Covert Debugging: Circumventing Software Armoring
These are the materials we presented at Blackhat USA 2007 and Defcon 15. Thanks to everyone who came to the talks.
Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Read more for the release notes for Saffron DI.
Release Notes for Saffron-DI
Saffron Dynamic Instrumentation Code
Released 8/2/2007 at Blackhat USA 2007
This was tested on PIN 2.1-12211 on Windows XP SP2 and Vista, both in 32-bit mode.
I recommend getting the Visual Studio targeted release of PIN, as I've had good
luck with it. Once you have installed it, put this file into the "SimpleExamples"
directory. Next, edit the Nmakefile and add saffron-di.dll to the COMMON_TOOLS variable. It should read like this:
COMMON_TOOLS= dcache.dll edgcnt.dll pinatrace.dll trace.dll icount.dll opcodemix.dll \
 malloctrace.dll calltrace.dll jumpmix.dll toprtn.dll catmix.dll regmix.dll \
 ldstmix.dll saffron-di.dll
In Visual Studio go to Build->Build Solution. Everything should build correctly.
Change to the SimpleExamples directory inside of the pin folder. Have the executable
you are interested in ready to run. To run Saffron, execute this command:
C:\pin-2.1...\SimpleExamples>..\bin\pin.exe -t saffron-di -- yourexehere.exe
Saffron will then deposit dumped versions of the executable into the directory. Inspect
each one until you find the one that yields the most information. A good choice tends
to be the last one.
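Why the last dump is usually the right one: Saffron-DI takes a dump each time control enters memory that the program itself wrote earlier in the run, so a multi-layer packer produces one dump per layer, and the final one is taken at the original entry point. The Python model below of that write-then-execute check is an added illustration, not Saffron's source; the page size, the event trace and the addresses are constructed.

```python
# Model of the write-then-execute heuristic behind Saffron-DI's dumps.
# Added illustration, not the Saffron source. The instrumentation layer
# (Pin in Saffron's case) reports every memory write and every executed
# instruction; we track written pages and "dump" whenever control first
# enters a page that was written since the last dump of that page.
PAGE_SIZE = 0x1000  # assumed 4 KiB pages, as on 32-bit Windows


def page_of(addr):
    return addr & ~(PAGE_SIZE - 1)


class WriteThenExecTracker:
    def __init__(self):
        self.written = set()  # pages written since they were last dumped
        self.dumps = []       # (event index, eip) at each dump point

    def on_write(self, addr, size=4):
        # A write may straddle a page boundary; mark every page it touches.
        last = page_of(addr + size - 1)
        for p in range(page_of(addr), last + 1, PAGE_SIZE):
            self.written.add(p)

    def on_exec(self, index, eip):
        p = page_of(eip)
        if p not in self.written:
            return False
        # Executing freshly written memory: a new layer has been unpacked.
        # Clear the flag so the page triggers again only if rewritten,
        # which is what happens with a second packer layer.
        self.written.discard(p)
        self.dumps.append((index, eip))
        return True


def run_trace(events):
    """events: ('w', addr) / ('x', eip) pairs in execution order.
    Returns the (event index, eip) list where a dump would be taken."""
    t = WriteThenExecTracker()
    for i, (kind, addr) in enumerate(events):
        t.on_write(addr) if kind == 'w' else t.on_exec(i, addr)
    return t.dumps


# Constructed trace of a two-layer packer: the stub at 0x401000 writes
# layer 1 into 0x402000 and jumps there; layer 1 writes the real program
# into the 0x403000 page and jumps to its original entry point (OEP).
TRACE = (
    [('x', 0x401000 + 2 * i) for i in range(4)]
    + [('w', 0x402000 + 4 * i) for i in range(8)]
    + [('x', 0x401010), ('x', 0x402000), ('x', 0x402004)]
    + [('w', 0x403000 + 4 * i) for i in range(0x400)]
    + [('x', 0x402008), ('x', 0x403000), ('x', 0x403004)]
)
```

Running `run_trace(TRACE)` yields two dump points, one per layer, and the last one sits at the OEP 0x403000; the intermediate 0x402000 dump is the partially unpacked image that the text says to skip over.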
A log will be made in saffron-di.out in the SimpleExamples directory which contains some
useful (maybe) information.
Thanks to Lorie Liebrock, Valsmith, Ty Bodell, and Houdini for their help