anti-debug | Android detect debugger | Code Inspection library
kandi X-RAY | anti-debug Summary
kandi X-RAY | anti-debug Summary
Android detect debugger
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of anti-debug
anti-debug Key Features
anti-debug Examples and Code Snippets
Community Discussions
Trending Discussions on anti-debug
QUESTION
I've been doing some research on debug registers lately and how some malware programs are able to manipulate them as an anti-debugging tactic. One of the things I have read a few times now is that this can be prevented by using the General Detect flag in DR7, which raises a debug exception if a MOV instruction is used to access any of DR0-DR7.
However, what I am not clear on is what exactly access means - if, for instance, a mov instruction is used to only place the address of DR0-DR3 into a general purpose register so it can be read, would this still cause a debug exception to be raised when the GD flag is set? Or does this only happen if a MOV instruction is used to actually change the contents of the register? What I have read so far has been slightly ambiguous on this.
I encountered the assembly below in a text that shows manipulation of the debug registers, but in this case mov is only used to get the address of the debug registers and the actual modification is done by the or instruction, so I am not sure if this code would raise an exception if GD was set.
...ANSWER
Answered 2020-Dec-14 at 11:00Intel is pretty clear about it:
An attempt to read or write the debug registers from any other privilege level generates a general-protection exception (#GP).
So reading or writing a debug register when not running at CPL 0 will raise an exception, independently of the GD
flag.
In fact, I've analyzed quite a bit of malwares and none of them access the debug registers directly. They get the current thread context (GetThreadContext or NtGetContextThread or similar WOW64 variants) and check the values of the debug registers from there, note that it is the Windows' kernel that read the debug register in this case. This antidebug trick can be worked around manually (with a breakpoint on the API retrieving the context) or with a debugger plugin. Malwares running at CPL 0 could use the GD flag but I've never found one so far.
Answering your title question, any read or write access (at CPL 0) to a debug register will raise a #GP if GD
is set.
I have not tested it but considering its intended use (to support hardware debugger emulator), the idea is to "virtualize" the debug registers.
The hardware debugger emulated in software can then use the debug register even if the OS debugged is already using them.
This is done by faulting on every access and properly swapping in and out the OS vs emulator values.
If only writes were faulting the emulator could not prevent the debugged OS from reading an incorrect value (placed there by the emulator) from a debug register.
Enables (when set) debug-register protection, which causes a debug exception to be generated prior to any MOV instruction that accesses a debug register.
When such a condition is detected, the BD flag in debug status register DR6 is set prior to generating the exception. This condition is provided to support in-circuit emulators. When the emulator needs to access the debug registers, emulator software can set the GD flag to prevent interference from the program currently executing on the processor.
The processor clears the GD flag upon entering to the debug exception handler, to allow the handler access to the debug registers.
QUESTION
I'm currently in the process of learning different techniques malware use to prevent debugging, and I came across an issue I can't seem to really understand. This piece of malware that I am currently trying to figure out and debug uses some kind of anti-debugging technique that doesn't allow me to attach a debugger in the first place. I have tried using things such as Scylla-hide, I've also tried manually going in and hooking common anti-debugging API calls to see what is going on, but no luck so far. I also tried with WinDbg hoping it would give me some error message I can go off of, and it gave me this: WinDbg output when trying to debug program
So this got me thinking that it was doing something to prevent a thread being started and that is what is causing any debugger from being able to attach. I also tried injecting a DLL with the typical LoadLibrary CreateRemoteThreadEx technique and seems it doesn't allow me to create a thread that way either. I've looked at as much as possible on anti-debugging and can't seem to find an answer to this. Any nudge in the right direction would be greatly appreciated.
I'm hoping to be able to circumvent this in user-mode, as I'm trying to understand what exactly it is doing to stop me from debugging rather than simply bypassing it. This is my first time asking a question so sorry if anything was hard to understand.
...ANSWER
Answered 2020-May-22 at 10:18This is the defacto antidebug reference by Peter Ferrie, it's an amazing resource: https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf
It contains almost every known anti-debug method, you can use this reference and tick each method off your list until you find the ones that are implemented, the book should also help you easily mitigate each method as well.
Per our conversation in the comments, the answer to your question was that the process was hooking both DbgBreakPoint and DbgUiRemoteBreakig. Patching them enabled you to then attach a debugger.
QUESTION
For a bit of background, I was playing around with anti-debug techniques. To prevent software breakpoints, one can search at runtime for 0xCC inside a memory segment. Code example here -> https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp
Instead of checking for only one function, I wanted to test the whole .text
section at runtime and compute the hash of the section. After some research I ended up with something like that.
ANSWER
Answered 2019-Dec-06 at 09:59@PeterCordes is right (look in the comments). It's because of ASLR, I just tested the code with ASLR Off and the sum is always the same.
QUESTION
I am learning golang and I wanna implement a simple Linux anti-debugging method in golang. I have a CPP code which works in the same way I intended. But cannot do the same in golang. can you guys guide me how to do same in go?
Here is the C++ Code I am using as a reference.
...ANSWER
Answered 2019-Nov-28 at 12:30Based on @MarkPlotnick's comments, here is the golang Equivalent code for the c++ code posted by me.
QUESTION
I'm working with Android 8.1 Pixel2 XL phone. I have hooked the sys_call_table and have replaced the syscalls with my own functions using the kernel module. I want to make an application unable to quit. I'm trying to invalidate an application's sys_exit_group and sys_kill. What should I do in my own function.
I want to debug an application, but it turns on anti-debugging. So I want to hook the system call
I have tried direct return, but It wasn't work. System will call sys_kill again.But this time, I can't get the application's uid from its pid.
...ANSWER
Answered 2019-Aug-12 at 12:56At a very high level, this can't work. When an application calls _Exit
(possibly/likely at the end of exit
), it has no path to any further code to be run. These functions are normally even marked _Noreturn
, meaning that the compiler does not leave the registers/calling stack frame in a meaningful state where resumption of execution could occur. Even if it did, the program itself at the source level is not prepared to continue execution.
If the function somehow returned, the next step would be runaway wrong code execution, likely leading to arbitrary code execution under the control of an attacker if the application had been processing untrusted input of any kind.
In practice, the libc side implementation of the exit
and _Exit
functions likely hardens against kernel bugs (yes, what you're asking for is a bug) whereby SYS_exit_group
fails to exit. I haven't verified other implementations lately but I know mine in musl do this, because it's cheap and the alternative is very dangerous.
QUESTION
For several days, I have been trying to document myself about Anti-Debugger techniques.
So I found many different methods to achieve this. In these techniques, I found the possibility to hiding thread from debugger, thanks to the NtSetInformationThread method. My project is to use this method in my code written in VB.NET.
Here is a description of the technique I found in my research, which I find very well explained:
In Windows 2000, a new class of thread information transferred to the NtSetInformationThread function appeared – ThreadHideFromDebugger. This was one of the first anti-debugging techniques provided by Windows in Microsoft's search for how to prevent reverse engineering, and it's very powerful. If this flag is set for a thread, then that thread stops sending notifications about debug events
So I found a source coming from this site to achieve this. Here is the method he uses in C++:
...ANSWER
Answered 2019-Jul-21 at 08:46You're almost there, but your current code has two issues:
First of all your P/Invoke declaration for the NtSetInformationThread
function is not quite correct and I recommend you stick to DllImport
as most Declare Function
declarations that you find on the internet were written for VB6 and are not compatible with VB.NET.
Here is the corrected version:
QUESTION
I'm trying to understand how to implement an anti-debugging by starting with the simplest method, PT_DENY_ATTACH, and try to debug it with lldb. But I have no idea in which part of my objective-c that I need to implement it in.
I wrote a simple objective-c code for a login page.
...ANSWER
Answered 2019-Feb-08 at 06:37First of all ptrace() is not part of public API on iOS. As per the AppStore publishing policy, use of non-public API is prohibited and use of them may lead to rejection of the app from the AppStore, so we need call it via function pointer using dlsym.
Full Code:
QUESTION
I'm trying to understand some of the anti-debugger functions in https://github.com/nemesisqp/al-khaser/blob/0f74c40dde8ba060807e031271f81457a187fa08/DebuggerDetection.cpp#L603
Would
...ANSWER
Answered 2018-Aug-30 at 04:11Both of those techniques are relatively old. I think they were in use in the early 2000s, if not the late 90s.
The first uses the fact that the Thread-Information Block (TIB) resides at fs:[0]
for windows processes (at least as late as WinXP...I haven't looked since then).
Offset 0x30 into the TIB is a pointer to the Process Environment Block (PEB). From that link, we see that offset 0x2 into the PEB is the 'being debugged' flag. This is the value that is read by the API call IsDebuggerPresent
.
The second example demonstrates two detection mechanisms:
This answer gives good detail on the function of int 0x2d
on windows. For the moment, we'll just note that it's part of Windows' built-in debugging support.
The simpler mechanism is this: Structured exception handling in Windows would catch things that the language-based exceptions couldn't, because it was hooked into the OS's exception handling framework, not the language-runtime's.
So the int 0x2d
would generate a fault; any debugger present would handle the fault, and because this interrupt is for debugging, the debugger would return to control-flow as usual. Thus the structured-exception handling mechanism wouldn't be invoked...so the 'catch' would never be reached, and the return value of the function would thereby change. This method was pretty trivially defeated by later SEH-aware debuggers, by telling the debugger to pass the exception to the program, in which case the SEH would fire.
The other mechanism is based in the detail of the of way int 0x2d
is processed by windows, which was apparently not emulated perfectly by OllyDbg (a once phenomenal debugger that went defunct and came back full of malware). I am not personally familiar with this method, so I would direct you to the linked answer.
Just for context, the early days of anti-debugger techniques were studies of particularly popular debug tools. In whatever document you've dug these techniques from, you will no doubt also see ones dedicated to detecting NuMega Softice --- probably the first kernel debugger for Windows (circa NT 4.0). The instruction sequence from whence my handle is derived was used as a method of detecting this debugger.
Thanks for the trip down memory lane ;)
QUESTION
I have an executable that I would like to protect from changes to the File Version Info.
I initially thought that signing the exe with a certificate would handle this, however when you modify the File Version Info with freely available utilities, it seems that the digital signature still remains intact.
I figure the only way would be to perform some sort of checksum on the exe, however this isn't ideal as I'm concerned that this will cause problems with various post-processors (obfuscation, anti-debug, etc) that I am doing which deny access to the .exe at run-time.
Is there any other way I detect if the File Version Info has been modified in some way?
...ANSWER
Answered 2018-Aug-25 at 05:53The certificate is not more valid if only 1 byte of the executable changed. It seems you use Properties window of Windows Explorer and after changing the version number see the Digital Signature tab still there. This is very misleading about digital signature of executable files in Windows but not true. This tab just say the file contain certificate but nothing about validation of this certificate. In this tab click on certificate and then click on Details, now on top of the opened window you can see the cert is valid or not.
By using Windows API you can check the certificate is valid or not, maybe this topic help you in C#.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install anti-debug
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page