Flag: Tornado! Hurricane!

OpenRCE Anti Reverse Engineering Technique >> INT 2D Debugger Detection

Technique Name Category Analysis By Download Added On Last Updated
INT 2D Debugger Detection Debugging ReWolf March 15 2007
Description:
;---------------------------------------------------------------------------
; Int 2Dh debugger detection and code obfuscation - ReWolf^HTB
;
; Date: 14.III.2007
;
;
; I. BACKGROUND
;
;       Possibly new method of debugger detection, and nice way for code
;    obfuscation.
;
;
; II. DESCRIPTION
;
;       Int 2Dh is used by ntoskrnl.exe to play with DebugServices (ref1),
;    but we can use it also in ring3 mode. If we try to use it in normal
;    (not debugged) application, we will get exception. However if we will
;    attach debugger, there will be no exception.
;
;       push    offset _seh     ;\
; push    fs:[0]          ; > set SEH
;       mov     fs:[0], esp     ;/
;
;       int     2dh             ; if debugger attached it will run normally,
;                               ; else we've got exception
;       nop
;       pop     fs:[0]          ;\ clear SEH
;       add     esp, 4          ;/
;
;       ...
;       debugger detected
;       ...
;
;       _seh:
;       debugger not detected
;
;    It can also crash SoftIce DbgMsg driver (ref2).
;
;       Besides this, int 2Dh can also be used as code obfuscation method.
;    With attached debugger, after executing int 2Dh, system skips one byte
;    after int 2Dh:
;
;       int     2dh
;       nop                     ; never executed
;       ...
;
;    If we'll execute step into/step over on int 2Dh different debuggers
;    will behave in different way:
;
;       OllyDbg - run until next breakpoint (if we have any)
;       Visual Studio - stop on instruction after nop in our example
;       WinDbg - stop after int 2dh (always even if we 'Go')
;
;    Only OllyDbg behaves correctly if we permit to run process without any
;    breaks. We can create self debuggable application (as in attached
;    example) that will take advantages of int 2Dh code obfuscation.
;
;
; III. Links
;
;    1. http://www.vsj.co.uk/articles/display.asp?id=265
;    2. http://www.piotrbania.com/all/adv/sice-adv.txt
;
;
; IV. Thanks
;
;    omega red, Gynvael Coldwind, ved, Piotr Bania
;
;
; comments, suggestions, job opportunities: rewolf@poczta.onet.pl
;                                           http://www.rewolf.prv.pl
;---------------------------------------------------------------------------
;
;change file extensionton .asm and compile
;tested on: Win XP Pro sp2 (x86), Win 2k3 server (x64), Vista Ultimate (x64)
;
;---------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;---------------------------------------------------------------------------
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32
includelib \masm32\lib\user32
;---------------------------------------------------------------------------
.data
procinfo PROCESS_INFORMATION <0>
startinfo STARTUPINFO <0>
debugEvt DEBUG_EVENT<0>
_str db 100 DUP (0)
_fmt db 'eax: %08X',0dh,0ah,'ebx: %08X',0dh,0ah,'ecx: %08X',0dh,0ah,
'edx: %08X',0

;---------------------------------------------------------------------------
;CLOAKxB -> cloaks x bytes instruction

CLOAK1B macro ;int.int
int 2dh
db 0cdh
endm

CLOAK2B macro ;int.ret
int 2dh
db 0c2h
endm

CLOAK3B macro ;int.enter
int 2dh
db 0c8h
endm

CLOAK4B macro ;int.call
int 2dh
db 0e8h
endm

;If you find some other 'cloaking' opcodes i.e. 5 or more bytes please send
;me e-mail ;-)

;---------------------------------------------------------------------------
;sample mov r32, val macro

MOV_REG macro reg1: REQ, val1:REQ, val2:REQ, val3:REQ, val4:REQ
int 2dh
int reg1 ;\
int val3 ; >mov eax, (val1)CD(val3)CD
int val1 ;/
int 2dh
;enter 78xxh, 90h ;  mov al, val4
db 0c8h, reg1 - 8, val4, 90h
int 2dh
;enter 0xxc1h, 10h ;  ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
int 2dh
;enter 34xxh, 90h ;  mov al, val2
db 0c8h, reg1 - 8, val2, 90h
int 2dh
;enter 0xxc1h, 10h ;  ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
endm
;---------------------------------------------------------------------------
MOV_EAX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b8h, val1, val2, val3, val4
endm

MOV_EBX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bbh, val1, val2, val3, val4
endm

MOV_ECX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b9h, val1, val2, val3, val4
endm

MOV_EDX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bah, val1, val2, val3, val4
endm
;---------------------------------------------------------------------------
.code
start:


assume fs:nothing
push offset _seh ;\
push fs:[0] ; > set SEH
mov fs:[0], esp ;/

int 2dh ; if debugger attached it will run normally,
; else we've got exception
nop
pop fs:[0] ;\ clear SEH
add esp, 4 ;/

;---------------------------------------------------------------------------

MOV_EAX 98h ,76h, 54h, 32h ; mov eax, 98765432h
MOV_EBX 12h, 34h, 56h, 78h ; mov ebx, 12345678h
MOV_ECX 0abh, 0cdh, 0efh, 0 ; mov ecx, 0abcdef00h
MOV_EDX 90h, 0efh, 0cdh, 0abh ; mov edx, 90efcdabh

;---------------------------------------------------------------------------

CLOAK1B
push edx
CLOAK1B
push ecx
CLOAK1B
push ebx
CLOAK1B
push eax
CLOAK4B
push offset _fmt
CLOAK4B
push offset _str
CLOAK4B
call wsprintf
CLOAK3B
add esp, 18h
CLOAK2B
push 0
CLOAK4B
push offset _str
CLOAK4B
push offset _str
CLOAK2B
push 0
CLOAK4B
call MessageBox
CLOAK2B
push 0
CLOAK2B
jmp _end2
;---------------------------------------------------------------------------
_seh:
; setting mini-debugger ;-)
push offset procinfo
push offset startinfo
push 0
push 0
push DEBUG_PROCESS
push 0
push 0
push 0
call GetCommandLine
push eax
push 0
call CreateProcess

_dbgloop:
push INFINITE
push offset debugEvt
call WaitForDebugEvent

cmp debugEvt.dwDebugEventCode, EXIT_PROCESS_DEBUG_EVENT
je _end

push DBG_CONTINUE
push debugEvt.dwThreadId
push debugEvt.dwProcessId
call ContinueDebugEvent

jmp _dbgloop


_end: push 0
_end2: call ExitProcess
end start

There are 30,779 total registered users.


Recently Created Topics
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27
enabling menu in a s...
Jun/18
How to get the Image...
Jun/17
OllyDBG Process Term...
Apr/28
Reversing opcode
Apr/24
Question about debbu...
Apr/16
IDA PRO Struct Point...
Apr/15
Problem with ollydbg
Mar/22


Recent Forum Posts
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin
Pydbg load() issue
phreak


Recent Blog Entries
oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

gareebnavas
Jan/21
Android Malware Analysis

oleavr
Dec/21
frida.github.io: scriptable...

More ...


Recent Blog Comments
pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

newlulu on:
Jun/10
Advanced debugging techniques

newlulu on:
Jun/10
2 anti-trace mechanisms spe...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit