Obfuscation_Techniques

BeingDebugged under IDA Pro

Recently I was watching GynvaelEN’s old stream about ELF packers, and I thought: why not make a PE packer? I decided to write a Python script to parse PE headers from scratch; I was able to parse some headers, then got stuck and decided to use PEFILE instead.
──────▄▌▐▀▀▀▀▀▀▀▀▀▀▀▀▀​▀▀▀▀▀▀▌
───▄▄██▌█ BEEP BEEP
▄▄▄▌▐██▌█ POOR SCRIPT AHEAD
███████▌█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▌
▀(@)▀▀▀▀▀▀▀(@)(@)▀▀▀▀▀▀▀▀(@)▀
So I made a poor packer, which is available here: packer. Keep in mind it only works for some 32-bit Windows executables. Now the question is: what anti-debugging techniques exist on Windows, like the ones we have on Linux?

I looked around on the internet and found some techniques. I will keep updating this post as I find more.


Windows

1. BeingDebugged in PEB:

/* Abbreviated layout of the 32-bit PEB. The leading hex number on each line
 * is the field's byte offset from the start of the structure (it is not C
 * syntax); the commented-out middle stands for the fields left out here. */
struct _PEB {
    0x000 BYTE InheritedAddressSpace;
    0x001 BYTE ReadImageFileExecOptions;
    0x002 BYTE BeingDebugged; // fs:[0x30] holds the PEB pointer, so this byte is at [fs:[0x30]] + 2
    /*
    ..... .... ..............
    ..... .... ..............
    ..... .... ..............
    ..... .... ..............
    */
    0x204 void* SystemAssemblyStorageMap;
    0x208 DWORD MinimumStackCommit;
};

You can access the Process Environment Block from assembly through the “fs” segment register. The following inline assembly fetches the value of BeingDebugged:

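/* MINGW add -masm=intel while compiling */
/* Read PEB->BeingDebugged into `found` (32-bit only: fs:[0x30] is the TEB's
 * pointer to the PEB on x86). The original asm wrote eax but told the
 * compiler only that some register ("=r") received the result, so the
 * compiler was free to keep a live value in eax across the statement.
 * Pinning the output to eax with "=a" and declaring the flags clobber
 * ("cc", because xor/and rewrite EFLAGS) makes the statement sound. */
BOOL found = FALSE;
__asm__(
	"xor eax, eax\n"
	"mov eax, fs:[0x30]\n"          /* eax = PEB base */
	"mov eax, [eax + 0x02]\n"       /* DWORD at PEB+2; low byte is BeingDebugged */
	"and eax, 0x000000FF\n"         /* keep only that byte */
	: "=a" (found)                  /* result is delivered in eax */
	:
	: "cc"
);
if(found){
	printf("YES\n");
} else {
	printf("NO\n");
}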

/* VISUALC++ */
/* Same PEB->BeingDebugged read using the MSVC inline assembler (x86 only;
 * the MSVC x64 compiler has no inline asm). IsDebuggerPresent() returns
 * this very byte, so this is the hand-rolled form of that API call. */
BOOL found = FALSE;
_asm
{
	xor eax, eax; 			// clear eax
	mov eax, fs:[0x30]; 	// fs:[0x30] holds the TEB's pointer to the PEB
	mov eax, [eax + 0x02]; 	// read the DWORD at PEB+2; its low byte is BeingDebugged
	and eax, 0x000000FF; 	// keep only that low byte
	mov found, eax; 		// Copy BeingDebugged into 'found'
}
if(found){
	printf("YES\n");
} else {
	printf("NO\n");
}

2. Detecting Breakpoints :

/* VISUALC++ */
/*
 * Executes a software breakpoint (int 3) inside an SEH frame. With no
 * debugger attached, the breakpoint exception lands in our own handler,
 * which clears the flag; when a debugger is attached it typically
 * consumes the exception first, so the handler never runs and the flag
 * stays set. Prints "NO DEBUGGING" when a debugger is detected, "GOOD"
 * otherwise.
 */
void detect_breakpoint() {
	BOOL debugger_present = TRUE;	// cleared only if we catch the exception ourselves
	__try {
		_asm {
			int 3; // \xCC
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		debugger_present = FALSE;
	}
	if (!debugger_present) {
		printf("GOOD\n");
		return;
	}
	printf("NO DEBUGGING\n");
}

3. Erase PE Headers From Memory:

This trick defeats attempts to dump the unpacked binary from memory.

// from AntiRE.h
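/*
 * Zero the first page of this module's image, where the DOS/PE headers
 * live, so that a memory dump of the process carries no parseable header.
 *
 * Compared with the original: the page size is queried from the OS rather
 * than assumed to be 4096, VirtualProtect's result is checked before the
 * write (writing to a still read-only page would fault), and the previous
 * protection is restored afterwards. Returns silently on failure; there is
 * no caller to report to.
 */
inline void ErasePEHeaderFromMemory()
{
	DWORD OldProtect = 0;
	SYSTEM_INFO si;

	// Get base address of module (NULL = the executable of the calling process)
	char *pBaseAddr = (char*)GetModuleHandle(NULL);
	if (pBaseAddr == NULL)
		return;

	// The headers fit in the first page for typical images; use the real page size
	GetSystemInfo(&si);

	// Change memory protection; the header page is normally read-only
	if (!VirtualProtect(pBaseAddr, si.dwPageSize,
			PAGE_READWRITE, &OldProtect))
		return;

	// Erase the header
	ZeroMemory(pBaseAddr, si.dwPageSize);

	// Restore the original protection
	VirtualProtect(pBaseAddr, si.dwPageSize, OldProtect, &OldProtect);
}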

4. OutputDebugString() :

CheckOutputDebugString checks whether OutputDebugString sets an error. If an error occurs, we know there is no debugger; if a debugger IS attached, no error occurs.

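/*
 * Returns true if a debugger appears to be attached.
 *
 * The check reads GetLastError() after OutputDebugString: a last-error of
 * 0 is taken to mean a debugger received the string. The original never
 * reset the thread's last-error value first, so a stale error left by an
 * earlier call could turn a "debugger present" result into "absent";
 * SetLastError(0) makes the result depend on this call alone.
 * NOTE(review): whether OutputDebugString sets an error without a debugger
 * varies between Windows versions — treat this as a weak signal.
 */
inline bool CheckOutputDebugString(LPCTSTR String)
{
	SetLastError(0);
	OutputDebugString(String);
	return GetLastError() == 0;
}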

LINUX

  1. Ptrace :
/* trying-to-make-your-binary-shut-up.txt : https://www.exploit-db.com/raw/13188 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>


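/*
 * Refuses to run under a tracer: PTRACE_TRACEME fails (-1) when the process
 * is already being traced, e.g. started under a debugger or strace. When it
 * succeeds the program goes on to its real work.
 *
 * Fixes vs. the original: main returns int (a void main cannot `return -1`),
 * exit() has its header included, the FILE handle is closed instead of
 * leaked, and the ptrace addr/data arguments are passed as pointers
 * (they are ignored for PTRACE_TRACEME).
 */
int main(void)
{
	FILE *fd;
	if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
	{
		printf("so you wanna trace me?...\n");
		return -1;	/* same non-zero status the original tried to return */
	}

	fd = fopen("/etc/passwd", "r");
	if (fd == NULL)
		return 1;	/* original: bare `return;` from void main, status unspecified */
	printf("file opend\n");
	fclose(fd);		/* original left the handle open */
	exit(-1);
}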

2. You Tell :