Merge pull request #43 from cecio/master

[FEATURE] AntiDebug Software Breakpoints detection
hasherezade · Aug 25, 2023 · 459c441 · 459c441
2 parents 4c0ca63 + f206fa4
commit 459c441
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 0 deletions.
diff --git a/AntiDebug.cpp b/AntiDebug.cpp
@@ -33,6 +33,36 @@ std::map<std::string, std::string> funcToLink;
 
 typedef VOID AntiDBGCallBack(const ADDRINT Address, const CHAR* name, uint32_t argCount, VOID* arg1, VOID* arg2, VOID* arg3, VOID* arg4, VOID* arg5);
 
+/* ==================================================================== */
+// Compute Effective Address, given an INS
+/* ==================================================================== */
+
+ADDRINT computeEA(const CONTEXT* ctxt, INS ins, UINT32 opIdx)
+{
+    REG baseReg = INS_OperandMemoryBaseReg(ins, opIdx);
+    REG indexReg = INS_OperandMemoryIndexReg(ins, opIdx);
+    INT32 scale = INS_OperandMemoryScale(ins, opIdx);
+    INT32 disp = INS_OperandMemoryDisplacement(ins, opIdx);
+
+    // Calculate the effective memory address
+    ADDRINT memAddress = 0;
+    if (baseReg != REG_INVALID())
+    {
+        ADDRINT baseValue;
+        PIN_GetContextRegval(ctxt, baseReg, reinterpret_cast<UINT8*>(&baseValue));
+        memAddress += baseValue;
+    }
+    if (indexReg != REG_INVALID())
+    {
+        ADDRINT indexValue;
+        PIN_GetContextRegval(ctxt, indexReg, reinterpret_cast<UINT8*>(&indexValue));
+        memAddress += indexValue * scale;
+    }
+    memAddress += disp;
+
+    return memAddress;
+}
+
 /* ==================================================================== */
 // Leveraging the existing paramToStr, extracts only the string after '->'
 /* ==================================================================== */
@@ -146,6 +176,43 @@ VOID AntiDbg::WatchMemoryAccess(ADDRINT addr, UINT32 size, const ADDRINT insAddr
 #endif
 }
 
+/* ==================================================================== */
+// Callback function to be executed when a compare is executed
+/* ==================================================================== */
+
+std::map<ADDRINT, size_t> cmpOccurrences;
+VOID AntiDbg::WatchCompareSoftBrk(const CONTEXT* ctxt, ADDRINT Address, ADDRINT insArg)
+{
+    PinLocker locker;
+    const WatchedType wType = isWatchedAddress(Address);
+    if (wType == WatchedType::NOT_WATCHED) return;
+
+    INS ins;
+    ins.q_set(insArg);
+    if (!ins.is_valid() || INS_OperandCount(ins) < 2) {
+        return;
+    }
+
+    bool isSet = false;
+    const UINT32 opIdx = 1;
+
+    if (INS_OperandIsImmediate(ins, opIdx) && INS_OperandSize(ins, opIdx) == sizeof(UINT8))
+    {
+        UINT8 val = 0;
+        if ((val = (INS_OperandImmediate(ins, opIdx) & 0xFF)) == 0xCC)
+        {
+            cmpOccurrences[Address]++;
+            if (cmpOccurrences[Address] == 3) isSet = true;
+        }
+    }
+
+    if (isSet) {
+        LogAntiDbg(wType, Address, "Software Breakpoint comparison",
+            "https://anti-debug.checkpoint.com/techniques/process-memory.html#anti-step-over");
+    }
+}
+
+
 std::set<THREADID> popfThreads;
 #define CLEAR_TRAP
 VOID AntiDbg::FlagsCheck(const CONTEXT* ctxt, THREADID tid)

diff --git a/AntiDebug.h b/AntiDebug.h
@@ -8,6 +8,7 @@
 namespace AntiDbg {
 	VOID WatchMemoryAccess(ADDRINT addr, UINT32 size, const ADDRINT insAddr);
 	VOID WatchThreadStart(THREADID threadid, CONTEXT* ctxt, INT32 flags, VOID* v);
+	VOID WatchCompareSoftBrk(const CONTEXT* ctxt, ADDRINT Address, ADDRINT insArg);
 	VOID MonitorAntiDbgFunctions(IMG Image);
 	VOID FlagsCheck(const CONTEXT* ctxt, THREADID tid);
 	VOID FlagsCheck_after(const CONTEXT* ctxt, THREADID tid, ADDRINT eip);

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -753,6 +753,10 @@ VOID InstrumentInstruction(INS ins, VOID *v)
     }
 #ifdef USE_ANTIDEBUG
     // ANTIDEBUG: memory read instrumentation
+
+    ////////////////////////////////////
+    // If AntiDebug level is Standard
+    ////////////////////////////////////
     if (m_Settings.antidebug != ANTIDEBUG_DISABLED) {
         if (INS_IsMemoryRead(ins)) {
             // Insert the callback function before memory read instructions
@@ -796,6 +800,22 @@ VOID InstrumentInstruction(INS ins, VOID *v)
                 IARG_END
             );
         }
+
+        ////////////////////////////////////
+        // If AntiDebug level is Deep
+        ////////////////////////////////////
+        if (m_Settings.antidebug >= ANTIDEBUG_DEEP) {
+            // Check all comparison for 0xCC byte (anti stepinto/stepover checks)
+            if (INS_Opcode(ins) == XED_ICLASS_CMP) {
+                INS_InsertCall(
+                    ins,
+                    IPOINT_BEFORE, (AFUNPTR)AntiDbg::WatchCompareSoftBrk,
+                    IARG_CONTEXT,
+                    IARG_INST_PTR,
+                    IARG_ADDRINT, ins.q(),
+                    IARG_END);
+            }
+        }
     }
 #endif
 }