flat assembler
Message board for the users of flat assembler.

Anti-Debugging question (maybe new one?)

Overflowz



Hello everyone, I was thinking and here comes the idea.
When a program is attached to a debugger, it places INT3 breakpoints, right? Let's take a little example.
We have 0x90909090 instructions at 0x00401000 and there are some instructions at 0x90909090 too!
When the debugger places a breakpoint there, it would be 0xCC909090, right?
Here are examples of what I'm thinking.

normal execution:
Code:
mov eax,dword[0x00401000] ;eax = 0x90909090 -> valid memory address
mov eax,dword[eax] ;eax = some data at 0x90909090    

under debugger:
Code:
mov eax,dword[0x00401000] ;eax = 0xCC909090 -> invalid memory address
mov eax,dword[eax] ;???    

Is this possible? Because I saw a lot of applications under a debugger with the same result. (It's probably changed before, I guess?)
Post 14 Nov 2011, 17:44
mindcooler



This is a common way to protect code from debugging. Reading from code and doing something with the result, which fails if you have for example set a software breakpoint somewhere in the code.
Post 14 Nov 2011, 19:04
garystampa



I would think if someone were single-stepping they might just skip any compare that is performed with that data. Further, if the pattern is a bunch of NOPs that would be a clue that something's up. I'd suggest things like PUSH eax and POP eax or other inert combinations.
Post 14 Nov 2011, 21:14
f0dder



Overflowz wrote:
When a program is attached to a debugger, it places INT3 breakpoints, right?
Not necessarily.

Single-stepping sets EFLAGS.TF and handles INT1, and you can do location breakpoints with the DRx hardware debugging registers instead of placing 0xCC.

Post 15 Nov 2011, 18:26
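
The effect discussed in this thread, as an added example that is not part of any poster's message: a C simulation on a constructed 4-byte buffer (not real code memory) showing the dword a self-read returns when a software breakpoint sits on the first or the fourth NOP, and that a hardware breakpoint leaves it unchanged. The names load_dword, set_sw_breakpoint, set_hw_breakpoint and the dr array are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define INT3 0xCC  /* opcode a debugger writes for a software breakpoint */

/* Constructed sample: four NOPs standing in for the code at 0x00401000. */
static uint8_t code[4] = { 0x90, 0x90, 0x90, 0x90 };

/* Simulated DR0-DR3: a hardware breakpoint stores an address here and
   never touches the code bytes. */
static uintptr_t dr[4];

/* What "mov eax,dword[addr]" loads on x86: the first byte in memory
   becomes the low byte of eax (little-endian). */
static uint32_t load_dword(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Software breakpoint: overwrite one instruction byte and return the
   original so the debugger can restore it later. */
static uint8_t set_sw_breakpoint(uint8_t *p) {
    uint8_t saved = *p;
    *p = INT3;
    return saved;
}

/* Hardware breakpoint: only a (simulated) debug register changes. */
static void set_hw_breakpoint(int slot, const uint8_t *p) {
    dr[slot] = (uintptr_t)p;
}

int main(void) {
    printf("clean:           %08X\n", (unsigned)load_dword(code));
    uint8_t saved = set_sw_breakpoint(&code[0]);
    printf("INT3 on 1st NOP: %08X\n", (unsigned)load_dword(code));
    code[0] = saved;
    saved = set_sw_breakpoint(&code[3]);
    printf("INT3 on 4th NOP: %08X\n", (unsigned)load_dword(code));
    code[3] = saved;
    set_hw_breakpoint(0, &code[0]);
    printf("DR0 on 1st NOP:  %08X\n", (unsigned)load_dword(code));
    return 0;
}
```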