16

I understand that on x86, INT 1 is used for single-stepping and INT 3 is used for setting breakpoints, and some other interrupt (usually 0x80 for Linux and 0x2E for Windows) used to be used for system calls.

If a piece of malware hooks the Interrupt Descriptor Table (IDT) and substitutes its own INT 1 and INT 3 handlers that perform system call-like functionality, how can I use a debugger to trace its execution? Or am I stuck with using static-analysis tools?

Ange
  • 6,694
  • 3
  • 28
  • 62
mrduclaw
  • 4,066
  • 8
  • 27
  • 40
  • 2
    A work around would be to patch the sample so that the hooks are either removed or moved to interrupts that don't interfere with debugging. Out of curiosity do you know if there are any publicly available samples that do this on Windows? – amccormack Mar 31 '13 at 03:26
  • Removing the hooks is easy enough if the code isn't using the hooks for system call-like functionality. Moving them to another interrupt seems like it should work. The problem now is the code is pretty heavily packed so modification is annoying. :/ And no, no publicly available samples that I know of, sorry. – mrduclaw Mar 31 '13 at 03:52
  • Just to be sure, this does interfere with kernel level debuggers as well, right? – amccormack Mar 31 '13 at 04:04
  • This is kind of a Hail Mary approach, but if you were doing this in Linux, you could recompile your kernel with a custom IDT and rebuild your debugger with the new mapping. This would probably only be worth it if you are running into these kind of samples a lot. – amccormack Mar 31 '13 at 04:07
  • 1
    @amccormack: but if the malware relies on the kernel functionality being present at those interrupt vectors, won't it stop working? I expect you will have to be very careful how you do the kernel modification... – nneonneo Mar 31 '13 at 11:05

1 Answers1

9

I would suggest this as a solution http://accessroot.com/arteam/site/download.php?view.185 as I had similar problem in one of crackmes. What I did was to write my own hooks for SoftICE to bypass ring0 hooks of int 3 and int 1. Could be useful for your problem. Interesting section is "SoftICE comes to the rescue".

deroko
  • 114
  • 1