Anti Debug With X86

Well, whilst looking through some good tutorials on reversing and unpacking I came across an interesting x86 instruction: RDTSC. The primary job of this instruction is to return the time stamp counter which is the number of processor ticks since reset. An interesting use of this instruction is to allow debugger detection by comparing the counter before and after an important part of code. If the process is being stepped through slowly, or contains a breakpoint within the code, the time stamp will be over the threshold allowing detection.

Beware there is a way for the operating system (or any program operating in Ring0) to disable this being used in Ring3 by setting the TSD flag in the CR4 register.

See this code for an example of this technique (can be built in GCC)

#include

/*****************************************************

* This is not designed to be used directly, rather used

* in a encryption portion of code. The reason is that

* any semi-intelligent person could just NULL the

* 'before_ticks' or 'after_ticks' or even NOP the check

* code. Think of this more as a deterrent for your

* average Joe Haxx0r (or one more trap in an already protected

* executable)

******************************************************/

/* change me depending on code to be protected */

#define TICKS_MAX (unsigned long long)0x0000000000100000

struct ticks {

unsigned long ticks_low;

unsigned long ticks_high;

};

unsigned long long before_ticks;

unsigned long long after_ticks;

void start_anti_counter(void) {

struct ticks *ticks = (struct ticks *)&before_ticks;

__asm__("rdtsc;"

: "=a"(ticks->ticks_low), "=d"(ticks->ticks_high));

}

/***********************************

* Returns 1 on suspect process (being debugged)

* Returns 0 on non suspect

***********************************/

int end_anti_counter(void) {

struct ticks *ticks = (struct ticks *)&after_ticks;

__asm__("rdtsc;"

: "=a"(ticks->ticks_low), "=d"(ticks->ticks_high));

if ((after_ticks - before_ticks) > TICKS_MAX) {

return 1;

}

return 0;

}

int main(void) {

start_anti_counter();

printf("!! PLEASE DON'T DEBUG ME !!\n");

if (end_anti_counter()) {

printf("I see the matrix\n");

} else {

printf("All is fine, chicken tastes good\n");

}

}

Advertisements

Google, the hub of the world wide web

Well, after a few days studying with the open university (M150 if you are interested), I came across something quite interesting in the course material. It was nothing controversial or incorrect, but something that gave me a horrible vision.

I currently work for a large company in a customer service role. Part of my position sees me helping with customer website problems on a daily basis. Many times I have had to provide instructions to customers on how to access the website through their browser and countless times I deal with customers believing that Google is the internet. This isn’t by any means an attack on those people as unfortunately this is the way that many people learn or are introduced with online browsing. It doesn’t stop at the inexperienced either, I myself use Google on a daily, even hourly basis to find my content, browse news, check my email, even review the traffic to this very site. Granted that once I have the destination I am looking for I revert to bookmarks or RSS feeds, but the point is that Google acts as the hub for 99% of the browsing that I and many other people do.

This leads me onto my main point. In the current climate of HTML5 open standard to move away from flash/shockwave/silverlight/WMV websites, why is there no plan to facilitate searching the world wide web without a central company dominating? Ask yourself this, if google was to disappear tomorrow, how would you navigate the web? Perhaps switch to something like ASK, YAHOO, Altavista or Bing but then wouldn’t history would repeat? Think of the initial goals of Arpanet.

Just my 2 cents 😉