SEH and anti-debugging (Forums > Debuggers)

Topic created on: April 18, 2007 03:57 CDT by madiyaan.

Hello,

I am very much a newbie when it comes to disassembling executables. I read a few interesting articles on OpenRCE which were very educational, I must admit (thank you for those articles).

In some articles, I've read that using SEH, programs can defeat debuggers. I guess I don't know how/why that statement is true. Let me elaborate:

When a program runs under a debugger, the debugger can single step through the program by injecting 0xcc in place of instructions. Now if a program does something like modify the default SEH by changing fs:0 (if I'm correct) and then does something like write to memory location 0, execution goes to the debugger, right? (A question I have in mind is how does the execution go to the debugger when really the exception should be managed by the pointer the executable just put in by modifying fs:0?) Assuming execution goes to the debugger, can't the debugger simply look at the next exception handler in the chain (I'm assuming that that would be the executable's own handler) and insert a breakpoint there?

In several articles I've seen people say that using SEH handlers, executables can make debuggers detach from them. My question is how? Can anyone explain to a newbie like myself exactly how (with maybe a timeline or snapshot in time of how the SEH frame looks, etc.) this magical detach happens? (I've seen a popup box in OllyDbg say that "control might be lost".) My question is how (and how is this non-deterministic (Olly uses the phrase "might be")). Under what circumstances will control be lost, and under what circumstances will control not be lost?

Can anyone elucidate?

Thank you very much for your time,

Madiyaan.

anonymouse   April 19, 2007 05:11.10 CDT
injecting 0x33 in place of instructions? you mean 0xCC there?

how does seh defeat debugger

well, rather than treat it as defeat, you can call it detect

for example the simplest form of seh would be to

pushfd
or [esp],0x100
popfd
nop

what does the above sequence do ?
it simply sets the trap flag in the eflags register

now when you are single stepping through it or running it
the exception that would be generated could be used to detect whether you are running this code under a debugger or
running it outside a debugger

in one case the Exception generated would be EXCEPTION_SINGLE_STEP

ok if you meant 0xCC in your quote above, aka int3,

then you can install your own exception handler to handle
this int3, which in turn could make the life of the debugger more tedious because the one who is tracing it can't rely on or
can never set a 0xCC breakpoint

ok apart from 0xCC there is the hardware breakpoint
now
if you find and read about the exception handling mechanism well
(i suggest you look for jeremy gordon's or matt pietrek's article on seh; the former comes with nice test samples as well)

you will come to understand that in the handler one can erase the contents of Dr1 to Dr7 (debug registers) or possibly use them in code so that if someone sets a hardware breakpoint you can easily detect and modify the behaviour

there are a few other inventive uses as well
but i think this much would be sufficient for starters

madiyaan   April 19, 2007 12:32.50 CDT
> anonymouse: injecting 0x33 in place of instructions you mean 0xCC there ?

First of all, thank you for your post, anonymouse. I really appreciate you helping a new guy out here. Yes, that was a typo (I mixed int 3 and 0xcc making it 0x33). I corrected my post now.

>
> how does seh defeat debugger
>
> well, rather than treat it as defeat, you can call it detect

Well, I read on a few websites that using SEH will somehow detach the process from the debugger. And my original question was: can you explain step by step how that happens?

>
> for example the simplest form of seh would be to
>
> pushfd
> or [esp],0x100
> popfd
> nop
>
> what does the above sequence do ?
> it simply sets the trap flag in the eflags register
>
> now when you are single stepping through it or running it
> the exception that would be generated could be used to detect whether you are running this code under a debugger or
> running it outside a debugger

Thank you for this. I understand now that you can detect the debugger. But when the pop happens, the debugger can manually edit the flags back and set that bit back to 0. If that doesn't work (I'm not sure if popfd itself will be affected by the newly changed flags), you can edit the stack and make sure that flag is turned off.

>
> in one case the Exception generated would be EXCEPTION_SINGLE_STEP
>
> ok if you meant 0xCC in your quote above, aka int3,
>
> then you can install your own exception handler to handle
> this int3, which in turn could make the life of the debugger more tedious because the one who is tracing it can't rely on or
> can never set a 0xCC breakpoint

Yes, that is exactly what I'm looking for. My question is this:

Exactly how will it make the life of the debugger more tedious? I mean, can you step-by-step explain it in one paragraph? (i.e. tell me what happens when it sets itself as the handler)

I would really appreciate it.

I'm seeing an application that does this trick (i.e. sets itself as the handler) and then somehow it detaches itself from Olly.

>
> ok apart from 0xCC there is the hardware breakpoint
> now
> if you find and read about the exception handling mechanism well
> (i suggest you look for jeremy gordon's or matt pietrek's article on seh; the former comes with nice test samples as well)

Thank you for the pointer to these resources. I will be sure to check them out!

>
> you will come to understand that in the handler one can erase the contents of Dr1 to Dr7 (debug registers) or possibly use them in code so that if someone sets a hardware breakpoint you can easily detect and modify the behaviour

Okay, I understand this now. Thanks!

>
> there are a few other inventive uses as well
> but i think this much would be sufficient for starters

I will continue to read articles/tutorials posted on this website and others to further increase my knowledge.

Regards,

Madiyaan.

anonymouse   April 20, 2007 02:29.38 CDT
the debugger by itself cannot do any editing; it is not a program with artificial intelligence, and even if it had artificial intelligence, how would it understand if the popfd with modified trap flag is genuine or bogus?

there are genuine instances of code requiring a trap flag set

and if you say the one who is sitting in front of the screen is going to edit the flag back
then that's the main problem
he / she wouldn't have a clue if the basic code was slightly obfuscated

what about
pushfd
add [esp],1
jmp some hell
zero counter
inc counter
jmp some other place
cmp counter 100
and set some obscure pointer for result
jmp some where else

check the result
add [esp], another constant (not just one but a pattern hidden somewhere in some .data section)
a proprietary algorithm
that guarantees the added numbers will be equal to 0x100

loop like a mad dog till you can be sure you do popfd
and do popfd in a junk routine with several other popfd interspersed in between to cheat the one sitting in front of the console

ah it's a hell of a job to trace this
and that is supposed to be the main motive of these tricks
to get rid of all except the most tenacious ones from the trail

detaching a debugger is possible with a single api
in operating systems => xp

in os below xp the debuggee dies with the debugger
you will get a better answer about detaching a debuggee in msdn

paragraphing the intricacies of setting up your own int3 handlers is not feasible

the system informs a debugger of events that happened; one of them is the Exception Event
look for the DEBUG_EVENT structure and its unions reference

and the debugger can handle these Exceptions and send back
DBG_CONTINUE and some other results

and the system acts according to the result sent back

now if you imagine a linked list of handlers
1,2,3,4 that are sent notification of certain events in a predefined order
the handler that sits at the top of the list is the undisputed authority and it can decide what to do
if you happen to insert your handler on top
you can simply decide to say hell, this exception is non_continuable, and decide not to pass the notification to further links in the chain, and you can issue an order to kill

understanding these concepts doesn't fall into a one night stand
and/or paragraphing
it simply can't be done; it needs a full marriage that celebrates at least 10 years of bickering and nagging
nights
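
As an added illustration (not code from the thread or from any of its posters), here is a constructed C model of the dispatch anonymouse describes in this post and in the first reply: the debugger gets a first-chance look at the exception, and the program's own fs:[0] handler chain is only walked if the debugger reports it as not handled, which is why the pushfd / or [esp],0x100 / popfd check can tell whether a debugger is attached. The type names, the simplified dispatcher, the two model debuggers and the filter-style handler return values are assumptions; only the status code constants are the real Windows values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed teaching model of Windows exception dispatch: the debugger gets a
 * first-chance look, and only if it does not swallow the exception is the
 * process's own fs:[0] handler chain walked. Status codes are the real values. */
#define EXCEPTION_SINGLE_STEP        0x80000004u
#define EXCEPTION_BREAKPOINT         0x80000003u
#define DBG_CONTINUE                 0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED    0x80010001u
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH    0
typedef struct { uint32_t code; } ExceptionRecord;
typedef int (*SehHandler)(ExceptionRecord *rec);
typedef struct SehFrame { struct SehFrame *next; SehHandler handler; } SehFrame;
typedef uint32_t (*DebuggerFn)(const ExceptionRecord *rec);
/* The program's own handler: records that it ran and resumes execution. */
static int g_handler_ran;
static int trap_flag_handler(ExceptionRecord *rec) {
    if (rec->code != EXCEPTION_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH;
    g_handler_ran = 1; return EXCEPTION_CONTINUE_EXECUTION;
}
/* A typical debugger consumes single-step and int3 exceptions itself; one told
 * to pass the exception on to the program reports it as not handled instead. */
uint32_t typical_debugger(const ExceptionRecord *rec) {
    return (rec->code == EXCEPTION_SINGLE_STEP || rec->code == EXCEPTION_BREAKPOINT)
           ? DBG_CONTINUE : DBG_EXCEPTION_NOT_HANDLED;
}
uint32_t passthrough_debugger(const ExceptionRecord *rec) { (void)rec; return DBG_EXCEPTION_NOT_HANDLED; }

/* Simplified dispatcher: 1 if a frame in the chain handled the exception,
 * 0 if the debugger swallowed it first or no frame claimed it. */
int dispatch_exception(ExceptionRecord *rec, SehFrame *chain, DebuggerFn dbg) {
    if (dbg != NULL && dbg(rec) == DBG_CONTINUE) return 0;  /* first chance taken */
    for (SehFrame *f = chain; f != NULL; f = f->next)      /* walk the fs:[0] list */
        if (f->handler(rec) == EXCEPTION_CONTINUE_EXECUTION) return 1;
    return 0;
}

/* The pushfd / or [esp],0x100 / popfd check from the thread: TF=1 raises
 * EXCEPTION_SINGLE_STEP after popfd; if our handler never ran, a debugger ate it. */
int trap_flag_detects_debugger(DebuggerFn dbg) {
    SehFrame frame = { NULL, trap_flag_handler };    /* our frame on top of the chain */
    ExceptionRecord rec = { EXCEPTION_SINGLE_STEP };
    g_handler_ran = 0;
    dispatch_exception(&rec, &frame, dbg);
    return g_handler_ran ? 0 : 1;
}
```

Whether the check fires depends entirely on what the attached debugger answers at first chance, which is why the behaviour looks non-deterministic from the program's side.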

apridgen   April 20, 2007 09:48.20 CDT
I had to read this post twice b/c it sounds like you had a bitter divorce with the SEH.  And it seems like you caught SEH in bed with popfd doing the 0x100. :p

Good post, though.  I did not think of obfuscating the pushfd check with function calls, and I will definitely check out MSDN on the debugger api call.

anonymouse   April 20, 2007 10:26.49 CDT
bitter divorce? you mean i attained a state of marital bliss catching seh in bed with popfd? then you are right

btw you can check out pedram's ollydbg plugin that detaches a debuggee from ollydbg

here is the link for the list of debugging functions from msdn
check for DebugActiveProcessStop and DebugSetProcessKillOnExit

http://msdn2.microsoft.com/en-us/library/ms679303.aspx

http://www.openrce.org/downloads/details/185/Olly_De-Attach_Helper
