Anti-Debugging Using Hardware Breakpoints
What is a Breakpoint?
- A breakpoint is an intentional stop or pause of a program at a chosen point, used to acquire knowledge about the program during its execution.
- Breakpoints are program locations where we want the processor to halt so that we can do some sort of debugging.
- During the interruption, the programmer inspects the test environment (general purpose registers, memory, logs, files, etc.) to find out whether the program is functioning as expected.
What is a Hardware Breakpoint?
- Hardware breakpoints are essentially comparators: when enabled, the CPU compares the current PC (program counter), or the address on the internal data bus, with the address stored in the comparator.
- If the address matches the configured condition, the processor stops (or does whatever the hardware implements for that condition) and hands control to the debugger.
- CPUs have only a limited number of hardware breakpoints (comparators); the number depends on the CPU. x86 has 4.
- On x86, hardware breakpoints are implemented using the debug registers DR0-DR7.
Hardware Breakpoint Features:
- Implemented in hardware, so the target code is never modified (a software breakpoint patches an INT3 opcode into the instruction stream).
- Can be set on both code and data: execute breakpoints on instructions, read/write breakpoints on data.
- At most 4 hardware breakpoints per thread (the debug registers are part of the thread context, so each thread has its own set).
- Faster than software breakpoints: the comparison is done by the dedicated registers DR0-DR7, nothing has to be patched into the code, and a data breakpoint does not require single-stepping the program.
- Can be set on both volatile memory (RAM) and non-volatile memory (ROM/flash), because nothing has to be written into the code being debugged.
How it Works:
- When execution (or a data access) hits the configured address, the hardware breakpoint triggers.
- The processor raises the debug exception (#DB, interrupt vector 1), which stops execution and transfers control to the debugger.
- The main strength of hardware breakpoints is that they can halt on non-execution accesses (reads and writes) to memory locations.
- Hardware breakpoints are set by writing the debug registers (DR0-DR7) of a given thread. Whenever that thread accesses the given address, the #DB exception is raised; on Windows the debugger sees it as EXCEPTION_SINGLE_STEP.
Uses of the Debug Registers:
- DR0 to DR3 (address registers):
Each of these registers contains the linear address associated with one of the four breakpoint conditions.
- DR4 and DR5: reserved (they alias DR6 and DR7 when CR4.DE is clear, and raise #UD when it is set).
- DR6 (debug status register):
Lets the debugger determine which debug conditions have occurred; bits B0-B3 indicate which of the four breakpoints was hit.
- DR7 (debug control register):
Enables each breakpoint (bits L0-L3 for the local, G0-G3 for the global enable) and, for each one, defines the breakpoint activation mode by the access type: break on execution (R/W = 00b), data write (01b), or data read or write (11b), together with the LEN field giving the size of the monitored data (1, 2, 4 or, in 64-bit mode, 8 bytes).
POC:
1. For POC purposes, I have written a simple C program that checks for hardware breakpoints.
2. When we execute this application directly, without setting any breakpoints, it prints only 3 messages (see the first screenshot).
3. If we debug this application and set hardware breakpoints, it prints an additional message saying that a hardware breakpoint was found in the application.
4. Let's debug this application. Initially the code simply prints two messages, first "Execution Started" and then "Hello World !!!", using the library function printf().
5. Now we want to check the debug register values. To read them we need the thread context, which contains the values of all the debug registers.
6. To retrieve the thread context we call the Win32 API GetThreadContext, passing a handle to the current thread; that handle is obtained with GetCurrentThread. The CONTEXT structure passed in must have ContextFlags set to CONTEXT_DEBUG_REGISTERS, otherwise the Dr0-Dr7 fields are not filled in.
7. After retrieving the thread context, we check the debug registers. If any of DR0-DR3 is non-zero, a hardware breakpoint is found in the application. (A stricter check also tests the matching enable bit L0-L3 in DR7: an address left in DR0-DR3 with its enable bit cleared is not an active breakpoint.)
8. I have added 4 hardware breakpoints in the debugger (see screenshot).
9. In the next screenshot we can see the values of all the debug registers:
the first 4 registers (DR0-DR3) contain the addresses of the breakpoints;
DR6 is the status register, which records which breakpoint was hit;
DR7 is the control register, which holds the enable bits and the access mode (read, write, execute) of each breakpoint.
10. Because we added 4 breakpoints, DR0-DR3 are all non-zero. From this check the program determines that hardware breakpoints are enabled, and it then prints the message that a hardware breakpoint was found.
The full output is shown in the last screenshot.
Here you can find the full pseudo code of the POC:
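The following C program is an added example, not the author's POC code or pseudo code. It covers two things the page describes: the layout of DR7 and DR6 (enable bits, R/W and LEN fields, B0-B3 hit bits) and the GetThreadContext/GetCurrentThread check from steps 5-7. The `debug_regs_t` and `bp_slot_t` types and every function name are assumptions made for this example. On Windows it reads the calling thread's real debug registers through GetThreadContext with CONTEXT_DEBUG_REGISTERS; on any other system it decodes a constructed sample so the decoding logic can be exercised without a debugger. It also shows why testing only "DR0-DR3 is not null" can misfire: a stale address with its DR7 enable bit cleared is reported by the page's check but not by the stricter one.

```c
/* Added example (not the author's POC code): decode the x86 debug registers as
 * they appear in a thread CONTEXT and decide whether an active hardware
 * breakpoint is present. debug_regs_t, bp_slot_t and all function names are
 * assumptions made here. On Windows the registers are read through
 * GetThreadContext(GetCurrentThread()); elsewhere a constructed sample is used. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef struct {
    uintptr_t dr[4];  /* DR0-DR3: linear address of each breakpoint */
    uintptr_t dr6;    /* DR6: status; bits B0-B3 say which breakpoint was hit */
    uintptr_t dr7;    /* DR7: enable bits plus R/W and LEN field per slot */
} debug_regs_t;

typedef struct {         /* DR7 fields for breakpoint slot n (0..3) */
    bool local_enable;   /* bit 2n   (L0..L3) */
    bool global_enable;  /* bit 2n+1 (G0..G3) */
    unsigned rw;         /* bits 16+4n..17+4n: 00 exec, 01 write, 11 read/write */
    unsigned len;        /* bits 18+4n..19+4n: 00=1, 01=2, 11=4, 10=8 bytes */
} bp_slot_t;

debug_regs_t make_regs(uintptr_t d0, uintptr_t d1, uintptr_t d2, uintptr_t d3, uintptr_t dr7)
{
    return (debug_regs_t){ { d0, d1, d2, d3 }, 0, dr7 };
}

bp_slot_t decode_dr7_slot(uintptr_t dr7, unsigned n)
{
    bp_slot_t s;
    s.local_enable  = (dr7 >> (2 * n)) & 1;
    s.global_enable = (dr7 >> (2 * n + 1)) & 1;
    s.rw  = (unsigned)((dr7 >> (16 + 4 * n)) & 3);
    s.len = (unsigned)((dr7 >> (18 + 4 * n)) & 3);
    return s;
}

const char *rw_name(unsigned rw)   /* access mode, as the page describes DR7 */
{
    return rw == 0 ? "execute" : rw == 1 ? "write" : rw == 3 ? "read/write" : "i/o (CR4.DE)";
}

unsigned len_bytes(unsigned len)   /* the LEN encoding is not in numeric order */
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[len & 3];
}

/* The page's check: any address register non-zero. */
bool any_address_set(debug_regs_t r)
{
    return r.dr[0] || r.dr[1] || r.dr[2] || r.dr[3];
}

/* Stricter check: count slots whose L or G enable bit is set in DR7. */
int count_enabled_breakpoints(debug_regs_t r)
{
    int n = 0;
    for (unsigned i = 0; i < 4; i++) {
        bp_slot_t s = decode_dr7_slot(r.dr7, i);
        if (s.local_enable || s.global_enable) n++;
    }
    return n;
}

unsigned dr6_hit_mask(uintptr_t dr6) { return (unsigned)(dr6 & 0xF); }  /* B0-B3 */

#ifdef _WIN32
/* CONTEXT_DEBUG_REGISTERS must be requested, or the Dr* fields are left unset. */
bool read_current_thread_debug_regs(debug_regs_t *out)
{
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx))
        return false;
    *out = make_regs(ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3, ctx.Dr7);
    out->dr6 = ctx.Dr6;
    return true;
}
#endif

int main(void)
{
    debug_regs_t r;
#ifdef _WIN32
    if (!read_current_thread_debug_regs(&r)) { puts("GetThreadContext failed"); return 1; }
#else
    /* Constructed sample: DR0 execute bp, DR1 4-byte write bp, both locally enabled. */
    r = make_regs(0x401000, 0x7ffd1234, 0, 0, 0x00D00005);
#endif
    for (unsigned i = 0; i < 4; i++) {
        bp_slot_t s = decode_dr7_slot(r.dr7, i);
        printf("DR%u=0x%llx enabled=%d mode=%s len=%u\n", i, (unsigned long long)r.dr[i],
               s.local_enable || s.global_enable, rw_name(s.rw), len_bytes(s.len));
    }
    printf("DR6 hit mask=0x%x\n", dr6_hit_mask(r.dr6));
    puts(count_enabled_breakpoints(r) ? "Hardware breakpoint found" : "No hardware breakpoint");
    return 0;
}
```

Run it under a debugger on Windows with one or more hardware breakpoints set and the enabled count is non-zero; run it directly and it reports no breakpoint. A debugger that single-steps the call to GetThreadContext or hooks the API can hide the registers, which is why this check is usually combined with others.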
Conclusion:
In this article, we saw how hardware breakpoints work and how malware can detect that hardware breakpoints are set by reading the debug registers from the thread context.
Author: Rahul Bidgar
Thank you, Mr. Rahul sir, you saved my one subject and apparently my year drop...
Very useful information, thanks Rahul