> memger: hi,
>
> I'm looking for people who are interested in testing an IDA plugin which aims to hide the IDA debugger from most common anti-debugging tricks. The idea is to create a rather complete implementation which defeats all known anti-debugging techniques.
> The plugin can be found at http://newgre.net/node/50.
> If you have any suggestions or find bugs, please post here or at my site.
>
> Cheers
> Jan
The plug looks nice, have to test it. But I think you have to change the name, since there is an IDA Stealth plugin and it's created by the author of IDA, no matter that it doesn't work against all the anti-debugging techniques.
|
> v01d: > memger: hi,
> >
> > I'm looking for people who are interested in testing an IDA plugin which aims to hide the IDA debugger from most common anti-debugging tricks. The idea is to create a rather complete implementation which defeats all known anti-debugging techniques.
> > The plugin can be found at http://newgre.net/node/50.
> > If you have any suggestions or find bugs, please post here or at my site.
> >
> > Cheers
> > Jan
>
> The plug looks nice, have to test it. But I think you have to change the name, since there is an IDA Stealth plugin and it's created by the author of IDA, no matter that it doesn't work against all the anti-debugging techniques.
Ilfak actually knows about this plugin because I already posted it in the IDA forum. It didn't seem he was too mad about it ;-)
|
> nezumi: um, how about this?
> JohoR crackme
Am I missing something here? If you just pass all exceptions to the application, the debugger is not recognized. So this little program rather checks whether a debugger is capable of handling exceptions correctly (IDA has some problems with this), rather than being a test program for anti-anti-debugging techniques. Correct me if I'm wrong.
cheers
Jan
|
memger
Sorry, your plug-in works OK, it's just that my IDA 5.2 crashes on mov fs:[eax], esp / xor eax,[eax], changing the EAX content. I removed all plug-ins but yours and the bug mystically disappeared. I guess it's a conflict between two (or more) plug-ins; I'm trying to find the second "bad" plug-in now. However, without your plug-in everything works fine (as far as if your plug-in is the only plug-in and there are no others). The bug is: EAX is changed to -1, so the rest of the code goes the wrong way.
|
The plugin still has at least one major bug: modifying the import directory fails with packed executables, so injection of the stealth DLL fails. That's why it was tagged alpha ;-)
Will fix it asap.
Known bugs and new versions at http://newgre.net/idastealth
|
Fixed the bug when using the plugin with a packed executable.
|
I have used Extreme Debugger Detector 0.50 by Hellsp@wn..
there is a bug when trying to hide these functions:
-SetUnhandledExceptionFilter
-Detect DRx
-Invalid HANDLE
-GetTickCount
-RDTSC
Cheers.
thE Cur!ouZ.
|
> thECurouZ: I have used Extreme Debugger Detector 0.50 by Hellsp@wn..
> there is a bug when trying to hide these functions:
>
> -SetUnhandledExceptionFilter
> -Detect DRx
> -Invalid HANDLE
> -GetTickCount
> -RDTSC
>
> Cheers.
> thE Cur!ouZ.
I will address these issues asap. Thx for pointing this out!
Edit: Can you provide me with a download link to this tool?
|
> memger: > thECurouZ: I have used Extreme Debugger Detector 0.50 by Hellsp@wn..
> > there is a bug when trying to hide these functions:
> >
> > -SetUnhandledExceptionFilter
> > -Detect DRx
> > -Invalid HANDLE
> > -GetTickCount
> > -RDTSC
> >
> > Cheers.
> > thE Cur!ouZ.
>
> I will address these issues asap. Thx for pointing this out!
> Edit: Can you provide me with a download link to this tool?
http://rapidshare.com/files/127676344/Extreme_Debugger_Detector_0.50.rar.html
|
I just released a new version of my stealth plugin at http://newgre.net/idastealth.
The new version is nearly feature complete (the RDTSC driver is still missing, though) and addresses all techniques described in the paper by Peter Ferrie and some additional techniques which are probably not so common (e.g. handling of DBG_PRINTEXCEPTION_C or NtYieldExecution).
Besides, xADT as well as Extreme Debugger Detector 0.5 are unable to detect the IDA debugger if all options are set (apart from the "find tools complex" test in xADT).
If you find bugs or have any suggestions for additional techniques please contact me.
cheers
jan
|
Should the plugin work under IDA running in a VMware WinXP/2K guest? Just wondered.
|
> dnix: Should the plugin work under IDA running in a VMware WinXP/2K guest? Just wondered.
Yes, it should work as long as you have rights to write to the %IDA_DIR%/cfg directory.
Edit: When started from a guest account you need to make sure that the guest user is able to execute the .plw file, then it works.
|
> The new version is nearly feature complete (the RDTSC driver is still missing, though) and addresses all techniques described in the paper by Peter Ferrie
My new paper contains all new tricks. I'll test the plugin against them when I have some time.
> and some additional techniques which are probably not so common (e.g. handling of DBG_PRINTEXCEPTION_C or NtYieldExecution).
Yes, these are known to me, but for some reason they are not very common.
|
I released the first beta version at my site. I guess nearly all publicly known anti-debugging techniques have been implemented so far, and the plugin seems to be quite stable. If you feel something is missing or anything doesn't work as it should, pls let me know.
cheers
Jan
|
Hi everyone,
just wanted to announce that a new version of IDA Stealth along with the complete source code is available from my site. Feedback appreciated :)
Cheers
Jan
|
Just posted a new version at my website. Finally IDAStealth includes an RDTSC emulation driver (with source code). Besides, some bugfixes made it into the new version, which you can download here.
If you think something is missing or doesn't work, please let me know.
|
I just released a new version of IDAStealth (v1.2) at my website. It finally comes with full Themida support. If you find bugs or have suggestions, pls let me know.
Edit: is it possible to change the picture in the download section? It's still an old beta screenshot
|
Let's take a look at GetThreadContextHook from HideDebugger.cpp. Why do you use DWORD id = GetCurrentThreadId(); if the thread whose context is fetched is the one pointed to by HANDLE hThread? And that thread is not the current one at all. The same goes for SetThreadContextHook.
|
You're right, this is a bug; I'll fix it for the next rls. Thx
|
The thread handle is also insufficient, since many handles can point to the same object, and all of them should return the same information. You need the thread ID that corresponds to the handle.
|
> PeterFerrie: The thread handle is also insufficient, since many handles can point to the same object, and all of them should return the same information. You need the thread ID that corresponds to the handle.
You're quite correct, Peter. I'll use NtQueryInformationThread with THREAD_BASIC_INFORMATION to map a given handle to its thread id. It's not implemented yet since I've been very busy recently. Will fix it asap.
|