Anti-Debugging Using Software BreakPoint

In this article we are going to see how malware checks whether a software breakpoint has been set inside its own code.

When it runs, malware commonly checks whether it is being executed under analysis and applies anti-debugging tricks to frustrate a debugger.

In this article we will see one of these anti-debugging tricks with a POC.

The trick is an anti-breakpoint check that searches the code for software breakpoints.

For this POC I have written the code in C, and for analysis I used the IDA debugger.

The code is simple: if we execute it without setting any breakpoints it just prints the three messages below:

    Execution started
    Hello World!!!
    Execution Ended

But if you set any software breakpoint while running the sample, it prints an extra message:

    Anti-Debugging techniques using Software Breakpoints Found Here !!!!

Let's start by executing the sample without setting any breakpoints; the program output is shown in the screenshot below:




Now let's debug the program, this time setting a software breakpoint.






Now I have started debugging the file; you can see in the image that I have set a software breakpoint at address 40100D.

Below the breakpoint there is simple code that prints the messages to the console using printf.

After that comes the code that searches the code section for breakpoints:



In this code,

the direction flag is cleared with CLD, so the string instruction walks forward through memory,

the EDI register is set to the start of the code section,

the ECX register is loaded with the size of the code section,

and the byte to search for, 0xCC, is loaded into AL (the low byte of EAX; SCASB only compares a single byte).

The search is then done with the instruction REPNE SCASB.

This instruction compares the byte at [EDI] with AL, advances EDI and decrements ECX, and stops either when a matching byte is found (ZF set) or when ECX reaches zero. The malware searches the code section for 0xCC because that is the opcode a debugger writes to place a software breakpoint.

One caveat a practitioner should keep in mind: a raw byte scan has false positives, because 0xCC can legitimately occur inside an instruction's immediate or displacement bytes, and some compilers pad between functions with INT 3. Real samples therefore usually limit the scan to a specific function, or compare a checksum of the code against a known-good value instead of looking for the byte itself.

(When we set a software breakpoint, the debugger simply writes an INT 3 instruction (opcode 0xCC, a one-byte interrupt with vector 3, also known as a "trap to debugger") over the first byte of the target instruction, keeping the original byte in its own bookkeeping so it can restore it later. This causes interrupt 3 to fire whenever execution reaches the address you set the breakpoint on, which hands control to the debugger.)
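The scan described in the steps above, together with the INT 3 patching from the parenthesis, as an added C example. This is my own illustration, not the author's POC code or the IDA output; the byte arrays are hand-assembled x86 snippets constructed for the example, `debugger_set_breakpoint` is a model of what the debugger does rather than a real debugger API, and the checksum variant is the hardening mentioned in the caveat above, which the page's POC itself does not implement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample code bytes (x86, hand-assembled for this example):
 *   push ebp; mov ebp,esp; call rel32 (displacement 0); xor eax,eax; pop ebp; ret
 */
static const unsigned char sample_clean[] = {
    0x55, 0x89, 0xE5, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x31, 0xC0, 0x5D, 0xC3
};

/*
 * Constructed sample with a legitimate 0xCC inside an operand:
 *   mov eax, 0xCC  (B8 CC 00 00 00); ret
 */
static const unsigned char sample_with_immediate[] = {
    0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3
};

/* C equivalent of CLD / MOV EDI,start / MOV ECX,len / MOV AL,0xCC / REPNE SCASB:
 * returns the offset of the first 0xCC byte, or -1 when none is found. */
long find_int3(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return (long)i;
    return -1;
}

/* FNV-1a hash of a code range. A baseline computed once over the clean code
 * does not change just because 0xCC legitimately occurs inside it. */
uint32_t code_checksum(const unsigned char *code, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Model of what a debugger does when a software breakpoint is set (not a real
 * debugger API): save the first byte of the target instruction, write 0xCC. */
unsigned char debugger_set_breakpoint(unsigned char *code, size_t off)
{
    unsigned char saved = code[off];
    code[off] = 0xCC;
    return saved;
}

/* Scenario 1: clean code, no breakpoint -> the byte scan finds nothing. */
long scan_clean(void)
{
    return find_int3(sample_clean, sizeof sample_clean);
}

/* Scenario 2: a breakpoint placed at 'off' (3 = the CALL) -> byte scan finds it. */
long scan_after_breakpoint(size_t off)
{
    unsigned char patched[sizeof sample_clean];
    memcpy(patched, sample_clean, sizeof patched);
    debugger_set_breakpoint(patched, off);
    return find_int3(patched, sizeof patched);
}

/* Scenario 3: the checksum variant also detects the patch; returns 1 if changed. */
int checksum_detects_breakpoint(size_t off)
{
    unsigned char patched[sizeof sample_clean];
    uint32_t baseline = code_checksum(sample_clean, sizeof sample_clean);
    memcpy(patched, sample_clean, sizeof patched);
    debugger_set_breakpoint(patched, off);
    return code_checksum(patched, sizeof patched) != baseline;
}

/* Scenario 4: false positive. The 0xCC immediate trips the raw byte scan ... */
long scan_immediate_false_positive(void)
{
    return find_int3(sample_with_immediate, sizeof sample_with_immediate);
}

/* ... but not the checksum check, because the baseline already includes it. */
int checksum_flags_immediate(void)
{
    uint32_t baseline = code_checksum(sample_with_immediate, sizeof sample_with_immediate);
    return code_checksum(sample_with_immediate, sizeof sample_with_immediate) != baseline;
}

int main(void)
{
    printf("clean scan: %ld\n", scan_clean());
    printf("breakpoint on CALL: byte scan hit at %ld, checksum changed: %d\n",
           scan_after_breakpoint(3), checksum_detects_breakpoint(3));
    printf("legit 0xCC immediate: byte scan hit at %ld, checksum changed: %d\n",
           scan_immediate_false_positive(), checksum_flags_immediate());
    return 0;
}
```

On a real target the scan range would be the function or section you want to protect rather than a constructed array, and the checksum baseline would be computed at build time and embedded in the binary; the point of scenario 4 is that the byte-for-byte search the POC uses fires on the MOV immediate even though no debugger touched it.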





In this image you can see the value of the EDI register: REPNE SCASB has stopped at our breakpoint, so EDI points just past the 0xCC byte at 40100D (SCASB increments EDI after every compare, including the one that matched).

From this it is clear that when we set a software breakpoint, the debugger internally replaces the first byte of that instruction with 0xCC.





After that, control goes to the code that prints the software-breakpoint-found message; the full message is:

    Anti-Debugging techniques using Software Breakpoint Found Here !!!!

Full pseudocode of the POC is shown below:




Author: Rahul Bidgar



