Adding a few anti-disassembler tricks

Author: Emmanuel Fleury

anti-disassembler/Linux/anti-debug/Makefile

@@ -0,0 +1,28 @@
+CFLAGS   = -Wall -Wextra -g
+CPPFLAGS =
+LDFLAGS  =
+
+PTRACE = anti-ptrace
+BREAKPOINT = breakpoint_detection
+
+EXEC = $(PTRACE)-i386 $(PTRACE)-amd64 \
+       $(BREAKPOINT)-i386 $(BREAKPOINT)-amd64
+
+all: $(EXEC)
+
+$(PTRACE)-i386: $(PTRACE).c
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+$(PTRACE)-amd64: $(PTRACE).c
+	$(CC) -m64 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+$(BREAKPOINT)-i386: $(BREAKPOINT).c
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+$(BREAKPOINT)-amd64: $(BREAKPOINT).c
+	$(CC) -m64 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+clean:
+	@rm -f *~ $(PTRACE)-i386 $(PTRACE)-amd64 \
+	          $(BREAKPOINT)-i386 $(BREAKPOINT)-amd64
+

anti-disassembler/Linux/anti-debug/anti-ptrace.c

@@ -0,0 +1,16 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <sys/ptrace.h>
+
+int
+main ()
+{
+  if (ptrace (PTRACE_TRACEME, 0, 1, 0) == -1)
+    {
+      printf ("don't trace me !!\n");
+      exit (EXIT_FAILURE);
+    }
+
+  return EXIT_SUCCESS;
+}

anti-disassembler/Linux/anti-debug/breakpoint_detection.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <stdint.h>
+
+#if defined(__i386__)
+# define OFFSET 6
+#elif defined(__amd64__)
+# define OFFSET 4
+#else
+# define OFFSET 0
+#endif
+
+void
+foo ()
+{
+  printf ("No breakpoint detected...\n");
+}
+
+int
+main ()
+{
+  /* Looking for a breakpoint at foo() */
+  if ((*(volatile unsigned *) ((uintptr_t) foo + OFFSET) & 0xff) == 0xcc)
+    {
+      printf ("Breakpoint detected!\n");
+      exit (EXIT_FAILURE);
+    }
+
+  /* No breakpoint found */
+  foo ();
+
+  return EXIT_SUCCESS;
+}

anti-disassembler/Linux/dynamic_jump/Makefile

@@ -0,0 +1,19 @@
+CFLAGS   = -Wall -Wextra -nostdlib
+CPPFLAGS =
+LDFLAGS  =
+
+SRC = dynamic_jump
+I386 = $(SRC)-i386
+AMD64 = $(SRC)-amd64
+
+all: $(I386) $(AMD64)
+
+$(I386): $(I386).s
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+$(AMD64): $(AMD64).s
+	$(CC) -m64 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+clean:
+	rm -f $(I386) $(AMD64) *~
+

anti-disassembler/Linux/dynamic_jump/dynamic_jump-amd64.s

@@ -0,0 +1,13 @@
+.globl _start
+	
+.text
+_start:
+	mov	$end, %rax
+	jmpq 	*%rax
+	.long	0x12345
+	add 	$10, %eax
+	nop
+	nop
+end:	mov 	$0x0, %ebx
+	mov 	$0x1, %eax
+	int 	$0x80

anti-disassembler/Linux/dynamic_jump/dynamic_jump-i386.s

@@ -0,0 +1,13 @@
+.globl _start
+	
+.text
+_start:
+	movl	$end, %eax
+	jmp	*%eax
+	.long	0x12345
+	add	$10, %eax
+	nop
+	nop
+end:	mov	$0x0, %ebx
+	mov	$0x1, %eax
+	int	$0x80

anti-disassembler/Linux/exotic_instructions/Makefile

@@ -0,0 +1,19 @@
+CFLAGS   = -Wall -Wextra -nostdlib
+CPPFLAGS =
+LDFLAGS  =
+
+SRC = exotic_instructions
+I386 = $(SRC)-i386
+AMD64 = $(SRC)-amd64
+
+all: $(I386) $(AMD64)
+
+$(I386): $(I386).s
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+$(AMD64): $(AMD64).s
+	$(CC) -m64 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+clean:
+	rm -f $(I386) $(AMD64) *~
+

anti-disassembler/Linux/exotic_instructions/exotic_instructions-amd64.s

@@ -0,0 +1,14 @@
+.globl _start
+	
+.text
+_start:
+	movq	$0xdeadbeef, %rax
+	pushq	%rax
+	movq	%rsp, %rcx
+	movq	(%rcx), %mm0
+	paddb	(%rcx), %mm0
+	movq	%mm0, (%rcx)
+	fwait
+	mov 	$0x0, %rbx
+	mov 	$0x1, %rax
+	int 	$0x80

anti-disassembler/Linux/exotic_instructions/exotic_instructions-i386.s

@@ -0,0 +1,13 @@
+.globl _start
+
+.text
+_start:
+	pushl	$0xdeadbeef
+	movl	%esp, %ecx
+	movq	(%ecx), %mm0
+	paddb	(%ecx), %mm0
+	movq	%mm0, (%ecx)
+	fwait
+	mov 	$0x0, %ebx
+	mov 	$0x1, %eax
+	int 	$0x80

anti-disassembler/Linux/instruction_overlapping/Makefile

@@ -0,0 +1,15 @@
+CFLAGS   = -Wall -Wextra -std=c99 -g -nostdlib
+CPPFLAGS =
+LDFLAGS  =
+
+all: instruction_overlapping-i386
+
+%: %.s
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS)
+
+%.o: %.s
+	$(CC) -m32 $(CFLAGS) $(CPPFLAGS) -c -o $@ $< $(LDFLAGS)
+
+clean:
+	rm -f instruction_overlapping-i386 *~
+