POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote - Programming - Nairaland
POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 9:50pm On Oct 12, 2020
My last topic was how to get started writing your own malwar3; now let's talk about how malwar3 authors have always looked for new techniques to stay invisible. This includes, of course, being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis. To make the post-detection analysis more difficult, threat actors use various anti-analysis techniques, one of the more common ones being anti-debugging. Threat actors have proven to be more innovative not only in the malwar3 they are creating, but also in the techniques they are employing in order to evade detection and analysis by malwar3 analysts and products. Anti-debugging, therefore, poses a hindrance for malwar3 analysts as it can prolong the process of being able to reverse engineer the code and thus make it more difficult to decipher how it works. Once the malwar3 realizes that it is running under a debugger, it can adjust its usual code execution path or modify the code to provoke a crash, which then hinders the analysts' attempts to decipher it, all the while adding time and additional overhead to their efforts.
There are many methods to prevent debugging. In this post I will show a neat and simple method.

Basic logic of this process: if there is a tracing operation with ptrace, we detect it using ptrace itself.

Considering that there is a control like this:

//EvilSec
#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
    /* PTRACE_TRACEME fails (returns -1) when this process is already being traced */
    if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
        printf("Debugging noticed, Screw You!\n");
        return 1;
    }
    printf("Normal Execution\n");
    return 0;
}

Here we see that the ptrace system call checks if the argument named PTRACE_TRACEME is a child process for Debugging.

If the process is traced:
printf("Debugging noticed, Screw You!\n");

If not, we get the message:
printf("Normal Execution\n");

How can we bypass the control made in this situation?
The solution I found for this is using LD_PRELOAD: hijacking the ptrace() function. First of all, we create a fake library with a replacement ptrace() as follows:

/* fake ptrace(): always reports success, so the PTRACE_TRACEME check never fires */
long ptrace(int request, int pid, int addr, int data)
{
    return 0;
}

After compilation, we assign the resulting library location to the LD_PRELOAD environment variable, and then when we run it with gdb:
printf("Normal Execution\n");

We get this message. So we successfully bypassed the control.

3 Likes
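An added example, not code from the thread: an LD_PRELOAD-style ptrace shim written from the analyst's side that, unlike the plain `return 0` stub above, only neutralises PTRACE_TRACEME and forwards every other request to the real system call, so a target that also uses ptrace legitimately keeps working. The post's check is wrapped in a function (`debugger_detected`, my name) so the shim can be exercised from one file; it assumes Linux with glibc, and the build commands in the comments are mine, not the post's.

```c
/* Added example (not the thread's code). Compiled into one file for a self-test;
 * to use it as the post describes, put the ptrace() below in its own shim.c and
 * build it with: gcc -shared -fPIC -o shim.so shim.c
 * then run the target with: LD_PRELOAD=./shim.so gdb ./target */
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/ptrace.h>   /* PTRACE_* request numbers, no ptrace() prototype */

/* Our ptrace() shadows libc's by symbol interposition, exactly what LD_PRELOAD
 * does for a preloaded library. Same variadic shape as the glibc wrapper. */
long ptrace(int request, ...)
{
    va_list ap;
    va_start(ap, request);
    pid_t pid  = va_arg(ap, pid_t);
    void *addr = va_arg(ap, void *);
    void *data = va_arg(ap, void *);
    va_end(ap);

    if (request == PTRACE_TRACEME)
        return 0;   /* report success: the anti-debug check never fires */

    /* PEEK* requests: the raw syscall stores the word through *data and returns
     * 0, while libc's wrapper returns the word itself. Mimic the wrapper. */
    if (request == PTRACE_PEEKTEXT || request == PTRACE_PEEKDATA ||
        request == PTRACE_PEEKUSR) {
        long word = 0;
        if (syscall(SYS_ptrace, request, pid, addr, &word) < 0)
            return -1;
        return word;
    }
    /* everything else goes to the kernel untouched */
    return syscall(SYS_ptrace, request, pid, addr, data);
}

/* The post's check as a function: 1 if it believes a debugger is attached. */
int debugger_detected(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0;
}

int main(void)
{
    if (debugger_detected())
        puts("Debugging noticed, Screw You!");
    else
        puts("Normal Execution");   /* always this path with the shim in place */
    return 0;
}
```

With the real ptrace, a second PTRACE_TRACEME in the same process fails with EPERM; with the shim every call succeeds, which is why the check above always takes the "Normal Execution" path.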

Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Bahat(m): 5:58pm On Oct 13, 2020
Neat and simple, but not effective against some serious reversers. Nice post, more of this. As I can remember, the anti-debugging technique was brought to life by virus coders who hate to see their work being stopped, like this TrickBot disturbing the peace of the internet.
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 11:03pm On Oct 13, 2020
Bahat:
Neat and simple, but not effective against some serious reversers. Nice post, more of this. As I can remember, the anti-debugging technique was brought to life by virus coders who hate to see their work being stopped, like this TrickBot disturbing the peace of the internet.
That's true, some reversers will have no problem finding a workaround. But of course you can harden it too xD
TrickBot is pretty insane, my tracker saw it targeting the States recently (both via malspam and Emotet drops). Seems TrickBot is a multinational crime enterprise not some skid screaming copy and paste code at things.

2 Likes

Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by charlesazeh(m): 9:22am On Oct 14, 2020
Can you help me with iPhone spoofing? I want to change my iPhone location.
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 2:27pm On Oct 14, 2020
charlesazeh:
Can you help me with iPhone spoofing? I want to change my iPhone location.
Uh! Just use a VPN?? Or go the long route and jailbreak your iPhone to use locationfaker, or go another longer route and grab a hardware spoofer like Gfaker.
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Akanimoh113(m): 1:54pm On Dec 30, 2020
EvilSec:

Please, how do I contact you?
Can I get your WhatsApp number...
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 8:58pm On Dec 30, 2020
Akanimoh113:


Please, how do I contact you?
Can I get your WhatsApp number...
You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Akanimoh113(m): 9:18pm On Dec 30, 2020
EvilSec:

You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.

I wanted you to help me out. I really need a smartphone; the Lumia 640 LTE is ancient history and a total headache for me.

Forgive Me If My Questions May Sound Stupid

First Question
So... I came up with an idea: can you create software that's able to predict the outcome of matches at mostly 99.9%, so that people could earn profit from betting?


Second Question
Can you find a loophole for Zoom Soccer on Bet9ja where you can know which games to pick that is a guaranteed win?


Third Question
In the photo below, is it possible to reveal the hidden features on the ticket that is covered with '400 Shares' and '200 Likes'?

Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Akanimoh113(m): 9:15pm On Jan 01
EvilSec:

You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.

Hello
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Bahat(m): 9:36am On Jun 09
Akanimoh113:


I wanted you to help me out. I really need a smartphone; the Lumia 640 LTE is ancient history and a total headache for me.

Forgive Me If My Questions May Sound Stupid

First Question
So... I came up with an idea: can you create software that's able to predict the outcome of matches at mostly 99.9%, so that people could earn profit from betting?


Second Question
Can you find a loophole for Zoom Soccer on Bet9ja where you can know which games to pick that is a guaranteed win?


Third Question
In the photo below, is it possible to reveal the hidden features on the ticket that is covered with '400 Shares' and '200 Likes'?

Well this looks interesting...

1 Like

Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Akanimoh113(m): 8:57pm On Jun 09
Bahat:


Well this looks interesting...
Ya
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Bahat(m): 6:22am On Jun 10
Akanimoh113:

Ya

You want to give it a trial; do you have those soft copies of said software?

If yes, you will fund the project. I'm talking about option 2.

For the first option there must be an algorithm for that, which I don't know, except you want a bad rating (feedback) for the software. 99.9% couldn't be earned except you owned the platform, and this is a worldwide game; doing the prediction will be like next to impossible. But based on their previous games and ratings you should get a 50/50 chance.

Question 3 will also need the soft copy of the product.
These are works of reversers, not just devs, and I'm not sure we have such people around; that's because I haven't met with one. I confirm we have such people when I clearly meet and work side by side with one of them.

My conclusion is, before you can do anything about this there must be serious reversers on ground who have the toolset to make it possible after discussing it.

Cc EvilSec, what do you say about those points I outlined?

1 Like

Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by AdolphBrian: 5:46pm On Jun 10
Wow, this is very informative. I recently started following this YouTuber named John Hammond. I think there's another one I'm also following named LiveOverflow.

Once again this post is quite informative for me (as I'm a noob in the sector). One thing I just want to ask is this. Some time ago, while going through one of the rooms in a KOTH match in TryHackMe, I stumbled upon this binary called "lucky_shell". It turns out that there's like a 1 in 25 chance of you escalating to root if you run it, but the catch is this: there is an even higher chance that your shell session gets terminated if you run the same binary. So it's kinda like a high risk, high reward operation. I did some research and got to find out that one can actually compile a custom ld.preload.so binary which would basically overwrite the functions with a corresponding name in the binary running with the environment variable "LD_PRELOAD" set to the path of the custom ld.preload.so.

TL;DR
If the person debugging the binary runs it using a custom "LD_PRELOAD" environment variable, say it is set to the path of a custom ld.preload.so binary, and the "ptrace" function is overridden in the ld.preload.so binary to always return 1 won't the malwar3 run without realizing that it's being debugged?
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 8:06pm On Jun 10
Bahat:


You want to give it a trial; do you have those soft copies of said software?

If yes, you will fund the project. I'm talking about option 2.

For the first option there must be an algorithm for that, which I don't know, except you want a bad rating (feedback) for the software. 99.9% couldn't be earned except you owned the platform, and this is a worldwide game; doing the prediction will be like next to impossible. But based on their previous games and ratings you should get a 50/50 chance.

Question 3 will also need the soft copy of the product.
These are works of reversers, not just devs, and I'm not sure we have such people around; that's because I haven't met with one. I confirm we have such people when I clearly meet and work side by side with one of them.

My conclusion is, before you can do anything about this there must be serious reversers on ground who have the toolset to make it possible after discussing it.

Cc EvilSec, what do you say about those points I outlined?
Yes, you're right.
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Bahat(m): 2:54pm On Jun 13
EvilSec:

Yes, you're right.

Yes sir. How have you been doing? Great I guess
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by EvilSec: 7:48pm On Jun 13
Bahat:


Yes sir. How have you been doing? Great I guess
Yeah I'm good. Looking to finally publish a writeup on an app I hacked so bad it's going to start advertising as shitapp on steroid.
How are you?
Re: POC Of Bypassing Anti Debugging With Some Dirty Code I Wrote by Bahat(m): 8:09pm On Jun 13
EvilSec:

Yeah I'm good. Looking to finally publish a writeup on an app I hacked so bad it's going to start advertising as shitapp on steroid.
How are you?

Doing great. Glad to hear from you, been up and doing.
