Blog

Defeating Anti-Debug Techniques: macOS mach exception ports

Continuing my series on anti-debug techniques and how to defeat them, today we have a Mach exception ports-based trick on macOS.

For those unfamiliar with how the macOS flavor of Unix does things, these ports are used by debuggers to handle exceptions like breakpoints and bad access. With this knowledge, a piece of software that does not want to be debugged, like a piece of malware trying to prevent analysis, can check if these ports are open and do something else in response, like shut down.

The code for mach exception handling is fairly complex and poorly documented, but I’ve created a fairly simple example of debugger-detection code so we can dive right in.


Defeating Anti-Debug Techniques: macOS ptrace variants

Every reverse engineer who handles software for macOS knows about ptrace(PT_DENY_ATTACH, 0, 0, 0), the infamous kernel-enforced anti-tracing DRM feature added to OS X years back (somewhere around Leopard) and most notably used in iTunes. There are plenty of resources out there on how to bypass the common use of this feature, ranging from using a debugger to loading up a custom kernel extension, but clever hackers have found new ways to abuse this feature to try to prevent researchers from debugging their malicious code.

I debated publishing this for a while as this information could be misused, but since these techniques are being used in malware in the wild, I think it’s important to document how to defeat them.


How to get the real require function in Node.js, when using a bundler

Recently I wanted to create a JavaScript module that would use the zlib module in Node, and fall back on pako in browsers. Seems simple enough, but it actually proved somewhat difficult. Browser bundlers rewrite the CommonJS require function and by default shim the Node built-in zlib module with a less-performant pseudo-asynchronous pure-JS implementation. So how can we accomplish this, you ask?


Is your captcha system secure? captchas.net sure isn’t

Recently I was asked if captchas.net is still secure today. My guess was it probably was not very secure, when compared to the fuzzy text of reCAPTCHA, but I wasn’t sure by how much, so I decided to look into it a bit more.

As you may know, Google has deprecated their old reCAPTCHA V1 API in favor of their new reputation- and image-recognition-based system. Apparently this may also in part be because advances in text recognition software are starting to make the fuzzy text challenge obsolete.

As a research experiment, I decided to try my hand at solving captchas.net captchas with only software, and see how well I could do.


Making a Firefox Dev Tools Add-On Look Native

UPDATE: This is now obsolete, with the adoption of WebExtensions.

Now that Firefox has built-in developer tools, it makes sense for developer add-ons to integrate with them. MDN has some examples on creating a developer tools panel, but the examples do not look anything like the built-in tools, and do not offer any information on how to do so.

The examples use HTML/CSS/JavaScript to create the panel; however, the built-in tools actually use XUL/CSS/JavaScript. Additionally, the built-in tools depend on privileged JavaScript files, such as theme-switching.js, to handle things like theme switching.

In order to make an add-on look just like the built-in tools, these are the technologies we will have to use.
