A time-based anti-debugging technique using the Kernel Transaction Manager

Anti-debugging techniques have been known for a long time. One way to detect the presence of debuggers (and also DBI frameworks like Pin, emulators, etc) is by measuring the time taken to execute a piece of code and comparing it against a maximum tolerated amount of time. This way we can detect if our code is being debugged/instrumented/emulated by detecting the latency introduced by the instrumentation tool.

In this Reverse Engineering StackExchange thread you can find a set of time-related functions that are commonly used in Windows environments in order to detect the presence of debuggers using time-checking strategies:

  • GetTickCount()
  • time()
  • RDTSC instruction
  • RDPMC instruction
  • GetLocalTime()
  • GetSystemTime()
  • KiGetTickCount()
  • QueryPerformanceCount()
  • timeGetTime()

You can find more details on these time-based antidebugging tricks on “The Ultimate Anti-Debugging Reference” by Peter Ferrie [PDF].

So a few weeks ago I found one more way to perform time-based debugger detection; the (mildly) interesting thing is that it doesn’t use functions that are directly related to time stuff, so it can be a bit more subtle than those well-known time functions.

The technique is based on the Windows Kernel Transaction Manager, which can be used to implement both transacted file operations and transacted Registry operations.

Continue reading

Advertisements

Analysis of CVE-2014-8476: a FreeBSD kernel memory disclosure vulnerability

One week ago, on November 4th, 2014, the FreeBSD team published security advisory FreeBSD-SA-14:25.setlogin describing an information disclosure vulnerability in setlogin(2) / getlogin(2), which could allow an unprivileged user to disclose kernel memory contents.

This vulnerability (identified as CVE-2014-8476) affects all supported versions of FreeBSD. This is the problem description, taken from the advisory:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the
portion occupied by the login name associated with the session.

The code of the vulnerable function (getlogin in FreeBSD 8.4, sys_getlogin in newer versions) is located at /sys/kern/kern_prot.c:

Continue reading