Click here to Skip to main content
Click here to Skip to main content
Go to top

Anti BPX

, 8 Sep 2004
Rate this:
Please Sign up or sign in to vote.
Simple check for break-points on eXecution of a system debugger!

Sample Image - Anti_BPX.jpg

Introduction

Any software can be analyzed step-by-step from a debugger! A debugger is a valid instrument in order to discover bugs, but most times it is used by the hackers/crackers in order to alter the routines of protection of our programs, or worse, in order to reverse engineer an entire algorithm!

Background

It is present, in Windows systems, an API function called IsDebuggerPresent (contained in kernel32.dll). It serves to verify the presence of a debugger. This function does not exist in Windows 95. It is also interesting to see using Pointers from VB.NET!

Example code (VB.NET):

Declare Function IsDebuggerPresent Lib "kernel32" () As Integer

Dim chkDebug as Integer = IsDebuggerPresent
chkDebug = 0 --> not debugged
chkDebug = 1 --> debugged

Using the code

It is supposed, in this demonstration, to use the SoftIce debugger.

It seems all simple, I can stop a hacker! Unfortunately, the truth is very different as our adversary can behave itself:

  1. Starts the debugger;
  2. It presses ctrl+d;
  3. It writes BPX IsDebuggerPresent;
  4. Presses F5 in order to send in execution of the program, and magically a window similar to this appears (code assembler x86):

    001B:77E52740    64A118000000    MOV    EAX, FS:[00000018] 
    001B:77E52746    8B4030          MOV    EAX, [EAX+30] 
    001B:77E52749    0FB64002        MOVZX  EAX, BYTE PTR [EAX+02] 
    001B:77E5274D    C3              RET

Therefore, it does not have to make other changes than to modify the value of return of the function and/or to make the patch directly for the library kernel32.dll:

001B:77E52749    0FB64002        MOVZX  EAX, BYTE PTR [EAX+02]

It becomes:

001B:77E52749    33C0            XOR    EAX, EAX    ;return always 0 !
001B:77E5274B    90              NOP                ;nothing
001B:77E5274C    90              NOP

Our adversary is a good reverser! But from that what can we make? We can make a check on the BPX presence. BPX means to virtually put the value hex 0CCh in a determined memory area. In order to resolve this problem, we gain the address of the memory that interests us (in this case, on my WinXP home) 77E52740h, and verifies if it exists, in one of the 14 bytes, an equal value to 0CCh! It seems all very simple.

We use the APIs:

Declare Function LoadLibrary Lib "kernel32" Alias _
      "LoadLibraryA" (ByVal lpLibFileName As String) As Integer
Declare Function FreeLibrary Lib "kernel32" Alias _
      "FreeLibrary" (ByVal hLibModule As Integer) As Integer
Declare Function GetProcAddress Lib "kernel32" Alias _
      "GetProcAddress" (ByVal hModule As Integer, _
      ByVal lpProcName As String) As Integer

And we proceed as follows:

  1. We load in memory the library kernel32.dll;
  2. We find with GetProcAddress the address of the API IsDebuggerPresent;
  3. We analyze the memory area.

Example code (VB.NET):

Dim hLib As Integer = LoadLibrary("kernel32") 'address base
Dim apiaddress as integer = GetProcAddress(hLib, _
                "IsDebuggerPresent") 'return value: 77E52740h
Dim memdebug(13) As Byte 'lenght 14-1
'<<<
Marshal.Copy(IntPtr.op_Explicit(apiaddress), _
        memdebug, _
        0, _
        memdebug.Length) 'read to memory pointer
'+++
Dim bFlag as Boolean = False
Dim ij As Integer
For ij = 0 To memdebug.Length - 1
    If memdebug(ij) = &HCC Then
            '[i] no bpx please
        bFlag = True
        Exit For
    End If
Next ij
FreeLibrary(hLib) 'release library
'+++
If bFlag Then
    '[i] some actions: reset, hd format ;-p, ...your creativity!
End If

Clearly, this is only an example! You can analyze and check any portion of memory to leave from its address.

Points of Interest

Stopping the Reverse engineering of our programs puts in difficulty hackers/crackers...at least those who are not too much good!

Other articles from the author:

For other information, please visit my web site (in continuous modernization).

History

September 2004: First public release. (Sorry for my bad English...I'm Italian.)

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Marcello Cantelmo
President Cantelmo Software
Italy Italy
President of "Cantelmo Software" (micro-ISV situated in Lizzanello (Lecce) - Italy): Development Software and Professional Component for .NET Platform. Author of Goliath .NET Obfuscator
Follow on   Twitter

Comments and Discussions

 
GeneralAnti-BPX checker PinmemberVitoto1-Jan-06 12:31 
GeneralRe: Anti-BPX checker PinmemberMarcello Cantelmo1-Jan-06 22:17 
GeneralRe: Anti-BPX checker PinmemberVitoto2-Jan-06 1:56 
GeneralProtect .Net Process for Attach to Debuger PinmemberVitoto5-Oct-05 10:20 
GeneralGoliath.NET Obfuscator PinsussMarcello Cantelmo24-Jan-05 10:54 
GeneralMaking code harder to analise PinmemberSlawek Piotrowski4-Nov-04 1:12 
GeneralRe: Making code harder to analise PinsussMarcello Cantelmo4-Nov-04 4:57 
GeneralNice idea [modified] PinmemberCap'n Code8-Sep-04 14:58 
GeneralRe: Nice idea PinsussMarcello Cantelmo8-Sep-04 22:28 
GeneralRe: Nice idea PinmemberTQN8-Sep-04 23:09 
GeneralRe: Nice idea PinsussMarcello Cantelmo8-Sep-04 23:36 
GeneralRe: Nice idea PinmemberPumqara29-Sep-04 1:38 
GeneralRe: Nice idea PinmemberMarcello Cantelmo29-Sep-04 2:26 
GeneralRe: Nice idea PinsussJoseph Hapkom29-Sep-04 9:27 
GeneralRe: Nice idea PinmemberMarcello Cantelmo29-Sep-04 10:34 
GeneralRe: Nice idea PinsussMarcello Cantelmo27-Jan-05 11:31 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web01 | 2.8.140916.1 | Last Updated 8 Sep 2004
Article Copyright 2004 by Marcello Cantelmo
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid