Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Tuesday, January 31 2012 05:33.39 CST  
Printer Friendly ...
Yet Another Anti-Debug Trick
Author: waleedassar # Views: 11352

I have recently come up with a new anti-debug trick, which can be useful only if the "Break on new thread" option is set. The trick has been tried on OllyDbg v1.10 and Immunity Debugger v1.83 in WOW64, Windows 7. Actually, i am not sure if someone else has already found it.

In any affected debugger, if CREATE_THREAD_DEBUG_EVENT is received and the "Break on new thread" option is set, the debugger places an int3 software breakpoint on the lpStartAddress. There is a narrow time window between setting the int3 software breakpoint and recovering the original byte and this is what we are going to exploit.

N.B. The next few lines are only for demonstration. More complicated methods may evolve out of them.

Having two threads in an application, the first thread does almost nothing and the second one checks the first byte of the first thread's entrypoint, we can simply detect the debugger. See the image below.


The demo can be found here.
http://ollytlscatch.googlecode.com/files/demo.exe
You can also find its source code here.
https://docs.google.com/document/d/1kd-Fw110lbK9h-i6Jc2fs57LUjdU2sYji97XCLTTawE/edit

An XP-compatible demo can be found here.
http://ollytlscatch.googlecode.com/files/demo_xp.exe

You can find its source code here.
https://docs.google.com/document/d/1G-6VSCrqM9KI_t82kPTGdo05cmaqyoVZG23o304Pk_o/edit


Blog Comments
NirIzr Posted: Tuesday, January 31 2012 07:48.24 CST
This is a portion of an already known imperfection with olly v1 (and thus also with immunity)... Olly used software interrupt 03 for all of its internal breakpoints, so actually a lot of other similar tricks could be used (like scanning your code for int3's in general) in olly v2 there's a new (and very logical) option - to default to hardware breakpoints instead of software ones, which became rather obsolete...

waleedassar Posted: Wednesday, February 1 2012 17:38.04 CST
Cautious reverse engineers won't be affected by 0xCC scanning, as they carefully set and delete software breakpoints. But they may be affected, if they don't know the fact that OllyDbg pauses on new threads with software breakpoints.

NirIzr Posted: Sunday, February 5 2012 11:39.21 CST
Cautious reverses will user HW breakpoints, or combination of software + memory BPs... i believe these are better precautions.
however, notice I wasn't talking about users` breakpoints but all the BPs olly uses itself.
I've actually reminded that there are more BPs olly places other than on thread creation, all of which might be detected with your method.
I've also mentioned that Olly v2 does what most of us do manually for years - use HW BPs.

anyway I've seen the technique you've found used in the wild, where the protector would load DLLs and create threads only to check if they were BPed.
So i guess i can verify someone else had found it, but not sure if it was ever documented anywhere.

JeRRy Posted: Tuesday, February 21 2012 09:39.27 CST
It would be great if you make a plugin or patches for the bugs you found for Ollydbg 1.10.

waleedassar Posted: Tuesday, February 21 2012 10:25.29 CST
Soon, i will release a plugin to address these issues.



Add New Comment
Comment:









There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit