]
	lea rdx,[DbgFoundText]
	xor rcx,rcx
	invoke MessageBox			; badboy!
	jmp Exit
  goodboy:
	mov r9,40h
	lea r8,[DebugStatus]
	lea rdx,[DbgNotFoundText]
	xor rcx,rcx
	invoke MessageBox			; goodboy!

   ; cut //

The rep stos/movs trick does not need further explaining, since everybody has known this one since 16-bit days. However, be warned not to use it anymore on x64. For testing, I attached an exe. Single-step it with F7 (F8 on the MessageBox call) and it will always detect you; however, I'm sure that a small percentage, having the newest x64 CPU technology, will get falsely detected outside the debugger!

Carpe Diem,

lena151.
Attached Files
File Type: rar x64 Anti-single step.rar (549 Bytes, 24 views)
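As an added illustration (not lena151's code or attachment), the following Python model replays the copy at the byte level and shows both outcomes the thread describes: an uninterrupted rep movsw leaves a short jmp at badboy, while re-decoding the instruction after each iteration (single-stepping, or a CPU that detects the write to the instruction it is executing) turns the half-patched rep movsw into a jmp straight into badboy. Offsets, encodings and the distance to goodboy are constructed assumptions.

```python
# Added example, not from the thread: byte-level model of the rep movsw self-patch.
# Offsets and encodings are constructed; the prefix order of 'rep movsw' varies
# by assembler, only its length (3 bytes) matters to the trick.
HERE = 0x00                  # 'rep movsw' sits here (66 F3 A5)
BADBOY = HERE + 3            # 'mov r9,30h' = 49 C7 C1 30 00 00 00
GOODBOY = BADBOY + 0x1C      # constructed distance; the real one depends on the cut code
NEW = 0x40                   # data area holding the patch bytes
T1 = GOODBOY - BADBOY - 2    # rel8 of a 2-byte 'jmp goodboy' written over badboy

def build_image() -> bytearray:
    """Lay out the constructed code image used by the model."""
    mem = bytearray(0x50)
    mem[HERE:HERE + 3] = bytes.fromhex("66F3A5")                 # rep movsw
    mem[BADBOY:BADBOY + 7] = bytes.fromhex("49C7C130000000")     # mov r9,30h
    # new: db 0EBh,01,81h,0EBh,t1 plus one filler byte: 3 words = 6 bytes are copied
    mem[NEW:NEW + 6] = bytes([0xEB, 0x01, 0x81, 0xEB, T1 & 0xFF, 0x00])
    return mem

def run(refetch_between_iterations: bool) -> str:
    """Return the label reached. True models a single-step trap (or a CPU with
    self-modifying-code detection) that re-decodes the bytes at RIP after each
    rep iteration; False models a CPU that finishes the whole rep from the
    copy of the instruction it already fetched."""
    mem = build_image()
    rip, rsi, rdi, rcx = HERE, NEW, HERE, 3
    while True:
        if rip == GOODBOY:
            return "goodboy"
        if rip == BADBOY and mem[rip] != 0xEB:
            return "badboy"
        op = mem[rip]
        if op == 0xEB:                                   # jmp rel8
            rel = mem[rip + 1]
            rip += 2 + (rel - 256 if rel > 127 else rel)
        elif mem[rip:rip + 3] == b"\x66\xF3\xA5":        # rep movsw
            while rcx:
                mem[rdi:rdi + 2] = mem[rsi:rsi + 2]
                rsi, rdi, rcx = rsi + 2, rdi + 2, rcx - 1
                if refetch_between_iterations:
                    break                                # RIP still points at 'here': re-decode it
            else:
                rip += 3                                 # copy finished: fall into badboy
        else:
            raise RuntimeError(f"unmodelled opcode {op:#x} at {rip:#x}")

if __name__ == "__main__":
    print("uninterrupted rep :", run(False))   # goodboy
    print("re-fetch per step :", run(True))    # badboy
```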
#2
04-06-2010, 04:17
ahmadmansoor
Good to see you again

@lena151: Good to see you again. Missed you so much.
I hope that you are well, and your family too.
Good to see you writing about reversing again.
I hope you still like writing tutorials for newbies like me.

Thanks in advance
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#3
04-06-2010, 09:51
ZeNiX
Hmmm, Ahmadmansoor is a Newbie?
It is not 1st April today.

Thank you, lena151.
I think we need more information about RCE on x64.
#4
04-07-2010, 03:06
ahmadmansoor

Quote:
Hmmm, Ahmadmansoor is a Newbie?
It is not 1st April today.
Nice one, ZeNiX.
But Ahmadmansoor vs. Lena? No way.
I think I am still a child (newbie).

_____________
I have played with it and changed some bytes;
then, lol, the debugger is detected all the time.
I know it is stupid work; I just like fun.
Attached Files
File Type: zip x64 Anti-single step.zip (583 Bytes, 20 views)
#5
04-07-2010, 10:38
remal
Quote:
Originally Posted by ahmadmansoor View Post
I have play with it ....and change some byte ..
then Lol debugger detect for all time ....... .
What did you change? To something like this?

Code:
if (detected) {
    MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
} else {
    MessageBox(NULL, "Debugger detected", "Debugger detected", MB_OK);
}
#6
04-13-2010, 10:03
remal
According to this blog

http://nezumi-lab.org/blog/?p=120

the prefetch bug no longer exists from Intel Core i7 onwards.
#7
05-20-2010, 06:12
netseeker
@ahmadmansoor
I've downloaded your code; I don't have any debugger on my system, but it says debugger found.

Can you explain it?

P.S.: I have Windows 7 64-bit.
#8
05-22-2010, 18:20
STRELiTZIA
Hi lena151,
Can you post an external link? My account does not have sufficient privileges to download the attachment... Thanks
#9
05-25-2010, 13:02
STRELiTZIA
Hi,
The rep stos/movs trick works fine in my tests:
- Windows XP x64
- Windows 7 x64

Attached flash movie: IDA live test...

Attached Files
File Type: rar x64 Anti-single step LIVE TESTS.rar (202.1 KB, 13 views)
#10
05-25-2010, 19:31
remal
It's not about the OS that you're running. It's about the chip.
#11
10-13-2010, 04:50
atomix
lena151, thank you for the nice tip.

Also thanks for all your tutorials, I very much enjoyed them.
#12
01-25-2011, 06:49
arlequim
SEH can be used as a powerful anti-debug trick, see attachment.
Attached Files
File Type: zip seh64.zip (7.1 KB, 19 views)
#13
01-25-2011, 16:40
ahmadmansoor
will be tested ...
Thanks arlequim
#14
01-26-2011, 03:30
arlequim
Quote:
Originally Posted by ahmadmansoor View Post
will be tested ...
Thanks arlequim
I see you are really interested in this subject; here is a little trick for OllyDbg 1.10:

Code:
;bye OllyDbg 1.10 :))
.data
byeolly qword -1		; low 8 bytes of a 10-byte extended-precision value
        word 403Dh		; high word: sign and exponent
.code
start:
	fld tbyte ptr ds:[byeolly]	; load the 80-bit value onto the FPU stack
end start
Dunno if it works, let me know. Bye!
#15
01-26-2011, 04:17
arlequim
Here is another good trick with DebugActiveProcess. Example in the attachment.
Attached Files
File Type: zip dap64.zip (4.3 KB, 33 views)