Antidebugging by Piotr Bania

1.        ---------------------------------------------------
2.     Antidebugging for (m)asses - protecting the env.
3.        ---------------------------------------------------
4.      written by Piotr Bania <bania.piotr@gmail.com>
5.  
6.          [___ http://pb.specialised.info ___]
7.  
8.   -----------------
9.    0. DISCLAIMER
10.   -----------------
11.  
12.     Author takes no responsibility for any actions with provided information
13.         or codes. The copyright for any material created by the author is reserved.
14.         Any duplication of codes or texts provided here in electronic or printed
15.     publications (including compiled code) is not permitted without the author's
16.     agreement.
17.  
18.  
19.  -----------------
20.   I. INTRODUCTION
21.  -----------------
22.  
23.     The number of computer hackers/crackers has reached a very high level recently.
24.     Currently it is very hard to develop product which will be secure against
25.     those type of people, to be const-stricto it is surely impossible. However,
26.     why not make their dirty work harder and give them some more, so lets take a
27.     look of few new antidebugging methods/techniques.
28.     On the other hand it can help malware/virus researchers understand
29.     and analyse latest bad stuff. Enjoy!
30.  
31.     NOTE: Following examples were created/researched/tested on windows xp box
32.     it is possible that they will not work on other windows systems.
33.  
34.  -----------------
35.   II. EXAMPLES
36.  -----------------
37.  
38.        ----------------------
39.     [+] Example 01h
40.        ----------------------
41.  
42.     Affects (works on): All so-called SEH debuggers (tested on Ollydbg and Windbg).
43.      
44.     Note: Following example requires administrator privileges for well known
45.     reasons. In fact it doesn't affects scale of its severity much, because
46.     administrator privileges are required to use some debugger features, so
47.     if one wants to use all debug stuff it needs to run as admin.
48.  
49.     Generally after researching few things inside windows kernel, I found that it is
50.     possible to open CSRSS.EXE (client server runtime process - system process),
51.     while application is being debugged. Have a look at this code (I believe it will make it
52.     hell easier to understand):
53.  
54.     ----// SNIP SNIP //---------------------------------------------------------
55.    
56.     push <CSRSS_PID>        ; pid
57.     push 0              ; Inheritable = FALSE
58.     push 0C3Ah          ; access flags=CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE
59.                     ; \ |QUERY_INFORMATION|800
60.     @callx OpenProcess
61.     test eax,eax
62.     jz @we_are_not_debugged
63.  
64.     @evil_me:           ; <- execution flows here when debugger is attached
65.     int 3
66.  
67.     @we_are_not_debugged:       ; well no SEH debugger detected or not enough privileges
68.  
69.     ----// SNIP SNIP //---------------------------------------------------------
70.  
71.     Like I said before when application is debugged it is able to open CSRSS.EXE and it this
72.     case OpenProcess will not fail (of course I guess I don't have to remind you about
73.     privileges). What's more, look at the rights which we have used to open target process,
74.     *yuck* - debugged application has full control of CSRSS.EXE! The last thing I have figured
75.     out that a special native API exists exported by ntdll used to grab pid of CSRSS named as
76.     CsrGetProcessId.
77.  
78.     (microsoft windows xp sp1 output)
79.     E:\asm>find ntdll.dll CsrGetProcessId
80.     ------------------------------------------------------------
81.         Little GetProcAddress Utility
82.         coded by Piotr Bania <bania.piotr@gmail.com>
83.     ------------------------------------------------------------
84.     * ntdll.dll base addr at: 0x77F50000
85.       + CsrGetProcessId has address: 0x77F5EF76
86.     ------------------------------------------------------------
87.  
88.     If you don't want to execute CsrGetProcessId you can emulate it
89.     (address hard coded for microsoft windows xp sp1), like this example shows:
90.  
91.     ----// SNIP SNIP //---------------------------------------------------------
92.     mov eax,077FC46A4h      ; ntdll variable where CSRSS pid is stored
93.     xchg eax,[eax]          ; EAX=now CSRSS pid
94.     ----// SNIP SNIP //---------------------------------------------------------   
95.  
96.  
97.     Following example (when debugged) causes BSOD because its creating a thread inside of
98.     client server runtime process at not existing location:
99.  
100.    
101.     ----// SNIP SNIP //---------------------------------------------------------
102.     mov eax,077F5EF76h
103.     call eax            ; execute CsrGetProcessId, returns CSRSS pid
104.  
105.     push eax
106.     push 0
107.     push 0C3Ah
108.     @callx OpenProcess      ; open CSRSS process
109.     test eax,eax       
110.     jz exit             ; opening failed
111.  
112.  
113.     call a
114.     dd 0
115.     a:
116.     push 0
117.     push 0
118.     push 0
119.     push 1234567h           ; yep, it doesn't exist...
120.     push 0
121.     push 0
122.     push eax
123.     @callx CreateRemoteThread   ; creates a thread inside of process, *BSOD*
124.  
125.     exit:
126.     push 0
127.     @callx ExitProcess
128.     ----// SNIP SNIP //---------------------------------------------------------
129.  
130.    
131.     Well I hope you enjoyed this one, so lets think about another example.
132.  
133.  
134.        ----------------------
135.     [+] Example 02h
136.        ----------------------
137.  
138.     The XP series provides magic API called CheckRemoteDebuggerPresent (well generally it
139.     provides a lot of new debug features), and like the name suggests it is used to check if
140.     debugger is present.
141.  
142.  
143.     E:\asm>find kernel32.dll CheckRemoteDebuggerPresent
144.     ------------------------------------------------------------
145.         Little GetProcAddress Utility
146.         coded by Piotr Bania <bania.piotr@gmail.com>
147.     ------------------------------------------------------------
148.     * kernel32.dll base addr at: 0x77E60000
149.       + CheckRemoteDebuggerPresent has address: 0x77EB582B
150.     ------------------------------------------------------------
151.  
152.     Few words from MSDN about this function:
153.     (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/
154.     \ debugactiveprocessstop.asp)
155.  
156.     ----
157.     CheckRemoteDebuggerPresent
158.  
159.     The CheckRemoteDebuggerPresent function determines whether the specified process
160.     is being debugged.
161.  
162.     BOOL CheckRemoteDebuggerPresent(
163.       HANDLE hProcess,
164.       PBOOL pbDebuggerPresent
165.     );
166.  
167.     Parameters
168.     hProcess        - [in] Handle to the process.
169.     pbDebuggerPresent   - [in, out] Pointer to a variable that the function sets to
170.                 - TRUE if the specified process is being debugged, or FALSE otherwise.
171.  
172.     Return Values
173.     If the function succeeds, the return value is nonzero.
174.     If the function fails, the return value is zero. To get extended error information,
175.     call GetLastError.
176.     ----
177.  
178.     And here is a little code for this example:
179.  
180.     ----// SNIP SNIP //---------------------------------------------------------
181.  
182.     push offset is_present      ; our variable
183.     push -1             ; process handle
184.     mov eax,077EB582Bh
185.     call eax            ; execute CheckRemoteDebuggerPresent
186.  
187.     mov eax,dword ptr [is_present]
188.     test eax,eax
189.     jz @we_are_not_debugged     ; no debugger found
190.  
191.     @we_are_debugged:       ; execution flows here when debugger is attached
192.     int 3      
193.    
194.     is_present  dd 0   
195.  
196.     ----// SNIP SNIP //---------------------------------------------------------
197.    
198.  
199.     Or if you prefer emulated way (by using NtQueryInformationProcess):
200.  
201.     E:\asm>find ntdll.dll NtQueryInformationProcess
202.     ------------------------------------------------------------
203.         Little GetProcAddress Utility
204.         coded by Piotr Bania <bania.piotr@gmail.com>
205.     ------------------------------------------------------------
206.     * ntdll.dll base addr at: 0x77F50000
207.       + NtQueryInformationProcess has address: 0x77F5BDD8
208.     ------------------------------------------------------------
209.      
210.     And here comes a little emulation example:
211.  
212.     ----// SNIP SNIP //---------------------------------------------------------
213.  
214.     lea eax,our_process_handle
215.     push eax
216.     mov ebx,esp
217.     push 0
218.     push 4
219.     push ebx
220.     push 7
221.     push dword ptr [eax]
222.     mov eax,077F5BDD8h
223.     call eax                ; execute NtQueryInformationProcess
224.     pop ecx
225.     test eax,eax
226.     jl exit
227.  
228.     cmp ecx,0
229.     jge @we_are_not_debugged
230.  
231.     int 3                   ; yes we are debugged!
232.  
233.  
234.     @we_are_not_debugged:           ; no debugger detected
235.     exit:
236.     push 0
237.     @callx ExitProcess
238.  
239.     our_process_handle          dd -1
240.    
241.     ----// SNIP SNIP //---------------------------------------------------------
242.  
243.     Now lets turn the page to another 3rd example.
244.  
245.  
246.        ----------------------
247.     [+] Example 03h
248.        ----------------------  
249.    
250.    
251.     Many times Softice/D* users terminates debugged program by using "r eip ExitProcess"
252.     or by assembling direct jump/call to ExitProcess api in this example I will demonstrate
253.     how to detect debugger when such action/actions occurs.
254.  
255.     Well this thing can be done in many ways like patching ExitProcess with jmp to
256.     our procedure and so on, however it can be defeated easily and it is not so stealthy.
257.     I'm going to show you an example for this technique.
258.  
259.     Protecting region of ExitProcess by VirtualProtect (for known reasons dirty and not
260.     perfect), what is even more funny it causes Break-on-access exception in Olly in
261.     current version there is no option to bypass it :)) (of course I believe you
262.     know how to rewrite it for catching olly)
263.  
264.    
265.        Schema how this example works:
266.        I.   STAGE - Setup SEH frame which will catch PAGE_GUARD exception
267.     II.  STAGE - Change access protection of >ExitProcess to PAGE_GUARD
268.     III. STAGE - If debugger action will be found we will end in SEH frame
269.                  with marker variable set to zero, otherwise it will be set
270.                  to 1 (good flag).
271.     IV.  STAGE - display message box
272.  
273.  
274.        NOTES: After STATUS_PAGE_GUARD exception the PAGE_GUARD access protection
275.            of ExitProcess is turned off. Better thing then variable marker?
276.            Yes you can try random keys stored in registers and so on
277.            then you can compare it in SEH frame (context structure)
278.  
279.    
280.        ----// SNIP SNIP //---------------------------------------------------------
281.     mov ebx,077E79863h              ; ExitProcess addr
282.  
283.         push offset seh_handler     ;setup SEH frame
284.        push dword ptr fs:[0]
285.        mov dword ptr fs:[0],esp
286.  
287.        push offset old_protect
288.        push PAGE_EXECUTE_READ OR PAGE_GUARD
289.        push 1
290.        push ebx
291.         @callx VirtualProtect       ; give it PAGE_GUARD protection
292.  
293.  
294.        push 0
295.        push offset m1
296.        push offset m1
297.        push 0
298.        @callx MessageBoxA
299.                     ; attach debugger and give "r eip ExitProcess"
300.                     ; of course it must be done after protecting
301.                     ; ExitProcess
302.  
303.        exit:
304.         mov dword ptr [marker],1    ; marker set to 1
305.        push 0
306.         @callx ExitProcess         
307.  
308.  
309.        seh_handler:
310.         pop     dword ptr fs:[0]    ; remove SEH frame
311.         pop eax
312.  
313.         cmp byte ptr [marker],1     ; is this our call?
314.        je exit
315.  
316.        push 0
317.        push offset m2
318.        push offset m2
319.        push 0
320.         @callx MessageBoxA      ; we are debugged...
321.        jmp exit
322.  
323.         m2              db "Ups im being debugged :)",0
324.         m1              db "Attach debugger now and change eip to ExitProcess!",0
325.  
326.         marker              db 0
327.         old_protect         dd 0
328.        
329.  
330.            ----// SNIP SNIP //---------------------------------------------------------    
331.        
332.    
333.  
334.  ---------------------
335.   III. OUTRO(DUCTION)
336.  ---------------------
337.  
338.     This is seems to be the end of this short article, I have plenty more ideas but
339.     not enough time to write them all here. Anyway I hope you enjoyed the stuff
340.     I have provided here, if you have any questions drop me a mail.