EventPairHandle as Anti-Dbg Trick

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} gmail {DOT} com
Website: http://evilcry.netsons.org / http://evilcodecave.wordpress.com

An EventPair object is an Event built from two KEVENT structures, conventionally named High and Low. EventPairs are used for synchronization in Quick LPC: they allow the called thread to continue in the current quantum, reducing scheduling overhead and latency. Looking at the basic operations a debugger needs to accomplish, we can see that these tasks are conceptually simple: while the target is running normally the debugger sleeps, and when certain events occur the debugger wakes up. It becomes clear that there is a strict relation between generic Event objects and debuggers, because a debugger has to create a custom Event, called DebugEvent, able to handle exceptions. Due to the presence of Events owned by the debugger, the information relative to the Events of a normal process differs from that of a debugged process. This is the struct that describes an EventPair:

    typedef struct _KEVENT_PAIR {
        USHORT Type;
        USHORT Size;
        KEVENT Event1;
        KEVENT Event2;
    } KEVENT_PAIR, *PKEVENT_PAIR;

Nothing more than a couple of _KEVENTs. NtCreateEventPair is responsible for EventPair creation; here is the prototype:

    NTSYSAPI NTSTATUS NTAPI NtCreateEventPair(
        OUT PHANDLE            EventPairHandle,
        IN  ACCESS_MASK        DesiredAccess,
        IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
    );

PARAMETERS

hEventPair: Pointer to the variable that receives the handle to the event-pair object.

AccessMask: Type of access requested to the event-pair object, a combination of any of the following flags: EVENT_QUERY_STATE, EVENT_MODIFY_STATE, and EVENT_ALL_ACCESS. This can be

ObjectAttributes: Points to the OBJECT_ATTRIBUTES structure containing the information about the event-pair object to be created, such as name, parent directory, object flags, and so on.

EventPairs are used by the Win32 subsystem to provide notification when the client thread has copied a message to the Win32 server, or vice versa. LPC messages are passed in the section object, and synchronization is performed by the event-pair object. The event-pair object eliminates the overhead of using the port object to pass messages containing pointers and lengths. LPC was used in the Kernel/User-Mode Debug Support before Windows XP for various notifications. The new Debugging Support makes use of _DEBUG_OBJECT. This struct is a wrapper around the event used by WaitForDebugEvent; consequently we need to see how _DEBUG_EVENT is structured. Here is the struct:

    typedef struct _DEBUG_EVENT {
        LIST_ENTRY EventList;
        KEVENT     ContinueEvent;
        CLIENT_ID  ClientId;
        PEPROCESS  Process;
        PETHREAD   Thread;
        NTSTATUS   Status;
        ULONG      Flags;
        PETHREAD   BackoutThread;
        DBGKM_MSG  ApiMsg;
    } DEBUG_EVENT, *PDEBUG_EVENT;

As you can see, among the members of this struct the last one sounds really interesting: DBGKM_MSG, which by its name we can understand refers to Debug Messaging (messaging implies involvement of the LPC mechanism). So let's see the DBGKM_MSG struct:

    typedef struct _DBGKM_MSG {
        PORT_MESSAGE     h;
        DBGKM_APINUMBER  ApiNumber;
        ULONG            ReturnedStatus;
        union {
            DBGKM_EXCEPTION      Exception;
            DBGKM_CREATE_THREAD  CreateThread;
            DBGKM_CREATE_PROCESS CreateProcess;
            DBGKM_EXIT_THREAD    ExitThread;
            DBGKM_EXIT_PROCESS   ExitProcess;
            DBGKM_LOAD_DLL       LoadDll;
            DBGKM_UNLOAD_DLL     UnloadDll;
        };
    } DBGKM_MSG, *PDBGKM_MSG;
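To make the layout of _DEBUG_EVENT's ApiMsg member concrete, here is an added example that decodes a raw 32-bit (x86) image of DBGKM_MSG: the PORT_MESSAGE header, the ApiNumber discriminator and the union member it selects. This is not the article's code and not taken from any Windows header; the DBGKM_APINUMBER values, the LPC_DEBUG_EVENT type code, and the PORT_MESSAGE, EXCEPTION_RECORD and DBGKM_* member layouts are assumed from the public ReactOS-style definitions, and the sample message in main() is constructed, so the decoder runs on any host.

```c
/* Added example: decoder for the x86 (32-bit) image of DBGKM_MSG.
 * Not the article's code. Layouts of PORT_MESSAGE, EXCEPTION_RECORD and the
 * DBGKM_* union members are assumed from public (ReactOS-style) definitions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DBGKM_APINUMBER values (assumed from public definitions). */
enum { DbgKmExceptionApi = 0, DbgKmCreateThreadApi, DbgKmCreateProcessApi,
       DbgKmExitThreadApi, DbgKmExitProcessApi, DbgKmLoadDllApi,
       DbgKmUnloadDllApi, DbgKmMaxApiNumber };

#define LPC_DEBUG_EVENT   8u                         /* PORT_MESSAGE type, assumed */
#define PORT_MESSAGE_SIZE 24u                        /* 32-bit PORT_MESSAGE */
#define DBGKM_BODY_OFFSET (PORT_MESSAGE_SIZE + 8u)   /* after ApiNumber + ReturnedStatus */

/* Minimum union payload per API on x86. DBGKM_EXCEPTION is an 80-byte
 * EXCEPTION_RECORD followed by the ULONG FirstChance. */
static const size_t body_min[DbgKmMaxApiNumber] = { 84, 8, 28, 4, 4, 20, 4 };
static const char *const api_names[DbgKmMaxApiNumber] = {
    "Exception", "CreateThread", "CreateProcess", "ExitThread",
    "ExitProcess", "LoadDll", "UnloadDll" };

typedef struct {
    uint16_t data_length, total_length;   /* PORT_MESSAGE.u1.s1 */
    uint16_t lpc_type;                    /* PORT_MESSAGE.u2.s2.Type */
    uint32_t client_pid, client_tid;      /* PORT_MESSAGE.ClientId */
    uint32_t api_number, returned_status; /* DBGKM_MSG.ApiNumber / ReturnedStatus */
    const char *api_name;
    /* API-specific words copied out of the union by dbgkm_decode: */
    uint32_t exception_code, exception_address, first_chance; /* Exception */
    uint32_t start_address;                        /* CreateThread / CreateProcess */
    uint32_t exit_status;                          /* ExitThread / ExitProcess */
    uint32_t file_handle, base_address, name_pointer; /* LoadDll / UnloadDll / CreateProcess */
} dbgkm_view;

/* Little-endian accessors, so the decoder does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Decode one message image. Returns 0 on success, -1 if the image is truncated,
 * the PORT_MESSAGE lengths disagree with the buffer, or ApiNumber is unknown. */
int dbgkm_decode(const uint8_t *buf, size_t len, dbgkm_view *v)
{
    memset(v, 0, sizeof *v);
    if (len < DBGKM_BODY_OFFSET) return -1;
    v->data_length = rd16(buf);      v->total_length = rd16(buf + 2);
    v->lpc_type = rd16(buf + 4);
    v->client_pid = rd32(buf + 8);   v->client_tid = rd32(buf + 12);
    v->api_number = rd32(buf + 24);  v->returned_status = rd32(buf + 28);
    if (v->total_length > len || v->data_length + PORT_MESSAGE_SIZE != v->total_length) return -1;
    if (v->api_number >= DbgKmMaxApiNumber) return -1;
    if (v->total_length - DBGKM_BODY_OFFSET < body_min[v->api_number]) return -1;
    v->api_name = api_names[v->api_number];
    const uint8_t *b = buf + DBGKM_BODY_OFFSET;
    switch (v->api_number) {
    case DbgKmExceptionApi:     /* ExceptionCode @0, ExceptionAddress @12, FirstChance @80 */
        v->exception_code = rd32(b); v->exception_address = rd32(b + 12); v->first_chance = rd32(b + 80); break;
    case DbgKmCreateThreadApi:  /* SubSystemKey @0, StartAddress @4 */
        v->start_address = rd32(b + 4); break;
    case DbgKmCreateProcessApi: /* SubSystemKey, FileHandle, BaseOfImage, ..., InitialThread.StartAddress @24 */
        v->file_handle = rd32(b + 4); v->base_address = rd32(b + 8); v->start_address = rd32(b + 24); break;
    case DbgKmExitThreadApi: case DbgKmExitProcessApi:  /* ExitStatus @0 */
        v->exit_status = rd32(b); break;
    case DbgKmLoadDllApi:       /* FileHandle @0, BaseOfDll @4, DebugInfo*, NamePointer @16 */
        v->file_handle = rd32(b); v->base_address = rd32(b + 4); v->name_pointer = rd32(b + 16); break;
    case DbgKmUnloadDllApi:     /* BaseAddress @0 */
        v->base_address = rd32(b); break;
    }
    return 0;
}

/* Build a message image (for samples and tests): PORT_MESSAGE header, ApiNumber,
 * zero ReturnedStatus, then the given union words. Returns bytes written, 0 on overflow. */
size_t dbgkm_build(uint8_t *out, size_t cap, uint32_t api, uint32_t pid, uint32_t tid,
                   const uint32_t *words, size_t nwords)
{
    size_t total = DBGKM_BODY_OFFSET + nwords * 4;
    if (total > cap || total > 0xffff) return 0;
    memset(out, 0, total);
    wr16(out, (uint16_t)(total - PORT_MESSAGE_SIZE)); /* DataLength excludes the header */
    wr16(out + 2, (uint16_t)total);                   /* TotalLength includes it */
    wr16(out + 4, LPC_DEBUG_EVENT);
    wr32(out + 8, pid); wr32(out + 12, tid);
    wr32(out + 24, api);
    for (size_t i = 0; i < nwords; i++) wr32(out + DBGKM_BODY_OFFSET + 4 * i, words[i]);
    return total;
}

int main(void)
{
    uint8_t img[128];
    uint32_t ld[5] = { 0x5c, 0x7c800000u, 0, 0, 0x7ffd1234u }; /* constructed LoadDll sample */
    size_t n = dbgkm_build(img, sizeof img, DbgKmLoadDllApi, 0x4d0, 0x4d4, ld, 5);
    dbgkm_view v;
    if (dbgkm_decode(img, n, &v) == 0)
        printf("%s from pid %#x: base %#x, file handle %#x\n",
               v.api_name, v.client_pid, v.base_address, v.file_handle);
    return 0;
}
```

The length checks matter: the decoder trusts neither the buffer size nor the header on its own, but requires DataLength, TotalLength and the selected union member to agree before reading into the union, which is the check any consumer of port messages should make.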

PORT_MESSAGE defines the LPC message header that is used for every communication between client and server. It becomes clear that, despite the fact that LPC is not used, the presence of PORT_MESSAGE reveals that LPC is supported, and consequently influences the EventPair count, read as EventPair handle. We have seen that LPC is used in the Debugging System, so a debugged process will present an EventPair handle different from a non-debugged one. I've tested this fact on a Windows XP SP2 machine and this method works (on OllyDbg; other debuggers are untested). Here is the code:

    #define WIN32_LEAN_AND_MEAN
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    #include "defs.h"

    #pragma comment(lib, "ntdll.lib")
    #pragma comment(lib, "psapi.lib")

    /* Values the author observed on his Windows XP SP2 machine. Several digits
       are illegible in the source text (they read as 0x?00000?2 and 0x00002b??),
       so the placeholders below must be replaced with values observed on the
       test machine before the comparison means anything. */
    #define DEBUGGED_REMOTE_SECTION_BASE ((PVOID) 0 /* 0x?00000?2 in the source */)
    #define DEBUGGED_EVENT_PAIR_HANDLE   ((PVOID) 0 /* 0x00002b?? in the source */)

    void QueryProcessHeapMethod(void)
    {
        PDEBUG_BUFFER buffer;

        /* Allocate the DEBUG_BUFFER and fill in the heap information. */
        buffer = RtlCreateQueryDebugBuffer(0, FALSE);
        RtlQueryProcessHeapInformation(buffer);

        if (buffer->RemoteSectionBase == DEBUGGED_REMOTE_SECTION_BASE)
            MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
        else
            MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

        /* The EventPairHandle field is the one this article is about. */
        if (buffer->EventPairHandle == DEBUGGED_EVENT_PAIR_HANDLE)
            MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
        else
            MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

        printf("EventPairHandle= %x\n", (int) buffer->EventPairHandle);
    }

    int main(void)
    {
        QueryProcessHeapMethod();
        return (EXIT_SUCCESS);
    }

References: http://www.alex-ionescu.com/dbgk-3.pdf

Feel free to contact me, test this feature and let me know by mail if you can.

Regards,
Giuseppe 'Evilcry' Bonfa'

The rest of the world, and the IT suckers that tried to deceive me with their fake work proposal, can die.

