nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

05.03.2020 | Original Paper

Exploiting flaws in Windbg: how to escape or fool debuggers from existing flaws

verfasst von: François Plumerault, Baptiste David

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 2/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In order to perform their goals without being detected, Malware should have a battle of wits with the analyzer. Such a way, they use a large variety of stealth methods to perform their missions. These methods allow to slow or block analysis. Most of the time, these tricks are often operating system or CPU oriented (dll injection, exception handler or API abuse). In addition, they are although focused on the most used analyst tools. These attacks, allow, among other things, to display erroneous information on the analysis tools or to silently detect it so that the malware can change its behavior in case of analysis. Depending of the degree of error of the analyzing tools used, it could become partially or totally ineffective. More than just flowed malware analysts, it is a great drawback in order to find bugs in regular software. In this article, we show how to exploits errors inside debuggers and mainly inside one of the most use: Windbg. This list of errors impacting this Microsoft’s tool mainly concerns few flaws in the disassembly engine or in the debug procedure. Some are present in the debugger from years... More directly, we show different ways to block or disturb the normal behaviour of Windbg. Thus, even if these errors are not always critical, they can negatively impact the use of software by any user. For instance, we describe a new way to know if the current process is running under the control of Windbg. This is exactly what malware author are looking for to detect analysis. Due to the complexity of architecture such as x64 and x86, it is hard to design and develop a complete disassembling tool. In fact, no disassembling tool is perfect and most of those we tested have at least one of the flaws which are shown in this article. Among the different flaws, we have int 3 misinterpretation, wrong jump interpretation, partial instruction prefix handling and unsupported instruction. Moreover, nothing prevents these tools to have other kind of errors. Thus, in order to analyze software efficiently, it is necessary to improve the analyzer tools. In this way, we offer different solution to correct the bug we encounter on the different tools.

Vorheriger Artikel Deep learning for image-based mobile malware detection

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

http://ref.x86asm.net/coder32.html#x0F19.

GDB community, GDB: The GNU Project Debugger, GDB (2019). www.gnu.org/software/gdb

LLVM community, The LLVM Compiler Infrastructure, LLVM Foundation (2019). https://llvm.org

Microsoft, First look at the Visual Studio Debugger, MSDN (2019). https://docs.microsoft.com/fr-fr/visualstudio/debugger/debugger-feature-tour?view=vs-2019

Radar community, Radar2, Radar Community (2019). https://github.com/radare/radare2/

Eagle, C.: The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler. No Starch Press, San Francisco (2011)

Microsoft, Download the Windows Driver Kit (WDK), MSDN (2018). https://docs.microsoft.com/fr-fr/windows-hardware/drivers/download-the-wdk

Bochs community, Bochs x86 PC emulator, Bochs, 16 July 2019 (2019). https://sourceforge.net/projects/bochs/

Quynh, N.A., Vu, D.H.: Unicorn The ultimate CPU emulator, Unicorn (2017). https://www.unicorn-engine.org

Intel, Intel 64 and IA-32 Architectures Software Developer’s Manual, Intel documentation, vol. 1, pp. 3–17 (2019)

10.

Intel, Intel 64 and IA-32 Architectures Software Developer’s Manual, Intel documentation, vol. 1, pp. 6–13 (2019)

11.

Kulchytskyy, O., Kukoba, A.: Anti Debugging Protection Techniques With Examples, Apriorit (2019). https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software

12.

Ferrie, P.: The ”Ultimate” Anti-Debugging Reference, Ferrie (2011)

13.

Afianian, A.: Malware Dynamic Analysis Evasion Techniques: A Survey, Arxiv, November 2018, arXiv:1811.01190

14.

Yuschuk, O.: OllyDbg, OllyDbg (2014). http://www.ollydbg.de

15.

Microsoft, OutputDebugStringA function, MSDN (2018). https://docs.microsoft.com/fr-fr/windows/win32/api/debugapi/nf-debugapi-outputdebugstringa

16.

Securityfocus, OllyDbg Debugger Messages Format String Vulnerability, securityfocus (2004). https://www.securityfocus.com/bid/10742

17.

Ferrie P.: Anti-unpacker tricks—part twelve, Microsoft (2010). https://www.virusbulletin.com/virusbulletin/2010/09/anti-unpacker-tricks-part-twelve

18.

NASM community, NASM, The NASM development team (2018). https://www.nasm.us

19.

Tully, J.: An Anti-Reverse Engineering Guide, code project (2008). https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#BpInt3

20.

Yang Reiley, Data Breakpoints, Microsoft (2011). https://blogs.msdn.microsoft.com/reiley/2011/07/21/data-breakpoints/

21.

Ferrie P.: ANTI-UNPACKER TRICKS, Microsoft (2005). http://pferrie.host22.com/papers/unpackers.pdf

22.

Zhang, Y.K.: Software Debugging. Publishing House of Electronics Industry, Beijing (2008)

23.

Bowes, R.: In-depth malware: Unpacking the ”lcmw” Trojan, SkullSecurity (2014). https://blog.skullsecurity.org/2014/in-depth-malware-unpacking-the-lcmw-trojan

24.

Microsoft, Try-except Statement, MSDN (2018). https://docs.microsoft.com/en-us/cpp/cpp/try-except-statement?view=vs-2019

25.

Microsoft, Thread Environment Block (Debugging Notes), MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/debug/thread-environment-block--debugging-notes-

26.

Microsoft, TEB structure, MSDN (2018). https://docs.microsoft.com/fr-fr/windows/win32/api/winternl/ns-winternl-teb?redirectedfrom=MSDN

27.

Microsoft, Structured Exception Handling, MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/debug/structured-exception-handling

28.

Microsoft, Using an Exception Handler, MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/debug/using-an-exception-handler

29.

Microsoft, Using a Vectored Exception Handler, MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/debug/using-a-vectored-exception-handler

30.

Microsoft, Vectored Exception Handling, MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/debug/vectored-exception-handling

31.

Czumak, M.: Windows Exploit Development—Part 6: SEH Exploits, Security Sift (2014). https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/

32.

Swiat at Security Research & Defense, Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP, Microsoft (2009). https://msrc-blog.microsoft.com/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/

33.

Microsoft, EXCEPTION_RECORD structure, MSDN (2018). https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record

34.

Intel, Intel 64 and IA-32 Architectures Software Developer’s Manual, Intel documentation, vol. 2, pp. 2–1 (2019)

35.

Wikipedia, x86-64, Wikipedia foundation (2019). https://en.wikipedia.org/wiki/X86-64#Differences_between_AMD64_and_Intel_64

36.

Intel, Intel 64 and IA-32 Architectures Software Developer’s Manual, Intel documentation, vol. 2, pp. 2–8 (2019)

37.

William Swanson, Understanding Intel Instruction Sizes, Swanson Technologies (2003). https://www.swansontec.com/sintel.html

38.

Intel, Intel 64 and IA-32 Architectures Software Developer’s Manual, Intel documentation, vol. 2, pp. 2–20 (2019)

39.

x64dbg community, x64dbg debugger (2013). https://x64dbg.com/

40.

Oleksenko, O., et al.: Intel MPX explained: a cross-layer analysis of the intel MPX system stack. In: Proceedings of the ACM on Measurement and Analysis of Computing Systems (2018). https://intel-mpx.github.io/code/submission.pdf

Titel: Exploiting flaws in Windbg: how to escape or fool debuggers from existing flaws
verfasst von: François Plumerault
Baptiste David
Publikationsdatum: 05.03.2020
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 2/2020
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-020-00347-x

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2020

Lightweight versus obfuscation-resilient malware detection in android applications

Leveraging branch traces to understand kernel internals from within

Deep learning for image-based mobile malware detection

Hiding a fault enabled virus through code construction