Results 1 to 6 of 6

Thread: POP SS and Debuggers

  1. #1

    POP SS and Debuggers

    This little trick is very interesting, my first encounter with it was in a commercial protection, it left me wondering why a Push / Pop SS would implicit execute the next instruction without the Debugger knowing of it, i.e. raising a single-step exception, so I’ve decided to look into it and try to figure out why, and I believe I have found the explanation , but first let me show you how this technique can be used to detect debuggers relying on the Single Step flag for tracing.

    If a debugger executes something like this:

    PUSHFD -> push Efflags to Stack .

    debuggers such as Olly is kind enough to “shadow” itself, And clean the result produced by this instruction and removing the trap flag from the EFflags pushed to stack.

    But if it’s done like this:

    Push ss
    pop ss
    pushfd

    Olly will not remove the trap flag, which is very interesting and leaves it very vulnerable to trace detection. The Explanation seems to be pretty straight forward if you check out the Intel manuals and look up pop , you will find a passage similar to this :

    A POP SS instruction inhibits all interrupts, including the NMI interrupt, until after
    Execution of the next instruction. This action allows sequential execution of POP SS
    And MOV ESP, EBP instructions without the danger of having an invalid stack during
    An interrupt1. However, use of the LSS instruction is the preferred method of loading
    the SS and ESP registers.

    Well most of this can be boiled down to , if POP SS is executed , the CPU will prevent triggering of interrupts , as to avoid corruption of the stack. So why on earth is this affecting us when we are tracing using the single-step flag, well simply because when the Single-step flag is set , it triggers and interrupt in the CPU , but when a POP SS is executed it won’t trigger interrupts before it has executed the next instruction after it , and thus olly will never get a single-step exception for the PUSHFD and won’t know it has been executed , and thus wont clean out the trap-flag and leave us vulnerable to detection.

    Circumventing this trick , is tricky since simply patching it out is easy , but if implementet correctly it can prevent tracing of your code very effectively and be a pain in the ass.

    Comments and suggestions , are always welcome

  2. #2
    ...hmmm where did i see that (sometime buggy) snippet repeated over and over?

    however, there are 2 simple ways:

    1) write a small driver that, whenever you are tracing, check the next instruction to ensure it is not a pop SS (and checking if you were coming from !kernel address is always a nice idea anyway). A well known ARTeam guy has written one with sourcecode

    2) using olly or IDA, just write a small extension that filter it out during stepping.

    It depends on your debugger of choice, mainly. Whenever you find pop SS, just patch it (inc. program counter or patch/restore it with nops then emulate etc.). You won't find many applications that CHANGE the segment register nowadays...
    Won't be very difficult to do, believe me.
    I think I did the former (oh, you also need to inc ESP by 4 too, I did forget it the first time and it is never a nice idea...)
    Last edited by Maximus; August 21st, 2008 at 16:03.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  3. #3
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,480
    Blog Entries
    1
    BTW
    This fact is not only for POP SS, but all other MOV SS, instructions..

  4. #4
    why does int3 following pop ss still raise #BP ? cause the int3 is EXECUTED? maybe I misunderstand the NMI

  5. #5
    forgot , im not sure..berpaps Debug_intrupts or whatever are exceptet from the rule ..im not so knowledgeable on the interupt part ..but im sure somebody here knows.

    evaluator: thats interesting info
    http://www.reversing.dk/

  6. #6
    Registered User
    Join Date
    Mar 2006
    Posts
    16
    Blog Entries
    1
    forgot, according to the Intel manuals if you place a breakpoint instruction imediately after POP SS/MOV SS it may not be trigerred in some cases.

Similar Threads

  1. Hiding Threads From Debuggers
    By walied in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: November 24th, 2012, 20:34
  2. Exception Handling and Debuggers
    By _genuine in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: November 9th, 2009, 09:14
  3. Debuggers, user experience
    By cli.iface in forum The Newbie Forum
    Replies: 7
    Last Post: July 2nd, 2009, 15:40
  4. about the book <<How Debuggers Work.. >>
    By lordor in forum The Newbie Forum
    Replies: 7
    Last Post: December 6th, 2004, 18:44
  5. Debuggers/Disassemblers?
    By ftothe3 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 17
    Last Post: April 14th, 2004, 07:55

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •