Hey, I'm debugging some Win32 application which has loads of anti-debugging. I've tried different stealth options w/ Olly and IDA, but none of them seem to work. I was wondering if it's possible to debug this userland app from kernelland so the app won't know it's being debugged? If so, which debugger should I use?

+1  A: 

Debugging user mode code from kernel mode is most definitely possible, but is a bit more complicated - for instance, to get a break in the process before it starts you need to put a breakpoint on the kernel's process creation code or on the NTDLL user mode code that executes first. You can try setting up a kernel debugger, using the kernel debugger included in Debugging Tools for Windows.

Have you tried debugging the process non-invasively? WinDbg, also in Debugging Tools for Windows, includes a non-invasive option. This doesn't formally attach to the process and is not as detectable.

However, most anti-debugging suites should also be able to detect if a kernel debugger has been enabled on the machine or if a non-invasive debugger like WinDbg is running. Detecting these things isn't too challenging.

Michael
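To make the answer's last point concrete, here is an added example (not code from the thread) of the two probes a protected Windows application typically runs: the machine-wide kernel-debugger flag the kernel exposes read-only to every process in KUSER_SHARED_DATA, and the per-process "is a debugger attached" state that an invasive attach sets but a non-invasive WinDbg session does not. The address 0x7FFE0000 and offset 0x2D4 are the well-known Windows layout; the code is Windows-only and the probes return -1 elsewhere.

```c
/* Added example, not from the original thread: the checks a protected
 * application can use to notice a kernel debugger or an attached user-mode
 * debugger. Windows-only; on other platforms the probes report -1. */
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>

/* KUSER_SHARED_DATA is mapped read-only into every process at 0x7FFE0000.
 * At offset 0x2D4 lives KdDebuggerEnabled; bit 0 is set by the kernel while
 * kernel debugging is enabled on the machine. No syscall, no API, no hook
 * to intercept: a kernel debugger does not hide this from user mode. */
#define KUSER_SHARED_DATA_BASE   0x7FFE0000u
#define KD_DEBUGGER_ENABLED_OFF  0x2D4u

/* Returns 1 if a kernel debugger is enabled on this machine, else 0. */
int kernel_debugger_enabled(void)
{
    volatile const uint8_t *flag = (volatile const uint8_t *)
        (uintptr_t)(KUSER_SHARED_DATA_BASE + KD_DEBUGGER_ENABLED_OFF);
    return (*flag & 0x01u) ? 1 : 0;
}

/* Returns 1 if a user-mode debugger is attached to this process, else 0.
 * IsDebuggerPresent reads PEB->BeingDebugged; CheckRemoteDebuggerPresent
 * asks the kernel for the process debug port. Non-invasive WinDbg sets
 * neither, which is why it is harder to spot from inside the target. */
int user_debugger_attached(void)
{
    BOOL remote = FALSE;
    if (IsDebuggerPresent())
        return 1;
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote))
        return 0;  /* query failed: report "not attached" */
    return remote ? 1 : 0;
}
#else
/* Not applicable outside Windows: there is no KUSER_SHARED_DATA or PEB. */
int kernel_debugger_enabled(void) { return -1; }
int user_debugger_attached(void)  { return -1; }
#endif

int main(void)
{
    printf("kernel debugger enabled: %d\n", kernel_debugger_enabled());
    printf("user-mode debugger attached: %d\n", user_debugger_attached());
    return 0;
}
```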
What should I use then? Will Bochs be an option?
Non-invasive WinDbg would be easier. I've not used Bochs.
Michael
Bochs is an option, but I imagine it would be a pain (even with a GUI) if there's more than one thread in the entire system, ie, anything more than a bootloader. You'd have to set a manual breakpoint every context switch.
zildjohn01