Blog

New Website: 2020

After almost 7 years it’s time for a change. I now present the rebooted alexomara.com, with a bolder and cleaner interface that respects your preference for light and dark mode using the new CSS prefers-color-scheme feature. There’s even a little toggle switch you can use to switch themes (I prefer dark mode myself).

Resolving modules in JavaScript ESM

In JavaScript ES modules we can’t rely on CommonJS-style module resolution to add extensions to our import statements. Even Node.js has recently dropped automatic extension resolution in an effort to be more compatible with the ESM specification. Bare imports for Node modules are still possible, but as a side effect dual modules are no longer possible, except via deep imports (import foo from 'bar/module.mjs';).

Obviously nobody wants to write these out manually, but this presents some new challenges for transpilers, which unfortunately no transpiler has yet tried to solve.

So what can we do about this?

Defeating Anti-Debug Techniques: macOS mach exception port stealing

Previously I showed you an anti-debug technique using the macOS exception ports API to detect the presence of a debugger. Today, I’m going to show you a different exception-port-based anti-debug trick which actually detaches the debugger by stealing the exception ports it is using. Some readers may be familiar with similar tricks done on Windows; however, it’s very rare to see something like this done on macOS, though I have seen this kind of thing in the wild, so here goes.

Defeating Anti-Debug Techniques: macOS mach exception ports

Continuing my series on anti-debug techniques and how to defeat them, today we have a mach exception ports-based trick on macOS.

For those unfamiliar with how the macOS flavor of Unix does things, these ports are used by debuggers to handle exceptions like breakpoints and bad access. With this knowledge, a piece of software that does not want to be debugged, like a piece of malware trying to prevent analysis, can check if these ports are open and do something else in response, like shutting down.

The code for mach exception handling is fairly complex and poorly documented, but I’ve created a fairly simple example of debugger-detection code so we can dive right in.

Defeating Anti-Debug Techniques: macOS ptrace variants

Every reverse engineer who handles software for macOS knows about ptrace(PT_DENY_ATTACH, 0, 0, 0), the infamous kernel-enforced anti-tracing DRM feature added to OS X years back (somewhere around Leopard) and most notably used in iTunes. There are plenty of resources out there on how to bypass the common use of this feature, ranging from using a debugger to loading up a custom kernel extension, but clever hackers have found new ways to abuse this feature to try to prevent researchers from debugging their malicious code.

I debated publishing this for a while as this information could be misused, but since these techniques are being used in malware in the wild, I think it’s important to document how to defeat them.

How to get the real require function in Node.js, when using a bundler

Recently I wanted to create a JavaScript module that would use the zlib module in Node, and fall back on pako in browsers. Seems simple enough, but it actually proved somewhat difficult. Browser bundlers rewrite the CommonJS require function and by default shim the Node built-in zlib module with a less performant pseudo-asynchronous pure-JS implementation. So how can we accomplish this, you ask?