
Thread: Anti-trace/Anti-debug techniques

  1. #1
    foxthree
    Guest

    Anti-trace/Anti-debug techniques

    Hi All:

    I'm very much interested in this part of the protection (as I'm sure you all are). This is because if a protection does this well enough, it might as well make our life miserable, as we rely on tracing/debugging to analyze the inner workings of the program.

    Recently, I found that INT 1 is the debugger exception and that when the TR flag in EFLAGS is set up, the processor executes exactly one instruction and generates INT 1 so that the debugger can gain control.

    Also, if GD (Global Debug) flag is turned off in the DR7 register, you cannot write anything to the DRx registers. It is like essentially locking all DRx registers.

    My questions are as follows:

    (1) Do kernel-level debuggers (like SICE) also use INT 1?
    (2) Why doesn't any protection software switch temporarily to ring 0, turn off the TR flag, hook INT 1 (the new interrupt handler does nothing actually), set the GD flag in DR7, thereby essentially *finishing* all debuggers? (Or do some of them already do this?)
    (3) Are my above postings correct, or am I just having an ASM fit?

    Thanks for sharing your thoughts on this.

    Signed,
    -- FoxThree

    PS: I'm planning to open an archive of all known anti-debug and anti-trace techniques (similar to CrackZ). I already have quite a bit of material. If you find any site/URL that has such information, I'd be glad if you could share it with me so that I, in turn, can share it with the world.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    DakienDX
    Guest
    Hello foxthree !

    If GD in DR7 is turned on, any read/write to the DR? registers will execute an INT 1.

    SoftICE uses INT 1, but not all the time. For example, a BPX does use INT 3 to break, a BPM uses INT 1. BPR/BPX use INT 1 to re-enable the BPR/BPX after it has triggered once.
    You can find very useful information about this in +Spath's "SoftICE Internals".

    Some protections switch to Ring-0 to change/clear the DR? registers, but the problem is always how to do it on different operating systems. Turning off the Trap Flag wouldn't help anything if the program is running, since it isn't traced and TR is not set on anyway. Hooking INT 1 and setting GD on is a bit unsafe, since an INT 3 or the debugger's hotkey will be able to set INT 1 back and clear the GD flag again, since it executes its own INT 1 on DR? access. And if you're tracing the code, the protector can't hook INT 1 and enable GD in one instruction (didn't you think that the debugger could also have set GD on?), and if you're stepping over a call, INT 3 comes in again and can set everything back.

    No, your above posting with "GD off=DR? locked" is not correct.

  3. #3
    foxthree
    Guest

    One further question

    THIS MSG IS QUOTED BY TSEHP...VBULLETIN BUG...

    Hi DakienDX:

    Thanks for your insightful post. However, my question is that if I (as the protector) hook the INT 1 handler (which the debugger would've hooked) and prevent "chaining" of the INT 1 interrupt vector, what gives?

    >>it will give the following thing :
    Daemon already coded an app that selftraces, hooking the int1 to decode instructions and executes them later.
    But my tracer is installed here before, so it can fool the target that tries to hook this interrupt and chain its own interrupt vector after... he he, it was there at first

    Another coincidence is that of tsehp's post in the same forum about SICE behavior in WinXP. In that he writes, WinXP's SYSENTER interrupt handler trashes the TR flag and there seems to be no way to reset it back. What if I do this + hook the INT 1 handler and prevent the Debugger's INT 1 from being called?

    >>it's done at ring0 level, but again a ring0 tracer that detects this can re-enable the tf flag after this crime is done ;-)

    Am I making sense or just yapping?

    >>to finish : if the tracer/debugger is loaded at first, it will always have the opportunity to emulate and lie to the traced target, and all the work coding such apps is there.

    regards,

    tsehp


  4. #4
    DakienDX
    Guest
    Hello foxthree !

    I don't think I understand your question. I was assuming that you are the only one who handles INT 1 and that there is no chaining. You must always remember that INT 1 is not the only way to access SoftICE. How would you try to hook INT 1 anyway? (remember, different operating systems)

    I think you haven't understood Tsehp's post correctly. Tsehp means the TR flag is switched off by WinXP, so his tracer will not continue after the system call because there is no INT 1 executed after that call. Of course you can set the flag back by hand, but it isn't done automatically. This is nothing that a protector could use, only a WinXP-specific "bug".

  5. #5
    foxthree
    Guest

    Thanks!

    Hi Tsehp/DakienDX:

    Thanks for all your wise posts. I really appreciate you sharing your knowledge with me.

    Signed,
    -- FoxThree

  6. #6
    ^DAEMON^
    Guest
    Hi

    Sorry, but the above isn't correct... I DON'T hook interrupt 1! It's a good old trap flagger, nothing else, using SEH (that turns on the trap flag in EFLAGS!)

    and if u are interested in anti-stuff visit my homepage

    h**p://www.anticrack.de/daemon

    best regards,
    ^DAEMON^

  7. #7
    foxthree
    Guest

    He he

    Hi there Daemon:

    Up to your usual tricks is it? I took a look at your site and all I can say is WOW!!!

    I can see a new ALERT coming up:

    ALERT!!! HEAVY DUTY READING COMING UP ALERT!!!!

    Signed,
    -- FoxThree

  8. #8
    tsehp
    Guest
    yep, you're right daemon, sorry for the mistake.

    you also used a lea eax, eax to do the dirty calls ;-)


    Two kinds of tracers actually exist:

    1- the ring 3 tracer: my first versions and the actual ImpREC 1.4.2.
    They must be the first SEH, so they always reside at the top of the fs:[0] chain. They are pretty easy to defeat because they only rely on ring 3 mem accesses; they can't fool the IDT, and you can play tricks on them to remove them from fs:[0]; they always have to emulate/avoid the instructions that can uninstall them.

    2- the ring 0 tracer: icedump (installed with sice) and Revirgin's actual tracer, TMHK. Those tracers have the highest "power", meaning that they can access everything in mem, can modify the IDT and can also produce great BSODs for my part ;-)
    Those are more difficult to defeat, because they only rely on Windows internal kernel code to work.

    regards,

    tsehp
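The mechanism the whole thread turns on (foxthree's INT 1/trap-flag question in #1, DAEMON's "trap flagger" in #6, and tsehp's ring 3 vs ring 0 split in #8) can be watched directly from user mode. The program below is an added example, not code from any poster or from the protectors named here. It assumes Linux on x86-64 with glibc and GCC inline assembly; Windows delivers the same #DB exception through SEH, Linux delivers it as SIGTRAP. The first function sets TF with pushfq/or/popfq and counts one trap per instruction until the handler clears the bit in the saved RFLAGS; the second shows why DR7 cannot be touched from ring 3 (the read raises #GP, delivered as SIGSEGV), which is the reason the protections DakienDX describes have to go to ring 0 first.

```c
/* Added example (not from the thread): x86 single-step traps and DR7 access.
 * Assumes Linux x86-64, glibc, GCC inline asm. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#define TF_BIT 0x100u   /* bit 8 of EFLAGS/RFLAGS: the trap flag */

static volatile sig_atomic_t g_traps;   /* #DB traps observed so far */
static volatile sig_atomic_t g_limit;   /* handler clears TF once this many fired */

/* Linux delivers the INT 1 / #DB exception as SIGTRAP. The kernel clears TF
 * while the handler runs and restores the saved RFLAGS on return, so clearing
 * the bit in the saved context is what stops the single-stepping. */
static void on_trap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    g_traps++;
    if (g_traps >= g_limit)
        uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)TF_BIT;
}

/* Set TF, let the CPU raise one trap per instruction until the handler has
 * seen `limit` of them, then clear TF ourselves as a safety net and report
 * how many traps fired. `limit` must stay small (a few dozen at most) so the
 * handler clears TF before the explicit clear below is reached. */
int count_single_steps(int limit)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_trap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);

    g_traps = 0;
    g_limit = limit;

    /* The classic "trap flagger": POPF sets TF, and the first single-step
     * trap fires after the instruction that follows POPF. */
    __asm__ volatile("pushfq\n\t"
                     "orq $0x100, (%%rsp)\n\t"
                     "popfq\n\t"
                     "nop" ::: "memory", "cc");

    for (volatile int i = 0; i < 64; i++)   /* plenty of instructions to step */
        ;

    /* Safety net: clear TF before the default SIGTRAP action is restored. */
    __asm__ volatile("pushfq\n\t"
                     "andq $~0x100, (%%rsp)\n\t"
                     "popfq" ::: "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);
    return g_traps;
}

static sigjmp_buf g_jmp;

static void on_gp(int sig)
{
    (void)sig;
    siglongjmp(g_jmp, 1);   /* mask saved by sigsetjmp(..., 1) is restored */
}

/* Returns 1 if reading DR7 from user mode faulted (#GP -> SIGSEGV), 0 if it
 * was permitted. Debug registers are privileged, so ring 3 code gets 1. */
int dr7_read_faults(void)
{
    struct sigaction sa, old;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_gp;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(g_jmp, 1) == 0) {
        unsigned long v;
        __asm__ volatile("mov %%dr7, %0" : "=r"(v));
        (void)v;
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int main(void)
{
    printf("single-step traps observed: %d\n", count_single_steps(5));
    printf("DR7 read from ring 3 faulted: %d\n", dr7_read_faults());
    return 0;
}
```

Run it natively, not under a debugger: a debugger that owns SIGTRAP (or a ring 0 tracer in the thread's terms) sits in front of the handler and can hide or alter every one of these traps, which is exactly tsehp's closing point about whoever is loaded first being able to lie to the other side.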

  9. #9
    ^DAEMON^
    Guest
    BTW, your tracer gets stuck in my latest version of child-protector. You can now download a public version at http://www.anticrack.de/daemon

    (win 2k!!!)

    ^DAEMON^

  10. #10
    ^DAEMON^
    Guest
    (hihi i love my job )

  11. #11
    DakienDX
    Guest
    Originally posted by ^DAEMON^
    Hi

    Sorry, but the above isn't correct... I DON'T hook interrupt 1! It's a good old trap flagger, nothing else, using SEH (that turns on the trap flag in EFLAGS!)

    and if u are interested in anti-stuff visit my homepage

    h**p://www.anticrack.de/daemon

    best regards,
    ^DAEMON^
    Hello ^DAEMON^ !

    The thread here was started by foxthree as a general question and I answered him in a general way. We were only talking about anti-debugging tricks and WinXP bugs.
    Then you came, thinking we're all talking about you and your protector, and started to tell us that everything is false just because your protector doesn't use it.

    We weren't talking about you, didn't you notice that?

  12. #12
    evaluator
    Yep, I downloaded "protect_last_beta.zip" at 10.04.2002 00:11.
    Finished unpacking at 01:55.
    !!!!!!!!!!!!!DO YOU KNOW!!!!!!!!!!!!!!!!
    ******I unpacked it WITHOUT debugger!*******

    OEP I guessed. So daemon, be so kiddy & tell me, am I RIGHT?

    BTW!!! BUG REPORT!
    I tried but failed to protect these programs:
    NOTEPAD.EXE
    REVIRGIN.EXE
    2 exe's from ICLEZION's tuts & all others!
    Here I crash my PC..

  13. #13
    ^DAEMON^
    Guest
    Sorry Dakien, I noticed that of course.

    Again sorry if I got you angry, didn't want that.

    evaluator: I wrote that you should only try it on TASM files (otherwise play with the ini file, set all values to 0),
    but it will fail in 90% - download a few of my unpackers and protect them... and you'll see it works (TASM ://)

    ^DAEMON^

  14. #14
    evaluator
    OK, but you didn't answer my question:
    is my OEP right or not?

  15. #15
    ^DAEMON^
    Guest
    Dunno, sorry, I am at work and can't check it.

    But stop uploading such files here please; if you want, then email them to me, k?

    Would be nice if you delete the post, thx in advance

    ^DAEMON^
