Anti-Debugging - A Developer's Viewpoint presented at SOURCE Boston 2009

by Tyler (txs) Shields

Tags: Security Access Analysis Malware Development

Summary: Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging of a target binary. Anti-debugging techniques can be seen in use in commercial software protection, in binary packing protection, and, in a nefarious way, in today's malware. While no single layer of security is a silver bullet, an understanding of the latest anti-debugging techniques and their use in common code can help developers implement an additional layer of security in their applications. Adding anti-debugging routines during development can make the analysis and subsequent breakdown of the application a significantly more difficult and time-consuming process. The bulk of research conducted in the area of anti-debugging is positioned from the point of view of a security researcher or reverse engineer. Advanced debugging is traditionally the realm of high-expertise QA efforts, exploit development, reverse engineering, malware analysis experts, and software pirates. Because of this, much of the published research is presented using assembly language constructs and requires a reasonably deep working knowledge of machine-level programming. Limited output has been produced that gives developers straightforward access to the high-level code and methods used in anti-debugging.
The problem this presents is a lack of education and awareness of anti-debugging methods among software engineers, and a low adoption rate of even the most trivial anti-debugging methods. During this presentation I will cover a number of the known methods of anti-debugging in a fashion that should be easy to implement for a developer of moderate expertise. Specific classes of anti-debugging to be covered include API-based anti-debugging, exception-based anti-debugging, direct process and thread block detections, modified code detection, hardware and register-based anti-debugging, and timing checks. Upon completion of the presentation the audience should leave with a reasonable awareness of the anti-debugging techniques in use today and an understanding of the basic methods with which they can implement them in their own development projects. A brief background will be given on the history of anti-debugging, along with a clear definition of the problem and its terms. Next, the positive role anti-debugging can play in making reverse engineering a difficult process will be discussed. I will conclude with a walkthrough of a number of anti-debugging methods. The presentation will contain demonstration source code, whenever possible, and a line-by-line explanation of how each anti-debugging technique operates. The goal of the presentation is to educate software engineers with regard to anti-debugging methods and to ease the burden of implementation.