Full Disclosure mailing list archives
sandboxing
From: silvio () big net au (silvio () big net au)
Date: Sun, 15 Sep 2002 17:43:52 -0700
On Sun, Sep 15, 2002 at 08:31:21PM -0400, Michal Zalewski wrote:
> So far, the general approach many people have chosen for *nix anti-debugging is to simply "go nowhere" when a debugger is detected - crash, exit, trash the debugger - making it apparent there's an anti-debugging routine. If such code was well-hidden and would decide about calling some obscure, self-modifying subroutine, perhaps not even contained within the binary itself, I wonder how many people would miss it.
>
> It is the author's courtesy to let you know there's anti-debugging code that detected your debugger / tracer, period. Don't take it for granted ;>
>
> -- m
Heh.. great email, btw :)

I remember I was analysing a Linux binary once.. I was sort of in a rush, and I didn't want to spend any time on it unless I thought it was worth it. So I simply disassembled part of the binary and looked at all the syscalls to see if it was network aware in some way.. well.. no syscalls involving socketcall etc. (erk), so I let it lie for a few days.. well.. someone said to me at that time, "yes, I'm seeing network connections here!".. so I figure.. OK, maybe I should just look at it a bit closer, and not assume it's your typical "evil" binary.. silly me.. there was extra code appended near the end of the binary, which _was_ network aware :(

I had simply ignored looking over the entire binary for possible code, because I was busy with other things (analysing binaries is not my profession!), and looked at the standard place being used today for inserting code/data. Yes.. a 2 minute tool can automate this process to find unaccounted-for bits in binaries, and help analysis a lot more in terms of parasite code etc.. one day I need to get organized ;-)

It sort of pissed me off though.. I thought I was getting OK at the reverse engineering thing before that happened ;-)

-- Silvio
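The "2 minute tool" Silvio mentions, written out as an added example (this is not code from the thread or from either poster): it parses a little-endian ELF64 image, collects every file range the ELF header, program header table, section header table, segments and non-NOBITS sections claim, and reports any bytes left over. Code appended after the section header table, the trick that bit him, shows up as a trailing gap. The sample image is constructed in the script itself (a minimal ET_EXEC with one PT_LOAD, a .text of `ret` bytes and a .shstrtab); the 40-byte `parasite` blob is a constructed stand-in for appended code, not real malware.

```python
"""Report bytes of an ELF64 image that no header, segment or section accounts for."""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr
PT_LOAD = 1
SHT_NOBITS = 8


def covered_regions(data):
    """Return (start, end, label) file ranges that the ELF metadata claims."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_, _, _, _, _, e_phoff, e_shoff, _, e_ehsize, e_phentsize,
     e_phnum, e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    regions = [(0, e_ehsize, "ELF header")]
    if e_phnum:
        regions.append((e_phoff, e_phoff + e_phnum * e_phentsize, "program header table"))
    if e_shnum:
        regions.append((e_shoff, e_shoff + e_shnum * e_shentsize, "section header table"))
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_filesz:
            regions.append((p_offset, p_offset + p_filesz, "segment %d type 0x%x" % (i, p_type)))
    for i in range(e_shnum):
        _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = struct.unpack_from(
            SHDR_FMT, data, e_shoff + i * e_shentsize)
        if sh_type != SHT_NOBITS and sh_size:      # .bss occupies no file bytes
            regions.append((sh_offset, sh_offset + sh_size, "section %d" % i))
    return regions


def find_unaccounted(data):
    """Return [(start, end)] byte ranges that nothing in the headers describes."""
    gaps, cursor = [], 0
    for start, end, _ in sorted(covered_regions(data)):
        start, end = min(start, len(data)), min(end, len(data))   # clamp lying headers
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):
        gaps.append((cursor, len(data)))            # trailing overlay: the append trick
    return gaps


def build_sample_elf(text, overlay=b""):
    """Constructed test image (not a real binary): minimal ELF64 with .text and
    .shstrtab, plus an optional blob appended after the section header table."""
    shstrtab = b"\x00.text\x00.shstrtab\x00"
    text_off = 128
    strtab_off = text_off + len(text)
    shoff = strtab_off + len(shstrtab)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400000 + text_off,
                       64, shoff, 0, 64, 56, 1, 64, 3, 2)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0x400000, 0x400000,
                       strtab_off, strtab_off, 0x1000)        # maps headers + .text
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                 # SHN_UNDEF entry
    shdrs += struct.pack(SHDR_FMT, 1, 1, 6, 0x400000 + text_off, text_off, len(text), 0, 0, 16, 0)
    shdrs += struct.pack(SHDR_FMT, 7, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0)
    head = ehdr + phdr
    head += b"\x00" * (text_off - len(head))                   # pad to .text; inside PT_LOAD
    return head + text + shstrtab + shdrs + overlay


if __name__ == "__main__":
    text = b"\xc3" * 16                  # constructed .text: a run of "ret"
    parasite = b"\xcc" * 40              # constructed stand-in for appended code
    for label, image in (("clean", build_sample_elf(text)),
                         ("with appended blob", build_sample_elf(text, parasite))):
        gaps = find_unaccounted(image)
        print("%s: %d bytes, %d unaccounted range(s)" % (label, len(image), len(gaps)))
        for start, end in gaps:
            print("  0x%06x-0x%06x (%d bytes) %s" % (start, end, end - start,
                                                       image[start:start + 16].hex()))
```

On real binaries the same pass also reports alignment padding between sections, so small gaps are noise; a gap of meaningful size, especially one ending at end-of-file, is the thing to disassemble next. The check is deliberately narrow: it only flags bytes the headers do not claim at all, so code tucked into slack inside a legitimately mapped PT_LOAD (padding between .text and the next section, for instance) is not caught and still needs the full walk over the binary Silvio describes.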