📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Anti-debug in driver file (*.sys)

Topic created on: March 9, 2008 00:58 CST by kcynice .

Hi, I found a program that has an anti-debug function. I used OD to load and run the program; it worked well, but if I debugged it one step at a time, it would terminate at a call to DeviceIoControl. That's to say, it terminated itself before returning from DeviceIoControl! In addition, the program has its own driver installed. So I think it implements its anti-debug in its driver.
I think it's a good example of anti-debugging. So I want to understand it and learn from it, but it's so difficult.

  cod     March 9, 2008 08:08.51 CDT
What's the name of the program?

  morel     March 9, 2008 09:32.51 CDT
Did you disassemble the driver? I'd disasm it and look at the IOCTL handler proc. You can get its address from DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL].

  kcynice   March 9, 2008 18:31.32 CDT
> morel: Did you disassemble the driver? I'd disasm it and look at the IOCTL handler proc. You can get its address from DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL].

Yes, I had disassembled the driver using IDA Pro, but I didn't know how to debug it. I can only debug some normal GUI programs; for such a non-GUI program, I don't know how to insert a breakpoint and how to run it one step at a time.

  morel     March 9, 2008 18:45.12 CDT
You can't debug drivers with user-mode debuggers. You can use WinDbg connected to a virtual machine, or LiveKd to locally peek into your kernel :)

  kcynice   March 9, 2008 20:51.25 CDT
> morel: You can't debug drivers with user-mode debuggers. You can use WinDbg connected to a virtual machine, or LiveKd to locally peek into your kernel :)

What you said should be true, but I have only used OD before. Would you like to explain how I should do this, or give me a URL for a guideline? Thanks.

  b0ne     March 9, 2008 23:32.04 CDT
Here's a start: http://www.wd-3.com/archive/RemoteDbg.htm

  kcynice   March 10, 2008 02:24.36 CDT
OK, it seems a little difficult, but I will do my best to have a try.

  RabidCicada     March 17, 2008 10:05.35 CDT
I guess you might have already figured this out from the previous people or from reading up since this post, but:

What it boils down to is that there are ring0 (kernelspace) debuggers and ring3 (userland) debuggers. They run at the same level as the user and only have permission to access userland stuff.

If you're tracing, your debugger is trying to set a breakpoint after every instruction, and that includes instructions that happen to get executed in kernel space (or ring0) when you get to driver code (driver code is only kernelspace/ring0).

This violates its memory access privileges and the program terminates.

Other debuggers are made/set up to run in kernelspace (through some trickery or another :) ). If you use a ring0 debugger then you can debug code that executes in ring0.

Just for reference, ring0 and ring3 are terms that come from processor instruction privilege sets. In actuality there are many more "rings"/sets of privilege levels available in the processor for executing different sets of privileged assembly commands. Windows just simplified the model with its software on top and only "exposes" ring0 (kernelspace) and ring3 (userspace).

  kcynice   March 18, 2008 01:00.52 CDT
Yes, thanks for RabidCicada's explanation.
Yes, I have some basic knowledge, but I think I lack enough real practice. There is almost no such master around me I could learn from. You see, the message board is only updated every few days. There is also an IRC channel named openrce at irc.freenode.net, but I am afraid it's not somewhere suitable for us newbies (it's so silent there).
I hope a kind master would like to tell the newbies, including me, how to work deeply, not only how to solve some crackmes.

Regards.

  anonymouse     March 18, 2008 13:08.54 CDT
Like so many have stated above, you cannot debug a driver with a userland debugger.

If you would want to debug a driver you would need a kernel debugger.

The only kernel debugger available nowadays that will work without much hindrance is WinDbg from MS.

SoftICE used to be the preferred debugger for many, and many still swear by it and will go to any extent to try and make it run on their current OS, or would never change their old OS just because they love to use SoftICE.

If the application runs on W2K and you run W2K, try finding some old SoftICE and installing it; with it you can simply step through both r3 and r0 in one go.

If that's not possible and you run Vizzzzta and your app needs W2K8, you are left with only WinDbg and setting up
a virtual environment and/or two computers joined by some sort of communication arrangement, right from the old and reliable COM port to the latest USB cable and everything in between like 1394 etc.

A virtual kernel debugging scenario could be like this:

Say you download Microsoft's Virtual PC and install it.
Install your favourite OS inside Virtual PC.
Install the app in question (hope it runs in virtual environments, else you are screwed into using real computers, and there are a few that won't run on real computers too if you have booted with the /debug switch).
Download and install WinDbg on the original computer.

Set up a virtual COM port communication (look for kernel debugging documentation in both the WinDbg folder and the white paper in the Virtual PC folder for details).

Edit the app in question with a hardcoded int 3 aka 0xcc with a hex editor in the IOCTL calls and run it in Virtual PC that's booted with the /debug switch.

The kd (WinDbg) that's waiting will latch on to it and you can single step through MOST of the code (very very steep learning curve ahead and many many crashes ahead and many many sleepless nights ahead before you will be able to comprehend anything at all on this route).
Happy debugging.
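The guest/host setup anonymouse outlines, written out as an added example (not code from the thread or from any of the tools named in it). It is a Windows batch file with two entry points: run it with the argument `guest` inside the XP/W2K virtual machine to turn on the boot-time kernel debugger, and with `host` on the machine where WinDbg is installed to attach over the serial link. Assumptions not stated on the page: the VM's COM1 is mapped to a host named pipe called `\\.\pipe\kd_pipe` (a constructed name), the OS entry to debug is line 1 of boot.ini, and WinDbg lives in the default Debugging Tools for Windows folder.

```bat
@echo off
rem Added example for the thread's kernel-debugging scenario (not the thread's own code).
rem   kdsetup.bat guest   - run inside the virtual machine being debugged
rem   kdsetup.bat host    - run on the machine that has WinDbg installed
rem Assumed (not on the page): guest COM1 <-> host named pipe \\.\pipe\kd_pipe,
rem boot.ini entry 1 is the OS to debug, WinDbg under "Debugging Tools for Windows".

if /i "%~1"=="guest" goto guest
if /i "%~1"=="host"  goto host
echo usage: %~nx0 guest ^| host
exit /b 1

:guest
rem XP / W2K keep boot options in boot.ini. This appends the debugger switches to
rem OS entry 1, the same as hand-editing the line to end in
rem   /fastdetect /debug /debugport=com1 /baudrate=115200
bootcfg /debug ON /port COM1 /baud 115200 /id 1
rem Vista and later use the BCD store instead of boot.ini:
rem   bcdedit /debug on
rem   bcdedit /dbgsettings serial debugport:1 baudrate:115200
echo Reboot the guest; the kernel will look for a debugger on COM1 at boot.
exit /b 0

:host
rem Attach WinDbg as a kernel debugger (-k) to the pipe that Virtual PC exposes
rem as the guest's serial port. "pipe" marks the port as a named pipe rather than
rem real hardware; "reconnect" lets the session survive guest reboots.
set "DBGDIR=%ProgramFiles%\Debugging Tools for Windows"
"%DBGDIR%\windbg.exe" -k com:port=\\.\pipe\kd_pipe,baud=115200,pipe,reconnect
exit /b 0
```

Once the guest boots and WinDbg reports the connection, break in (Ctrl+Break), then `lm` lists the loaded modules and `!drvobj <drivername> 2` dumps the driver's dispatch table, which is where the IRP_MJ_DEVICE_CONTROL entry morel mentions earlier in the thread appears; a `bp` on that address followed by `g` stops the guest the next time the application issues a DeviceIoControl to that driver.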

  daniellewis     March 20, 2008 21:22.04 CDT
Well, that's not quite true. An emulator works, but they're rare, difficult to retool, and somewhat heavyweight. Like using a freight train to put in a nail.

  kcynice   March 22, 2008 08:13.30 CDT
Perhaps this way is suited to some occasions, but there are too many programs which can find out you are debugging them on a remote PC.
