Anti-debugging: I don't want you messing with my code


This talk is for developers who want to protect themselves from attackers who will try to analyse their tool by debugging it. Time permitting, we will explain how the following "attacks" and their defences work:
- Exception-based debugging.
- Occupying the DebugPort.
- Detecting attach.

Published in: Software
Slide transcript: Anti-debugging: I don't want you messing with my code

  1. Globalcode – Open4education, SP15: Security Track (Trilha Segurança)
  2. Locks are so old-fashioned…
  3. Anti-debugging: I don't want you messing with my code
  4-5. Wanderley Caloni, partner and developer at [company name not in the transcript]
  6. Agenda
  7. Agenda: Jabá time! (shameless self-promotion)
  8. Where am I? Who am I? 2013-2014-…
  9. Where am I? Who am I? 2013-2014-… Incontestable proof of authenticity!
  10. Where am I? Who am I? 2000-something (??)
  11-15. Where am I? Who am I? (picture slides)
  16-17. Where am I? Who am I? Examples of Intelitrader/BitForge projects/clients:
  18. Where am I? Who am I?
      Information security
      Financial market
      Low-level software
      Critical systems
      Languages: C, C++, .NET, VB6, Python, Delphi, Assembly, ASP.NET, SQL, HTML5, PostGres, Oracle, English, Portuguese, Russian, Polish and all the others.
  19-21. Where am I? Who am I? (picture slides)
  22. Th-th-th-that's all… End of the plug (Jabá End)
  23. Agenda
      Exception-based interpretation: int 3
      Occupying the debug port: Debug Port
      Detecting attach: Attach
      Conclusion
  24. int 3: ?
  25. int 3: int x = 3;
  26-28. int 3 (picture slides)
  29-32. int 3: asm / assembly / assembly / assem
  33. int 3: an instruction stream
      nop
      nop
      nop
      nop
      …
  34. int 3: the same stream with a breakpoint inserted, then F9
      nop
      nop
      int 3
      nop
      …
  35-36. int 3: (same stream)
  37. int 3: (same stream) EXCEPTION!!
  38-41. int 3 (picture slides)
  42-43. int 3: diagram with the labels hardware, program, windows and CPU, and a THREAD executing
      nop nop nop nop int3 nop nop nop …
  44. int 3: (same diagram) INTERRUPT
  45. int 3: (same diagram)
  46. int 3: (same diagram) Structured Exception Handling
  47. int 3: (same diagram) try { } catch() (or except) { }
  48. int 3: program with try { } catch() (or except) { }, and a debugger
  49. int 3: program with try { } catch() (or except) { }, and an intruder
  50. int 3: program with try { } catch() (or except) { }, and the program itself
  51. int 3: program with try { } catch() (or except) { }, and the program itself: ?
  52-54. int 3:
      try
      {
          // nonsense
          int 3 (DebugBreak())
      }
      except( ExceptFilter() )
      {
          // nonsense
      }

      ExceptFilter()
      {
          // here is the gold
      }
  55. int 3: "Run, code, run!" – No One
  56. int 3: Problems:
      Multithreading (and locks, and mutexes, and hell).
      Non-continuous execution flow
      Performance
      It's ugly
  57. int 3: v. 2: Long Jump Silver!
  58-63. int 3: v. 2: Code Code Code Code SetLongJump Code Code Code … Jump!
  64-65. int 3: v. 2:
      #define ANTIDEBUG(code)          \
      {                                \
          jmp_buf env;                 \
          if( setjmp(env) == 0 )       \
          {                            \
              LongJmp(&env);           \
          }                            \
          else                         \
          {                            \
              code;                    \
          }                            \
      }
  66-67. int 3: v. 2:
      DWORD LongJmp(jmp_buf* env)
      {
          __try
          {
              __asm int 3
          }
          __except( EXCEPTION_EXECUTE_HANDLER )
          {
              longjmp(*env, 1);
          }
          return ERROR_SUCCESS;
      }
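Added example, not the talk's code: a POSIX port of the setjmp + "int 3" idea from slides 52 to 67. The SIGTRAP handler plays the role of the __except block and raise(SIGTRAP) stands in for __asm int 3; the names trap_handler, trap_reached_handler and protected_compute are my own. A tracer (gdb, ptrace) sees SIGTRAP before the program does and by default does not pass it on, so under a debugger the handler never runs and the protected code is skipped.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <string.h>

/* Added example (not the talk's code): POSIX version of the slides'
 * ANTIDEBUG()/LongJmp() trick.  The SIGTRAP handler is the "except"
 * block; a debugger consumes SIGTRAP first, so with a debugger
 * attached the handler is never reached. */

static sigjmp_buf g_env;

/* The "except" block: reached only when no debugger ate the trap. */
static void trap_handler(int sig)
{
    (void)sig;
    siglongjmp(g_env, 1);   /* sigsetjmp() returns a second time with 1 */
}

/* Returns 1 if the trap reached our own handler, 0 if something else
 * (a debugger) swallowed it. */
int trap_reached_handler(void)
{
    struct sigaction sa, old;
    int reached = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = trap_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);

    /* savesigs = 1: restore the signal mask on siglongjmp(), otherwise
     * SIGTRAP would stay blocked after we jump out of the handler. */
    if (sigsetjmp(g_env, 1) == 0) {
        raise(SIGTRAP);      /* stands in for the slides' __asm int 3 */
        /* Execution continues here only if the signal never arrived. */
    } else {
        reached = 1;         /* came back through trap_handler() */
    }
    sigaction(SIGTRAP, &old, NULL);
    return reached;
}

/* Equivalent of the ANTIDEBUG(code) macro: do the real work only when
 * the trap was observed by the program itself ("here is the gold"). */
int protected_compute(int a, int b)
{
    if (!trap_reached_handler())
        return -1;           /* debugger present: refuse to compute */
    return a * b;
}
```

Run normally, protected_compute(6, 7) returns 42; a debugger that is configured to pass SIGTRAP through to the program makes the handler run again, which is the talk's own point that no technique is perfect.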
  68. int 3: v. 2: "Run, Forrest, run!" – Long Dong
  69. Debug Port
  70. Debug Port: Lock!
  71. Debug Port: program with try { } catch() (or except) { }, and a debugger
  72. Debug Port: program with try { } catch() (or except) { }, a debugger, and the Debug Port
  73. Debug Port: What a debugger's code looks like:
  74. Debug Port: What a debugger's code looks like:
      Loop:
          WaitForDebugEvent(&debugEvt, INFINITE);
          ContinueDebugEvent(pid, tid, DBG_SBRUBLES);
  75. Debug Port: (same loop) That's it!
  76. Debug Port: program, Debug Port
  77. Debug Port: program, Debug Port, intruder
  78. Debug Port: program, Debug Port, intruder: WTF? Access Denied!
  79. Debug Port: "Knock Knock Knockin' on debug's port"
  80. Debug Port: "Knock Knock Knockin' on debug's port" – Bob Dybug
  81. Attach: Did you say…
  82. Attach: assembly ????????
  83. Attach:
      // opcodes to run a jump to
      // the function AntiAttachAbort
      BYTE jmpToAntiAttachAbort[] = {
          0xB8, 0xCC, 0xCC, 0xCC, 0xCC, // mov eax, 0xCCCCCCCC
          0xFF, 0xE0                    // jmp eax
      };
  84-85. Attach: program, intruder
  86. Attach: program, intruder, THREAD: ntdll!DbgUiRemoteBreakin
  87-88. Attach: ntdll!DbgUiRemoteBreakin
      773F10A0 push 8
      773F10A2 push 773F10F8h
      773F10A7 call __SEH_prolog4 (77384420h)
      773F10DB xor eax,eax
      773F10DD inc eax
      773F10DE ret
      773F10DF mov esp,dword ptr [ebp-18h]
      773F10E2 mov dword ptr [ebp-4],0FFFFFFFEh
      773F10E9 push 0
      773F10EB call RtlExitUserThread (77362B10h)
      773F10F0 int 3
  89. Attach: ntdll!DbgUiRemoteBreakin
  90. Attach: ntdll!DbgUiRemoteBreakin, first instruction patched (remaining lines as on slide 87):
      773F10A0 jmp NaNaNiNaNaaaaooooo
      773F10A7 call __SEH_prolog4 (77384420h)
  91. Attach: ntdll!DbgUiRemoteBreakin, first instruction patched
      773F10A0 jmp AntiAttachAbort
      773F10A7 call __SEH_prolog4 (77384420h)
      773F10DB xor eax,eax
      773F10DD inc eax
      773F10DE ret
      773F10DF mov esp,dword ptr [ebp-18h]
      773F10E2 mov dword ptr [ebp-4],0FFFFFFFEh
      773F10E9 push 0
      773F10EB call RtlExitUserThread (77362B10h)
      773F10F0 int 3
  92-93. Attach: AntiAttachAbort?
  94. Attach: AntiAttachAbort? TerminateProcess
  95. Attach
  96-97. Conclusion
  98. Conclusion
      Anti-debugging techniques are complicated
      TODO: wrap them in a LIB
      No technique is perfect
      Performance, complexity, instability…
      Linus Torvalds can show up on an MVP's slide and he won't be expelled from the congregation
      The reverse is not true
  99. Contact: wanderley@caloni.com.br, twitter, site, e-mail
  100. Thanks