SlideShare ist ein Scribd-Unternehmen logo

Anti Debugging

•
•
n|u - The Open Security Community
n|u - The Open Security Community

null Delhi Chapter - August 2013 Meet

BildungTechnologie
1 von 47
Downloaden Sie, um offline zu lesen
ANTI|DEBUGGING By Adwiteeya Agrawal
REVERSE ENGINEERING • Definition “Software reverse engineering is about opening up a program’s “box,” and looking inside. “
PROGRAMMERS vs REVERSERS Logic Code Executable Logic Code
Example : Code Written Ideally , the else block should never be executed since the value of var1 is not changed.
After Disassembling We can easily modify the binary to execute the else loop.
Problem ? • A Google search for “Crack Torrent” returns 200 million results and “Software Crack” around 45M. • Reversing is extensively used to develop cracks for proprietary software.
Possible Solutions • Anti-Debugging (Detecting how a process is different from when it is being debbugged and when its run.) • Code Obfuscation(Encryption, pseudo execution flow, logic) • However : The end result after exploring the various options available is that we cannot totally prevent software reverse engineering however we can slow down the process for a dedicated reverse engineer.
Anti - Debugging • Anti Debugging is done acknowledging the fact that when a process is being debugged it is going to have a set of properties that would be different from when it is not debugged. • Anti-debugging requires a thorough understanding of the environment in which the program would be run.
Does Anti - Debugging help ? Example : CCleaner Software Vendors Software Crackers Malware Analysts
Types API Based Detection Techniques Direct structure access Exception Handling Based Detection
API Based Anti|Debugging (11 Techniques)
1.FindWindow API • Scans memory for a process with the particular class name. { hnd = FindWindow("OLLYDBG", 0); } • “OLLYDBG” is the class name for all windows that would be created and have the same callback function. • “0” scans irrespective of WindowName. • Returns a handle if successful • Spy++ utility can be used to enumerate the ClassName. • DEMO - spy++
Spy++ on OllyDbg
2. Registry Value • RegOpenKeyEx and RegQueryValueEx open a registry key and retrieve its value respectively KEY Function HKEY_CLASSES_ROOTexefileshellOpen with OllyDbg Specifies the menu for opening an exe file with OllyDbg with a right click HKEY_CLASSES_ROOTexefileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbg Specifies the menu for opening a dll file with OllyDbg with a right click HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindo ws NTCurrentVersionAeDebugDebugger Path to default Debugger
3. IsDebuggerPresent API • Looks for the BeingDebugged flag inside the PEB. • Extremely simple to use and thwart. • { IsDebuggerPresent() } returns true if the process is being debugged false otherwise. • Can be done manually • Assembly dump :
4. CheckRemoteDebuggerPresent API • Function : Detects if a Debug Port has been set. • Can be used for a “remote” process but is used locally mostly. • Locally : CheckRemoteDebuggerPresent(GetCurrentProcess(),&pblsPresent) ; • Remotely for a PID 2800 { hndle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2800); CheckRemoteDebuggerPresent(hndle,&pblsPresent); }
5.OutputDebugString API Set Random Value for ERROR Call OutputDebugString with any string Check Value Of ERROR If(No Change) : Debugger Present Else : No Debugger Works in XP.
Debug String Display in OllyDbg
Run Time Dynamic Linking LoadLibrary Handle to dll received GetProcAddress Address of exported function Call Example : ntdll.dll Ex : NTSetInformationThread, NTQueryInformationProcess
6. ZwSetInformationThread Function • Use run-time dynamic linking to get the address of ZwSetInformationThread. • Make the Call • (_ZwSetInformationThread)(GetCurrentThread(),0×11,0,0); • GetCurrentThread : Pseudo handle for the current thread • 0x11 : ThreadHideFromDebugger , 17 in THREADINFOCLASS enum. • 0 : Pointer of value that is to be set • 0 : Size of the value. • Different Approached followed.
7. DebugActiveProcess based Self Debugging • Theoretically a process can be debugged only by One Debugger. • Working : Create a child process Child Process attempts to debug parent If Error : Debugger Detected
8. OllyDbg Format String Vulnerability for Debugger Messages • More like a vulnerability based detection • The internal function that handles the input from OutputDebugString does so without using the correct number of format specifiers, allowing a user to supply their own format specifiers. • OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s%s% s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")); • Similar vulnerability based detection can be modeled around various vulnerabilities, Reference : http://waleedassar.blogspot.in
9. NTQueryInformationProcess to detect ProcessDebugPort • Run-time dynamic linking to get the pointer to NTqueryInformationProcess • Make the call with PROCESSINFOCLASS = 0x07 • NTSTATUS WINAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); • The 0x07 value is the process debug port. • Debug Port is used for communication of Debug_Event between ring 3 and the kernel • If set the process is being debugged.
• private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, . . . ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, MaxProcessInfoClass };
10. ProcessDebugFlags using NTQueryInformationProcess 11. ProcessDebugObject using NTQueryInformationProcess •Run-time Dynamic Linking to get address of NTQuertInformationProcess Function. •Make the call with PROCESSINFOCLASS 0x1F. •If Set Debugger is present. •Run-time dynamic linking to get the address •Call with PROCESSINFOCLASS 0x1E •If set debugger is present
• private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, . . . ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessResourceManagement, . . . ProcessRevokeFileHandles, MaxProcessInfoClass };
Exception Based Anti|Debugging (9 Techniques)
Exceptions | Windows First Chance VEH SEH Last Chance Unhandled 1st • EXCEPTION_DEBUG_EVENT VEH • VEH SEH • SEH, per thread, FS:0 LC • Process Suspend UE • UnhandledExceptionFilter • System Final Handler
Exception Handlers typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD* ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD, *PEXCEPTION_RECORD; typedef struct _EXCEPTION_POINTERS { PEXCEPTION_RECORD ExceptionRecord; PCONTEXT ContextRecord; } EXCEPTION_POINTERS, *PEXCEPTION_POINTERS; LONG CALLBACK ExceptionHandler( __in PEXCEPTION_POINTERS ExceptionInformation);
1. INT 3 Break Point Exception. • The INT 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler. • To set INT3 breakpoint, a debugger replaces first byte of the 80x86 command by 0xCC • Type : EXCEPTION_BREAKPOINT to the Debugger • When manually inlined then the process would just halt at the next instruction if run in a Debugger(thereby not triggering your catch block) or return 0x80000003 status code if run without a debugger.
2. INT 2D Exception • Int 2Dh is used by ntoskrnl.exe to interact with kernel debugging system but we can use it also in user-mode or from ring 3 as well since the call will eventually filter to a ring 3 debugger if no kernel debugger exists. • When int 2Dh is called the system will skip one byte after the interrupt, leading to opcode scission. • Behaves exactly like int 3 • Based on weather our catch block is executed or not we declare presence of a debugger.
3. 0xF1 ICE Break Point • This is identical to the functioning of 0xcc except the fact the this uses two bytes 0xCD 0x3C to insert the breakpoint. 4. TWO byte INT 3 breakpoint. •One of the Intel's undocumented instruction, opcode 0xF1. •Executing this instruction will generate a SINGLE_STEP exception. •The debugger will think it is the normal exception generated by executing the instruction with the SingleStep bit set in the Flags registers.
5. Close Handle API call • The CloseHandle function throws an exception, if an invalid handle is provided. • The logic behind detection with Close Handle function is the opposite to the ones used in INT3 or INT 2D exception based debugger detection. • Exception is only thrown when in a debugger • Usually in debugging sessions it is a common practice that the exception is passed to the application
6. Trap Flag exception based detection • The EFLAGS is a 32-bit register used as a collection of bits representing Boolean values to store the results of operations and the state of the processor. • By in-lining ASM we can modify the EFLAGS register. • First bit of the second byte that is TF or the trap flag. If this flag is set the execution halts after executing the current instruction. • Also called as the single step exception
EGLAGS Register
7. Memory breakpoint based detection • If a memory breakpoint is set up, any access to the page in which the breakpoint exists, would result in the exception and the process would halt. Allocate some 5mb Fill with RET Make it a GUARD PAGE Pointer to the PAGE Call the Pointer Detect Error
Technically VirtualAlloc(NULL, 0x500000, MEM_COMMIT, PAGE_READWRITE); RtlFillMemory(memRegion, 0x10, 0xC3); VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD, &oldProt); myproc = (FARPROC) memRegion myproc(); Detect Error ProcessExplorer:Demo
Hack that ?
8. Control C VEH • If a console process is being debugged for a CTRL+C signals, the system generates a DBG_CONTROL_C exception. • If a debugger is not present CTRL+C event would require a console control handler. • The CCH is executed if the debugger is not present. • However if the debugger is present and it passes the exception to the application we can still detect it by adding a vectored exception handler. ;)
9. INVALID OPCODE exception based debugging • Invalid OPCODE can be formed by manually editing bytes. • F0 0F C7 C8 popularly known as the "Pentium F00F bug.“ • This evaluates to LOCK CMPXCHNG8B EAX • OPCODE since a LOCK on CMPXCHNG8B cannot be applied with the destination operand as a register • Now, before this OPCODE is executed an exception is created ILLEGAL_INSTRUCTION (C000001D) • we define an UnhandledExceptionFilter ,only executed when the program is not being debugged. So even if the debugger passes the exception to the application there isnt any handler. ;)
Direct Structure Access Based Anti|Debugging (4 Techniques)
Direct isDebuggerPressent via PEB • In this method we manually do what the isdebuggerpresent function call does. • Run-Time Dynamic Linking to call NTQueryInformationProcess with PROCESSINFOCLASS set to ProcessBasicInformation = 0. • typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION; • Access ProcessExecutionBlock via PPEB (pointer) to check BeingDebbugedFlag.
PEB |Structure typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PVOID Reserved8[312]; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId; } PEB, *PPEB; pPIB.PebBaseAddress->BeingDebugged
ProcessHeapFlag Debugger Detection Heap Header User Allocation Heap Header User Allocation Tail Checking Pattern Heap Extra Multiple of 16 bytes16 bytes 16 bytes Multiple of 16 bytes 16 bytes 16–31 bytes DEBUGGERWithout With { HEAP } { /HEAP } •In order to tell this to the OS before creating the HEAP two flags are set. “Flags” and “ForceFlags” •Present at the offset 0x14 and 0x18 for windows XP. •PEBbase address + Offset to HEAPbaseAddress + Flag offset.
typedef struct _HEAP { HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; PHEAP Heap; . . . ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; WORD SegmentAllocatorBackTraceIndex; WORD Reserved; LIST_ENTRY UCRSegmentList; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; . . HEAP_COUNTERS Counters; HEAP_TUNING_PARAMETERS TuningParameters; } HEAP, *PHEAP;
NTGlobalFlag Debugger Detection • NTGlobalFlag is a DWORD value present at the offset 0x68 from the PEB base address. • When inside a debugger the following flags are set by the operating system : FLG_HEAP_ENABLE_TAIL_CHECK (0x10) FLG_HEAP_ENABLE_FREE_CHECK(0x20) FLG_HEAP_VALIDATE_PARAMETERS(0x40) • This equals to 0x70. We detect the value by the similar method and judge if a debugger is present or not.
and many more…  • Quick Discussion on minor. • And MOST importantly if I have reached this slide :D • THANK YOU NULL !

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionCongDoanVan1
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondJim Fenton
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
User security awareness
User security awarenessUser security awareness
User security awarenessK. A. M Lutfullah
 

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionCongDoanVan1
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondJim Fenton
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
User security awareness
User security awarenessUser security awareness
User security awarenessK. A. M Lutfullah
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking databaseimthebeginner
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
Web security
Web securityWeb security
Web securitySubhash Basistha
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Format String Attack
Format String AttackFormat String Attack
Format String AttackMayur Mallya
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Data explosion
Data explosionData explosion
Data explosionG Prachi
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Web security
Web securityWeb security
Web securitykareem zock
 
Broken access control
Broken access controlBroken access control
Broken access controlPriyanshu Gandhi
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessionsSukrit Gupta
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers ViewTyler Shields
 
Autour du Reverse Engineering des Malwares
Autour du Reverse Engineering des MalwaresAutour du Reverse Engineering des Malwares
Autour du Reverse Engineering des MalwaresAymen Bentijani
 

Weitere ähnliche Inhalte

Was ist angesagt?

Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking databaseimthebeginner
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Format String Attack
Format String AttackFormat String Attack
Format String AttackMayur Mallya
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Data explosion
Data explosionData explosion
Data explosionG Prachi
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Web security
Web securityWeb security
Web securitykareem zock
 
Broken access control
Broken access controlBroken access control
Broken access controlPriyanshu Gandhi
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessionsSukrit Gupta
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 

Was ist angesagt? (20)

Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Sql injection
Sql injectionSql injection
Sql injection
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking database
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
Web security
Web securityWeb security
Web security
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Format String Attack
Format String AttackFormat String Attack
Format String Attack
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Data explosion
Data explosionData explosion
Data explosion
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Web security
Web securityWeb security
Web security
 
Broken access control
Broken access controlBroken access control
Broken access control
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 

Andere mochten auch

Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers ViewTyler Shields
 
Autour du Reverse Engineering des Malwares
Autour du Reverse Engineering des MalwaresAutour du Reverse Engineering des Malwares
Autour du Reverse Engineering des MalwaresAymen Bentijani
 
software testing strategies
software testing strategiessoftware testing strategies
software testing strategiesHemanth Gajula
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
Download presentation
Download presentationDownload presentation
Download presentationwebhostingguy
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare pptMandy Suzanne
 

Andere mochten auch (8)

Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Autour du Reverse Engineering des Malwares
Autour du Reverse Engineering des MalwaresAutour du Reverse Engineering des Malwares
Autour du Reverse Engineering des Malwares
 
Notes on Debugging
Notes on DebuggingNotes on Debugging
Notes on Debugging
 
Debugging
DebuggingDebugging
Debugging
 
software testing strategies
software testing strategiessoftware testing strategies
software testing strategies
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
Download presentation
Download presentationDownload presentation
Download presentation
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare ppt
 

Ähnlich wie Anti Debugging

A exception ekon16
A exception ekon16A exception ekon16
A exception ekon16Max Kleiner
 
Современные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПОСовременные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПОPositive Hack Days
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone CivettaCocoaHeads France
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
JavaScript - Chapter 15 - Debugging Techniques
JavaScript - Chapter 15 - Debugging Techniques JavaScript - Chapter 15 - Debugging Techniques
JavaScript - Chapter 15 - Debugging TechniquesWebStackAcademy
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniquessecurityxploded
 
6-Error Handling.pptx
6-Error Handling.pptx6-Error Handling.pptx
6-Error Handling.pptxamiralicomsats3
 
Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Rapita Systems Ltd
 
F6dc1 session6 c++
F6dc1 session6 c++F6dc1 session6 c++
F6dc1 session6 c++Mukund Trivedi
 
We Make Debugging Sucks Less
We Make Debugging Sucks LessWe Make Debugging Sucks Less
We Make Debugging Sucks LessAlon Fliess
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)Unity Technologies Japan K.K.
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 

Ähnlich wie Anti Debugging (20)

A exception ekon16
A exception ekon16A exception ekon16
A exception ekon16
 
Современные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПОСовременные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПО
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis technique
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniques
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
Code quality par Simone Civetta
Code quality par Simone CivettaCode quality par Simone Civetta
Code quality par Simone Civetta
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Exception
ExceptionException
Exception
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
JavaScript - Chapter 15 - Debugging Techniques
JavaScript - Chapter 15 - Debugging Techniques JavaScript - Chapter 15 - Debugging Techniques
JavaScript - Chapter 15 - Debugging Techniques
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
6-Error Handling.pptx
6-Error Handling.pptx6-Error Handling.pptx
6-Error Handling.pptx
 
Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage"
 
F6dc1 session6 c++
F6dc1 session6 c++F6dc1 session6 c++
F6dc1 session6 c++
 
We Make Debugging Sucks Less
We Make Debugging Sucks LessWe Make Debugging Sucks Less
We Make Debugging Sucks Less
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス(note付き)
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 

KĂźrzlich hochgeladen

call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A BeĂąa
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 

KĂźrzlich hochgeladen (20)

call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 

Anti Debugging

  • 2. REVERSE ENGINEERING • Definition “Software reverse engineering is about opening up a program’s “box,” and looking inside. “
  • 4. Example : Code Written Ideally , the else block should never be executed since the value of var1 is not changed.
  • 5. After Disassembling We can easily modify the binary to execute the else loop.
  • 6. Problem ? • A Google search for “Crack Torrent” returns 200 million results and “Software Crack” around 45M. • Reversing is extensively used to develop cracks for proprietary software.
  • 7. Possible Solutions • Anti-Debugging (Detecting how a process is different from when it is being debbugged and when its run.) • Code Obfuscation(Encryption, pseudo execution flow, logic) • However : The end result after exploring the various options available is that we cannot totally prevent software reverse engineering however we can slow down the process for a dedicated reverse engineer.
  • 8. Anti - Debugging • Anti Debugging is done acknowledging the fact that when a process is being debugged it is going to have a set of properties that would be different from when it is not debugged. • Anti-debugging requires a thorough understanding of the environment in which the program would be run.
  • 9. Does Anti - Debugging help ? Example : CCleaner Software Vendors Software Crackers Malware Analysts
  • 12. 1.FindWindow API • Scans memory for a process with the particular class name. { hnd = FindWindow("OLLYDBG", 0); } • “OLLYDBG” is the class name for all windows that would be created and have the same callback function. • “0” scans irrespective of WindowName. • Returns a handle if successful • Spy++ utility can be used to enumerate the ClassName. • DEMO - spy++
  • 14. 2. Registry Value • RegOpenKeyEx and RegQueryValueEx open a registry key and retrieve its value respectively KEY Function HKEY_CLASSES_ROOTexefileshellOpen with OllyDbg Specifies the menu for opening an exe file with OllyDbg with a right click HKEY_CLASSES_ROOTexefileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbg Specifies the menu for opening a dll file with OllyDbg with a right click HKEY_CLASSES_ROOTdllfileshellOpen with OllyDbgcommand Path to OllyDbg HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindo ws NTCurrentVersionAeDebugDebugger Path to default Debugger
  • 15. 3. IsDebuggerPresent API • Looks for the BeingDebugged flag inside the PEB. • Extremely simple to use and thwart. • { IsDebuggerPresent() } returns true if the process is being debugged false otherwise. • Can be done manually • Assembly dump :
  • 16. 4. CheckRemoteDebuggerPresent API • Function : Detects if a Debug Port has been set. • Can be used for a “remote” process but is used locally mostly. • Locally : CheckRemoteDebuggerPresent(GetCurrentProcess(),&pblsPresent) ; • Remotely for a PID 2800 { hndle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2800); CheckRemoteDebuggerPresent(hndle,&pblsPresent); }
  • 17. 5.OutputDebugString API Set Random Value for ERROR Call OutputDebugString with any string Check Value Of ERROR If(No Change) : Debugger Present Else : No Debugger Works in XP.
  • 18. Debug String Display in OllyDbg
  • 19. Run Time Dynamic Linking LoadLibrary Handle to dll received GetProcAddress Address of exported function Call Example : ntdll.dll Ex : NTSetInformationThread, NTQueryInformationProcess
  • 20. 6. ZwSetInformationThread Function • Use run-time dynamic linking to get the address of ZwSetInformationThread. • Make the Call • (_ZwSetInformationThread)(GetCurrentThread(),0×11,0,0); • GetCurrentThread : Pseudo handle for the current thread • 0x11 : ThreadHideFromDebugger , 17 in THREADINFOCLASS enum. • 0 : Pointer of value that is to be set • 0 : Size of the value. • Different Approached followed.
  • 21. 7. DebugActiveProcess based Self Debugging • Theoretically a process can be debugged only by One Debugger. • Working : Create a child process Child Process attempts to debug parent If Error : Debugger Detected
  • 22. 8. OllyDbg Format String Vulnerability for Debugger Messages • More like a vulnerability based detection • The internal function that handles the input from OutputDebugString does so without using the correct number of format specifiers, allowing a user to supply their own format specifiers. • OutputDebugString(TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s%s% s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")); • Similar vulnerability based detection can be modeled around various vulnerabilities, Reference : http://waleedassar.blogspot.in
  • 23. 9. NTQueryInformationProcess to detect ProcessDebugPort • Run-time dynamic linking to get the pointer to NTqueryInformationProcess • Make the call with PROCESSINFOCLASS = 0x07 • NTSTATUS WINAPI NtQueryInformationProcess( _In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength ); • The 0x07 value is the process debug port. • Debug Port is used for communication of Debug_Event between ring 3 and the kernel • If set the process is being debugged.
  • 24. • private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, . . . ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, MaxProcessInfoClass };
  • 25. 10. ProcessDebugFlags using NTQueryInformationProcess 11. ProcessDebugObject using NTQueryInformationProcess •Run-time Dynamic Linking to get address of NTQuertInformationProcess Function. •Make the call with PROCESSINFOCLASS 0x1F. •If Set Debugger is present. •Run-time dynamic linking to get the address •Call with PROCESSINFOCLASS 0x1E •If set debugger is present
  • 26. • private enum PROCESSINFOCLASS: int { ProcessBasicInformation ProcessQuotaLimits, ProcessIoCounters ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, . . . ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessResourceManagement, . . . ProcessRevokeFileHandles, MaxProcessInfoClass };
  • 28. Exceptions | Windows First Chance VEH SEH Last Chance Unhandled 1st • EXCEPTION_DEBUG_EVENT VEH • VEH SEH • SEH, per thread, FS:0 LC • Process Suspend UE • UnhandledExceptionFilter • System Final Handler
  • 29. Exception Handlers typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD* ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD, *PEXCEPTION_RECORD; typedef struct _EXCEPTION_POINTERS { PEXCEPTION_RECORD ExceptionRecord; PCONTEXT ContextRecord; } EXCEPTION_POINTERS, *PEXCEPTION_POINTERS; LONG CALLBACK ExceptionHandler( __in PEXCEPTION_POINTERS ExceptionInformation);
  • 30. 1. INT 3 Break Point Exception. • The INT 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler. • To set INT3 breakpoint, a debugger replaces first byte of the 80x86 command by 0xCC • Type : EXCEPTION_BREAKPOINT to the Debugger • When manually inlined then the process would just halt at the next instruction if run in a Debugger(thereby not triggering your catch block) or return 0x80000003 status code if run without a debugger.
  • 31. 2. INT 2D Exception • Int 2Dh is used by ntoskrnl.exe to interact with kernel debugging system but we can use it also in user-mode or from ring 3 as well since the call will eventually filter to a ring 3 debugger if no kernel debugger exists. • When int 2Dh is called the system will skip one byte after the interrupt, leading to opcode scission. • Behaves exactly like int 3 • Based on weather our catch block is executed or not we declare presence of a debugger.
  • 32. 3. 0xF1 ICE Break Point • This is identical to the functioning of 0xcc except the fact the this uses two bytes 0xCD 0x3C to insert the breakpoint. 4. TWO byte INT 3 breakpoint. •One of the Intel's undocumented instruction, opcode 0xF1. •Executing this instruction will generate a SINGLE_STEP exception. •The debugger will think it is the normal exception generated by executing the instruction with the SingleStep bit set in the Flags registers.
  • 33. 5. Close Handle API call • The CloseHandle function throws an exception, if an invalid handle is provided. • The logic behind detection with Close Handle function is the opposite to the ones used in INT3 or INT 2D exception based debugger detection. • Exception is only thrown when in a debugger • Usually in debugging sessions it is a common practice that the exception is passed to the application
  • 34. 6. Trap Flag exception based detection • The EFLAGS is a 32-bit register used as a collection of bits representing Boolean values to store the results of operations and the state of the processor. • By in-lining ASM we can modify the EFLAGS register. • First bit of the second byte that is TF or the trap flag. If this flag is set the execution halts after executing the current instruction. • Also called as the single step exception
  • 36. 7. Memory breakpoint based detection • If a memory breakpoint is set up, any access to the page in which the breakpoint exists, would result in the exception and the process would halt. Allocate some 5mb Fill with RET Make it a GUARD PAGE Pointer to the PAGE Call the Pointer Detect Error
  • 37. Technically VirtualAlloc(NULL, 0x500000, MEM_COMMIT, PAGE_READWRITE); RtlFillMemory(memRegion, 0x10, 0xC3); VirtualProtect(memRegion, 0x10, PAGE_EXECUTE_READ | PAGE_GUARD, &oldProt); myproc = (FARPROC) memRegion myproc(); Detect Error ProcessExplorer:Demo
  • 39. 8. Control C VEH • If a console process is being debugged for a CTRL+C signals, the system generates a DBG_CONTROL_C exception. • If a debugger is not present CTRL+C event would require a console control handler. • The CCH is executed if the debugger is not present. • However if the debugger is present and it passes the exception to the application we can still detect it by adding a vectored exception handler. ;)
  • 40. 9. INVALID OPCODE exception based debugging • Invalid OPCODE can be formed by manually editing bytes. • F0 0F C7 C8 popularly known as the "Pentium F00F bug.“ • This evaluates to LOCK CMPXCHNG8B EAX • OPCODE since a LOCK on CMPXCHNG8B cannot be applied with the destination operand as a register • Now, before this OPCODE is executed an exception is created ILLEGAL_INSTRUCTION (C000001D) • we define an UnhandledExceptionFilter ,only executed when the program is not being debugged. So even if the debugger passes the exception to the application there isnt any handler. ;)
  • 41. Direct Structure Access Based Anti|Debugging (4 Techniques)
  • 42. Direct isDebuggerPressent via PEB • In this method we manually do what the isdebuggerpresent function call does. • Run-Time Dynamic Linking to call NTQueryInformationProcess with PROCESSINFOCLASS set to ProcessBasicInformation = 0. • typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION; • Access ProcessExecutionBlock via PPEB (pointer) to check BeingDebbugedFlag.
  • 43. PEB |Structure typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; BYTE Reserved4[104]; PVOID Reserved5[52]; PVOID Reserved8[312]; BYTE Reserved6[128]; PVOID Reserved7[1]; ULONG SessionId; } PEB, *PPEB; pPIB.PebBaseAddress->BeingDebugged
  • 44. ProcessHeapFlag Debugger Detection Heap Header User Allocation Heap Header User Allocation Tail Checking Pattern Heap Extra Multiple of 16 bytes16 bytes 16 bytes Multiple of 16 bytes 16 bytes 16–31 bytes DEBUGGERWithout With { HEAP } { /HEAP } •In order to tell this to the OS before creating the HEAP two flags are set. “Flags” and “ForceFlags” •Present at the offset 0x14 and 0x18 for windows XP. •PEBbase address + Offset to HEAPbaseAddress + Flag offset.
  • 45. typedef struct _HEAP { HEAP_ENTRY Entry; ULONG SegmentSignature; ULONG SegmentFlags; LIST_ENTRY SegmentListEntry; PHEAP Heap; . . . ULONG NumberOfUnCommittedPages; ULONG NumberOfUnCommittedRanges; WORD SegmentAllocatorBackTraceIndex; WORD Reserved; LIST_ENTRY UCRSegmentList; ULONG Flags; ULONG ForceFlags; ULONG CompatibilityFlags; ULONG EncodeFlagMask; HEAP_ENTRY Encoding; . . HEAP_COUNTERS Counters; HEAP_TUNING_PARAMETERS TuningParameters; } HEAP, *PHEAP;
  • 46. NTGlobalFlag Debugger Detection • NTGlobalFlag is a DWORD value present at the offset 0x68 from the PEB base address. • When inside a debugger the following flags are set by the operating system : FLG_HEAP_ENABLE_TAIL_CHECK (0x10) FLG_HEAP_ENABLE_FREE_CHECK(0x20) FLG_HEAP_VALIDATE_PARAMETERS(0x40) • This equals to 0x70. We detect the value by the similar method and judge if a debugger is present or not.
  • 47. and many more…  • Quick Discussion on minor. • And MOST importantly if I have reached this slide :D • THANK YOU NULL !