📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

How to anti-debug in driver?

Topic created on: September 10, 2008 02:56 CDT by kcynice.

If I want to do some anti-debug trick in a driver, so that when the GUI client is debugged the driver can find it, should I do it as in a normal user-mode program?

  Soul12     September 11, 2008 02:25.37 CDT
You wanna defeat an anti-dbg trick on a driver? Or make an anti-debugging driver?

If you wanna make a driver for anti-debugging purposes, the same methods as for ring3 apply... with, I guess, the normal limitlessness of ring0.

  kcynice   September 16, 2008 20:29.22 CDT
> Soul12: You wanna defeat an anti-dbg trick on a driver? Or make an anti-debugging driver?
>
> If you wanna make a driver for anti-debugging purposes, the same methods as for ring3 apply... with, I guess, the normal limitlessness of ring0.

In fact, I wanna defeat an anti-debug trick on a driver.
A piece of software has its own driver; if I insert a breakpoint anywhere, it encounters a fatal error and aborts.
So I think there must be some anti-debug tricks embedded in it. I want to know how it implements such a job. Any ideas? Thanks.

  frankboldewin     September 24, 2008 05:22.21 CDT
If you used hardware breakpoints, it might check the DRx registers. Try to find manipulations of the DR0 - DR3 regs as well as kernel debugger detection via DR7.
You might also try to set a software breakpoint using the 0xCC opcode, or just a jump-to-self loop using 0xEB 0xFE.
If this also gets detected, the driver might use a self-defense technique, by testing a checksum of its own code somewhere.

  cod     September 26, 2008 13:33.44 CDT
You can try to set an interrupt handler on int3, to trap all INT3/INT 03 opcodes...

  nezumi     September 26, 2008 14:09.23 CDT
Another solution:
PAGE_NOACCESS. In this case an ACCESS_VIOLATION exception will be generated, so you have a chance to fool your driver. OllyDbg supports this kind of breakpoint: Context Menu -> Breakpoint -> Memory, On Access (note: Memory, On Access means read or execute).

There is a more complicated technique:
unload the page from memory and break on #PF (0Eh). SoftICE can do this, or you can do it manually with any kernel debugger (just know the page table format).

If it doesn't work, well, try this: a lot of protections control .text section integrity, but... who controls .data? Nobody! So just find the nearest pointer stored in a global/static variable and set it to zero to cause an exception. This is not a breakpoint, but... kind of.

  kcynice   September 27, 2008 01:45.10 CDT
I think I got the resolution now. Fortunately, I got rewarded. Just so-so.
Yes, the program does use driver anti-debug. I don't think that's a bad choice. The driver just moves the user-level anti-debug tricks into kernel mode. In fact, the main program has been encrypted, so if we insert any breakpoint (int3), the decrypted code will be wrong. The main program sends a specified IO request (via DeviceIoControl) to ask the driver to decrypt some specified code block at a special phase. In addition, the driver will also do some other anti-debug jobs to defend itself. I got it after I had learned some basic information about driver debugging.

> nezumi: Another solution:
> PAGE_NOACCESS. In this case ......

Yes, it's a little complex for me, a newbie at reversing. But I will do my best to digest what you advised. Thanks.
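The protection scheme kcynice and frankboldewin describe (code blocks decrypted on request, plus a checksum over the code so that a patched byte is noticed) as an added C example, not code from the thread or from the protected software; kPlainBlock, kKey and the FNV-1a checksum are constructed for illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: a tiny "protected" code block (made-up x86 bytes) as it
   sits in memory after the driver has decrypted it. Not from the original. */
static const uint8_t kPlainBlock[8] = {0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3, 0x90};
static const uint32_t kKey = 0xA5C3F00Du;   /* assumed demo key */

/* FNV-1a checksum over a code region: the kind of self-check frankboldewin
   mentions (a driver testing a checksum of its own .text). */
uint32_t code_checksum(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Offset of the first 0xCC (INT3) byte in a region that should not contain
   one, or -1. A debugger's software breakpoint is exactly such a byte. */
long find_int3(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] == 0xCC) return (long)i;
    return -1;
}

/* XOR with a rolling 32-bit key; encryption and decryption are the same op. */
void xor_block(const uint8_t *in, size_t n, uint32_t key, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ (uint8_t)(key >> ((i % 4) * 8));
}

/* Decrypt a block and accept it only if the plaintext checksum matches the
   value the protector stored at build time; otherwise wipe the output. */
int decrypt_verified(const uint8_t *enc, size_t n, uint32_t expected, uint8_t *out) {
    xor_block(enc, n, kKey, out);
    if (code_checksum(out, n) == expected) return 1;
    memset(out, 0, n);   /* refuse to run corrupted code */
    return 0;
}

/* The failure mode kcynice describes: an INT3 written into the still-encrypted
   block decrypts to garbage and the integrity check rejects the whole block.
   Returns 1 when both the clean and the patched case behave as expected. */
int breakpoint_corrupts_decryption(void) {
    uint8_t enc[8], out[8];
    uint32_t expected = code_checksum(kPlainBlock, sizeof kPlainBlock);
    xor_block(kPlainBlock, sizeof kPlainBlock, kKey, enc);
    int clean_ok = decrypt_verified(enc, 8, expected, out) && memcmp(out, kPlainBlock, 8) == 0;
    enc[3] = 0xCC;       /* debugger places a software breakpoint on the block */
    int patched_rejected = !decrypt_verified(enc, 8, expected, out);
    return clean_ok && patched_rejected;
}
```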
