Solved

Issue with debugger

Posted on 2011-10-30
Medium Priority
559 Views
Last Modified: 2013-12-17
Hello,

I am reverse engineering a program which has some mysterious anti-debug, if I can call it that.
I can let the program run under the debugger for eternity without detection, but once I breakpoint and try to step an instruction, the debugger says something like "Cannot read from address 0x00000010, please try set another EIP".

What is the method used by that program to detect the debugger?

Thanks.
Question by:Wiz7
7 Comments
 
LVL 9

Expert Comment

by:raysonlee
ID: 37055175
One possible method is to measure the time required to run from one point to another. If the time is longer than expected, it terminates itself.
 

Author Comment

by:Wiz7
ID: 37058905
The thing is, the debugger pauses the program, so there is actually no way for the program to check the time... yet the program still catches the debugger.
 
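A minimal timing check of the kind raysonlee describes, added here as an example that is not code from the thread; it uses a monotonic wall clock, which keeps advancing while a debugger holds the process at a breakpoint, so a single-stepped window overruns its budget even though the program's own instructions are not executing. The `fast_work` and `stalled_work` functions, the 5 ms budget and the 20 ms stall are constructed stand-ins for the real program and for an analyst stepping through it.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic wall-clock nanoseconds. This clock does not stop while the
 * process is suspended, which is what makes the check observable. */
static int64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Run `work` and report whether it took longer than `budget_ns`.
 * Returns 1 when the window overran (what a timing-based anti-debug
 * check treats as "the process was paused"), 0 otherwise. */
int window_overran(void (*work)(void), int64_t budget_ns, int64_t *elapsed_out) {
    int64_t start = now_ns();
    work();
    int64_t elapsed = now_ns() - start;
    if (elapsed_out) *elapsed_out = elapsed;
    return elapsed > budget_ns;
}

/* Constructed stand-in for a short stretch of real program code. */
void fast_work(void) {
    volatile uint32_t acc = 0;
    for (uint32_t i = 0; i < 1000; i++) acc += i * 7u;
}

/* Constructed stand-in for the same stretch while an analyst is stepping
 * it: the process is held for about 20 ms, as it would be at a breakpoint. */
void stalled_work(void) {
    struct timespec pause = { 0, 20L * 1000000L };
    nanosleep(&pause, NULL);
    fast_work();
}

int main(void) {
    const int64_t budget = 5LL * 1000000LL;   /* 5 ms, a constructed threshold */
    int64_t elapsed;
    int over = window_overran(fast_work, budget, &elapsed);
    printf("normal run:  %lld ns, overran=%d\n", (long long)elapsed, over);
    over = window_overran(stalled_work, budget, &elapsed);
    printf("stalled run: %lld ns, overran=%d\n", (long long)elapsed, over);
    return 0;
}
```

The same comparison works from a rdtsc-style cycle counter; the analyst-side counter is the one raysonlee gives below, tracing from the start against a control run to find where the two diverge.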
LVL 9

Expert Comment

by:raysonlee
ID: 37061123
Do you step through the program from the very beginning and trace it with the control side by side? You should be able to find the difference.

Author Comment

by:Wiz7
ID: 37067361
No, I don't step through from the very beginning.
That's probably why the program is catching me, as it has some code already initialized. It also has a driver running.
But I am really interested in knowing what method it's using to catch the debugger.

Thank you.
 
LVL 9

Expert Comment

by:raysonlee
ID: 37067493
A few anti-debugging techniques for your reference:
http://www.symantec.com/connect/articles/windows-anti-debug-reference
 

Author Comment

by:Wiz7
ID: 37068000
Thanks, however, none of them helped with my problem.
I'm pretty sure it has something to do with its kernel driver, but I don't understand how the driver can do something when the user-mode program is paused by the debugger.
 
LVL 9

Accepted Solution

by:raysonlee (earned 2000 total points)
ID: 37070366
