In this article, I will tell you how to write an anti-debug plugin for OllyDbg v. 2.01. The task is to prevent the application being debugged from detecting the debugger.
Software Developer of Driver Development Team
- General Information
- Plugin Operation Principle
- Plugin Development
- Auxiliary dll for Plugin
- Hooked Function Operation Principle
- Plugin in Action
- Recommendations on Time Setup
- Possible Future Improvements
We’ll consider two steps:
- Writing the plugin,
- Writing the auxiliary module for plugin.
This article is intended for people experienced in C++ and dll writing.
Modern computer programs are more complex in writing and more difficult for reversing. Serious programs have various means of protection against debugging. It prevents application reversing.
Measuring time to identify that an application is being debugged becomes the widespread practice lately. The OllyDbg has the «HideOD» and «Hide Debugger» anti-debug plugins, which have no possibility to hide actual time. This causes difficulties in application reversing.
Let’s consider the system of debugger identification. The debuggers are capable of making breakpoints in code. In this case the operation of the program is suspended. The program can detect such stopping by monitoring the system time. If there is a too long pause between the instructions – most likely the program has been stopped for analysis.
This example measures the time of function execution, which is then compared to standard. This standard equals to the maximal normal function execution time.
The following functions can be used to measure time:
Hiding of OllyDbg by execution time substitutes custom time value for the original time, returned by the function. This is implemented by means of function hooks, as such a solution is painless and unnoticeable by an application.
You can read more details about hooking technique in our Windows API hooking article.
I.e. the pointer of the original function is replaced with the custom function with custom implementation, where the value is substituted. This implementation is written in dll loaded into the target process. dll includes exported functions –
Start sets up the hooks, and
Stop removes them.
3. Plugin Operation Principle
The application is split into two parts:
- Main dll (AntiDebugTimePlugin)
- Auxiliary dll (Plugin)
The main dll is the plugin that interacts with OllyDbg and has the interface for interaction with auxiliary dll. It loads the auxiliary dll into the address space of the target process to perform the required actions.
The auxiliary dll has the code for setting and removing hooks. It also has the altered logic of functions that work with time. This dll replaces the true value of original function with the value set in the main dll. Thus the time for measurement is substituted, which prevents the debugger from being detected.
The plugin operation principle is as follows:
We can see from the scheme how OllyDbg loads the plugin. The plugin writes the values to the registry for interaction with the auxiliary dll. The plugin embeds the auxiliary dll into the process launched by OllyDbg.
Let’s get to the development itself.
OllyDbg performs a search in dll located in the current folder and calls the exported functions it requires. Thus, after the function is found, OllyDbg loads it and adds the corresponding menu.
First, OllyDbg calls ODBG2_Pluginquery function. Inside this function, we check the OllyDbg version. If the version is suitable, we allow the plugin to be loaded into a process.
Then we need to initialize the variables before execution. We need to initialize a variable to create a window in OllyDbg style and set a range of values for auxiliary dll.
Now we need to create a menu for OllyDbg to draw it in its own menu.
To do this, we create an array with the description of all menu items and their processing functions.
The function for returning menu for OllyDbg.
Now let’s consider the basic functions for work with menu.
The first item is intended for creation of the window, in which the range is entered.
Createtablewindow is the function for creating a window in OllyDbg style. In our case – the window without a table, but with edit elements is used.
The second item turns the plugin on and off.
As the second item is checked, we return the menu item state depending on the flag state.
The only thing left is to subscribe to OllyDbg events to receive the information on the process being loaded.
There are 3 interesting events in this function: the emergence of a new process, process termination, and thread termination.
After the notification about a new process is received, we load the auxiliary dll into the process address space.
Before the process is terminated, we remove the hooks set earlier.
In order for auxiliary dll to work properly, we need to set hooks before the process starts to execute the code. To do this, first, we freeze the main thread of the process so that no code is executed.After the process is loaded into OllyDbg completely, we unfreeze the process, and then the functions from auxiliary dll are executed instead of the original functions.
Starting with Windows Vista, it became more complicated to execute custom code in another process by means of
CreateRemoteThread. The complication is that with each new start of the same process the functions are loaded to different adresses each time. Thus it’s impossible to pass
CreateRemoteThread as parameter, so that it loads the auxiliary dll in another process.
The solution is to allocate memory in another process and write code for execution bit-by-bit. I took the CodeProject code as a basis.
Auxiliary dll for plugin
This dll hooks such functions:
It has two exported functions used by the main dll to set and remove hooks.
HookFunction function is used to set hooks. It generates an exception in case of an error and checks if a function has already been hooked.
To simplify the hook setting, let’s wrap this function into a macros with function name and the name of the module, it is located in, as input parameters.
Then we set a flag to indicate the function has been hooked.
To unhook the function, we use macros as well:
Now we use the macros to set hooks:
To remove hooks:
Hooked Function Operation Principle
Let’s consider an example for one function, as all functions have the same logic.
First this function returns the minimum value from the range set in the main dll, then it returns a random value from the same range (min < number < max).
I.e. if the execution time is calculated (the difference between the end and the beginning of the execution), the application will always receive a value in this range: min < number < max.
Plugin in Action
To perform testing, let’s write an application that returns the difference between the beginning of the Sleep function work and its end. We’ll take 1000 milliseconds for the delay. We show this value in MessageBox.
Here is the result of application work:
Now let’s set up the range of values in plugin. Let’s take the range between 2000 and 3000 milliseconds as an example. Now we turn the plugin on and load the process being tested to OllyDbg.
Here is the result:
As you can see from the test example above, the value from the indicated range is returned.
Recommendations on Time Setup
The values are set in milliseconds. The milliseconds threshold below 10 decreases accuracy.
The values may be different, but they depend on the values checked in other program. You may start with a wide range and then gradually decrease it until the application execution begins.
There is an interesting situation: if you take an application that does not use functions connected with time, it calls
QueryPerformanceFrequency one way or another. This may sometimes lead to results being slightly different from the expected ones.
The application was developed for x86 platform, as there is OllyDbg only for x32 version, and there is no OllyDbg x64 at the moment of finishing this article.
We considered the writing of the plugin for OllyDbg 2.01 in this article. We also wrote the plugin that prevents OllyDbg from being detected by function execution time.
This plugin helps in code reversing, if there are functions that detect OllyDbg by measuring time. The code with such functions embedded may close OllyDbg prematurely or may not be executed at all.
This article provides the plugin source code, which you can compile and use.
9. Possible Future Improvements
The auxiliary dll, which sets hooks, is injected into the process during its loading to OllyDbg. However it unloads from it either at application closing or after initiating the restart of the debugging application in OllyDbg.
OllyDbg can detach from an application without stopping the application’s work. If in addition the auxiliary dll was loaded, it will not be unloaded from the process.
The unloading of the dll after pressing “Detach” could be an improvement to this dll’s principle of operation. This would give an application the possibility to continue work in a normal mode.
Take a look at our anti-debugging tecnologies: Linux code protection software development kit