bLaCkeye <bLaCk reteam org> |
Wednesday, August 15 2007 04:24.35 CDT |
I was reversing a piece of malware today when its decryptor revealed a trick I haven't seen before.
The trick seems to be based on the behaviour of DeleteFiber under a debugger.
After calling it with an invalid parameter, it checks the last error using GetLastError, which is
- 0x00000057 if the process was not debugged
- other if the process was under a debugger
In the malware I was analysing, the return value was used to build a jump to another section of the decryptor.
Easy code to conduct your own reversing.
#include <windows.h>
#include <stdio.h>

/* Not a real fiber: a plain buffer handed to DeleteFiber as an invalid parameter. */
char lama[1024] = {0};

int main(int argc, CHAR* argv[])
{
    DeleteFiber(lama);
    /* 0x00000057 is ERROR_INVALID_PARAMETER, the value seen when no debugger is attached. */
    printf("GetLastError = %.8x\n", GetLastError());
    return 0;
}
|
Sweet, thanks for the heads up. Is this posted in the anti-debugger portion of the site? |
DeleteFiber calls RtlFreeHeap. If the process is debugged without forcing the NtGlobalFlags, the heap will have the flags FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK and FLG_HEAP_VALIDATE_PARAMETERS enabled by default. Those flags will enforce some protections before memory chunks are freed; in this case, the fiber data is invalid and the heap routines will call ntdll!DbgBreakPoint (a simple INT3).
So, this anti-debug is one of the NtGlobalFlags class, which can be bypassed by force-setting the global flags before the program is created. |
|
Excellent, thanks for the explanation. |
|
Like jms said: excellent :) |
|