Showing posts with the label Programming. Show all posts

A Virus Program that can Disable or block all USB Ports of your pc



Hey guys, in my previous post I gave you clear, step-by-step guidance on how to compile any C/C++ program. This time I am going to show you how you can disable all the USB ports of your PC by making a virus in the C language. C is my favourite programming language for creating this type of virus. Here I provide simple C source code which does the work for you. Anyone with a basic knowledge of C should be able to understand how this virus program works.
For your understanding, here is the idea behind the source code: in this tutorial you just need to compile and execute the C source code, and once it compiles successfully you get a .exe file, which is the application responsible for disabling (blocking) all the USB ports of your laptop. As a result you will not be able to use your pen drive or any other USB storage device on the computer.

Now let's start today's post, which is about how we can make this virus from C source code. Follow the step-by-step procedure below.

**How to disable USB ports:**

Step 1) First of all you need the .c source code. Simply open Notepad, copy the code below as it is, paste it into Notepad and save it with the name disable_usb.c (remember, the .c extension must be included).

#include <stdlib.h>   /* system() */

int main(void)
{
    /* Set the start type of the USBSTOR (USB mass storage) service to 4 = disabled.
       reg add needs an elevated (administrator) prompt to write under HKLM. */
    system("reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR /v Start /t REG_DWORD /d 4 /f");
    return 0;
}

Step 2) Once you have made the disable_usb.c file you need to compile it. If you don't know how to compile, read my previous article: step-by-step guidance to compile any C program.
 

Step 3) Now, friends, I am assuming that upon compilation of disable_usb.c you get disable_usb.exe.
 

Step 4) After that, to block all USB ports, simply right-click on the disable_usb.exe file and click "Run as administrator".
 

Step 5) That's it, guys, you are done! Now you can see that your pen drive will never get detected when you insert it into your PC.

**How to re-enable all USB ports**

If you are wondering how you can unblock all the USB ports after blocking them, don't worry, buddy: here I provide a second C source code which unblocks the USB ports. Follow the steps below to re-enable your USB ports.

Step 1) First of all open Notepad, copy the code below as it is, paste it into Notepad and save it with the name unblock_usb.c (remember, the .c extension must be included).

#include <stdlib.h>   /* system() */

int main(void)
{
    /* Set the start type of the USBSTOR service back to 3 = manual (loaded on demand),
       which is the Windows default. Run from an elevated prompt. */
    system("reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR /v Start /t REG_DWORD /d 3 /f");
    return 0;
}




Step 2) Compile this unblock_usb.c file to get the unblock_usb.exe file.

Step 3) Right-click on unblock_usb.exe and click "Run as administrator".

That's it, friends.
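As an added example (not part of the original post), here is a small C program that audits the setting the two programs above toggle, so an administrator can tell from a machine's `reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start` output whether USB storage is blocked (Start = 4) or set to manual start (Start = 3). The sample output embedded in it is constructed to mirror the layout reg query prints; the function names are my own, and passing a file name as the first argument is an added convenience for feeding it real output saved to a file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the Start value found in reg-query-style text, or -1 when no
 * "Start  REG_DWORD  <value>" line is present or the value is malformed. */
int usbstor_start_value(const char *reg_output)
{
    const char *p = reg_output;
    while (*p != '\0') {
        char line[256], name[64], type[32], value[32];
        size_t len = strcspn(p, "\n");                 /* take one line at a time */
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n') p++;

        /* reg query prints "    Start    REG_DWORD    0x4" (whitespace separated) */
        if (sscanf(line, "%63s %31s %31s", name, type, value) == 3
            && strcmp(name, "Start") == 0 && strcmp(type, "REG_DWORD") == 0) {
            char *end;
            long v = strtol(value, &end, 0);           /* base 0 accepts 0x4 as well as 4 */
            return (end != value && *end == '\0' && v >= 0) ? (int)v : -1;
        }
    }
    return -1;
}

/* Human-readable meaning of a service Start value for USBSTOR. */
const char *usbstor_status(int start)
{
    switch (start) {
    case 3:  return "manual start: USB storage devices load the driver (enabled)";
    case 4:  return "disabled: the USBSTOR driver will not start (USB storage blocked)";
    case -1: return "unknown: no Start value found in the input";
    default: return "other start type";
    }
}

/* Constructed sample mirroring reg query's output layout (CRLF line ends). */
static const char SAMPLE_REG_OUTPUT[] =
    "\r\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR\r\n"
    "    Start    REG_DWORD    0x4\r\n"
    "\r\n";

int main(int argc, char **argv)
{
    char filebuf[8192] = {0};
    const char *text = SAMPLE_REG_OUTPUT;

    /* Optional: a file holding real `reg query ... /v Start` output */
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL) { perror(argv[1]); return 2; }
        if (fread(filebuf, 1, sizeof filebuf - 1, f) == 0) filebuf[0] = '\0';
        fclose(f);
        text = filebuf;
    }

    int start = usbstor_start_value(text);
    printf("USBSTOR Start = %d -> %s\n", start, usbstor_status(start));
    return start == -1 ? 1 : 0;
}
```

With no argument it evaluates the embedded sample and reports the driver as disabled; with a saved reg query output as its argument it reports the real state of that machine.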

I hope you like this post. Please leave your comments if you faced any problem; I am always here to solve your problem.

~ Tuesday 2 June 2015 0 comments

How to compile & execute C/C++ programs in Windows using the Borland C++ compiler.






hello friends,

Today I am going to start a section where I give you programming articles, like how to hack a computer or how to make a Trojan using the C language. I have used C in particular as the programming language for writing the programs, so first you need to know how to execute C source code. Don't worry, this is my first article in the programming niche and I will try to teach you a clear, step-by-step procedure. If you're new to C programming and find it difficult to compile C source code, then this post is for you. In this post I'm going to explain how to compile a C program easily. Here I use the Borland C++ compiler to build the source code. I know there are lots of articles on the internet which claim to show how to compile a C program, but I also know they all have some errors, and I suffered from these errors too. Because of this I am posting very clear step-by-step guidance to teach you how you can easily build and run a C program with the help of the Borland C++ compiler.

What is the Borland C++ compiler?


Borland C++ is a C and C++ programming environment (that is, an integrated development environment) for MS-DOS and Microsoft Windows. It was the successor to Turbo C++, and included a better debugger, the Turbo Debugger, which was written in protected mode DOS.


Step-by-step procedure to install Borland C++ compiler 5.5 on your PC and compile C programs.


Step 1) First of all you need to install the Borland C++ compiler. You can download it from the link below (for the Windows platform only).
 


Step 2) After you download it, simply run the file C++5.51.exe and click Next. Its default installation path is:
" C:\Borland\BCC55 "

 

Step 3) Now that you have installed it successfully on your PC, you need to configure the Borland C++ compiler. For this you need to make two .cfg files. Here are step-by-step instructions on how to configure the compiler and how to make the .cfg files:

  • a) Open Notepad or any text editor (here I am going to use Notepad), paste the code below as it is and save it with the name bcc32.cfg

-I"c:\Borland\Bcc55\include"
-L"c:\Borland\Bcc55\lib"


  • b) Now open a blank Notepad again, paste the code below as it is and save it with the name ilink32.cfg

-L"c:\Borland\Bcc55\lib"

 



  • c) Now you have two files:
      1. bcc32.cfg
      2. ilink32.cfg


  • d) Now copy these two files, bcc32.cfg and ilink32.cfg, and paste them in the following location:

      C:\Borland\BCC55\Bin
 

Step 4) After step 3 you have configured Borland C++ successfully on your PC. Now you need to know how to compile C source code (.c files) using Borland.
Here are detailed instructions on how to compile C source code:
  • a) First of all you need to place the .c file to be compiled (something.c) in the following location:

      C:\Borland\BCC55\Bin
  • b) Now go to the command prompt (Start -> Run -> type cmd -> Enter)

  • c) In the command prompt type the following line without the quotes and hit Enter:
      " cd/ "

  • d) Now type the following line without the quotes and hit Enter:

      " cd C:\Borland\BCC55\Bin "

 

  • e) To compile the file (something.c) use the following command without the quotes and hit Enter:

      " bcc32 something.c "

  • f) If there are no errors in the source code, you'll get a compiled executable (something.exe) in the same location:

      "C:\Borland\BCC55\Bin"
  Note: please ensure that you open something.exe in administrator mode, otherwise some functions will not work properly.
  • g) Now you have successfully compiled the source code into an executable (.exe) file.

Extra tips for you:


1) If you face a problem while compiling the C program and it gives you an error like "unable to open include file 'stdio.h'" (or the same for any other header file), you need to reinstall the Borland C++ compiler and configure it correctly as shown in the steps above.

2) If you get a warning instead of an error, don't worry: check your C program's syntax, otherwise simply ignore minor warnings.


NOTE: the tutorial above on how to compile a C program using the Borland C++ compiler assumes that you've installed the Borland C++ compiler onto the C: drive (the default).



That's it; this is the overall step-by-step procedure to compile any C program using the Borland C++ compiler.
 

I hope you enjoy my first article. If you face any problem, feel free to drop your comment in the comment box below.
 

If you like this, please share it; I really need your support.



~ Monday 1 June 2015 0 comments

Compiling multiple C++ source files

Compiling multiple C++ source files using g++ is easy, but it requires a little manual work. Compiling multiple source files can be easier and more straightforward using a makefile, but here I will give only a simple example. If you think you need an example of a makefile too, then you can search Google or write a comment and I will update this post!

I hope you already understand the basics of C++ like functions, classes, etc.

C++ source file one (main.cpp)


#include <iostream>
#include "hell.h"

void testing(){
    std::cout<<"Test\n";
    testing1();   // defined in main2.cpp, declared in hell.h
}

int main(){
    std::cout<<"Test\n";
    testing();

    return 0;
}



C++ source file two (main2.cpp)


#include <iostream>
#include "hell.h"

void testing1(){
    Test tt;                 // object of the class declared in hell.h
    tt.t="LALA";
    std::cout<<"Hello world 2\n"<<tt.t<<std::endl;
    tt.h();
}
void Test::h(){              // the class is called Test, so the method must be qualified as Test::h
    std::cout<<"C++ method\n";
}

I declared an object of the class called "Test".
t is a variable declared in the header file, so tt.t means "use the variable from class Test!".
You can write any valid code in the function or in a C++ class method!

C++ header file (hell.h)



#ifndef HELL_H // if HELL_H is not defined yet, go on to the next preprocessor line
#define HELL_H // and define it, so the header body is included only once

#include <string>

void testing1();
void testing();

class Test{
public:
    std::string t;
    void h();
};

#endif // protection done!



Compiling the sources using g++ is simple:

g++ main.cpp main2.cpp -o main

pro@pusheax:~/coding/c++/basic/multi$ ./main
Test
Test
Hello world 2
LALA
C++ method


Thanks for reading!












~ Saturday 25 January 2014 0 comments

Windows socket programming in C++: your first socket (networking) program!

Windows socket programming in C/C++ was frustrating for me the first time. But with winsock2 it is not that hard to write your basic networking program in a few minutes. Today I will explain the basics of Windows socket programming step by step using winsock2 and C++. If you don't understand C or C++ then you will not understand this article, so do not start with Windows socket programming before you have basic knowledge of C/C++. I am a fan of the gcc compiler, so I used gcc (mingw-w64) to compile all the code on this blog.


To write any Windows program we are required to include "windows.h", and for sockets we need only "winsock2.h" (which pulls in windows.h itself). The only two headers the examples below need are:

#include <iostream>
#include <winsock2.h>
Well, let's go step by step with an example:
 1  #include <iostream>
 2  #include <winsock2.h>   // link with -lws2_32 when building with gcc (mingw-w64)
 3  
 4  
 5  int main()
 6  {
 7      WSAData version; //We need to check the version.
 8      WORD mkword=MAKEWORD(2,2);
 9      int what=WSAStartup(mkword,&version);
10      if(what!=0){
11          std::cout<<"This version is not supported! - \n"<<WSAGetLastError(); return 1;
12      }
13      else{
14          std::cout<<"Good - Everything fine!\n";
15      }
16  
17      return 0;
18  }


In line 7, WSAData is the name of a structure which holds information about the Windows socket implementation. So here we declare our own object to work with, called "version". You can find more details about WSAData in the MSDN documentation.

In line 8, MAKEWORD() is a macro whose result is of type WORD. MAKEWORD(2,2) is going to be version "2.2".

In line 9, we store the return value of WSAStartup() in the variable "what". This function checks whether the requested version is supported. If the version is correct, as we expected, it returns 0; otherwise it returns something else, which should be checked with WSAGetLastError() as I did in line 11.

Compile the code and run it; if you are on XP or later you will get the output "Good - Everything fine".




Since everything is fine, we want to create our real socket using the type named "SOCKET":


 1  #include <iostream>
 2  #include <winsock2.h>   // link with -lws2_32 when building with gcc (mingw-w64)
 3  
 4  
 5  int main()
 6  {
 7      WSAData version; //We need to check the version.
 8      WORD mkword=MAKEWORD(2,2);
 9      int what=WSAStartup(mkword,&version);
10      if(what!=0){
11          std::cout<<"This version is not supported! - \n"<<WSAGetLastError(); return 1;
12      }
13      else{
14          std::cout<<"Good - Everything fine!\n";
15      }
16  
17      SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
18      if(u_sock==INVALID_SOCKET)
19          std::cout<<"Creating socket fail\n";
20  
21      else
22          std::cout<<"It was okay to create the socket\n";
23  
24      return 0;
25  }

Our second step is creating the socket. In line 17 we declare a variable of type SOCKET called u_sock and store the result of the socket() function in it.

AF_INET specifies IPv4.

SOCK_STREAM specifies a connection-based, reliable two-way stream (as used with AF_INET).

IPPROTO_TCP specifies the Internet protocol to use (TCP/IP).

You can get more details at this link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740506%28v=vs.85%29.aspx

If something goes wrong creating the socket, it returns the value INVALID_SOCKET, which we check in line 18.




Time to specify the address and make the connection. For a bit of theory and the basic idea, read http://msdn.microsoft.com/en-us/library/windows/desktop/ms740496%28v=vs.85%29.aspx and the connect() function page http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx.

The code for the address information and the connect() call:


 1  #include <iostream>
 2  #include <winsock2.h>   // link with -lws2_32 when building with gcc (mingw-w64)
 3  
 4  
 5  int main()
 6  {
 7      WSAData version; //We need to check the version.
 8      WORD mkword=MAKEWORD(2,2);
 9      int what=WSAStartup(mkword,&version);
10      if(what!=0){
11          std::cout<<"This version is not supported! - \n"<<WSAGetLastError(); return 1;
12      }
13      else{
14          std::cout<<"Good - Everything fine!\n";
15      }
16  
17      SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
18      if(u_sock==INVALID_SOCKET)
19          std::cout<<"Creating socket fail\n";
20  
21      else
22          std::cout<<"It was okay to create the socket\n";
23  
24      //Socket address information
25      sockaddr_in addr;
26      addr.sin_family=AF_INET;
27      addr.sin_addr.s_addr=inet_addr("192.168.206.1");
28      addr.sin_port=htons(80);
29      /*==========Addressing finished==========*/
30  
31      //Now we connect
32      int conn=connect(u_sock,(SOCKADDR*)&addr,sizeof(addr));
33      if(conn==SOCKET_ERROR){
34          std::cout<<"Error - when connecting "<<WSAGetLastError();
35          closesocket(u_sock);
36          WSACleanup();
37      }
38  
39  
40      return 0;
41  }

In the example above, in line 25 we declare the object to work with. Then in line 26 we specify IPv4, in line 27 we set our target address to connect to, and in line 28 we set the port number.

Line 32 declares a variable of type int and stores the return value of connect() so we can use it later. The parameters: u_sock is the socket we created in line 17, (SOCKADDR*)&addr is the address information cast to a SOCKADDR pointer, and the last one is the length of the address information we specified.

Lines 33 to 36 check if anything went wrong: connect() returns the error code SOCKET_ERROR when unsuccessful. If so we print the error code number and then close the socket using the closesocket() function.

Assuming everything went fine, we are almost done. But without getting some data from the remote host you may not be convinced, so let's use two more functions, send() and recv(). With send() we send whatever we want to the remote host, and with recv() we store the response in an array:


 1  #include <iostream>
 2  #include <winsock2.h>   // link with -lws2_32 when building with gcc (mingw-w64)
 3  #include <cstring>      // strlen()
 4  
 5  
 6  
 7  int main()
 8  {
 9      WSAData version; //We need to check the version.
10      WORD mkword=MAKEWORD(2,2);
11      int what=WSAStartup(mkword,&version);
12      if(what!=0){
13          std::cout<<"This version is not supported! - \n"<<WSAGetLastError(); return 1;
14      }
15      else{
16          std::cout<<"Good - Everything fine!\n";
17      }
18  
19      SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
20      if(u_sock==INVALID_SOCKET)
21          std::cout<<"Creating socket fail\n";
22  
23      else
24          std::cout<<"It was okay to create the socket\n";
25  
26      //Socket address information
27      sockaddr_in addr;
28      addr.sin_family=AF_INET;
29      addr.sin_addr.s_addr=inet_addr("192.168.206.1");
30      addr.sin_port=htons(80);
31      /*==========Addressing finished==========*/
32  
33      //Now we connect
34      int conn=connect(u_sock,(SOCKADDR*)&addr,sizeof(addr));
35      if(conn==SOCKET_ERROR){
36          std::cout<<"Error - when connecting "<<WSAGetLastError();
37          closesocket(u_sock);
38          WSACleanup(); return 1; //nothing below can work without a connection
39      }
40  
41      //Send some message to remote host
42      const char* mymsg="GET / HTTP/1.1\r\n\r\n";
43      char vect[512]={0}; //zero-filled, so a recv() of at most 511 bytes leaves it NUL-terminated
44  
45      int smsg=send(u_sock,mymsg,(int)strlen(mymsg),0); //strlen(), not sizeof(): sizeof(mymsg) is only the pointer size
46      if(smsg==SOCKET_ERROR){
47          std::cout<<"Error: "<<WSAGetLastError();
48          closesocket(u_sock); WSACleanup(); return 1;
49      }
50  
51      int get=recv(u_sock,vect,sizeof(vect)-1,0);
52      if(get==SOCKET_ERROR){
53          std::cout<<"Error in Receiving: "<<WSAGetLastError();
54      }
55      std::cout<<vect;
56      closesocket(u_sock);
57      WSACleanup(); return 0;
58  }

In line 42 we define a string to send to the remote address. Line 43 declares an array to hold the output of the command.

In line 45 we store the result of send() along with the required parameters: u_sock is the name of the socket we created, mymsg holds the command to send to the remote address, then the length of the message in bytes, and the flags.

In line 51 we use recv() to get the output and store it in the array. The parameters of this function are the same as for send().

Line 55 gets the output from the array and prints it on the screen, then line 56 closes the socket.
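As an added example, not from the original post, here is the same send()/recv() exchange written against the POSIX socket API that winsock2 mirrors, with a socketpair() standing in for the remote host so it runs offline. It guards against two mistakes this API invites and which the winsock code above must also avoid: sizeof() applied to a char pointer gives the pointer size, not the message length, and recv() never NUL-terminates the bytes it stores, so printing the buffer as a string needs a terminator added by hand. The function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send every byte of a NUL-terminated message. Uses strlen(): msg is a
 * pointer, so sizeof(msg) would be 4 or 8, not the message length.
 * Loops because send() may accept fewer bytes than asked for.
 * Returns bytes sent, or -1 on error. */
ssize_t send_all(int fd, const char *msg)
{
    size_t len = strlen(msg), done = 0;
    while (done < len) {
        ssize_t n = send(fd, msg + done, len - done, 0);
        if (n < 0) return -1;
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Receive up to cap-1 bytes and always leave a terminating NUL, so the
 * buffer can be printed as a string. recv() itself never terminates it.
 * Returns bytes received, or -1 on error (buffer left empty). */
ssize_t recv_str(int fd, char *buf, size_t cap)
{
    ssize_t n = recv(fd, buf, cap - 1, 0);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return n;
}

/* What sizeof() reports for a char pointer: the mistake in action. */
size_t sizeof_of_pointer(const char *msg)
{
    return sizeof(msg);
}

/* Round-trip a request over a local socket pair: sv[0] plays the client
 * that sends, sv[1] the server that receives. Returns bytes received or -1. */
ssize_t local_roundtrip(const char *request, char *out, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    ssize_t got = -1;
    if (send_all(sv[0], request) >= 0)
        got = recv_str(sv[1], out, cap);
    close(sv[0]);
    close(sv[1]);
    return got;
}

int main(void)
{
    const char *request = "GET / HTTP/1.1\r\n\r\n";   /* the request the post sends */
    char vect[512] = {0};

    printf("sizeof(request) = %zu, strlen(request) = %zu\n",
           sizeof_of_pointer(request), strlen(request));
    ssize_t got = local_roundtrip(request, vect, sizeof vect);
    printf("received %zd byte(s):\n%s", got, vect);
    return got < 0 ? 1 : 0;
}
```

Run it and compare the two numbers on the first line: only strlen() gives the 18 bytes of the request, which is why send() must be given strlen(mymsg) rather than sizeof(mymsg).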




I hope I made this article simpler to understand. I don't really like to write too much theory, since there is a lot of it and it is not that useful to me (maybe to you too). If you have any questions, please comment!


Hope you enjoyed!





 




~ Sunday 28 July 2013 0 comments

Easy examples of strstr(), strspn(), strrchr(), strchr(), strpbrk(), memcpy(), memset(), memcmp() - #include <string.h>

I have written quick examples of a few functions such as strspn(), strrchr(), strchr(), strpbrk(), memcpy() etc. from the C language. These functions are often used for dealing with strings. The code is very easy to read and write. I am just pasting the code here; please read the comments and if you have any questions, please post a comment!


strstr():


/*
* use and example of strstr() function
*/

/*
* The strstr() function finds the first occurrence of the substring needle in the string haystack.
* The terminating null bytes ('\0') are
* not compared.
*/


#include <stdio.h>
#include <string.h>
int main(){
const char *str="what the hell! system got hacked!!!";
const char *str2="what";
const char *str3="system";
printf("\n%s\n\n",strstr(str,str3)); /* pointer into str where "system" starts */
printf("%s\n\n",strstr(str,str2));   /* "what" is at the very beginning, so the whole string */
return 0;
}

/* gcc strstr1.c -o strstr1
* ./strstr1
* system got hacked!!!
*
* what the hell! system got hacked!!!
*
*/





strspn():



/* The use and example of strspn() */
/*search a string for a set of bytes. The strspn()
* function calculates the length (in bytes) of the initial segment of s which consists entirely of bytes in accept. */


#include <stdio.h>
#include <string.h>

int main(){
const char *str="C is a greate system language 1337";
const char *str2="1234567890";
/* strspn() returns a size_t, so print it with %zu (not %s): 0 here, because 'C' is not a digit */
printf("Lets see %zu\n",strspn(str,str2));
return 0;
}




strrchr():


/*use and example of strrchr()*/
/*
* The strrchr() function returns a pointer to the last occurrence of the character c in the string s.
* This will search the char from last. For example if we search 'a' then it will point you "ammer"
* from the "programmer"

*/


#include <stdio.h>
#include <string.h>

int main(){
const char *str="You are the programmer";
char str1; /* a single character, so read it with %c into a char, not an int */
printf("Enter a char:");
if(scanf("%c",&str1)!=1) return 1;
const char *hit=strrchr(str,str1); /* NULL when the char is not in the string */
printf("\'%c\' found in \'%s\'\n",str1,hit ? hit : "(null)");
return 0;
}

/*
* pusheax@programming:~/codes/linux1blog$ gcc strrchar.c -o strrchar
* pusheax@programming:~/codes/linux1blog$ ./strrchar
* Enter a char:a
'a' found in 'ammer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:u
'u' found in 'u are the programmer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:o
'o' found in 'ogrammer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:y
'y' found in '(null)'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:Y
'Y' found in 'You are the programmer'
pusheax@programming:~/codes/linux1blog$
*/



strchr():




/* The use and example of strchr() */

#include <stdio.h>
#include <string.h> /*include string.h for all the string related functions*/

int main(){
const char *strng="Mr. Stupid!"; //We will search for the char in this string
char secstr='S'; //A char must be enclosed in single quotes
int search=(strchr(strng,secstr) != NULL); //strchr() is the search function; NULL means not found

if (!search) //If search is not true
printf("The char is not found!\n");
else //Otherwise it is true
printf("Wow the char \'%c\' found in strng \"%s\"\n",secstr,strng);

return 0;
}


strpbrk():




/* use and example of strpbrk() */
/* strpbrk - search a string for any of a set of bytes */

#include <stdio.h>
#include <string.h>

int main(){
const char *str="Programming is another best way to learn hacking";
const char *str2="b";
const char *hit=strpbrk(str,str2); //Is any char of str2 in str? strpbrk returns a pointer to it, or NULL
if (!hit) //Check the pointer before using it: dereferencing NULL would crash
printf("Nothing!\n");
else
printf("Found \'%c\' in \"%s\"\n",*hit,str); //Yes it is; print which char it is
return 0;
}




memcpy():



/*Use and example memcpy() and memmove()*/

/*memcpy - copy memory area*/

//memcpy() does not check the boundary. Be careful!

#include <stdio.h>
#include <string.h>


int main(){
char str1[]="Hello all hackers!";
char str[sizeof(str1)]; //the destination must be at least as big as what we copy: memcpy() will not check
memcpy(str,str1,sizeof(str1));
printf("%s\n",str);
return 0;
}



memset():



//Use and example of memset()
//memset - fill memory with a constant byte

#include <stdio.h>
#include <string.h>

int main(){
char str[]="Life is boring!";
int str1='A';
printf("First string:%s\n",str);
//sizeof(str1) is sizeof(int), usually 4, so only the first 4 bytes are set to 'A'
printf("Now it is:%s\n",memset(str,str1,sizeof(str1)));
return 0;
}

memcmp():


#include <stdio.h>
#include <string.h>

int main(){
char str[]="ABa";
char str1[]="AbA";
int what=memcmp(str,str1,sizeof(str)); //compares 4 bytes (including the NUL), byte by byte and case-sensitively
if(what)
printf("Return:%d not matched\n",what);
else
printf("Return:%d mean equal\n",what);

printf("Lets print something different!\n");
printf("Confused for:%d ?\n",memcmp(str,str1,2)); //'B' differs from 'b' in the second byte
printf("Another confusion for :%d ?\n",memcmp(str,str1,1)); //only the first byte is compared: equal
return 0;
}
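As an added example (not part of the original post), here is the bounds check that memcpy() does not do for you, together with safe uses of strrchr() and strpbrk() that handle the NULL they return when the character is absent: the case behind the '(null)' line in the strrchr() transcript above, and the one that makes dereferencing strpbrk()'s result without a check unsafe. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Copy src (including its NUL) into dst only if it fits in dst_cap bytes.
 * Returns 1 on success, 0 when the copy would overflow; dst is then left
 * as a valid empty string instead of being partially written. */
int copy_string_checked(char *dst, size_t dst_cap, const char *src)
{
    size_t need = strlen(src) + 1;             /* bytes including the NUL */
    if (need > dst_cap) {
        if (dst_cap > 0) dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, need);
    return 1;
}

/* Suffix of s starting at the last occurrence of c, or "" when c is absent
 * (where the post's program printed "(null)"). */
const char *suffix_from_last(const char *s, int c)
{
    const char *p = strrchr(s, c);
    return p ? p : "";
}

/* First character of s that appears in accept, or 0 when none does.
 * Checks the pointer before dereferencing it. */
int first_char_from_set(const char *s, const char *accept)
{
    const char *p = strpbrk(s, accept);
    return p ? (unsigned char)*p : 0;
}

int main(void)
{
    char small[10], big[32];
    const char *msg = "Hello all hackers!";   /* 18 characters + NUL = 19 bytes */

    printf("copy into 10 bytes: %s\n",
           copy_string_checked(small, sizeof small, msg) ? "ok" : "refused (would overflow)");
    printf("copy into 32 bytes: %s -> \"%s\"\n",
           copy_string_checked(big, sizeof big, msg) ? "ok" : "refused", big);
    printf("last 'a' in \"You are the programmer\": \"%s\"\n",
           suffix_from_last("You are the programmer", 'a'));
    printf("last 'y': \"%s\" (empty string, not a NULL dereference)\n",
           suffix_from_last("You are the programmer", 'y'));
    printf("first of \"xyz\" in \"Programming\": %d (0 = none found)\n",
           first_char_from_set("Programming", "xyz"));
    return 0;
}
```

The size check counts the terminating NUL, which is the byte most often forgotten when a buffer is sized from strlen() alone.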


~ Monday 17 June 2013 0 comments

Guide to Anti-Debugging - Overview , Techniques and Approaches

I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half-baked security crescendo. Until recently, when I was contacted by the amiable folks at the Infosec Institute with a good article on anti-debugging. This is an article by Dejan Lukan, a security researcher at the Infosec Institute, in which he discusses anti-debugging techniques in an objective and direct manner. I loved the implementation part; it reminded me of my reversing days (you can learn how to reverse WinRAR, or just have a look at a real noob's guide to reversing some more stuff), and more importantly Dejan explains how to stop (read: slow down) people from reversing your code. Hope you will enjoy it.

Before we begin, we must mention that it's impossible to completely prevent reversing. What is possible is to place as many obstacles in the way as we want, to make the process slow enough that reverse engineers give up. There are actually hardware implementations where you can buy a black box that attaches to your computer and does the encryption/decryption for you, but this is far from everyday use.
Techniques to Harden Reverse Engineering

The most basic approaches to harden the reverse engineering of programs are the following [1]:
  1. Eliminating symbolic information
  2. Obfuscating the program
  3. Embedding anti-debugger code
When eliminating symbolic information, we're taking the textual information out of the program, which means we're stripping all symbolic information from the program executable. In bytecode programs, the executable often contains large amounts of internal symbolic information such as class names, class member names and the names of instantiated global objects. By removing every symbol from the executable, or by renaming every symbol, the reverser is faced with a bigger problem than usual, because symbol names alone can often be used to gather enough information about what a function does, which simplifies the reverse engineering.
This can easily be done in C/C++ programs, where we only have to append a few compiler flags to the command line that compiles the program into the executable. It's much harder with languages like Java and .NET, where those symbols are used internally to reference variables, functions, etc. This is also the reason why Java and .NET programs can easily be converted back into a pretty good approximation of the original source code. We can still strip the symbols from such programs by renaming all the symbols from their meaningful names into meaningless representations, which effectively does the job.
Besides stripping the executable's symbols, we can also obfuscate the program. When obfuscating a program, we're basically changing the code of the program without changing the logic behind it, so the program does the same as before but its code is far less readable. Here we have two techniques that can achieve that:
  • Encoding: With encoding, we must add decoding instructions that decode the whole program before it's run. This can be done by appending the decoding instructions at the end of the program and changing the entry point to point to them. When the program is run, the decoding instructions are executed first, decoding the whole program into its original form. After that, we must jump to the start of the program and run the original instructions as if the encoding hadn't happened.
  • Packing: When packing the executable, we're reducing the size of the executable as well as encrypting it. When such a program is run, it must first be decoded in memory and then run.
By obfuscating the program with nonstandard encoders/packers, we can greatly complicate the task of reverse engineering the executable, but in the end a persistent reverse engineer will nevertheless be able to bypass that and get the non-obfuscated version of the executable, which can easily be reversed.
Last but not least, we can use anti-debugger code: we include code in the executable that can detect whether the program is currently being debugged. If it is, the program terminates prematurely without executing the functions that would normally be executed if it weren't running under a debugger.
Antidebugging

Before discussing how anti-debugging tricks do their magic, we must first talk about how the debugger is able to debug the program. We know that we can stop and resume the program with the use of either software or hardware breakpoints.
When using software breakpoints, we’re replacing the instruction on which we’ve set the breakpoint with the INT 3 instruction (at least on the x86 architecture), which is a special software interrupt. In this case, we’re passing the value 3 to the instruction INT, which means that we’re generating the software interrupt 3. This causes the function pointed to by the 3rd vector in the interrupt address table (IAT) to be executed. I guess we’re all familiar with the INT 80 interrupt that makes a system call on Linux systems.
The INT 3 instruction temporarily replaces the current instruction in a running program. This is also a way for the debugger to know that a software breakpoint has occurred and the program execution should be stopped. After that, the debugger replaces the INT 3 instruction with the original instruction so the program can continue without the loss of instructions, which can otherwise cause abnormal program behavior.
When we use a hardware breakpoint, it’s the processor’s job to know when the breakpoint has been hit and the program has to be stopped. This is why the program is not modified when a hardware breakpoint is set.
When the breakpoint is hit, the program is stopped and we can safely execute instructions in our favorite debugger. At that point, we can run instructions step by step, entering into functions, or executing a whole function in one step. If we're interested in what the function does, we need to step into the function; otherwise we can safely ignore the function and step over it. When stepping through the code, each instruction is executed on its own and then the program is stopped again, so we're able to analyze what the instruction has just done.

When stepping through the code with a debugger, the Trap Flag (TF) in the EFLAGS register is used. When TF is set, an interrupt is generated after every executed instruction, so we get the feeling of stepping through the program instruction by instruction.

IsDebuggerPresent

IsDebuggerPresent is a Windows API function, which we can see in the picture below:
[Figure: the IsDebuggerPresent function as shown in the Windows API documentation]

The function doesn’t take any arguments and returns a Boolean value notifying us whether the program is running under a debugger or not. This function can be used to trivially detect whether a debugger is being used to run the program. The function uses the Process Environment Block (PEB) to get information about whether the user-mode debugger is used.
Let’s create a simple program that prints the number 0 or 1 if the debugger is present or not. We can do that by first creating an empty console project under Visual Studio C++ and then changing the code of the main cpp file into the following:
// isdebuggerpresent.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[])
{
    int num;
    if(IsDebuggerPresent()) {
        num = 0;
    }
    else {
        num = 1;
    }

    printf("Number: %d\n", num);

    /* wait */
    getchar();

    return 0;
}

The program prints "Number: 0" if the debugger is present and "Number: 1" if it is not. If we run the application under Visual Studio, the program will display the number 0 because it's being run under a debugger. This can be seen in the picture below:
[Figure: the program run under Visual Studio printing "Number: 0"]

Let’s also run the program under OllyDbg to be sure that the number 0 is displayed. This can be quickly confirmed by loading the executable program and running it. On the picture below, we can see that the number 0 was printed when the program was run under OllyDbg debugger:

But if we run the same program from a normal cmd.exe, it will display the number 1. This can be seen in the picture below:
[Figure: the program run from cmd.exe printing "Number: 1"]

We can see that the IsDebuggerPresent API call works as expected, but that the call is easy to detect and bypass. This is because we can quickly find this function call in the executable and delete or bypass it. To do this, we can simply open the executable in the IDA debugger and check the Imports table to verify whether that function appears there. Indeed, the function IsDebuggerPresent is listed among the imported functions, as we can see in the picture below:
[Figure: IsDebuggerPresent listed in the IDA Imports table]

This is a clear indication that the executable uses the function to do something different when a debugger is attached. We can also locate the exact instructions used to call that function. The whole IDA graph of the main function, which does exactly the same as the main function from the C++ source code above, is presented in the picture below:
[Figure: IDA graph of the main function]

We can see that, at first, we're setting up the stack frame for the function and calling the IsDebuggerPresent function. After that, we're testing the returned value in eax against itself to determine whether a true or false value was returned. If eax holds a value different from 0 (1 in our case), then the zero flag will be set and the first block, which sets [ebp+num] to 0, is executed. This is exactly what happens now, because we're running the program under a debugger; otherwise the block that sets [ebp+num] to 1 is executed. After that, we're just moving the value of [ebp+num] into the register eax and printing it with the printf function.
If we now set a breakpoint on the call to IsDebuggerPresent and rerun the program, execution will stop right where we want it. After the breakpoint has been hit, we can step into the function to see what it actually does. In the picture below, we can see the function in question:
[Figure: the body of IsDebuggerPresent as shown in IDA]

We can see that the function is pretty simple: we're loading the address of the currently active thread's information block (TIB) into the register eax and then accessing the structure member located at offset 0x30, which is where the PEB data structure is found. After that, we're loading the address of the PEB into eax and accessing its data member at offset 0x2, which holds the member named BeingDebugged. Thus we've taken a look at what the IsDebuggerPresent function actually does and how it does it. We can see that it's very simple and not really hard to bypass.

We can suspect that IsDebuggerPresent is being used when, while reverse engineering an executable, the program terminates prematurely, a different execution path is taken, or something else unexpected happens. In such cases, we must first check the Imports table to see whether the IsDebuggerPresent function is called anywhere in the executable. If that is the case, we can simply delete the instructions that call IsDebuggerPresent, so it won't bother us when reversing the executable.
On the other hand, if we're developing a program and we would like to use the IsDebuggerPresent check, we can copy the instructions above directly into our code, so that we're not calling the IsDebuggerPresent function itself but using its body to figure out whether a debugger is being used to run the executable. This is just another trick so that reverse engineers won't immediately notice the use of IsDebuggerPresent, and it will make debugging slightly more complicated.
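As an added example (not part of Dejan Lukan's article), here is the same kind of "ask the operating system whether a debugger is attached" check the article demonstrates with IsDebuggerPresent and PEB.BeingDebugged, written for Linux, where the kernel exposes the corresponding flag as the TracerPid field of /proc/self/status (non-zero while a ptrace()-based debugger such as gdb is attached). It prints 0 or 1 with the same convention as the article's program, so the reader can watch the value flip by running it with and without a debugger. The two status texts embedded in it are constructed samples used to exercise the parser, and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:\t<n>" line out of /proc/<pid>/status text.
 * Returns the tracer's pid (0 when nothing is attached), or -1 when the
 * field is missing or has no number after it. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = status_text;
    while (*p != '\0') {
        if (strncmp(p, "TracerPid:", 10) == 0) {
            char *end;
            long pid = strtol(p + 10, &end, 10);   /* skips the tab, stops at '\n' */
            return end == p + 10 ? -1 : pid;        /* no digits consumed: malformed */
        }
        p += strcspn(p, "\n");                      /* jump to the next line */
        if (*p == '\n') p++;
    }
    return -1;
}

/* Read this process's own status file and extract TracerPid.
 * Returns -1 if the file cannot be read (e.g. no procfs mounted). */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Constructed samples of the status text: one traced process, one not. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tisdebuggerpresent\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t4242\n"
    "PPid:\t4100\n"
    "TracerPid:\t4100\n";
static const char SAMPLE_STATUS_FREE[] =
    "Name:\tisdebuggerpresent\n"
    "State:\tR (running)\n"
    "Pid:\t4243\n"
    "PPid:\t1\n"
    "TracerPid:\t0\n";

int main(void)
{
    long tracer = current_tracer_pid();
    /* Same convention as the article's program: 0 under a debugger, 1 otherwise */
    int num = (tracer > 0) ? 0 : 1;
    printf("Number: %d\n", num);
    return 0;
}
```

Just as the article notes for the Imports table, this check is easy for an analyst to spot (the string "/proc/self/status" sits in the binary) and to neutralise, so it only raises the cost of analysis rather than preventing it.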
Conclusion

For a deeper understanding of reverse engineering, check out the reverse engineering training course offered by the InfoSec Institute. In this article we've seen a few techniques to harden the reverse engineering process. The technique easiest to bypass is symbol elimination, where we delete all the symbols present in the executable. This effectively makes the names of the functions unavailable when debugging, which leaves it up to the debugger to name the functions. Another technique is program obfuscation, which can be a pretty simple operation, like XORing the whole executable and then running it, but it can also be pretty complicated. Things get further complicated if we combine obfuscation with anti-reversing techniques, which detect whether the program is being reversed and terminate it prematurely if so, greatly hardening the reverse engineering of the executable.
References:
[1]: Reversing: Secrets of Reverse Engineering, Eldad Eilam.


~ Saturday 4 May 2013 0 comments