Anti-Debugging Techniques and Mitigation
Techniques
-
Windows
- API methods:
IsDebuggerPresentCheckRemoteDebuggerPresentNtQueryInformationProcessOutputDebugString/GetLastError
- Manually checking structures
- Check BeingDebugged in PEB (in fs:[30]).
- Check ForceFlags:
- In fs:[30][18][10] on Windows XP.
- In fs:[30][18][44] on Windows 7 32 bit.
- Check Flags:
- In fs:[30][18][0C] on Windows XP.
- In fs:[30][18][40] on Windows 7 32 bit.
- Check NTGlobalFlag at
fs:[30][68] == 0x70. - Look for debuggers specifically:
- Check registry.
- Use
FindWindow(<debugger>). - Look for executables on the file system.
- API methods:
-
Linux
- Check /proc/self/status for TracerPid.
- Try to attach using
ptrace.
-
Generic
- Check memory for breakpoints (e.g. 0xCC on x86).
- Code checksums (e.g. CRC).
- Check timing (see if more time has elapsed between two points than expected, implying single stepping).
rdtsc.QueryPerformanceCounteron Windows.GetTickCounton Windows.
- Mess with the debugger:
- Use tls callbacks, which run before many debuggers attach (check for a PE’s .tls section).
- Use exception, which are often handled by the debugger, or take too long to be passed to the application..
- Insert bogus interrupts. e.g.
int 3(as 0xCC and 0xCD03),int 2D(kernel bp),icebp.
- Take advantage of debugger bugs or vulns:
- Spotify used to crash OllyDBG.
- Bad PE/ELF.
- NumberOfRvaAndSizes > 0x10 in IMAGE_OPTIONAL_HEADER crashes OllyDBG 1.1.
- SizeOfRawData too big in IMAGE_SECTION_HEADER crashes OllyDBG 1.1.
- Calls to
OutputDebugStringwith “%s” token crashes OllyDBG 1.1.
Mitigation
- There are many plugins for OllyDBG, and newer windows debuggers tend to have them integrated.
- Use hw breakpoints.
- Break on these checks and fake the result.
- Configure the debugger to immediately pass on certain exceptions.
- Use a different debugger.
When all else fails:
- Find where the crash is, find the check and circumvent it.
Last modified on 2016-09-18