. TLS supports callback functions for initialization and termination of TLS data objects. Windows executes these functions before running code at the normal start of a program.. All TLS callback functions have their labels prepended with TlsCallback. You can browse to the callback function in IDA Pro by double-clicking the function name.., you learned how to set up an SEH to achieve an unconventional jump. The modification of the SEH chain applies to both anti-disassembly and anti-debugging. In this section, we will skip the SEH specifics (since they were addressed in ) and focus on other ways that exceptions can be used to hamper the malware analyst.
Exceptions can be used to disrupt or detect a debugger. Most exception-based detection relies on the fact that debuggers will trap the exception and not immediately pass it to the process being debugged for handling. The default setting on most debuggers is to trap exceptions and not pass them to the program. If the debugger doesn’t pass the exception to the process properly, that failure can be detected within the process exception-handling mechanism.
shows OllyDbg’s default settings; all exceptions will be trapped unless the box is checked. These options are accessed via Options ▶ Debugging Options ▶ Exceptions.
shows assembly code that implements this technique. This example sets a new SEH and then calls INT 3 to force the code to continue.The INT 2D anti-debugging technique functions like INT 3—the INT 0x2D instruction is used to access the kernel debugger. Because INT 0x2D is the way that kernel debuggers set breakpoints, the method shown in Listing 16-9 applies.
One of Intel’s undocumented instructions is the In-Circuit Emulator (ICE) breakpoint, icebp (opcode 0xF1). This instruction is designed to make it easier to debug using an ICE, because it is difficult to set an arbitrary breakpoint with an ICE.
Executing this instruction generates a single-step exception. If the program is being traced via single-stepping, the debugger will think it is the normal exception generated by the single-step and not execute a previously set exception handler. Malware can take advantage of this by using the exception handler for its normal execution flow, which would be disrupted in this case.
In order to bypass this technique, do not single-step over an icebp instruction.
Назад: Identifying Debugger Behavior
Дальше: Debugger Vulnerabilities
Войти в систему
Войти с помощью соц. сетей:
TlsCallback. You can browse to the callback function in IDA Pro by double-clicking the function name., you learned how to set up an SEH to achieve an unconventional jump. The modification of the SEH chain applies to both anti-disassembly and anti-debugging. In this section, we will skip the SEH specifics (since they were addressed in ) and focus on other ways that exceptions can be used to hamper the malware analyst.
Exceptions can be used to disrupt or detect a debugger. Most exception-based detection relies on the fact that debuggers will trap the exception and not immediately pass it to the process being debugged for handling. The default setting on most debuggers is to trap exceptions and not pass them to the program. If the debugger doesn’t pass the exception to the process properly, that failure can be detected within the process exception-handling mechanism.
shows OllyDbg’s default settings; all exceptions will be trapped unless the box is checked. These options are accessed via Options ▶ Debugging Options ▶ Exceptions.
INT 3 to force the code to continue.The INT 2D anti-debugging technique functions like INT 3—the INT 0x2D instruction is used to access the kernel debugger. Because INT 0x2D is the way that kernel debuggers set breakpoints, the method shown in Listing 16-9 applies.
One of Intel’s undocumented instructions is the In-Circuit Emulator (ICE) breakpoint, icebp (opcode 0xF1). This instruction is designed to make it easier to debug using an ICE, because it is difficult to set an arbitrary breakpoint with an ICE.
Executing this instruction generates a single-step exception. If the program is being traced via single-stepping, the debugger will think it is the normal exception generated by the single-step and not execute a previously set exception handler. Malware can take advantage of this by using the exception handler for its normal execution flow, which would be disrupted in this case.
In order to bypass this technique, do not single-step over an icebp instruction.
Войти в систему
Войти с помощью соц. сетей: