In this post I will show you an anti-debug trick that I recently found. The trick is specific to Wow64 processes. It relies on the fact that 32-bit debuggers, e.g. OllyDbg, the IDA Pro debugger and WinDbg_x86, don't receive debug events for certain exceptions originating from 64-bit code. One example of these exceptions is EXCEPTION_BREAKPOINT (0x80000003).
N.B. In a Wow64 process on Windows 7, the 32-bit code executes with CS=0x23, while the 64-bit code executes with CS=0x33.
Let's take as an example the ntdll "DbgPrompt" function on Windows 7 64-bit. I chose DbgPrompt for two reasons:
1) Calls to it end up executing the INT 0x2D instruction, which raises an EXCEPTION_BREAKPOINT.
2) The 32-bit version of it (in the 32-bit ntdll.dll) calls the 64-bit version of it (in the 64-bit ntdll.dll).
N.B. The ntdll "DbgPrompt" function wraps calls to the non-exported "DebugPrompt" function.
So, if we now call the "DbgPrompt" function from within our 32-bit code, we know that the call will end up with an EXCEPTION_BREAKPOINT raised from 64-bit mode.
The interesting thing here is that if you call the function without a debugger, the exception will be raised and its exception handler will be called. On the other hand, if a debugger is present, no exception is raised and the instruction following INT 0x2D will be executed.
Given the above knowledge, I wrote a simple demo for that Wow64-specific anti-debug trick. You can download the demo from here and its source code from here.
To bypass this trick, you have to use a 64-bit debugger where the exception will be raised and seen by the debugger.
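As an added example (not the post's own demo), the check described above written as a 32-bit MSVC C program: DbgPrompt is called inside an SEH frame, and whether the EXCEPTION_BREAKPOINT from the 64-bit ntdll reaches the handler is what an analyst stepping through such code will see differ between no debugger and a 32-bit debugger. It assumes the Windows 7 x64 Wow64 behaviour the post describes, a 32-bit build linked against ntdll.lib, and supplies its own DbgPrompt prototype; the SEH filter is a plain function so its decisions can be checked on any platform.

```c
/* Added example, not the post's own demo. Build as a 32-bit MSVC C program and link
 * ntdll.lib; the Wow64 behaviour assumed is the Windows 7 x64 one described above. */
#include <stdio.h>

#define EXC_BREAKPOINT 0x80000003UL  /* EXCEPTION_BREAKPOINT raised by INT 0x2D */

/* SEH filter decision: 1 = EXCEPTION_EXECUTE_HANDLER for the DbgPrompt breakpoint,
 * 0 = EXCEPTION_CONTINUE_SEARCH for anything else (e.g. an access violation), so an
 * unrelated fault is never mistaken for "no debugger present". */
int dbgprompt_filter(unsigned long code)
{
    return code == EXC_BREAKPOINT ? 1 : 0;
}

#ifdef _WIN32
#include <windows.h>

/* ntdll!DbgPrompt is not declared in windows.h; this prototype matches the export
 * _DbgPrompt@12 (three 4-byte arguments, stdcall) mentioned in the comments. */
ULONG __stdcall DbgPrompt(const char *Prompt, char *Response, ULONG MaximumResponseLength);

/* Returns 1 when the EXCEPTION_BREAKPOINT raised from the 64-bit ntdll reached our
 * handler (the post's no-debugger case), 0 when DbgPrompt returned normally because
 * a 32-bit debugger consumed the event and execution continued after INT 0x2D. */
int breakpoint_reached_handler(void)
{
    int reached = 0;
    char response[16] = {0};   /* DbgPrompt's answer buffer; not used here */

    __try {
        DbgPrompt("wow64 demo> ", response, sizeof response);
    } __except (dbgprompt_filter(GetExceptionCode())) {
        reached = 1;
    }
    return reached;
}

int main(void)
{
    puts(breakpoint_reached_handler()
         ? "EXCEPTION_BREAKPOINT reached the handler: no 32-bit debugger seen"
         : "EXCEPTION_BREAKPOINT swallowed: a 32-bit debugger is attached");
    return 0;
}
#endif
```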
Any comments or ideas are very welcome.
You can follow me on Twitter @waleedassar
I haven't looked at the wow64 layer in a while but I'm pretty sure that the debug layer provided to x86 debuggers will automatically pass on as handled any exception_breakpoint (0x80000003) or single_step (0x80000004) unless of course the interrupt was caused in the 32 bit code segment, in which case they are raised as 0x4000001E or 0x4000001F.
Another good wow64 specific anti-debug that is typically overlooked while under a 32 bit debugger is the 64 bit PEB BeingDebugged flag :)
>>Another good wow64 specific anti-debug that is
>>typically overlooked while under a 32 bit
>>debugger is the 64 bit PEB beingdebugged flag :)
I tweeted about that a while ago.
https://twitter.com/waleedassar/status/226754102791651329
Also mentioned in Peter Ferrie's "Ultimate Anti-Debugging Reference".
Well, then you just have everything documented, don't ya ;p
Here is another one for your journeys that is specific to WinDbg. Have a look at Wow64NotifyDebugger. It should be invoked by an x86 NtRaiseException.
Please, how do I compile this?
extern symbol _DbgPrompt@12 with no reference
In the Linker Options of your project, add ntdll.lib to the list of Additional Dependencies.
Then define the function prototype in an 'extern "C"' block.
See this:
https://lh4.googleusercontent.com/-OKlemUAyrvg/UcYTdmklQWI/AAAAAAAAB1o/lNXDJ2M8uX8/w799-h365-no/xxxxxxxxxxxx.png
After using WinDbg x64, the exception handler will still not be called.