Abstract

To achieve their goals without being detected, malware must engage in a battle of wits with the analyst. To that end, malware uses a wide variety of stealth methods to carry out its mission. These methods slow down or block analysis. Most of the time, these tricks are operating-system or CPU oriented (DLL injection, exception handler or API abuse). In addition, they also target the most widely used analysis tools. Such attacks allow, among other things, erroneous information to be displayed in the analysis tools, or those tools to be silently detected so that the malware can change its behavior when it is being analyzed. Depending on the degree of error in the analysis tools used, they can become partially or totally ineffective. Beyond merely misleading malware analysts, this is a serious drawback when looking for bugs in regular software. In this article, we show how to exploit errors inside debuggers, mainly inside one of the most widely used: Windbg. The list of errors affecting this Microsoft tool mainly concerns a few flaws in the disassembly engine or in the debugging procedure. Some have been present in the debugger for years. More directly, we show different ways to block or disturb the normal behavior of Windbg. Thus, even if these errors are not always critical, they can negatively affect the use of the software by any user. For instance, we describe a new way to determine whether the current process is running under the control of Windbg, which is exactly what malware authors are looking for in order to detect analysis. Because of the complexity of architectures such as x64 and x86, it is hard to design and develop a complete disassembler. In fact, no disassembler is perfect, and most of those we tested have at least one of the flaws shown in this article. Among these flaws are int 3 misinterpretation, wrong jump interpretation, partial handling of instruction prefixes and unsupported instructions. Moreover, nothing prevents these tools from having other kinds of errors.
Thus, in order to analyze software efficiently, it is necessary to improve the analysis tools. To that end, we propose different solutions to correct the bugs we encountered in the various tools.
