Monday, January 28, 2013

Wow64-Specific Anti-Debug Trick

In this post i will show you an anti-debug trick that i have recently found. The trick is specific to Wow64 processes. It rely on the fact that 32-bit debuggers e.g. OllyDbg, IDA Pro Debugger, and WinDbg_x86 don't receive debug events for certain exceptions originating from 64-bit code. One example of these exceptions is EXCEPTION_BREAKPOINT 0x80000003.

N.B. In a Wow64 process in Windows 7, its 32-bit code is executing in CS=0x23, while its 64-bit code is executing in CS=0x33.

Let's take for example the ntdll "DbgPrompt" function in Windows 7 64-bit.  I chose DbgPrompt for two reasons:
1) Calls to it end up with executing the INT 0x2D instruction, which raises an EXCEPTION_BREAKPOINT.
2) The 32-bit version of it (in 32-bit version of ntdll.dll) calls the 64-bit version of it (in 64-bit version of ntdll.dll).

N.B. The ntdll "DbgPrompt" function wraps up calls to the non-exported "DebugPrompt" function.

So, now if we call the "DbgPrompt" function from within our 32-bit code, we know that the call will end up with an EXCEPTION_BREAKPOINT raised from 64-bit mode.

The interesting thing here is that if you call the function without a debugger, the exception will be raised and its exception handler will be called. One the other hand, if a debugger is present, no exceptions are raised and the instruction following INT 2D will be executed.

Given the above knowledge, i wrote a simple demo for that Wow64-specific anti-debug trick. You can download the demo from here and its source code from here.

To bypass this trick, you have to use a 64-bit debugger where the exception will be raised and seen by the debugger.

Any comments or ideas are very welcome.

You can follow me on Twitter @waleedassar


  1. I haven't looked at the wow64 layer in awhile but i'm pretty sure that the debug layer provided to x86 debuggers will automatically pass on as handled any exception_breakpoint (0x80000003) or single_step (0x80000004) unless of course the interrupt was caused in the 32 bit code segment which are raised as 0x4000001E or 4000001F.

    Another good wow64 specific anti-debug that is typically overlooked while under a 32 bit debugger is the 64 bit PEB beingdebugged flag :)

  2. >>Another good wow64 specific anti-debug that is
    >>typically overlooked while under a 32 bit
    >>debugger is the 64 bit PEB beingdebugged flag :)

    I tweeted about that a while ago.

    Also, mentioned in Peter Ferrie's "Ultimate Anti-Debugging Reference".

  3. well then you just have everything documented don't ya ;p

    here is another one for your journeys that is specific to windbg. Have a look at Wow64NotifyDebugger. should be invoked by an x86 NtRaiseException.

  4. please how to compile this?
    extern simbol _DbgPrompt@12 with no reference

    1. In Linker Options of your project, add ntdll.lib to list of Additional Dependencies.

      Then define the function prototype in an 'extern "C" '.

      See this:

  5. After using windbg x64, exception handler will not still be called.