About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Tuesday, January 31 2012 05:33.39 CST  
Printer Friendly ...
Yet Another Anti-Debug Trick
Author: waleedassar # Views: 997

I have recently come up with a new anti-debug trick, which can be useful only if the "Break on new thread" option is set. The trick has been tried on OllyDbg v1.10 and Immunity Debugger v1.83 in WOW64, Windows 7. Actually, i am not sure if someone else has already found it.

In any affected debugger, if CREATE_THREAD_DEBUG_EVENT is received and the "Break on new thread" option is set, the debugger places an int3 software breakpoint on the lpStartAddress. There is a narrow time window between setting the int3 software breakpoint and recovering the original byte and this is what we are going to exploit.

N.B. The next few lines are only for demonstration. More complicated methods may evolve out of them.

Having two threads in an application, the first thread does almost nothing and the second one checks the first byte of the first thread's entrypoint, we can simply detect the debugger. See the image below.


The demo can be found here.
http://ollytlscatch.googlecode.com/files/demo.exe
You can also find its source code here.
https://docs.google.com/document/d/1kd-Fw110lbK9h-i6Jc2fs57LUjdU2sYji97XCLTTawE/edit

An XP-compatible demo can be found here.
http://ollytlscatch.googlecode.com/files/demo_xp.exe

You can find its source code here.
https://docs.google.com/document/d/1G-6VSCrqM9KI_t82kPTGdo05cmaqyoVZG23o304Pk_o/edit


Blog Comments
NirIzr Posted: Tuesday, January 31 2012 07:48.24 CST
This is a portion of an already known imperfection with olly v1 (and thus also with immunity)... Olly used software interrupt 03 for all of its internal breakpoints, so actually a lot of other similar tricks could be used (like scanning your code for int3's in general) in olly v2 there's a new (and very logical) option - to default to hardware breakpoints instead of software ones, which became rather obsolete...

waleedassar Posted: Wednesday, February 1 2012 17:38.04 CST
Cautious reverse engineers won't be affected by 0xCC scanning, as they carefully set and delete software breakpoints. But they may be affected, if they don't know the fact that OllyDbg pauses on new threads with software breakpoints.

NirIzr Posted: Sunday, February 5 2012 11:39.21 CST
Cautious reverses will user HW breakpoints, or combination of software + memory BPs... i believe these are better precautions.
however, notice I wasn't talking about users` breakpoints but all the BPs olly uses itself.
I've actually reminded that there are more BPs olly places other than on thread creation, all of which might be detected with your method.
I've also mentioned that Olly v2 does what most of us do manually for years - use HW BPs.

anyway I've seen the technique you've found used in the wild, where the protector would load DLLs and create threads only to check if they were BPed.
So i guess i can verify someone else had found it, but not sure if it was ever documented anywhere.

JeRRy Posted: Tuesday, February 21 2012 09:39.27 CST
It would be great if you make a plugin or patches for the bugs you found for Ollydbg 1.10.

waleedassar Posted: Tuesday, February 21 2012 10:25.29 CST
Soon, i will release a plugin to address these issues.



Add New Comment
Comment:









There are 28,631 total registered users.


Recently Created Topics
windbg - olly/immunity
May/14
Reverse a WinRAR pac...
May/13
Add comments to resu...
May/10
can we code script ...
May/09
Type Casting Structu...
May/07
How to Reverse Engin...
May/03
Sulley on OS X (10.7)
May/01
Help me guys
May/01
IDA Resource Viewer ...
Apr/28
How do i use plugins...
Apr/27


Recent Forum Posts
windbg - olly/immunity
blowcheck
Help me guys
Olivier
Reverse a WinRAR pac...
NirIzr
windbg - olly/immunity
anonymouse
Reverse a WinRAR pac...
DriEm
Add comments to resu...
phn1x
IDA Resource Viewer ...
DriEm
Add comments to resu...
qiuhan
IDA Resource Viewer ...
waleeda...
IDA Resource Viewer ...
DriEm


Recent Blog Entries
waleedassar
Apr/20
OllyDbg NumberOfSections Crash
icegood
Apr/13
Advanced labels plugin for ...
waleedassar
Mar/31
GetModuleFileNameEx And Inf...
waleedassar
Mar/31
OllyDbg v1.10 And Wow64
waleedassar
Mar/29
OllyDbg Resource Table Pars...
More ...


Recent Blog Comments
raxen on:
Mar/27
Anti-Dumping
Dallas on:
Mar/22
ChapljaVM Code Obfuscator
Dallas on:
Mar/22
Hack stuff, get paid
Dallas on:
Mar/22
Exe Packer TAGGANT system f...
Dallas on:
Mar/22
Olly2 SystemTray Plugin
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit