flat assembler
Message board for the users of flat assembler.

Strange Anti-Debugging Technique
Overflowz
Hello everyone, I found some file that has a really strange protection against debugging and virtual machines.. I can't analyse it because it does the anti-debug thing before the debugger is in a ready state.. I've tried it on a VM but it just closed my debugger and said it can't work under virtual mode.. Can someone analyse this and tell me what's wrong? :) Thank you.
P.S. I'll PM the link, and one more thing: it's not a virus. It's just a game file.
Post 08 Aug 2011, 22:38
vid
I suggest you read over the full PE specifications. Many seldom-used things can be used as effective anti-debugging techniques; what you found is one of them. I won't say more, that would ruin all the fun for you.
Post 08 Aug 2011, 22:53
AsmGuru62
Watch out for sections in the PE file. They may be mixed in such a way that most debuggers will not load it, but the real loader will. I've seen it once in some reverse engineering manual long ago (2004 or so...).
Post 09 Aug 2011, 10:47
Overflowz
PE sections are OK. I found it uses the privileged instruction "SYSENTER" and I'm going to study how it happens. I'll post results later if I find something :)
Post 09 Aug 2011, 12:38
Enko
Overflowz wrote:
PE sections are OK. I found it uses the privileged instruction "SYSENTER" and I'm going to study how it happens. I'll post results later if I find something :)

Does it come with a driver?

Because if it uses a driver for protection, you will only be able to debug it using a kernel-mode debugger like WinDbg.
Post 09 Aug 2011, 13:19
Overflowz
Yes, it uses a driver. I've copied only the executable file into VMware, where the driver is not installed, but it does the same job. It exits the debugger before it loads to a normal state.
Post 09 Aug 2011, 15:33
Enko
Overflowz wrote:
It exits the debugger before it loads to a normal state.

TLS callback section?

http://board.flatassembler.net/topic.php?t=13170
Post 10 Aug 2011, 05:05
vid
Oh come on, you spoil all the fun :(
Post 10 Aug 2011, 09:05
Overflowz
Yes!!! Really, I didn't know about TLS. It has a section called 'TLS' and I guess it's using the same thing now! Thank you very much :))) I'm going to study that :)
vid:
I'm not knowledgeable enough to guess things like that :P I'm only 18 and trying to learn all these things myself; nobody is helping me except people from here, so everything is hard for me ))
Post 10 Aug 2011, 13:02
Enko
vid wrote:
Oh come on, you spoil all the fun :(

He had 3 days to find it; if I didn't tell him, he would get frustrated and commit suicide.
We don't want it that way :D

By the way Overflowz, try to put a jmp to the EntryPoint in the first line of the TLS.
If the program does not crash, it would mean that the TLS holds only anti-debugging stuff and you're welcome to erase it.
Post 10 Aug 2011, 13:23
vid
Quote:
I'm not knowledgeable enough to guess things like that. I'm only 18 and trying to learn all these things myself; nobody is helping me except people from here, so everything is hard for me ))

That's why you should read the official specs, which cover everything, and experiment with rare stuff. That's how TLS was discovered in the first place.
Post 10 Aug 2011, 13:25
Overflowz
Well, I could, but I don't have time.. I'm studying at university + learning + working and I have little time for ASM.. I'm trying to learn it when I have free time :) (which I really don't have much of..)
About the TLS callback, I don't understand what this means..
Code:
section '.tls' data readable writeable
data 9 ; the TLS directory is data directory entry number 9 (zero-based)
        .RawDataStartVA    dd 0
        .RawDataEndVA      dd 0
        .AddressofIndex    dd address_of_index
        .AddressofCallback dd address_of_callback
        .SizeofZeroFill    dd 0
        .Characteristic    dd 0

        address_of_index    dd 0
        address_of_callback dd my_callback1, my_callback2, 0 ; list of callback VAs, zero-terminated
end data

What does "data 9" mean? And also, is there a macro for doing such a thing? Like "section '.data' data readable writeable"...
Post 10 Aug 2011, 13:49
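As an added example, not code from this thread: a small Python reader for the structure the fasm snippet above fills in. It finds data directory entry 9 of a PE32 file, follows it to AddressOfCallBacks and lists the callbacks the loader will run before the entry point, which is what you check before deciding whether a TLS section holds only anti-debugging code; the PE image it builds is constructed in memory, not a real binary.

```python
import struct
IMAGE_DIRECTORY_ENTRY_TLS = 9   # the "data 9" of the fasm snippet: slot 9 of the data directory

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, rawsz, rawptr in sections:
        if va <= rva < va + max(vsize, rawsz):
            return rva - va + rawptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def tls_callbacks(image):
    """Return (AddressOfCallBacks VA, [callback VAs]) for a PE32 image, or None if it has no TLS directory."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                      # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe + 6)       # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ lays the optional header out differently")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]               # NumberOfRvaAndSizes may be < 10
    tls_rva = struct.unpack_from("<I", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0] if ndirs > 9 else 0
    if tls_rva == 0:
        return None
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY32: StartVA, EndVA, AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics
    cb_va = struct.unpack_from("<6I", image, rva_to_offset(sections, tls_rva))[3]
    callbacks = []
    if cb_va:
        p = rva_to_offset(sections, cb_va - image_base)               # the table holds VAs, not RVAs
        while struct.unpack_from("<I", image, p)[0] != 0:              # zero-terminated list
            callbacks.append(struct.unpack_from("<I", image, p)[0])
            p += 4
    return cb_va, callbacks

def build_sample_pe():
    """Constructed PE32 image, not a real binary: one section (RVA 0x1000 = file offset 0x200) with a TLS dir."""
    base, pe, opt, sec = 0x400000, 0x80, 0x80 + 24, 0x80 + 24 + 224   # section table follows the optional header
    img = bytearray(0x400)
    img[0:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)   # COFF header, 1 section
    struct.pack_into("<H26xI", img, opt, 0x10B, base)                  # Magic PE32 ... ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 24)
    img[sec:sec + 8] = b".tls\0\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<6I", img, 0x200, 0, 0, base + 0x1018, base + 0x101C, 0, 0)   # directory, like "data 9"
    struct.pack_into("<III", img, 0x21C, base + 0x1100, base + 0x1200, 0)           # two callbacks + terminator
    return bytes(img)
```

Calling tls_callbacks(build_sample_pe()) yields the callback table VA and the two callback VAs; a non-empty list means code runs before the entry point, so Enko's jump-to-EntryPoint test is worth trying.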
Enko
Are you joking? :o
Read the comment in the source. ^^
Post 10 Aug 2011, 15:30
Overflowz
No, I'm not. I can read the comment, but what does it do? 9th directory or something.. Also, what do these subvalues mean?
Post 10 Aug 2011, 15:55
MazeGen
Post 10 Aug 2011, 16:54
typedef
omg :D lol
Post 10 Aug 2011, 17:39
Overflowz
As I guess, this would be for the IAT.
Code:
data 1 ; the import directory is data directory entry 1 (entry 0 is the export directory)
   .OriginalFirstThunk  dd  0
   .TimeDateStamp       dd  0
   .ForwarderChain      dd  0
   .Name                dd  RVA dname   ; the loader expects RVAs in these fields, not VAs
   .FirstThunk          dd  RVA iname
   dd 0, 0, 0, 0, 0                     ; an all-zero descriptor terminates the table
end data

Am I right?
edit:
dname, iname = random values.
I mean, it equals this:
section '.idata' import ...
Post 11 Aug 2011, 14:46
Enko
Last edited by Enko on 11 Aug 2011, 16:27; edited 2 times in total
Post 11 Aug 2011, 15:58
vid
Enko: Come on, let him do at least some part of his homework. Give him a hint, not the answer.
Post 11 Aug 2011, 16:20
Enko
I wasn't sure myself that that was the answer, because in the documentation they don't put 0,1,2,3,4 next to the sections, only the offsets in order.
Let me look like I know something, at least sometimes :D
Post 11 Aug 2011, 16:25
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.