Obfuscation_Techniques

Recently I was watching GynvaelEN's old stream about ELF packers and thought, why not make a PE packer? I decided to write a Python script to parse PE headers from scratch; I was able to parse some headers, then got stuck and decided to use pefile.
──────▄▌▐▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▌
───▄▄██▌█ BEEP BEEP
▄▄▄▌▐██▌█ POOR SCRIPT AHEAD
███████▌█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▌
▀(@)▀▀▀▀▀▀▀(@)(@)▀▀▀▀▀▀▀▀(@)▀
So I made a poor packer, which is available here: packer.
Keep in mind it only works for some 32-bit Windows executables.
Now the question is: what anti-debugging techniques are there on Windows, like the ones we have on Linux?
I looked around on the internet and found some techniques. I will keep updating this post as I find more.
Windows
1. BeingDebugged in PEB:
```c
struct _PEB {
/* 0x000 */ BYTE InheritedAddressSpace;
/* 0x001 */ BYTE ReadImageFileExecOptions;
/* 0x002 */ BYTE BeingDebugged;   /* the PEB itself is reached via fs:[0x30] on 32-bit */
/*
    ..... (remaining fields elided) .....
*/
/* 0x204 */ void* SystemAssemblyStorageMap;
/* 0x208 */ DWORD MinimumStackCommit;
};
```
You can reach the Process Environment Block from 32-bit code through the fs segment register (fs:[0x30] holds the PEB pointer). The following inline assembly fetches the value of BeingDebugged.
```c
/* MinGW: compile with -masm=intel for a 32-bit target */
#include <stdio.h>
#include <windows.h>

int main(void)
{
    BOOL found = FALSE;
    __asm__(
        "xor eax, eax\n"
        "mov eax, DWORD PTR fs:[0x30]\n" /* fs:[0x30] holds the PEB pointer (32-bit layout) */
        "mov eax, [eax + 0x02]\n"        /* PEB+0x02 is BeingDebugged */
        "and eax, 0x000000FF\n"          /* keep only that one byte */
        "mov %0, eax\n"
        : "=r" (found)
        :
        : "eax"                          /* eax is scribbled on; tell the compiler */
    );
    if (found) {
        printf("YES\n");
    } else {
        printf("NO\n");
    }
    return 0;
}
```
```cpp
/* Visual C++ (32-bit build; the x64 compiler has no inline assembler) */
#include <stdio.h>
#include <windows.h>

int main(void)
{
    BOOL found = FALSE;
    _asm
    {
        xor eax, eax;           // clear eax
        mov eax, fs:[0x30];     // fs:[0x30] holds the PEB pointer
        mov eax, [eax + 0x02];  // PEB+2 is BeingDebugged
        and eax, 0x000000FF;    // keep only that one byte
        mov found, eax;         // copy BeingDebugged into 'found'
    }
    if (found) {
        printf("YES\n");
    } else {
        printf("NO\n");
    }
    return 0;
}
```
2. Detecting Breakpoints :
```cpp
/* Visual C++ (32-bit build) */
#include <stdio.h>
#include <windows.h>

void detect_breakpoint() {
    BOOL found = TRUE;   // 'found' means "a debugger was found"
    __try {
        _asm {
            int 3;       // \xCC: raises EXCEPTION_BREAKPOINT
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // No debugger: the breakpoint exception reaches our own handler.
        found = FALSE;
    }
    // An attached debugger normally consumes the INT 3 exception itself,
    // so the handler never runs and 'found' stays TRUE.
    if (found) {
        printf("NO DEBUGGING\n");   // debugger detected
    } else {
        printf("GOOD\n");           // no debugger
    }
}
```
3. Erase PE Headers From Memory:
This trick frustrates any attempt to dump the unpacked binary from memory, since the dumped image no longer carries a PE header.
```cpp
// from AntiRE.h
#include <windows.h>

inline void ErasePEHeaderFromMemory()
{
    DWORD OldProtect = 0;
    // Get base address of module
    char *pBaseAddr = (char*)GetModuleHandle(NULL);
    // Change memory protection (the header page is mapped read-only)
    if (!VirtualProtect(pBaseAddr, 4096, // Assume x86 page size
                        PAGE_READWRITE, &OldProtect))
        return;                          // could not unprotect; leave the page alone
    // Erase the header
    ZeroMemory(pBaseAddr, 4096);
}
```
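From the analyst's side, the visible result of the trick above is a dump whose first page is all zeroes. The following is an added example (not code from the original post or from AntiRE.h) of the check one would run over the head of a dump to tell a wiped header from an intact or merely damaged one; classify_pe_header, make_sample_image and the check_* helpers are this example's own names, and the sample image is constructed, not a real executable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096   /* the x86 page ErasePEHeaderFromMemory() zeroes */
/* Verdicts on the header page of a dumped image (names are this example's). */
enum hdr_state { HDR_OK, HDR_ZEROED, HDR_CORRUPT };

/* Classify the first `len` bytes of a dump: a fully zeroed first page means the
 * erase trick ran; a bad MZ/PE signature means some other damage. */
enum hdr_state classify_pe_header(const uint8_t *img, size_t len)
{
    size_t i, limit = len < PAGE_SIZE ? len : PAGE_SIZE;
    int all_zero = 1;
    uint32_t e_lfanew;
    if (len < 0x40) return HDR_CORRUPT;            /* shorter than a DOS header */
    for (i = 0; i < limit; i++)
        if (img[i] != 0) { all_zero = 0; break; }
    if (all_zero) return HDR_ZEROED;
    if (img[0] != 'M' || img[1] != 'Z') return HDR_CORRUPT;
    /* e_lfanew: little-endian DWORD at 0x3C, the offset of the "PE\0\0" signature */
    e_lfanew = img[0x3C] | (uint32_t)img[0x3D] << 8 |
               (uint32_t)img[0x3E] << 16 | (uint32_t)img[0x3F] << 24;
    if (e_lfanew > len - 4) return HDR_CORRUPT;    /* points outside the dump */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return HDR_CORRUPT;
    return HDR_OK;
}

/* Constructed stand-in for a dump's first page: DOS header with e_lfanew = 0x80
 * followed by the PE signature. It is not a real executable. */
void make_sample_image(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                              /* e_lfanew = 0x00000080 */
    memcpy(buf + 0x80, "PE\0\0", 4);
}

/* Scenarios: intact dump, dump taken after the erase trick, dump with a damaged PE signature. */
enum hdr_state check_intact(void)  { uint8_t b[PAGE_SIZE]; make_sample_image(b, sizeof b); return classify_pe_header(b, sizeof b); }
enum hdr_state check_wiped(void)   { uint8_t b[PAGE_SIZE]; memset(b, 0, sizeof b); return classify_pe_header(b, sizeof b); }
enum hdr_state check_damaged(void) { uint8_t b[PAGE_SIZE]; make_sample_image(b, sizeof b); b[0x80] = 'X'; return classify_pe_header(b, sizeof b); }

int main(void)
{
    printf("intact=%d wiped=%d damaged=%d\n", check_intact(), check_wiped(), check_damaged());
    return 0;
}
```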
4. OutputDebugString() :
CheckOutputDebugString checks whether OutputDebugString causes an error to occur or not. If an error does occur, we know there is no debugger; if there IS a debugger, no error occurs.
```cpp
#include <windows.h>

inline bool CheckOutputDebugString(LPCTSTR String)
{
    SetLastError(0);                 // clear any stale error code first
    OutputDebugString(String);
    // Older Windows versions set an error code here when no debugger is
    // listening; Vista and later do not, so treat the check as unreliable there.
    if (GetLastError() == 0)
        return true;                 // no error: a debugger is attached
    else
        return false;
}
```
LINUX
1. Ptrace :
```c
/* trying-to-make-your-binary-shut-up.txt : https://www.exploit-db.com/raw/13188 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>

int main(void)
{
    FILE *fd;
    /* A process can be traced by only one tracer: if a debugger already
     * holds us, PTRACE_TRACEME fails and returns -1. */
    if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1)
    {
        printf("so you wanna trace me?...\n");
        return -1;
    }
    fd = fopen("/etc/passwd", "r");
    if (fd == NULL) return 1;
    else printf("file opened\n");
    fclose(fd);
    exit(-1);
}
```
2. You Tell :