Monday, January 28, 2013

Wow64-Specific Anti-Debug Trick

In this post I will show you an anti-debug trick that I have recently found. The trick is specific to Wow64 processes. It relies on the fact that 32-bit debuggers, e.g. OllyDbg, IDA Pro Debugger, and WinDbg_x86, don't receive debug events for certain exceptions originating from 64-bit code. One example of these exceptions is EXCEPTION_BREAKPOINT (0x80000003).

N.B. In a Wow64 process on Windows 7, the 32-bit code executes with CS=0x23, while the 64-bit code executes with CS=0x33.

Let's take as an example the ntdll "DbgPrompt" function on Windows 7 64-bit. I chose DbgPrompt for two reasons:
1) Calls to it end up executing the INT 0x2D instruction, which raises an EXCEPTION_BREAKPOINT.
2) The 32-bit version of it (in the 32-bit ntdll.dll) calls the 64-bit version of it (in the 64-bit ntdll.dll).

N.B. The ntdll "DbgPrompt" function wraps calls to the non-exported "DebugPrompt" function.

So, if we now call the "DbgPrompt" function from within our 32-bit code, we know that the call will end up raising an EXCEPTION_BREAKPOINT from 64-bit mode.

The interesting thing here is that if you call the function without a debugger, the exception is raised and your exception handler is called. On the other hand, if a 32-bit debugger is present, no exception is raised and the instruction following INT 2D is executed.

Given the above, I wrote a simple demo of this Wow64-specific anti-debug trick. You can download the demo from here and its source code from here.

To bypass this trick, you have to use a 64-bit debugger where the exception will be raised and seen by the debugger.
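The behaviour described above, as an added example that is not the post's demo or its source code: a probe that calls DbgPrompt under a 32-bit SEH handler and reports whether the EXCEPTION_BREAKPOINT was delivered. It assumes an MSVC x86 (32-bit) build linked against ntdll.lib and run on 64-bit Windows; the filter, the function names and the "probe> " prompt text are my own choices.

```c
/* Added example (not the post's demo): probe whether the EXCEPTION_BREAKPOINT
 * raised by DbgPrompt's INT 2D is delivered to a 32-bit SEH handler.
 * Build as x86 with MSVC, link ntdll.lib, run on 64-bit Windows (Wow64). */
#include <stdio.h>
enum probe_result {
    PROBE_NOT_APPLICABLE = -1, /* not an MSVC x86 build, or not a Wow64 process */
    PROBE_NO_EXCEPTION   = 0,  /* handler never ran: a 32-bit debugger swallowed it */
    PROBE_HANDLER_RAN    = 1   /* handler ran: no debugger, or a 64-bit one passed it on */
};
#if defined(_WIN32) && defined(_MSC_VER)
#include <windows.h>
#include <winternl.h> /* NTSTATUS */
/* ntdll exports DbgPrompt but the SDK user-mode headers do not declare it; this
 * prototype matches the decorated import _DbgPrompt@12 (three 4-byte stdcall args). */
NTSYSAPI NTSTATUS NTAPI DbgPrompt(const char *Prompt, char *Response, ULONG MaximumResponseLength);

static int breakpoint_filter(DWORD code)
{
    /* Handle only EXCEPTION_BREAKPOINT (0x80000003); let anything else propagate. */
    return code == EXCEPTION_BREAKPOINT ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH;
}

enum probe_result probe_dbgprompt(void)
{
    BOOL wow64 = FALSE;
    char response[8] = {0};
    int handler_ran = 0;
    if (!IsWow64Process(GetCurrentProcess(), &wow64) || !wow64)
        return PROBE_NOT_APPLICABLE;
    __try {
        /* 32-bit ntdll forwards to 64-bit ntdll, which executes INT 2D in CS=0x33. */
        DbgPrompt("probe> ", response, sizeof(response));
    } __except (breakpoint_filter(GetExceptionCode())) {
        handler_ran = 1;
    }
    return handler_ran ? PROBE_HANDLER_RAN : PROBE_NO_EXCEPTION;
}
#else
/* Outside a Wow64 process the trick does not exist, so there is nothing to probe. */
enum probe_result probe_dbgprompt(void) { return PROBE_NOT_APPLICABLE; }
#endif

int main(void)
{
    enum probe_result r = probe_dbgprompt();
    printf(r == PROBE_HANDLER_RAN  ? "handler ran: no 32-bit debugger attached\n" :
           r == PROBE_NO_EXCEPTION ? "no exception seen: a 32-bit debugger is present\n" :
                                     "not applicable: run as a 32-bit process on 64-bit Windows\n");
    return 0;
}
```

Under a 64-bit debugger the breakpoint is reported to the debugger first; whether the handler then runs depends on whether the debugger passes the exception on.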

Any comments or ideas are very welcome.

You can follow me on Twitter @waleedassar

6 comments:

  1. I haven't looked at the wow64 layer in a while but I'm pretty sure that the debug layer provided to x86 debuggers will automatically pass on as handled any exception_breakpoint (0x80000003) or single_step (0x80000004) unless of course the interrupt was caused in the 32 bit code segment, which are raised as 0x4000001E or 4000001F.

    Another good wow64 specific anti-debug that is typically overlooked while under a 32 bit debugger is the 64 bit PEB BeingDebugged flag :)

  2. >> Another good wow64 specific anti-debug that is typically overlooked while under a 32 bit debugger is the 64 bit PEB BeingDebugged flag :)

    I tweeted about that a while ago.
    https://twitter.com/waleedassar/status/226754102791651329

    Also, mentioned in Peter Ferrie's "Ultimate Anti-Debugging Reference".

  3. well then you just have everything documented don't ya ;p

    Here is another one for your journeys that is specific to windbg. Have a look at Wow64NotifyDebugger. Should be invoked by an x86 NtRaiseException.

  4. Please, how to compile this?
    extern symbol _DbgPrompt@12 with no reference

    Replies
    1. In the Linker Options of your project, add ntdll.lib to the list of Additional Dependencies.

      Then define the function prototype inside an 'extern "C"' block.

      See this:
      https://lh4.googleusercontent.com/-OKlemUAyrvg/UcYTdmklQWI/AAAAAAAAB1o/lNXDJ2M8uX8/w799-h365-no/xxxxxxxxxxxx.png

  5. After using windbg x64, the exception handler still will not be called.
