
Thread: Is Win32 A Debugging API? If Not, How Close Is It?

  1. #1

    Is Win32 A Debugging API? If Not, How Close Is It?

    Assume a black-box pen-test with a Win32 target that has perfect debugger detection (disregarding how hard “perfect” is to achieve). Arbitrarily, assume no access to the kernel; in fact, no administrator privilege at all. We simply run in processes alongside the target with the same credentials.

    How much control do we have over the target?

    • We can get a Win32 handle to the process with OpenProcess.
    • We can read process memory by virtual offset and length with ReadProcessMemory.
    • We can enumerate the threads in the target with Toolhelp32.
    • We can suspend or resume individual threads with OpenThread, SuspendThread, and ResumeThread.
    • We can write process memory by virtual offset and length with WriteProcessMemory.
    • We can allocate memory within the target with VirtualAlloc.
    • We can change memory protection with VirtualProtectEx.
    • We can enumerate modules and offsets within the target with Toolhelp32.
    • We can map out memory regions with VirtualQueryEx.
    • We can execute code in the context of the process with CreateRemoteThread (and RtlRemoteCall).
    How much control would a debugger have given us?

    • We’d be able to suspend and resume threads, which we can do anyways.
    • We’d be able to read and write memory, which we can do anyways.
    • We’d be able to set breakpoints.
    • We’d be able to single-step the program.
    • We’d be able to read register contents.
    • We’d be able to call functions, which we can do anyways.
    • We’d be able to search memory for strings, which we can do anyways.
    Without anything more interesting than the MSDN man pages, we come reasonably close to this without invoking the debug interface. In exchange for not showing up in NtQuerySystemInformation or mucking with the UEF, we give up easy-to-use breakpoints, single-stepping, and register access. But:

    • We can trivially get single-use, nonrecoverable breakpoints; just inject INT 3 into the text with WriteProcessMemory.
    • We can potentially get access to registers using NtSetThreadContext.
    • We can hook functions, in all the usual ways.
    How close can we get to a fully-functional debugger without Windows knowing about it? I’ve been playing with this for a couple weeks, using Python and ctypes, turning IDLE into a debugger prompt. And it seems like the answer is “extremely close”. More later, but if this is totally obvious, pointers, links, and comments are welcome.



    http://www.matasano.com/log/707/is-win32-a-debugging-api-if-not-how-close-is-it/
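The toolkit the first post describes (OpenProcess, Read/WriteProcessMemory, VirtualProtectEx, VirtualQueryEx, and INT3 patching via WriteProcessMemory), as an added example in Python and ctypes. This is not the original post's code nor Matasano's; the class and function names, the region walk, and the breakpoint table are this example's own. The Windows-only calls are isolated in RemoteProcess and loaded lazily, so the bookkeeping that a resuming handler would need (the region map and the INT3 patch table with its EIP rewind) runs and can be exercised on any platform:

```python
# Added example (not from the original post or Matasano's code): the
# "no debugger attached" toolkit from the first post, in Python + ctypes.
# Windows-only calls live in RemoteProcess and are loaded lazily, so the
# bookkeeping (region walk, INT3 patch table) runs and tests anywhere.
import ctypes
import sys

PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020
PROCESS_VM_OPERATION, PROCESS_QUERY_INFORMATION = 0x0008, 0x0400
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0            # all PAGE_EXECUTE* protections live in this nibble
INT3 = b"\xCC"


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def _kernel32():
    """Load kernel32 with explicit prototypes (Windows only, loaded lazily)."""
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    P, SZ, U32 = ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32
    k.OpenProcess.argtypes, k.OpenProcess.restype = [U32, ctypes.c_int, U32], P
    for fn in (k.ReadProcessMemory, k.WriteProcessMemory):
        fn.argtypes, fn.restype = [P, P, P, SZ, ctypes.POINTER(SZ)], ctypes.c_int
    k.VirtualProtectEx.argtypes = [P, P, SZ, U32, ctypes.POINTER(U32)]
    k.VirtualProtectEx.restype = ctypes.c_int
    k.VirtualQueryEx.argtypes = [P, P, ctypes.POINTER(MEMORY_BASIC_INFORMATION), SZ]
    k.VirtualQueryEx.restype = SZ
    return k


class RemoteProcess:
    """OpenProcess + Read/WriteProcessMemory + VirtualProtectEx + VirtualQueryEx."""
    def __init__(self, pid):
        self.k = _kernel32()
        self.h = self.k.OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE |
                                    PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, 0, pid)
        if not self.h:
            raise ctypes.WinError(ctypes.get_last_error())

    def read(self, addr, n):
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t()
        if not self.k.ReadProcessMemory(self.h, addr, buf, n, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:got.value]

    def write(self, addr, data):
        # Text pages are normally PAGE_EXECUTE_READ: flip to RWX for the patch, then back.
        old, put = ctypes.c_uint32(), ctypes.c_size_t()
        if not self.k.VirtualProtectEx(self.h, addr, len(data), PAGE_EXECUTE_READWRITE, ctypes.byref(old)):
            raise ctypes.WinError(ctypes.get_last_error())
        ok = self.k.WriteProcessMemory(self.h, addr, data, len(data), ctypes.byref(put))
        self.k.VirtualProtectEx(self.h, addr, len(data), old.value, ctypes.byref(old))
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())

    def query(self, addr):
        mbi = MEMORY_BASIC_INFORMATION()
        if not self.k.VirtualQueryEx(self.h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            return None
        return (mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect)


def walk_regions(query, start, end):
    """Map the address space by repeated queries. query(addr) returns
    (base, size, state, protect) or None once the range is exhausted."""
    regions, addr = [], start
    while addr < end:
        r = query(addr)
        if r is None:
            break
        regions.append(r)
        addr = r[0] + r[1]
    return regions


def executable_regions(regions):
    """Committed regions with any PAGE_EXECUTE* protection: where an INT3 can go."""
    return [r for r in regions if r[2] == MEM_COMMIT and r[3] & EXECUTE_MASK]


class SoftBreakpoints:
    """INT3 patches tracked outside the target. The post calls them single-use
    and non-recoverable: nothing catches the trap unless some handler does, and
    that handler needs this table to restore the byte and back EIP up."""
    def __init__(self, read, write):
        self.read, self.write, self.saved = read, write, {}

    def set(self, addr):
        if addr not in self.saved:
            self.saved[addr] = self.read(addr, 1)
            self.write(addr, INT3)

    def restore(self, addr):
        orig = self.saved.pop(addr)
        self.write(addr, orig)
        return orig

    def rewind_eip(self, eip):
        """After an INT3 trap EIP is one past the 0xCC; rewind only if it was ours."""
        return eip - 1 if (eip - 1) in self.saved else eip


if __name__ == "__main__" and sys.platform == "win32":
    p = RemoteProcess(int(sys.argv[1]))        # usage: script.py <pid>
    top = 0x7FFEFFFF if ctypes.sizeof(ctypes.c_void_p) == 4 else 0x7FFFFFFEFFFF
    for base, size, _, prot in executable_regions(walk_regions(p.query, 0, top)):
        print(f"{base:#x} +{size:#x} prot={prot:#x}")
```

Run against a PID with the same credentials and it lists the executable regions where a patch could land; `SoftBreakpoints(p.read, p.write)` then does the INT3 bookkeeping on top of the same handle. The user-space ceiling passed to walk_regions is an assumption for this example, not something the post specifies.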

  2. #2
    dELTA (Administrator)
    This is actually a very interesting area, and I remember a good discussion about it here before, including emulating breakpoints, but I can't seem to find it at the moment.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    So has anybody ever attempted to write a debugger that never actually attaches? Clearly, a lot of functionality is available, you just have to work for it. But if somebody took the time to encapsulate this work...

    Regarding breakpoints (if this wasn't already suggested in dELTA's phantom thread): if DLL injection into the target is allowed, then we could quite feasibly install a VEH, which precedes the SEH, and communicate the exception record back to the debugging process. It's reasonably clean, and it can be made to work with most processes, as VEH use is rare. Even processes that do use vectored handlers can be dealt with if necessary by hooking AddVectoredExceptionHandler, but that's a little immoral.

    Another project for the bottom of the to-do list, then.

    Admiral

  4. #4
    dELTA (Administrator)
    That would indeed be a very cool project. I'll add it to the bottom of my todo-list as well.

  5. #5
    Well then, which one of you is going to actually move it closer to the "top" of the "to do" list and start actually working??

    Regards,
    JMI

  6. #6
    Actually, the correct name for these tools is 'non-intrusive debuggers'; they are based upon the principle of injecting a DLL into an application, which hooks SEH and communicates with an external application that is the debugger GUI.
    It is commonly used for logging application 'steps' without being forced to deal with things like VM logging and debugging.

    mmh... but always wondered if... mmh...
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  7. #7
    Non-intrusive debugging is not the most accurate sometimes. PoC: try single-stepping this code with a non-intrusive debugger and see what happens.

    Code:
    ; MASM syntax; the memory operands need an explicit size or the assembler rejects them
    mov dword ptr [esp-4], 0deadc0deh   ; store a marker just below the stack pointer
    mov eax, dword ptr [esp-4]          ; read it back after the single-step trap
    The context will overwrite the content of [esp-4]. Well, there are a few ways that come to my mind on how to solve this problem, but it would require ring0 patching, and we are limited here to r3 by the author of the 1st post.

  8. #8
    !

    Never thought about that, indeed. Thanks, useful

  9. #9
    dELTA (Administrator)

  10. #10

  11. #11
    dELTA (Administrator)
    Damn that's cool, just what we were talking about, even seems quite serious and advanced, and open source too, thanks!

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/Obsidian

  12. #12
