15 illustrates another screenshot of reporting memory contents while debugging įIG. 14 illustrates a screenshot of reporting memory contents while debugging įIG. 13 illustrates a screenshot of a debugging process of setting a new breakpoint and running to the new breakpoint įIG. 12 illustrates a screenshot of the help screen of an IF debugger įIG.
Disassembling code ida pro and softice software#
11 illustrates a screenshot taken while running software with an embodiment of a stealthy debugger įIG. 10 illustrates a program to be debugged įIG. 9 illustrates a method 900 of stealthy debugging įIG. 8 illustrates a comparison between software control flow detour process graphs with and without MS Detours įIG. 7 illustrates a comparison between user memory spaces with and without MS Detours įIG. 6 illustrates a software control flow detour process graph, adaptable for use as a stealthy internal function (IF) debugger and data miner įIG. 5 illustrates a computing system having a user application embodied on a computer readable medium, the program comprising instructions configured to be executed by a processor įIG. 4 illustrates the output of a software program capable of detecting standard debuggers įIG. 3 illustrates another software program capable of detecting standard debuggers įIG. 2 illustrates another software program capable of detecting standard debuggers įIG. 1 illustrates a software program capable of detecting standard debuggers įIG. BRIEF DESCRIPTION OF THE DRAWINGSįor a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:įIG. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the invention. The novel features which are believed to be characteristic of the invention, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the claims. It should be appreciated by those skilled in the art that the conception and specific embodiments disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the invention. Additional features and advantages of the invention will be described hereinafter. The foregoing has outlined the features and technical advantages of the invention in order that the description that follows may be better understood.
Data mining through an IF utility can aid reverse engineering by constructing a data and code flow analysis after a single run of an executable program. Attempts to impede reverse engineering via dynamic analysis, by using anti-debugging or packing measures, can be thwarted by using a stealthy IF debugger. SUMMARYĪ stealthy internal function (IF) debugger that leverages control flow detours to emulate breakpoints can escape detection by traditional anti-debugging methods. Unfortunately, many debuggers are detectable using these techniques. Some anti-debugging techniques attempt to determine whether a debugger has registered with the operating system (OS). Typical anti-debugging techniques attempt to detect debugging breakpoints, for example by searching for INT 3, or CC values, or the use of DR0-DR7 hardware registers.
Anti-debugging increases the amount of time it takes for identifying, understanding malware algorithms, which may delay the time before a fix becomes available.
However, malicious software, such as viruses, worms, Trojan horse programs, spyware, and other malware, may use anti-debugging or packing measures in order to make dynamic analysis more difficult. The invention relates generally to software security and more particularly, to debugging and reverse engineering of malicious or viral-type software BACKGROUNDĭynamic analysis is a powerful tool for reverse engineering.
0 kommentar(er)
