The Ptrace Anti-RE Trick (opens in new tab)

(hkopp.github.io)

97 pointshkopp2y ago33 comments

33 comments

We used to place an INT3 vectored exception handler on function entry points and do everything interesting inside the exception handler. This made the execution stack basically invisible to every debugger since it doesn't debug exception handlers. You can enable/disable interrupts and tracing and whatever you need to do inside the exception handler to guarantee that nobody can see what you are doing and/or verify that no other program has registered another exception handler before doing anything interesting.

If you need to hook functions in third party software, this trick can be used to hook the function without modifying any of the functions code. All you need to do is modify some pointer used by the function to zero, and it will raise an exception as soon as something like p-> is executed on that pointer, then your exception handler can execute whatever code you need (i.e. write over stack, write to memory, exfiltrate handles) and on exit all you need to do is restore the correct register containing the pointer and wind back the execution counter by the size of the de-reference instruction.

Please don't use this knowledge to hurt people ...

newgre2y ago

A debugger sees exceptions before the application does, and it knows which exceptions it should handle by itself (e.g. breakpoints set by the user) vs passing them to the application. I don't have a windows machine rn to verify but I'd expect your assumption that it's impossible to debug an INT3 VEH to be incorrect.

aetherspawn2y ago

Yes, however you can easily detect when a debugger is attached and avoid placing the VEH. There are only two mechanisms for a debugger to operate: by placing its own VEH (or UHE), or by populating one of the four hardware breakpoint registers, and both are very easy to detect.

1 more reply

151552y ago

How is the VEH target not immediately visible during static analysis?

aetherspawn2y ago

The VEH target is visible if you know where to look. You can use something like Themida to virtualize/obsfucate the VEH if you really need the VEH to be encrypted.

It's actually not so easy to find the VEH because if you are injecting the VEH into a third party process from another process, then not only does the VEH not exist during static analysis of the binary at rest, but its program address changes on each execution. Moreover, the VEH can be encrypted at rest before it is injected into the second process.

harryfyx2y ago

Do you mean using this trick in malware?

aetherspawn2y ago

Actually our competitor was reverse engineering our LOB app and we used this to protect trade secrets.

bubblematrix2y ago

No he is referring to happyware.

1 more reply

userbinator2y ago

This "self-debugging" technique is common in the Windows world too:

http://profile.maff1t.com/AntiDebugging/

Interestingly enough, VirtualBox does this too, and they call it "hardening", but IMHO it's quite an unexpected and hostile behaviour which is more characteristic of malware.

josephcsible2y ago

Thankfully this is easy to circumvent: have your debugger catch the ptrace syscall and lie about the result. Also, if antivirus programs haven't already added a signature for any programs that do that, they should.

adtac2y ago

The malware will then rely on actual ptrace behaviour as a check. You could instead use seccomp_unotif and let the target ptrace itself as much as it wants: https://man.archlinux.org/man/seccomp_unotify.2.en

harryfyx2y ago

I don't know reverse engineering. But, I guess the ultimate solution would be running a custom OS to fake ptrace results in the kernel level?

2 more replies

lapcat2y ago

> Thankfully this is easy to circumvent: have your debugger catch the ptrace syscall and lie about the result.

Yeah, Apple iTunes did that IIRC, and it was super easy to bypass.

sjtgraham2y ago

On Apple platforms ptrace supports an additional flag "PT_DENY_ATTACH", which is what iTunes uses. It causes the target process to exit.

1 more reply

MuffinFlavored2y ago

> have your debugger catch the ptrace syscall

Cat + mouse: Have your program catch any signals/stops (which debuggers do on Linux when they attach I believe)

badrabbit2y ago

Windows also has many similar evasion techniques, like checking if there is a top level exception handler. I use scyllahide, but even on gdb you can break at ptrace and patch it or for automated analysis, just flag anything that used ptrace but isn't a debugger and run it in a sandbox without ptracing it. Audit subsystem might be enough.

https://github.com/x64dbg/ScyllaHide

hyperman12y ago

If I remember it right, only 1 ptrace can be attached. So this seems easy to fix:. Just ptrace yourself, and nobody else will.

As a bonus, write important state to memory supposed to be read-only. If someone hooked your ptrace, the hook has to reimplement ptrace in a lot more detail. Or use breakpoints as a mechanism to call subroutines.

jepler2y ago

In an old $DAY_JOB I used a variant of this as a way to make certain internal errors execute a breakpoint when debugged, and generate an error log if not debugged. iirc this did not happen until after an error had already occurred, so it was not very useful as anti-RE.

tlb2y ago

I'm curious what the context is where you can't just set a breakpoint on the logging function.

dwattttt2y ago

It's possible there's no single logging function (maybe it's a macro). Or you only want some invocations of the logging function to stop.

maffydub2y ago

I've seen this used preemptively - have the process ptrace itself on startup (and then do nothing with it) to make it impossible (or at least far-from-trivial) for other interested parties to ptrace it.

complex_exp2y ago

You can just patch the call then, right? I.e. turn it into NOPs

ysfr2y ago

Yes. Or if it's using dynamic libraries and not compiled static, you can use LD_PRELOAD and overwrite ptrace() to do nothing. You don't have to patch anything then, which might be easier.

   int ptrace(int request, int pid, void *addr, void *data) {
       return 0;
   }

And compile it:

  gcc -shared myptrace.c -o myptrace.so

Afterwards you can eiher

  LD_PRELOAD=./mytrace.so ./thebinary     # shell
  ltrace -S -l ./mytrace.so ./thebinary   # strace in shell

or for gdb

  set environment LD_PRELOAD=./mytrace.so

1 more reply

Cloudef2y ago

Some android malware also checks TracerPid in /proc/*/status https://github.com/Cloudef/android2gnulinux/blob/master/src/...

o11c2y ago

There are also differences in the handling of `SIGTRAP`. For a serious use, this can implement `breakpoint()` function.

jasondoty2y ago

Tricks for windows

https://anti-debug.checkpoint.com

j / k navigate · click thread line to collapse

33 comments

aetherspawn2y ago

Please don't use this knowledge to hurt people ...

newgre2y ago

aetherspawn2y ago

1 more reply

151552y ago

How is the VEH target not immediately visible during static analysis?

aetherspawn2y ago

The VEH target is visible if you know where to look. You can use something like Themida to virtualize/obsfucate the VEH if you really need the VEH to be encrypted.

harryfyx2y ago

Do you mean using this trick in malware?

aetherspawn2y ago

Actually our competitor was reverse engineering our LOB app and we used this to protect trade secrets.

bubblematrix2y ago

No he is referring to happyware.

1 more reply

userbinator2y ago

This "self-debugging" technique is common in the Windows world too:

http://profile.maff1t.com/AntiDebugging/

Interestingly enough, VirtualBox does this too, and they call it "hardening", but IMHO it's quite an unexpected and hostile behaviour which is more characteristic of malware.

josephcsible2y ago

adtac2y ago

harryfyx2y ago

I don't know reverse engineering. But, I guess the ultimate solution would be running a custom OS to fake ptrace results in the kernel level?

2 more replies

lapcat2y ago

> Thankfully this is easy to circumvent: have your debugger catch the ptrace syscall and lie about the result.

Yeah, Apple iTunes did that IIRC, and it was super easy to bypass.

sjtgraham2y ago

On Apple platforms ptrace supports an additional flag "PT_DENY_ATTACH", which is what iTunes uses. It causes the target process to exit.

1 more reply

MuffinFlavored2y ago

> have your debugger catch the ptrace syscall

Cat + mouse: Have your program catch any signals/stops (which debuggers do on Linux when they attach I believe)

badrabbit2y ago

https://github.com/x64dbg/ScyllaHide

hyperman12y ago

If I remember it right, only 1 ptrace can be attached. So this seems easy to fix:. Just ptrace yourself, and nobody else will.

jepler2y ago

tlb2y ago

I'm curious what the context is where you can't just set a breakpoint on the logging function.

dwattttt2y ago

It's possible there's no single logging function (maybe it's a macro). Or you only want some invocations of the logging function to stop.

maffydub2y ago

complex_exp2y ago

You can just patch the call then, right? I.e. turn it into NOPs

ysfr2y ago

Yes. Or if it's using dynamic libraries and not compiled static, you can use LD_PRELOAD and overwrite ptrace() to do nothing. You don't have to patch anything then, which might be easier.

   int ptrace(int request, int pid, void *addr, void *data) {
       return 0;
   }

And compile it:

  gcc -shared myptrace.c -o myptrace.so

Afterwards you can eiher

  LD_PRELOAD=./mytrace.so ./thebinary     # shell
  ltrace -S -l ./mytrace.so ./thebinary   # strace in shell

or for gdb

  set environment LD_PRELOAD=./mytrace.so

1 more reply

Cloudef2y ago

Some android malware also checks TracerPid in /proc/*/status https://github.com/Cloudef/android2gnulinux/blob/master/src/...

o11c2y ago

There are also differences in the handling of `SIGTRAP`. For a serious use, this can implement `breakpoint()` function.

jasondoty2y ago

Tricks for windows

https://anti-debug.checkpoint.com

j / k navigate · click thread line to collapse