Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  Int 3 anti debug?

Topic created on: May 5, 2013 17:27 CDT by Funv .

Hi, trying to analyse a piece of malware, which when I step over a particular call, it hits an int 3 instruction within that call (in kernel32.dll).

If I try to continue stepping through (or step out) it eventually just continues to run...

The int 3 call is in kernel32.dll, is this normal? I believe its called as part of a WMI query.

Any help on how to get IDA to ignore this break point, or how to continue the debugging after this break would be great! I've tried setting IDA to ignore most exceptions (in the debugging options dialogue), but it still breaks at the same point, I've also tried patching the instruction to a nop in memory.

The only thing I haven't tried is running it in Olly because it took me a while to get to where I am now (its a packed, obfuscated program... brilliant for a newbi...)

A screenie of where the program stops and hits INT 3


Any help would be appreciated!

Thanks,

FV

  codeinject     May 8, 2013 01:37.34 CDT
http://newgre.net/node/43
http://www.hexblog.com/?p=11

But as I don't use IDA for Dynamic Analyses (ImmDBG is my tool of choice).

And the 'is this normal' question, check yourself :)
Fetch another kernel32.dll w/ the same version md5 hash it. And check hashes.

  SteveIRQL   June 5, 2013 11:16.48 CDT
It seems a little unusual that you would hit that int 3 in kernel32 (Unless as your post implies, its anti-debug). I would check your call stack for each thread that hits the 0xCC and go breakpoint an earlier instruction back in the main module. Chances are the reason you are hitting the breakpoint doesnt exist in kernel32.

If the malware is actually doing a runtime modification of Kernel32 then its an entirely different story, but I would guess its not the case.

I also don't use IDA to debug, but most debuggers allow you to modify the machine instructions in memory. nopsled those instructions at runtime (0x90) and you won't have to suffer through the breakpoints.

Note: Registration is required to post to the forums.

There are 31,040 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit