

12.16 Countering Disassembly

Problem

An object file disassembler can produce an assembly language version of a binary, which can then be used to understand and possibly modify the binary.

Solution

Anti-disassembly tricks are useful for frustrating automatic analysis, but they generally will not hold up to a human review of the disassembly. Make sure to combine the methods presented in the discussion with data or code obfuscation techniques.

Discussion

Many disassemblers assume that long runs of NULL bytes are data, although some will continue to disassemble regardless. In the Intel instruction set, 0x00 is the opcode byte for add r/m8, r8, so two NULL bytes in a row (the 0x00 opcode followed by a 0x00 ModR/M byte) decode as add [eax], al in Intel syntax, or addb %al, (%eax) in AT&T syntax: a valid instruction. The following macros use this to emit a run of NULL bytes that the processor really executes. They push eax, load the address of the pushed copy into eax, and then execute addb %al, (%eax) as many times as the user specifies, so each pass adds the low byte of eax to the low byte of the saved copy on the stack, and the final pop loads the modified copy back into eax. Each NULLPAD is two bytes long, so NULLPAD_10 produces ten consecutive NULL bytes.

/* GCC inline assembly, 32-bit x86, AT&T syntax.  Each addb %al, (%eax)
 * assembles to the two bytes 00 00. */
#define NULLPAD_START asm volatile ( \
            "pushl %eax \n" \
            "movl %esp, %eax\n")
#define NULLPAD asm volatile ("addb %al, (%eax)\n")   /* encodes as 00 00 */
#define NULLPAD_END asm volatile ("popl %eax\n")
/* five addb instructions: a run of ten NULL bytes in the output */
#define NULLPAD_10 NULLPAD_START; \
            NULLPAD; NULLPAD; NULLPAD; NULLPAD; NULLPAD; \
            NULLPAD_END

This is particularly effective if the value referenced by eax, that is, the pushed copy of eax at the top of the stack, is used later in the program: the NULL run then does real work that the program depends on, and a disassembler that labels it as data hides that computation from the analyst. Be aware that the amount added on each pass is the low byte of the stack address held in eax, so the net change to eax depends on where the stack happens to be (it is zero if esp is 256-byte aligned), and any later use of the value must allow for that. Note also that many disassemblers that ignore runs of NULL bytes allow the user to override this behavior, and that the macros as written are 32-bit only: on x86-64 the same two bytes decode as add [rax], al, and the push, mov, and pop must use the 64-bit registers.
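To make the heuristic and its side effect concrete, here is an added example (not code from the book): a minimal linear-sweep decoder for just the four encodings the macros produce, a switch that models a disassembler treating a run of NULL bytes as data (the threshold of four bytes is an arbitrary assumption), and an emulation of what the run does to eax. The byte image of NULLPAD_10 is constructed by hand from the instruction encodings, not dumped from a compiled binary, and the sample eax and esp values are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Byte image of NULLPAD_10 on 32-bit x86 (constructed from the encodings):
 *   50          pushl %eax
 *   89 e0       movl  %esp, %eax
 *   00 00 (x5)  addb  %al, (%eax)   -- ten consecutive NULL bytes
 *   58          popl  %eax                                            */
static const uint8_t nullpad_10[] = {
    0x50, 0x89, 0xE0,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x58
};

#define MAX_LINES 32
#define LINE_LEN  40

/* Decode one instruction from the tiny subset the macros use.  Returns the
 * instruction length, or 0 if the bytes are not one of those four. */
static size_t decode_one(const uint8_t *p, size_t n, char *out)
{
    if (n >= 1 && p[0] == 0x50)                 { snprintf(out, LINE_LEN, "pushl %%eax");        return 1; }
    if (n >= 1 && p[0] == 0x58)                 { snprintf(out, LINE_LEN, "popl %%eax");         return 1; }
    if (n >= 2 && p[0] == 0x89 && p[1] == 0xE0) { snprintf(out, LINE_LEN, "movl %%esp, %%eax");  return 2; }
    if (n >= 2 && p[0] == 0x00 && p[1] == 0x00) { snprintf(out, LINE_LEN, "addb %%al, (%%eax)"); return 2; }
    return 0;
}

/* Linear-sweep listing of buf.  With skip_null_runs set, a run of at least
 * 'threshold' zero bytes is reported as one data line instead of being
 * decoded (the heuristic described in the text).  Returns the number of
 * instructions listed; *data_bytes receives how many bytes were labelled
 * data and *n_lines how many listing lines were written. */
static int sweep(const uint8_t *buf, size_t len, int skip_null_runs, size_t threshold,
                 char lines[][LINE_LEN], int *n_lines, int *data_bytes)
{
    size_t off = 0;
    int insns = 0;
    *n_lines = 0;
    *data_bytes = 0;
    while (off < len && *n_lines < MAX_LINES) {
        char *line = lines[(*n_lines)++];
        if (skip_null_runs) {
            size_t run = 0;
            while (off + run < len && buf[off + run] == 0x00)
                run++;
            if (run >= threshold) {
                snprintf(line, LINE_LEN, "db 0x00 (x%zu)  ; treated as data", run);
                *data_bytes += (int)run;
                off += run;
                continue;
            }
        }
        size_t l = decode_one(buf + off, len - off, line);
        if (l == 0) {                            /* unknown opcode: one data byte */
            snprintf(line, LINE_LEN, "db 0x%02x", buf[off]);
            (*data_bytes)++;
            l = 1;
        } else {
            insns++;
        }
        off += l;
    }
    return insns;
}

/* Emulate what the macro sequence does to eax.  esp is the stack pointer
 * before the pushl; the pushed copy lives at esp-4 and eax is then pointed
 * at it, so each addb adds the low byte of that address to the low byte of
 * the saved value, and popl loads the modified copy back into eax. */
uint32_t emulate_nullpad(uint32_t eax, uint32_t esp, int n_addb)
{
    uint32_t saved = eax;                          /* pushl %eax       */
    uint32_t addr  = esp - 4;                      /* movl  %esp, %eax */
    uint8_t  al    = (uint8_t)(addr & 0xFFu);      /* eax now == addr  */
    uint8_t  lo    = (uint8_t)(saved & 0xFFu);
    for (int i = 0; i < n_addb; i++)
        lo = (uint8_t)(lo + al);                   /* addb %al, (%eax) */
    return (saved & 0xFFFFFF00u) | lo;             /* popl %eax        */
}

/* Wrappers over the sample image. */
int nullpad_insns_linear(void)
{
    char lines[MAX_LINES][LINE_LEN]; int n, db;
    return sweep(nullpad_10, sizeof nullpad_10, 0, 4, lines, &n, &db);
}
int nullpad_insns_skipping_nulls(void)
{
    char lines[MAX_LINES][LINE_LEN]; int n, db;
    return sweep(nullpad_10, sizeof nullpad_10, 1, 4, lines, &n, &db);
}
int nullpad_data_bytes_skipping_nulls(void)
{
    char lines[MAX_LINES][LINE_LEN]; int n, db;
    sweep(nullpad_10, sizeof nullpad_10, 1, 4, lines, &n, &db);
    return db;
}

int main(void)
{
    char lines[MAX_LINES][LINE_LEN];
    int n, db;
    for (int mode = 0; mode < 2; mode++) {
        int insns = sweep(nullpad_10, sizeof nullpad_10, mode, 4, lines, &n, &db);
        printf("%s: %d instructions, %d data bytes\n",
               mode ? "skipping NULL runs" : "plain linear sweep", insns, db);
        for (int i = 0; i < n; i++)
            printf("    %s\n", lines[i]);
    }
    printf("eax 0x12345678, esp 0xbffff010 -> 0x%08x\n",
           emulate_nullpad(0x12345678u, 0xBFFFF010u, 5));
    printf("eax 0x12345678, esp 0x7fff0004 -> 0x%08x (esp low byte 0: unchanged)\n",
           emulate_nullpad(0x12345678u, 0x7FFF0004u, 5));
    return 0;
}
```

The plain sweep lists eight instructions and no data; the NULL-skipping sweep lists three instructions and a ten-byte data blob, which is the whole point of the trick. The emulation shows the caveat: with the stack at 0xbffff010 the five adds change eax to 0x123456b4, while with esp low byte zero they change nothing.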

688 | Chapter 12: Anti-Tampering


Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
