Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Tuesday, January 31 2012 05:33.39 CST  
Printer Friendly ...
Yet Another Anti-Debug Trick
Author: waleedassar # Views: 7311

I have recently come up with a new anti-debug trick, which can be useful only if the "Break on new thread" option is set. The trick has been tried on OllyDbg v1.10 and Immunity Debugger v1.83 in WOW64, Windows 7. Actually, i am not sure if someone else has already found it.

In any affected debugger, if CREATE_THREAD_DEBUG_EVENT is received and the "Break on new thread" option is set, the debugger places an int3 software breakpoint on the lpStartAddress. There is a narrow time window between setting the int3 software breakpoint and recovering the original byte and this is what we are going to exploit.

N.B. The next few lines are only for demonstration. More complicated methods may evolve out of them.

Having two threads in an application, the first thread does almost nothing and the second one checks the first byte of the first thread's entrypoint, we can simply detect the debugger. See the image below.


The demo can be found here.
http://ollytlscatch.googlecode.com/files/demo.exe
You can also find its source code here.
https://docs.google.com/document/d/1kd-Fw110lbK9h-i6Jc2fs57LUjdU2sYji97XCLTTawE/edit

An XP-compatible demo can be found here.
http://ollytlscatch.googlecode.com/files/demo_xp.exe

You can find its source code here.
https://docs.google.com/document/d/1G-6VSCrqM9KI_t82kPTGdo05cmaqyoVZG23o304Pk_o/edit


Blog Comments
NirIzr Posted: Tuesday, January 31 2012 07:48.24 CST
This is a portion of an already known imperfection with olly v1 (and thus also with immunity)... Olly used software interrupt 03 for all of its internal breakpoints, so actually a lot of other similar tricks could be used (like scanning your code for int3's in general) in olly v2 there's a new (and very logical) option - to default to hardware breakpoints instead of software ones, which became rather obsolete...

waleedassar Posted: Wednesday, February 1 2012 17:38.04 CST
Cautious reverse engineers won't be affected by 0xCC scanning, as they carefully set and delete software breakpoints. But they may be affected, if they don't know the fact that OllyDbg pauses on new threads with software breakpoints.

NirIzr Posted: Sunday, February 5 2012 11:39.21 CST
Cautious reverses will user HW breakpoints, or combination of software + memory BPs... i believe these are better precautions.
however, notice I wasn't talking about users` breakpoints but all the BPs olly uses itself.
I've actually reminded that there are more BPs olly places other than on thread creation, all of which might be detected with your method.
I've also mentioned that Olly v2 does what most of us do manually for years - use HW BPs.

anyway I've seen the technique you've found used in the wild, where the protector would load DLLs and create threads only to check if they were BPed.
So i guess i can verify someone else had found it, but not sure if it was ever documented anywhere.

JeRRy Posted: Tuesday, February 21 2012 09:39.27 CST
It would be great if you make a plugin or patches for the bugs you found for Ollydbg 1.10.

waleedassar Posted: Tuesday, February 21 2012 10:25.29 CST
Soon, i will release a plugin to address these issues.



Add New Comment
Comment:









There are 31,040 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit