
Thread: ARTeam: xADT eXtensible Anti Debug Tester v1.4 by Shub-Nigurrath

  1. #1 Shub-nigurrath (Super Moderator; joined May 2004; location: Obscure Kadath; posts: 430)

    ARTeam: xADT eXtensible Anti Debug Tester v1.4 by Shub-Nigurrath

    Hi all,
    Version 1.4 is ready to go out; this is a major release of the already released xADT program.

    You can find it at http://arteam.accessroot.com/releases.html

    This is a major release because a lot of work has been done to add novel and missing anti-debugging tests.

    The rough list of improvements is:

    • several new tests, a total of 20 (!) new tests have been added to this version
    • complete C++ sources of 8 plugins (1 which was already distributed as binary in version 1.3 and 7 new for version 1.4)
    • 6 tutorials specific to some tests, explaining how the tests work and how to skip the detection.
    • a standalone program made by chupachu performing the same tests I already included in the version 1.3
    • 2 standalone parallel programs: chupachu tester (the same tests are also distributed as xADT's plugins) and EDD by Hellsp@wn
    • several fixes here and there.


    I wish to thank several people who contributed with ideas, code and testing:
    metr0, Evilcry, ChupaChu, MOID, ReWolf, Defsanguje, ap0x, ... and all the ARTeam members!

    For a complete history and instructions, check the file readme.txt.

    Code:
    version 1.4
          -slightly modified the readme FAQ section
          -Everything has been tested with Windows XP SP3; sources have been tested with VS2008 and VS60
          -fixed an error in the PDK: the _cdecl convention wasn't explicitly declared

          plugins:
             -minor bugfixing of some previously released plugins
             -Updated FindWindow Complex with recent keywords (like PHANTOM, 0LLY, BR3AKPOINTS, ...)
             -fixed xadt_ollybof.dll. Now it's named Allybof. PAY ATTENTION: due to the nature of the test, the whole of xADT might crash
              if tested outside OllyDbg (see notes within the readme.txt file)
             -fixed SIDT Test (now it is called ex-SIDT), which was crashing the system on multi-processor machines

          new-plugins: total of 20 new tests
            +ex-SIDT, a fixup of the old SSIDT test, thanks to deroko who rewrote the driver (now it is multiprocessor aware). This is a PoC of a multi-plugin using drivers
            +ex-SIDT also performs a Ring0 test of debug registers
            +NtQueryInfoProc_hook_detection (idea of Metr0/SnD), plus standalone proof-of-concepts
            +DeleteFiber (idea of evilcry), plus documentation on the theory of the test
            +NtSystemDebugControl (idea of evilcry), plus documentation on the theory of the test. This plugin implements 3 demonstrative tests
            +xadt_SofticeServicesTest by deroko, which tests the presence of SOFTICE using OpenServiceA/EnumServicesStatusA/EnumServicesStatusExA
             (3 internal tests done)
            +int2Atrick (idea of ReWolf), plus documentation on the theory of the test
            +MiscTricks from ideas documented here http://www.securityfocus.com/infocus/1893 (also included in the distribution).
             All tests not already implemented in xADT have been included (9 tests)

            +full sources (projects tested with VS60/VS2008) of the following plugins, often with explanations on the theory and how you can hide:
                      ex-SIDT, sources of driver and plugin
                      int2Atrick,
                      DeleteFiber,
                      NtSystemDebugControl,
                      SICE_Tricks,
                      MiscTricks,
                      xadt_SofticeServicesTest
                      NtQueryInfoProc_hook_detection, sources of standalone C and ASM programs and of the whole plugin
            +added ZwQueryObject_readme.txt, which explains a possible way to solve the ZwQueryObject test (thanks to deroko)

          standalone tools:
            +All the tests ChupaChu released since version 1.3, as a separate standalone program too: "testbed_chupachu.exe"
            +Included in the distribution the program EDD Extreme Debug Detector by Hellsp@wn; this program does fewer tests but it's handy to have it in this package too
    Some notes on the tests.
    1. Some tests are just PoC and can be improved; I released the sources for them. An example is the test NtQueryInfoProc_hook_detection, which can also be used with other anti-debug tests and not only with NtQueryInfoProc.
    2. The xadt_Allybof test is intended to exploit the export name buffer overflow vulnerability of Olly, trying to crash it. This plugin is from Defsanguje. By its nature the test works perfectly if xADT is debugged by OllyDbg, but crashes xADT if the program is running normally. So pay attention and, if needed, do not launch this test or remove the dlls (the test is made of two dlls: xadt_Allybof.dll and Allybof.dll) from the plugin folder.
    3. Several tests are connected to execution time thresholds which detect the presence of a debugger, because the same code runs slower than usual. These timing-based tests are sensitive to slow machines, because in these cases the thresholds should be higher. I didn't code any threshold adaptation routine, so you might get some false positives on slow machines or virtually emulated machines (which are slow too). You can disassemble the dll or recompile it to adapt the thresholds to your needs.
    4. xADT has been tested with all these combinations:
      • Operating systems on real PCs and Virtual PC:
        • Windows XP SP2/SP3,
        • Windows Vista
      • OllyDbg:
        • SND OllyDbg,
        • normal OllyDbg,
        • OllyDbg modded using xFile,
        • hidden using xFile, advancedolly, analyzethis, hidedebugger, ollydump
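Note 3 above explains why a hard-coded timing threshold yields false positives on slow or emulated machines and says the plugins contain no threshold adaptation. The block below is an added illustration of such an adaptation, not code from xADT or any of its plugins: it times a fixed workload a few times on the machine it runs on, derives the threshold from the median of those runs times a headroom factor, and compares a further run against both a constructed hard-coded 2 ms threshold and the calibrated one. The workload, the run count and the factor of 10 are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
/* Fixed workload whose duration gets compared against a threshold
   (hypothetical stand-in for the timed code inside a plugin). */
static volatile uint32_t sink;
static void workload(void) {
    uint32_t x = 0x12345678u;
    for (int i = 0; i < 200000; i++) x = x * 1664525u + 1013904223u;
    sink = x;
}
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* Threshold derived from calibration runs on this very machine: median * factor.
   The median discards one-off scheduler spikes; the factor leaves headroom so a
   merely slow or emulated machine stays below it. Sorts samples in place. */
uint64_t calibrate_threshold(uint64_t *samples, size_t n, unsigned factor) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    uint64_t median = (n % 2) ? samples[n / 2]
                              : (samples[n / 2 - 1] + samples[n / 2]) / 2;
    return median * factor;
}
/* What a timing test reports: 1 if the run took longer than allowed. */
int exceeds_threshold(uint64_t elapsed_ns, uint64_t threshold_ns) {
    return elapsed_ns > threshold_ns;
}
int main(void) {
    enum { RUNS = 9 };
    uint64_t samples[RUNS], t0;
    for (int i = 0; i < RUNS; i++) { t0 = now_ns(); workload(); samples[i] = now_ns() - t0; }
    uint64_t fixed = 2000000ull;                      /* hard-coded 2 ms, constructed */
    uint64_t calibrated = calibrate_threshold(samples, RUNS, 10);
    t0 = now_ns(); workload(); uint64_t elapsed = now_ns() - t0;
    printf("elapsed %llu ns, fixed threshold -> %d, calibrated -> %d\n",
           (unsigned long long)elapsed, exceeds_threshold(elapsed, fixed),
           exceeds_threshold(elapsed, calibrated));
    return 0;
}
```

On a fast machine both thresholds report 0; on a slow or emulated one the fixed threshold can report 1 while the calibrated one still reports 0, which is the false positive the note describes.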



    PS CRCETL entry updated as well. ;-)
    Last edited by Shub-nigurrath; September 22nd, 2008 at 08:51.
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  2. #2
    Thanks Shub for the update!

    Regards,
    JMI

  3. #3 dELTA (Administrator; joined Oct 2000; location: Ring -1; posts: 4,206; blog entries: 5)
    Nice update! (and thanks as always for keeping the CRCETL entries of your tools updated!)

    Direct CRCETL link:
    http://www.woodmann.com/collaborative/tools/index.php/XADT_eXtensible_Anti-Debug_Tester
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    nice work shub
    Found in the OpenGL header file for Visual C++ 6: 'typedef GLint int '. AAAARRRRGGGHHHH!!! [Don't get it? You're not a C programmer.]

    A hacker does for love what others would not do for money.

    Being married to a programmer is like having a cat. You talk to it but you're never really sure if it hears you, much less comprehends what you say.

  5. #5 Registered User (joined Aug 2005; location: Italy; posts: 133; blog entries: 31)
    Great work mate!

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  6. #6 blub22 (Guest)
    very nice but doesn't support vista 64
