Anti-Debugging | Test for Anti-Debugging | Code Inspection library

 by   jaeyung1001 C++ Version: Current License: No License

kandi X-RAY | Anti-Debugging Summary

Anti-Debugging is a C++ library typically used in Code Quality, Code Inspection, and Qt5 applications. Anti-Debugging has no bugs or vulnerabilities reported and has low support. You can download it from GitHub.


            kandi-support Support

Anti-Debugging has a low active ecosystem.
It has 9 star(s) with 5 fork(s). There are 3 watchers for this library.
It had no major release in the last 6 months.
Anti-Debugging has no issues reported. There are no pull requests.
It has a neutral sentiment in the developer community.
The latest version of Anti-Debugging is current.

            kandi-Quality Quality

              Anti-Debugging has no bugs reported.

            kandi-Security Security

              Anti-Debugging has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

Anti-Debugging does not have a standard license declared.
Check the repository for any license declaration and review the terms closely.
Without a license, all rights are reserved, and you cannot use the library in your applications.

            kandi-Reuse Reuse

              Anti-Debugging releases are not available. You will need to build from source code and install.


            Anti-Debugging Key Features

            No Key Features are available at this moment for Anti-Debugging.

            Anti-Debugging Examples and Code Snippets

            No Code Snippets are available at this moment for Anti-Debugging.

            Community Discussions

            QUESTION

            Does reading a debug register raise an exception if the GD flag is set?
            Asked 2020-Dec-14 at 15:46

            I've been doing some research on debug registers lately and how some malware programs are able to manipulate them as an anti-debugging tactic. One of the things I have read a few times now is that this can be prevented by using the General Detect flag in DR7, which raises a debug exception if a MOV instruction is used to access any of DR0-DR7.

            However, what I am not clear on is what exactly access means - if, for instance, a mov instruction is used to only place the address of DR0-DR3 into a general purpose register so it can be read, would this still cause a debug exception to be raised when the GD flag is set? Or does this only happen if a MOV instruction is used to actually change the contents of the register? What I have read so far has been slightly ambiguous on this.

            I encountered the assembly below in a text that shows manipulation of the debug registers, but in this case mov is only used to get the address of the debug registers and the actual modification is done by the or instruction, so I am not sure if this code would raise an exception if GD was set.

            ...

            ANSWER

            Answered 2020-Dec-14 at 11:00

            Intel is pretty clear about it:

            An attempt to read or write the debug registers from any other privilege level generates a general-protection exception (#GP).

            So reading or writing a debug register when not running at CPL 0 will raise an exception, independently of the GD flag.

In fact, I've analyzed quite a bit of malware and none of it accesses the debug registers directly. They get the current thread context (GetThreadContext or NtGetContextThread or similar WOW64 variants) and check the values of the debug registers from there; note that it is the Windows kernel that reads the debug registers in this case. This antidebug trick can be worked around manually (with a breakpoint on the API retrieving the context) or with a debugger plugin. Malware running at CPL 0 could use the GD flag, but I've never found one so far.

Answering your title question, any read or write access (at CPL 0) to a debug register will raise a #GP if GD is set. I have not tested it, but considering its intended use (to support a hardware debugger emulator), the idea is to "virtualize" the debug registers. The hardware debugger emulated in software can then use the debug registers even if the OS being debugged is already using them. This is done by faulting on every access and properly swapping in and out the OS vs. emulator values.

            If only writes were faulting the emulator could not prevent the debugged OS from reading an incorrect value (placed there by the emulator) from a debug register.

Enables (when set) debug-register protection, which causes a debug exception to be generated prior to any MOV instruction that accesses a debug register.
When such a condition is detected, the BD flag in debug status register DR6 is set prior to generating the exception. This condition is provided to support in-circuit emulators. When the emulator needs to access the debug registers, emulator software can set the GD flag to prevent interference from the program currently executing on the processor.
The processor clears the GD flag upon entering the debug exception handler, to allow the handler access to the debug registers.

            Source https://stackoverflow.com/questions/65283866

            QUESTION

            What kind of anti-debugging technique doesn't allow attaching with usermode debugger?
            Asked 2020-May-22 at 10:18

I'm currently in the process of learning different techniques malware uses to prevent debugging, and I came across an issue I can't seem to really understand. This piece of malware that I am currently trying to figure out and debug uses some kind of anti-debugging technique that doesn't allow me to attach a debugger in the first place. I have tried using things such as ScyllaHide, and I've also tried manually going in and hooking common anti-debugging API calls to see what is going on, but no luck so far. I also tried with WinDbg hoping it would give me some error message I can go off of, and it gave me this:

[Image: WinDbg output when trying to debug the program]

So this got me thinking that it was doing something to prevent a thread from being started, and that is what is preventing any debugger from being able to attach. I also tried injecting a DLL with the typical LoadLibrary CreateRemoteThreadEx technique, and it seems it doesn't allow me to create a thread that way either. I've looked at as much as possible on anti-debugging and can't seem to find an answer to this. Any nudge in the right direction would be greatly appreciated.

            I'm hoping to be able to circumvent this in user-mode, as I'm trying to understand what exactly it is doing to stop me from debugging rather than simply bypassing it. This is my first time asking a question so sorry if anything was hard to understand.

            ...

            ANSWER

            Answered 2020-May-22 at 10:18

This is the de facto antidebug reference by Peter Ferrie; it's an amazing resource: https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf

It contains almost every known anti-debug method. You can use this reference and tick each method off your list until you find the ones that are implemented; the book should also help you easily mitigate each method as well.

Per our conversation in the comments, the answer to your question was that the process was hooking both DbgBreakPoint and DbgUiRemoteBreakin. Patching them enabled you to then attach a debugger.

            Source https://stackoverflow.com/questions/61846465

            QUESTION

            how to detect if ptrace already called in golang linux
            Asked 2019-Nov-28 at 12:30

I am learning Go and I want to implement a simple Linux anti-debugging method in Go. I have C++ code which works the way I intended, but I cannot do the same in Go. Can you guys guide me on how to do the same in Go?

            Here is the C++ Code I am using as a reference.

            ...

            ANSWER

            Answered 2019-Nov-28 at 12:30

Based on @MarkPlotnick's comments, here is the Go equivalent of the C++ code I posted.

            Source https://stackoverflow.com/questions/58572777
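Both the C++ reference and the Go answer are elided on this page. The following is an added example, not code from the question or the answer: it implements the Linux "am I being traced?" check in Go by parsing the kernel-maintained TracerPid field of /proc/self/status, which is what an analyst attaching ptrace-based tools (gdb, delve, strace) will trip. The parser is separated from the file read so it can be exercised on a constructed status excerpt.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// ParseTracerPid extracts the TracerPid field from the text of a
// /proc/<pid>/status file. The kernel fills this field with the PID of
// the process tracing <pid> via ptrace, or 0 when nobody is attached.
func ParseTracerPid(status string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "TracerPid:") {
			continue
		}
		value := strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:"))
		return strconv.Atoi(value)
	}
	return 0, errors.New("TracerPid field not found in status text")
}

// BeingTraced reports whether this process currently has a ptrace tracer
// attached, by reading the live /proc/self/status (Linux only).
func BeingTraced() (bool, error) {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false, err
	}
	tracer, err := ParseTracerPid(string(data))
	if err != nil {
		return false, err
	}
	return tracer != 0, nil
}

// SampleStatus is a constructed status excerpt (not captured from a real
// system) showing what the field looks like while a tracer is attached.
const SampleStatus = "Name:\tsample\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t1\nTracerPid:\t3131\n"

func main() {
	tracer, _ := ParseTracerPid(SampleStatus)
	fmt.Println("sample TracerPid:", tracer)
	traced, err := BeingTraced()
	fmt.Println("this process traced:", traced, "error:", err)
}
```

Run the binary directly and then under `strace` or `gdb` to see the live check flip; a process that wants to evade this check only needs to lie to itself, so treat it as one signal among several, not a barrier.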

            QUESTION

            How to make a process unable to exit by hook sys_exit_group and sys_kill
            Asked 2019-Aug-17 at 01:13

I'm working with an Android 8.1 Pixel 2 XL phone. I have hooked the sys_call_table and have replaced the syscalls with my own functions using a kernel module. I want to make an application unable to quit. I'm trying to invalidate an application's sys_exit_group and sys_kill. What should I do in my own function?

I want to debug an application, but it turns on anti-debugging. So I want to hook the system call.

I have tried returning directly, but it didn't work. The system will call sys_kill again. But this time, I can't get the application's uid from its pid.

            ...

            ANSWER

            Answered 2019-Aug-12 at 12:56

At a very high level, this can't work. When an application calls _Exit (possibly/likely at the end of exit), it has no path to any further code to be run. These functions are normally even marked _Noreturn, meaning that the compiler does not leave the registers/calling stack frame in a meaningful state where resumption of execution could occur. Even if it did, the program itself, at the source level, is not prepared to continue execution.

            If the function somehow returned, the next step would be runaway wrong code execution, likely leading to arbitrary code execution under the control of an attacker if the application had been processing untrusted input of any kind.

            In practice, the libc side implementation of the exit and _Exit functions likely hardens against kernel bugs (yes, what you're asking for is a bug) whereby SYS_exit_group fails to exit. I haven't verified other implementations lately but I know mine in musl do this, because it's cheap and the alternative is very dangerous.

            Source https://stackoverflow.com/questions/57461446

            QUESTION

            Anti-debugger technique: How to hide a thread from the debugger using VB.NET?
            Asked 2019-Jul-21 at 08:56

For several days, I have been trying to document myself about anti-debugger techniques.

So I found many different methods to achieve this. Among these techniques, I found the possibility of hiding a thread from the debugger, thanks to the NtSetInformationThread method. My project is to use this method in my code written in VB.NET.

Here is a description of the technique I found in my research, which I find very well explained:

In Windows 2000, a new class of thread information passed to the NtSetInformationThread function appeared: ThreadHideFromDebugger. This was one of the first anti-debugging techniques provided by Windows in Microsoft's search for how to prevent reverse engineering, and it's very powerful. If this flag is set for a thread, then that thread stops sending notifications about debug events.

            From this website

            So I found a source coming from this site to achieve this. Here is the method he uses in C++:

            ...

            ANSWER

            Answered 2019-Jul-21 at 08:46

            You're almost there, but your current code has two issues:

First of all, your P/Invoke declaration for the NtSetInformationThread function is not quite correct, and I recommend you stick to DllImport, as most Declare Function declarations that you find on the internet were written for VB6 and are not compatible with VB.NET.

            Here is the corrected version:

            Source https://stackoverflow.com/questions/57118618

            QUESTION

            How do I implement an anti-debugging into my code?
            Asked 2019-Feb-08 at 06:37

I'm trying to understand how to implement anti-debugging by starting with the simplest method, PT_DENY_ATTACH, and trying to debug it with lldb. But I have no idea in which part of my Objective-C code I need to implement it.

I wrote some simple Objective-C code for a login page.

            ...

            ANSWER

            Answered 2019-Feb-08 at 06:37

First of all, ptrace() is not part of the public API on iOS. As per the App Store publishing policy, use of non-public APIs is prohibited and may lead to rejection of the app from the App Store, so we need to call it via a function pointer obtained with dlsym.

            Full Code:

            Source https://stackoverflow.com/questions/54576289

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install Anti-Debugging

            You can download it from GitHub.

            Support

For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask questions on the community page at Stack Overflow.

            CLONE
          • HTTPS

            https://github.com/jaeyung1001/Anti-Debugging.git

          • CLI

            gh repo clone jaeyung1001/Anti-Debugging

          • sshUrl

            git@github.com:jaeyung1001/Anti-Debugging.git


Try Top Libraries by jaeyung1001

• PC-Malware-Detection by jaeyung1001 (Jupyter Notebook)
• PytorchNTensorflow by jaeyung1001 (Jupyter Notebook)
• THUKSA by jaeyung1001 (Java)
• naver_competition by jaeyung1001 (Jupyter Notebook)
• BigData_Machine_learning by jaeyung1001 (Jupyter Notebook)