Thread: Debugger Detection Via NtSystemDebugControl

  1. #1
    Registered User

    Debugger Detection Via NtSystemDebugControl

    Hi,
    NtSystemDebugControl() is a really powerful undocumented function that allows you direct manipulation of the system's structures.

    Here is a definition of NtSystemDebugControl:

    http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Debug/NtSystemDebugControl.html

    The use of this function is limited only by the fancy of the coder.

    I've rewritten some basic anti-debugging techniques with direct structure reading via NtSystemDebugControl. Obviously there are shorter ways to implement these anti-debug apps, but I think that the more reimplementations exist, the more possibilities there are to trick an attacker who may not know/understand the application, especially if embedded in much, much junk code.

    Here you can download the Source Code sample:

    http://evilcry.netsons.org/other/ntsd.zip

    Have a nice Day,
    Evilcry

  2. #2
    Musician member evaluator
    this applies only to m$ debugger, or also Sice & Olly??

  3. #3
    Registered User
    It's debugger independent, because it checks the usual system structs influenced by the presence of debuggers.
    Last edited by evilcry; September 15th, 2008 at 10:18.

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  4. #4
    Super Moderator Shub-nigurrath
    excellent mate!
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  5. #5
    If you look closely though, it's nothing 'new' regarding debugger detection, just another way to go about it...
    checking GlobalFlags, checking the PEB for IsDebugged and so on...

  6. #6
    Super Moderator Shub-nigurrath
    Yes of course, the information on which it relies is the same as the well-known tests; anyway, interesting API.

  7. #7
    Registered User
    Hi,

    evlncrn8, I've clearly specified this:

    I've rewritten some basic anti-debugging techniques
    I've not claimed that these are new detection methods, but other ways.

    My only intent is to illustrate NtSystemDebugControl.

    @Shub-nigurrath: Thank you man


    Regards,
    Evilcry
    Last edited by evilcry; September 15th, 2008 at 10:16.


  8. #8
    Hi there, I remember seeing an anti-rootkit tool which used this specific API to perform rootkit detection without a driver. Can't remember its name, but I will try to find it and post a ref to it.

  9. #9
    Teach, Not Flame Kayaker
    this applies only to m$ debugger, or also Sice & Olly??
    No, not with Sice. EPROCESS.DebugPort is never enabled when running under Softice, so they're all usermode only.


    Nice evilcry, I threw the code into a blank VC6++ console project. I get a weird, somewhat random error when running on my system (XP SP2) with NO debuggers present. Under a debugger it runs fine. It also seems to run fine under VMWare under either condition. McAfee is the only ~thing~ I have running.


    The error occurs either the 1st OR the 2nd time NtSystemDebugControl tries to read the PEB or EPROCESS; the return is the unhelpful STATUS_UNSUCCESSFUL. GetLastError doesn't provide any info.

    The 1st time is when it reads the PEB, OR the 2nd is when it accesses one of the fields (IsDebuggerPresent, NtGlobalFlags).

    It doesn't matter which of the 3 tests is called first, it always happens on the *first* occurrence of accessing the PEB (or sometimes initially the PEB field); the rest of the NtSystemDebugControl calls seem to be able to access the PEB OK after that. In the case of DebugPort, there was also an error, this time when accessing EPROCESS I think.

    But it doesn't happen all the time! It seems to happen more when I open the file from a command line, instead of double clicking on the application, but not always. The behaviour is also a little different between Debug and Release versions of the file. One tends to error when the PEB itself is read, the other errors when the PEB.0xxx field is read by NtSystemDebugControl.


    It's a weird error, but it seems to indicate that the PEB and EPROCESS may not be immediately accessible to NtSystemDebugControl 100% of the time. The function itself might be a bit buggy, or maybe it indicates some failure to immediately verify the proper privileges.

    I suppose I should also test it on another system and a different compiler, but it makes me question the undocumented NtSystemDebugControl as a bombproof function - or method.

    Dunno if anyone else experienced this.

    Cheers,
    Kayaker
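The three checks the original post reimplements and the intermittent STATUS_UNSUCCESSFUL Kayaker describes, as an added example that is not the code from ntsd.zip: it evaluates PEB.BeingDebugged, the NtGlobalFlag heap flags and EPROCESS.DebugPort over bytes returned by a SysDbgReadVirtual-style reader, retries a failed read a bounded number of times, and reports a read that keeps failing as "unknown" rather than "clean". The reader callback, the structure offsets (assumed 32-bit XP SP2 layout) and the fake memory image are assumptions so the block runs offline; on a real system the reader would wrap NtSystemDebugControl with SeDebugPrivilege enabled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the thread's checks over bytes fetched by a SysDbgReadVirtual-style
 * reader, plus the retry that Kayaker's sporadic STATUS_UNSUCCESSFUL suggests. */
#define STATUS_SUCCESS      0x00000000L
#define STATUS_UNSUCCESSFUL 0xC0000001L
#define PEB_BEINGDEBUGGED   0x02   /* assumed x86 PEB offsets */
#define PEB_NTGLOBALFLAG    0x68
#define EPROC_DEBUGPORT     0xBC   /* assumed XP SP2 EPROCESS offset */
#define HEAP_DEBUG_FLAGS    0x70   /* TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS */

/* Reader with SysDbgReadVirtual semantics: copy len bytes at addr into buf, return NTSTATUS. */
typedef long (*read_virtual_fn)(uintptr_t addr, void *buf, size_t len);

/* NtSystemDebugControl was seen to fail once and then work, so retry a bounded number of times. */
static long read_retry(read_virtual_fn rd, uintptr_t addr, void *buf, size_t len) {
    long st = STATUS_UNSUCCESSFUL;
    for (int i = 0; i < 3 && st != STATUS_SUCCESS; i++) st = rd(addr, buf, len);
    return st;
}

/* 1 if any check fires, 0 if all are clean, -1 if the reads kept failing (not the same as "clean"). */
int debugger_detected(read_virtual_fn rd, uintptr_t peb, uintptr_t eproc) {
    uint8_t being_debugged; uint32_t gflag, dbgport;
    if (read_retry(rd, peb + PEB_BEINGDEBUGGED, &being_debugged, 1) != STATUS_SUCCESS) return -1;
    if (read_retry(rd, peb + PEB_NTGLOBALFLAG, &gflag, 4) != STATUS_SUCCESS) return -1;
    if (read_retry(rd, eproc + EPROC_DEBUGPORT, &dbgport, 4) != STATUS_SUCCESS) return -1;
    return (being_debugged || (gflag & HEAP_DEBUG_FLAGS) || dbgport) ? 1 : 0;
}

/* Constructed fake memory so the block runs offline: PEB image at 0x0, EPROCESS image at 0x1000. */
static uint8_t fake_peb[0x100], fake_eproc[0x100];
static int flaky_calls, fail_all;
static long fake_read(uintptr_t addr, void *buf, size_t len) {
    if (fail_all || flaky_calls++ == 0) return STATUS_UNSUCCESSFUL;   /* first call fails, as reported */
    memcpy(buf, addr < 0x1000 ? fake_peb + addr : fake_eproc + (addr - 0x1000), len);
    return STATUS_SUCCESS;
}

/* debugged=1 plants BeingDebugged and the heap flags; broken=1 makes every read fail. */
int run_scenario(int debugged, int broken) {
    uint32_t f = HEAP_DEBUG_FLAGS;
    memset(fake_peb, 0, sizeof fake_peb); memset(fake_eproc, 0, sizeof fake_eproc);
    flaky_calls = 0; fail_all = broken;
    if (debugged) { fake_peb[PEB_BEINGDEBUGGED] = 1; memcpy(fake_peb + PEB_NTGLOBALFLAG, &f, 4); }
    return debugger_detected(fake_read, 0x0, 0x1000);
}
```

run_scenario(1, 0) fires on the first retry despite the initial failed read, while run_scenario(0, 1) returns -1, which a caller should log as an inconclusive check rather than silently treating it as "no debugger".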

  10. #10
    Registered User
    Hello,

    I've worked with VS2k5 and XP SP2.

    Also I've noticed one or two NtSystemDebugControl failures, but they "seem" random, and I've had the same impression as you, Kayaker: NtSystemDebugControl is buggy; I think it fails on the occurrence of some unknown condition.

    It seems to happen more when I open the file from a command line, instead of double clicking on the application, but not always. The behaviour is also a little different between Debug and Release versions of the file. One tends to error when the PEB itself is read
    Nice discovery!
    I'll step into NtSystemDebugControl under the command-line condition to see what happens.

    @Deroko:
    eheh yes, this function has been used for anti-rootkit technology; here you can see a code sample of it:

    http://www.openrce.org/blog/view/354/Tips_&_Tricks_Part_2_-_Putting_ZwSystemDebugControl_to_good_use

    Regards,
    Evilcry


  11. #11
    Nah, it's not the one I was referring to. At rootkit.com a few months ago there was a full working anti-rootkit using this API. Really can't find it now.

  12. #12
    nice contribution..
