
WinAPI - examples - post 3


Peter H:
It should be added that in Windows it is possible to make an entry in the registry for a specific exe, so that this exe, when invoked, is automatically attached to the debugger and stopped.
This permits debugging the startup code.
I don't have a link; this is described somewhere in the M$ debugger documentation.
I don't know if this works with non-MS debuggers.

I think your postings are useful - go on!

However, distributed calls to DebugBreak for hacker protection are risky.
It is then very easy to search for the address and calling instruction of DebugBreak and patch it, once the trick is known.  ;D
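The registry entry Peter H refers to is the "Debugger" value under the Image File Execution Options (IFEO) key. The following is an added Free Pascal example, not code from this thread: it sets or clears that value for a named executable and, because the same mechanism is a documented persistence and hijack technique (MITRE ATT&CK T1546.012), it also audits all IFEO subkeys for a Debugger value. The exe name and debugger path are placeholders; writing HKLM requires an elevated process.

```pascal
program ifeo;

{$mode objfpc}{$H+}

uses
  SysUtils, Classes, Windows, Registry;

const
  { HKLM subkey Windows consults before starting any process image. }
  IFEO = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\';

{ Set (Enable=True) or remove (Enable=False) the "Debugger" value for ExeName.
  While set, Windows launches DebuggerCmd with the original command line
  appended every time ExeName starts, so the debugger sees the process from
  its first instruction. Returns False if the key cannot be opened/created
  (typically: not running elevated). }
function SetImageDebugger(const ExeName, DebuggerCmd: String; Enable: Boolean): Boolean;
var
  Reg: TRegistry;
begin
  Result := False;
  Reg := TRegistry.Create(KEY_WRITE);
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if not Reg.OpenKey(IFEO + ExeName, True) then
      Exit;
    if Enable then
      Reg.WriteString('Debugger', DebuggerCmd)
    else if Reg.ValueExists('Debugger') then
      Reg.DeleteValue('Debugger');
    Result := True;
  finally
    Reg.Free;
  end;
end;

{ Audit: list every IFEO subkey that carries a Debugger value, as
  "<exe> -> <command>". On a machine with no debugging tools installed a
  non-empty list is worth investigating, since an attacker can use the same
  value to run arbitrary code whenever a chosen program is launched. }
function ListImageDebuggers: TStringList;
var
  Reg: TRegistry;
  Keys: TStringList;
  Name: String;
begin
  Result := TStringList.Create;
  Reg := TRegistry.Create(KEY_READ);
  Keys := TStringList.Create;
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if not Reg.OpenKeyReadOnly(IFEO) then
      Exit;
    Reg.GetKeyNames(Keys);
    for Name in Keys do
      if Reg.OpenKeyReadOnly(IFEO + Name) and Reg.ValueExists('Debugger') then
        Result.Add(Name + ' -> ' + Reg.ReadString('Debugger'));
  finally
    Keys.Free;
    Reg.Free;
  end;
end;

var
  Entry: String;
  Found: TStringList;
begin
  { 'myapp.exe' and the WinDbg path are assumed placeholders. }
  if ParamStr(1) = 'set' then
    WriteLn(SetImageDebugger('myapp.exe', 'C:\Debuggers\windbg.exe', True))
  else if ParamStr(1) = 'clear' then
    WriteLn(SetImageDebugger('myapp.exe', '', False))
  else
  begin
    Found := ListImageDebuggers;
    try
      for Entry in Found do
        WriteLn(Entry);
    finally
      Found.Free;
    end;
  end;
end.
```

Run with no argument to print the audit list, `set` to register the debugger for the placeholder exe, `clear` to remove it again. Leaving a Debugger value behind on a shared machine is a footgun: every launch of that exe will hang waiting for a debugger the user may not have.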

440bx:

--- Quote from: Peter H on January 22, 2021, 03:32:31 am ---However distributed calls to debugbreak for hacker protection is risky.
It is then very easy to search for the adress and calling instruction of debugbreak and patch it, once the trick is known.  ;D

--- End quote ---
The goal isn't to outsmart a good reverse engineer, the goal is to try his/her patience.  The tricks don't have to be elaborate, what's needed is to force the individual to manually inspect every place where there is int 3 and other simple tricks to determine what should be done in each specific case.

Combine int 3 tricks, int 1 tricks, calls to DebugBreak(), required code that executes in the exception handlers instead of outside of them and a few other tricks I won't mention, and that can make the life of the reverse engineer totally miserable, not because the tricks are difficult to understand (they aren't) but because now the reverser has to manually inspect as many as 80 different places and determine what the proper corrective action is, and that will test their patience, which is the goal.  Combining those tricks can make running the program under a debugger a completely miserable experience.

It is extremely difficult to outsmart a talented and experienced reverse engineer (Adobe and Autodesk are constantly trying and failing at it.)  Additionally, the trickier and more complex the code is, the greater the motivation becomes to figure out how to neutralize it.   Instead, make it easy and boring and force the process to be fully manual, i.e., create a disassembly, visually inspect all the code and determine where a "fix" is necessary and what the correct fix is in every case.  Reversers very rarely run out of smart, but they do run out of patience (and coffee.) :)

Don't try to outsmart them, just wear them out.

PascalDragon:

--- Quote from: 440bx on January 21, 2021, 05:56:16 pm ---The above is the "critical" part of the code in the example.  By executing DebugBreak() in a try/except, the application can detect whether or not it is running under a debugger.  If the code in the exception handler is _not_ executed then, the program is not being debugged because, if it were, the DebugBreak() would have transferred control to the debugger instead of activating the exception handler.
--- End quote ---

As Martin_fr said, it's easily possible to avoid this. For example in WinDbg you can simply use gn after an exception to continue it as unhandled thus invoking the application's exception handler (if any).


--- Quote from: 440bx on January 21, 2021, 05:56:16 pm ---It also demonstrates the difference between using DebugBreak() and an inline int 3.  When using DebugBreak(), application debuggers will stop at the DebugBreak() line because the _entire_ DebugBreak() procedure has _not_ yet been executed, specifically, it stops at the "ret" that is inside DebugBreak().
--- End quote ---

With Windows nowadays supporting non-x86 architectures you should mention that using int 3 directly only works on x86 systems. For e.g. Windows on ARM64 you'd need to use brk #0xf000 (yes, exactly like that). I have used that quite often when porting FPC for aarch64-win64. ;)


--- Quote from: 440bx on January 22, 2021, 06:23:15 am ---Don't try to outsmart them, just wear them out.

--- End quote ---

We use a similar philosophy with the copy protection of our software at work. Make it too annoying for the crackers to work with and they'll look for more worthwhile targets ;)
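The two checks discussed in this exchange, side by side, as an added Free Pascal example (this is not 440bx's original example code): DebugBreak() inside try/except, the same check with the raw breakpoint instruction selected per architecture (int 3 on i386/x86_64, brk #0xf000 on AArch64 as PascalDragon describes), and a cross-check against IsDebuggerPresent. It assumes, as the thread does, that the FPC Windows RTL turns EXCEPTION_BREAKPOINT into a catchable Pascal exception.

```pascal
program dbgcheck;

{$mode objfpc}{$H+}
{$if defined(cpui386) or defined(cpux86_64)}{$asmmode intel}{$endif}

uses
  Windows, SysUtils;

{ True when an attached debugger consumed the breakpoint exception.
  Without a debugger the status reaches the RTL's exception translation and
  the except block runs. Under an application debugger the debugger takes the
  first-chance exception, the user continues, DebugBreak returns normally and
  the except block is skipped. (Assumption from the thread: the FPC RTL
  delivers EXCEPTION_BREAKPOINT to a Pascal except block.) }
function BreakpointSwallowed: Boolean;
begin
  Result := True;          { assume debugged until the handler proves otherwise }
  try
    DebugBreak;            { kernel32 wrapper around the CPU breakpoint instruction }
  except
    Result := False;       { exception reached the application: nobody is debugging }
  end;
end;

{ Same check with the raw instruction, which is architecture specific:
  int 3 (opcode $CC) on i386/x86_64, brk #0xf000 on AArch64. Unlike
  DebugBreak, a debugger stops on this line of *our* code rather than on
  the ret inside kernel32, which is the difference 440bx points out. }
function InlineBreakSwallowed: Boolean;
begin
  Result := True;
  try
    {$if defined(cpui386) or defined(cpux86_64)}
    asm
      int 3
    end;
    {$elseif defined(cpuaarch64)}
    asm
      brk #0xf000
    end;
    {$else}
    {$error no inline breakpoint instruction known for this CPU}
    {$endif}
  except
    Result := False;
  end;
end;

{ Compare the exception-based checks with the PEB BeingDebugged flag. A
  mismatch means either the debugger is passing exceptions through to the
  application (WinDbg's gn, "go not handled", does exactly that) or the
  PEB flag has been cleared by the reverser; both are cheap to do, which
  is why none of these checks is a real obstacle on its own. }
procedure Report;
var
  ViaApi, ViaInline, ViaFlag: Boolean;
begin
  ViaApi    := BreakpointSwallowed;
  ViaInline := InlineBreakSwallowed;
  ViaFlag   := IsDebuggerPresent;
  WriteLn('DebugBreak swallowed  : ', ViaApi);
  WriteLn('inline break swallowed: ', ViaInline);
  WriteLn('IsDebuggerPresent     : ', ViaFlag);
  if (ViaApi <> ViaFlag) or (ViaInline <> ViaFlag) then
    WriteLn('Mismatch: exceptions are being passed to the application, '
          + 'or the PEB BeingDebugged flag has been cleared.');
end;

begin
  Report;
end.
```

Run it once from a console and once under a debugger, continuing past each break: the first run prints FALSE for all three, the second TRUE for all three unless the debugger is configured to hand the breakpoint exception to the program, in which case the mismatch line shows which check was defeated.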

440bx:

--- Quote from: PascalDragon on January 22, 2021, 10:27:58 am ---For example in WinDbg you can simply use gn after an exception to continue it as unhandled thus invoking the application's exception handler (if any).

--- End quote ---
Yes, true.  Using a system debugger really gives a lot of power and flexibility, but the percentage of programmers who use one is fairly small compared to those who use a "normal" application debugger.   If memory serves, I believe I had to set/patch breakpoints ($CC) in TLS callback routines because even the system debugger would not automatically break into them.


--- Quote from: PascalDragon on January 22, 2021, 10:27:58 am ---With Windows nowadays supporting non-x86 architectures you should mention that using int 3 directly only works on x86 systems.

--- End quote ---
Point taken.  I have a tendency to forget Windows runs on other architectures.


--- Quote from: PascalDragon on January 22, 2021, 10:27:58 am ---Make it too annoying for the crackers to work with and they'll look for more worthwhile targets ;)

--- End quote ---
If it can annoy Mr. Spock, it will likely remain uncracked. :)

PascalDragon:

--- Quote from: 440bx on January 22, 2021, 12:43:06 pm ---
--- Quote from: PascalDragon on January 22, 2021, 10:27:58 am ---For example in WinDbg you can simply use gn after an exception to continue it as unhandled thus invoking the application's exception handler (if any).

--- End quote ---
Yes, true.  Using a system debugger really gives a lot of power and flexibility, but the percentage of programmers who use one is fairly small compared to those who use a "normal" application debugger.   If memory serves, I believe I had to set/patch breakpoints ($CC) in TLS callback routines because even the system debugger would not automatically break into them.
--- End quote ---

Please be aware that I used WinDbg as an application debugger not a system debugger.
