
Debugger Detection Via NtSystemDebugControl


evilcry
September 14th, 2008, 02:42
Hi,
NtSystemDebugControl() is a really powerful undocumented function that allows direct manipulation of the system's structures.

Here is a definition of NtSystemDebugControl:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Debug/NtSystemDebugControl.html

The use of this function is limited only by the fancy of the coder.

I've rewritten some basic anti-debugging techniques using direct structure reading with NtSystemDebugControl. Obviously there are shorter ways to implement these anti-debug apps, but I think the more reimplementations exist, the more possibilities there are to trick an attacker who may not know/understand the application, especially if embedded in lots and lots of junk code.

Here you can download the Source Code sample:

http://evilcry.netsons.org/other/ntsd.zip

Have a nice Day,
Evilcry
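
The PEB-based checks described above, routed through NtSystemDebugControl, as an added example that is not evilcry's ntsd.zip code. It uses the SysDbgReadVirtual command and the SYSDBG_VIRTUAL layout from the undocumented.ntinternals.net page linked above, and it assumes the x86 Windows XP PEB offsets (BeingDebugged at 0x02, NtGlobalFlag at 0x68); those offsets, the minimal PROCESS_BASIC_INFORMATION struct and the privilege handling are my assumptions, not anything stated in the thread. The call checks SeDebugPrivilege, so the example enables it first via RtlAdjustPrivilege (an administrator token is required); and on Windows Vista and later the kernel refuses these commands unless the machine was booted with kernel debugging enabled, so the collector is an XP-era technique. The decision logic is kept separate from the kernel reads so it can be exercised with constructed snapshots on any platform.

```c
/* Added example (not the ntsd.zip code from the thread): the PEB-based checks
 * evilcry describes, with the reads routed through
 * NtSystemDebugControl(SysDbgReadVirtual). Assumptions are marked below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heap-debug bits a debugger-created process receives in PEB.NtGlobalFlag. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Assumption: x86 Windows XP PEB layout. Other builds use other offsets. */
#define PEB_OFF_BEING_DEBUGGED 0x02u
#define PEB_OFF_NT_GLOBAL_FLAG 0x68u

/* What the two kernel-mediated reads return; filled by snapshot_own_peb() on Windows. */
typedef struct {
    uint8_t  being_debugged;   /* PEB.BeingDebugged, the byte IsDebuggerPresent() tests */
    uint32_t nt_global_flag;   /* PEB.NtGlobalFlag */
} peb_snapshot;

enum { DBG_NONE = 0, DBG_BEING_DEBUGGED = 1, DBG_HEAP_FLAGS = 2 };

/* Evaluate a snapshot. Returns a bitmask of the checks that fired, so the caller
 * can tell an attached debugger (BeingDebugged) from a debugger-created process
 * (heap flags) whose BeingDebugged byte has since been cleared. */
int classify_peb(const peb_snapshot *s)
{
    int r = DBG_NONE;
    if (s->being_debugged)
        r |= DBG_BEING_DEBUGGED;
    if ((s->nt_global_flag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS)
        r |= DBG_HEAP_FLAGS;
    return r;
}

#ifdef _WIN32
#include <windows.h>

/* SYSDBG_VIRTUAL as on undocumented.ntinternals.net; PBI_MIN is a minimal
 * PROCESS_BASIC_INFORMATION with only PebBaseAddress named (assumption). */
typedef LONG NTSTATUS;
typedef struct { PVOID Address; PVOID Buffer; ULONG Request; } SYSDBG_VIRTUAL;
typedef struct { PVOID Reserved1; PVOID PebBaseAddress; PVOID Reserved2[4]; } PBI_MIN;
typedef NTSTATUS (NTAPI *NtSystemDebugControl_t)(ULONG, PVOID, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *RtlAdjustPrivilege_t)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
#define SysDbgReadVirtual        8u
#define ProcessBasicInformation  0u
#define SE_DEBUG_PRIVILEGE       20u

/* One kernel-mediated read of `len` bytes at `addr` into `buf`. */
static NTSTATUS dbgctl_read(NtSystemDebugControl_t fn, ULONG_PTR addr, void *buf, ULONG len)
{
    SYSDBG_VIRTUAL req = { (PVOID)addr, buf, len };
    ULONG ret = 0;
    return fn(SysDbgReadVirtual, &req, sizeof req, NULL, 0, &ret);
}

/* Fill *out through NtSystemDebugControl. Returns 0 on success, otherwise the
 * failing NTSTATUS (0xC0000001 is the STATUS_UNSUCCESSFUL seen in the thread). */
NTSTATUS snapshot_own_peb(peb_snapshot *out)
{
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    NtSystemDebugControl_t      sdc = (NtSystemDebugControl_t)GetProcAddress(nt, "NtSystemDebugControl");
    NtQueryInformationProcess_t qip = (NtQueryInformationProcess_t)GetProcAddress(nt, "NtQueryInformationProcess");
    RtlAdjustPrivilege_t        adj = (RtlAdjustPrivilege_t)GetProcAddress(nt, "RtlAdjustPrivilege");
    PBI_MIN pbi; BOOLEAN was = FALSE; NTSTATUS st; ULONG_PTR peb;
    if (!sdc || !qip || !adj) return (NTSTATUS)0xC0000001L;
    /* The syscall checks SeDebugPrivilege; enable it first (needs an admin token). */
    adj(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &was);
    st = qip(GetCurrentProcess(), ProcessBasicInformation, &pbi, sizeof pbi, NULL);
    if (st) return st;
    peb = (ULONG_PTR)pbi.PebBaseAddress;
    memset(out, 0, sizeof *out);
    st = dbgctl_read(sdc, peb + PEB_OFF_BEING_DEBUGGED, &out->being_debugged, 1);
    if (st) return st;
    return dbgctl_read(sdc, peb + PEB_OFF_NT_GLOBAL_FLAG, &out->nt_global_flag, 4);
}
#else
/* Non-Windows build: the collector cannot run, but classify_peb() still can. */
typedef long NTSTATUS;
NTSTATUS snapshot_own_peb(peb_snapshot *out) { (void)out; return -1; }
#endif

int main(void)
{
    peb_snapshot s;
    NTSTATUS st = snapshot_own_peb(&s);
    if (st) { printf("NtSystemDebugControl path failed: 0x%08lx\n", (unsigned long)st); return 1; }
    printf("checks fired: 0x%x\n", classify_peb(&s));
    return 0;
}
```

Because the reads go through the kernel rather than through fs:[0x30] or IsDebuggerPresent(), a debugger plugin that patches ntdll or hooks the usual user-mode API does not see them; a plugin that patches the PEB byte itself still defeats the first check, which is why the heap-flag check is reported separately. Without SeDebugPrivilege the call returns STATUS_ACCESS_DENIED, which is distinct from the intermittent STATUS_UNSUCCESSFUL discussed later in the thread.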

evaluator
September 14th, 2008, 14:40
Does this apply only to the M$ debugger, or also to SoftICE & Olly?

evilcry
September 15th, 2008, 00:07
It's debugger independent, because it checks the usual system structs influenced by the presence of debuggers.

Shub-nigurrath
September 15th, 2008, 04:10
excellent mate!

evlncrn8
September 15th, 2008, 05:54
If you look closely, though, it's nothing 'new' regarding debugger detection, just another way to go about it...
checking GlobalFlags, checking the PEB for IsDebugged and so on...

Shub-nigurrath
September 15th, 2008, 07:11
Yes, of course, the information they rely on is the same as that of well-known tests; anyway, an interesting API.

evilcry
September 15th, 2008, 08:13
Hi,

evlncrn8, I clearly specified this:

Quote:

I've rewritten some basical Anti Debugging Techniques


I've not claimed that these are new detection methods, just other ways of doing them.

My only intent is to illustrate NtSystemDebugControl.

@Shub-nigurrath: Thank you man


Regards,
Evilcry

deroko
September 15th, 2008, 10:59
Hi there, I remember seeing an anti-rootkit tool which used this specific API to perform rootkit detection without a driver. Can't remember its name, but I will try to find it and post a ref to it.

Kayaker
September 16th, 2008, 00:17
Quote:
this applies only to m$ debugger, or also Sice & Olly??


No, not with Sice. EPROCESS.DebugPort is never enabled when running under Softice, so they're all usermode only.


Nice evilcry, I threw the code into a blank VC6++ console project. I get a weird somewhat random error when running on my system (xpsp2) with NO debuggers present. Under a debugger it runs fine. It also seems to run fine under VMWare under either condition. McAfee is the only ~thing~ I have running.


The error occurs either the 1st OR the 2nd time NtSystemDebugControl tries to read the PEB, or EPROCESS, the return is the unhelpful STATUS_UNSUCCESSFUL. GetLastError doesn't provide any info.

The 1st time is when it reads the PEB, OR the 2nd is when it accesses one of the fields (IsDebuggerPresent, NtGlobalFlags).

It doesn't matter which of the 3 tests is called first, it always happens on the *first* occurrence of accessing the PEB (or sometimes initially the PEB field); the rest of the NtSystemDebugControl calls seem to be able to access the PEB ok after that. In the case of DebugPort, there was also an error, this time when accessing EPROCESS I think.

But it doesn't happen all the time! It seems to happen more when I open the file from a command line, instead of double clicking on the application, but not always. The behaviour is also a little different between Debug and Release versions of the file. One tends to error when the PEB itself is read, the other errors when the PEB.0xxx field is read by NtSystemDebugControl.


It's a weird error, but it seems to indicate that the PEB and EPROCESS may not be immediately accessible to NtSystemDebugControl, 100% of the time. The function itself might be a bit buggy, or maybe it indicates some failure to immediately verify the proper privileges.

I suppose I should also test it on another system and a different compiler, but it makes me question the undocumented NtSystemDebugControl as a bombproof function - or method.

Dunno if anyone else experienced this.

Cheers,
Kayaker

evilcry
September 16th, 2008, 01:00
Hello,

I've worked with VS2k5 and XP Sp2

Also I've noticed one or two NtSystemDebugControl failures, but they "seem" random, and I've had the same impression as you, Kayaker: NtSystemDebugControl is buggy, I think it fails on the occurrence of some unknown condition.

Quote:

It seems to happen more when I open the file from a command line, instead of double clicking on the application, but not always. The behaviour is also a little different between Debug and Release versions of the file. One tends to error when the PEB itself is read


Nice discovery!
I'll step into NtSystemDebugControl under the command-line condition to see what happens.

@Deroko:
Eheh, yes, this function has been used for anti-rootkit technology; here you can see sample code for it:

http://www.openrce.org/blog/view/354/Tips_&_Tricks_Part_2_-_Putting_ZwSystemDebugControl_to_good_use

Regards,
Evilcry

deroko
September 16th, 2008, 05:12
Nah, it's not the one I was referring to. At rootkit.com a few months ago there was a fully working anti-rootkit using this API. Really can't find it now.

NeOXOeN
September 16th, 2008, 13:30
Nice contribution..