[ARTOOL] xADT 1.4, by Shub-Nigurrath

Posted: September 24, 2008 in RE Tools

Hi all,
version 1.4 is ready to go out, this is a major release of the already released xADT Program.

You can find it at http://releases.accessroot.com/

This is a major release because a lot of work have been done to add novel and missing anti-debugging tests.

The rough list of improvements is:

  • several new tests, a total of 20 (!) new tests have been added to this version
  • complete C++ sources of 8 plugins (1 which was already distributed as binary in version 1.3 and 7 new for version 1.4)
  • 6 tutorials specific for some tests, explaining how the tests works and how to skip the detection.
  • a standalone program made by chupachu performing the same tests I already included in the version 1.3
  • 2 standalone parallel programs: chupachu tester (the same tests are also distributed as xADT’s plugins) and EDD by Hellsp@wn
  • several fixes here and there.

I whish to thanks several people who contributed with ideas, code and testing:
metr0, Evilcry, ChupaChu, MOID, ReWolf, Defsanguje, ap0x, … and all the ARTeam members!

For a complete history and instructions check the complete history written in the file readme.txt

version 1.4
-slightly modified the readme FAQ section
-Everything has been tested with Windows XPSP3 and sources are have been tested with VS2008 and VS60
-fixed an error in the PDK _cdecl convention wasn’t explicitly declared

-minor bugfixing of some previously released plugins
-Updated FindWindow Complex with recent keywords (like PHANTOM, 0LLY, BR3AKPOINTS,…)
-fixed xadt_ollybof.dll. Now it’s named Allybof. PAY ATTENTION: due to the nature of the test whole xADT might crash
if tested outside OllyDbg (see notes within the readme.txt file)
-fixed SIDT Test (now is called ex-SIDT) which was crashing the system on multi-processor machines

new-plugins: total of 20 new tests
+ex-SIDT, a fixup of the old SSIDT test, thanks to deroko who rewrote the driver (now is multprocessor aware). This is a PoC of multi-plugin using drivers
+ex-SIDT also performs a Ring0 test of debug registers
+NtQueryInfoProc_hook_detection (idea of Metr0/SnD), plus standalone Proof-of-concepts
+DeleteFiber (idea of evilcry), plus documentation on the theory of the test
+NtSystemDebugControl (idea of evilcry), plus documentation on the theory of the test. This plugins implements 3 dimostrative tests
+xadt_SofticeServicesTest by deroko, which tests the present of SOFTICE using OpenServiceA/EnumServicesStatusA/EnumServicesStatusExA
(3 internal tests done)
+int2Atrick (idea of ReWolf), plus documentation on the theory of the test
+MiscTricks from ideas documented here http://www.securityfocus.com/infocus/1893 (also included in distribution).
All tests not already implemented in xADT have been included (9 tests)

+full sources (projects tested with VS60/VS2008) of the following plugins, often with explations on theory and how you can hide:
ex-SIDT, sources of driver and plugin
NtQueryInfoProc_hook_detection sources of standalone C and ASM programs and of the whole plugin
+added ZwQueryObject_readme.txt which explains a possible way to solve the ZwQueryObject test (thanks to deroko)

standalone tools:
+All the tests ChupaChu released since version 1.3 as a separate standalone program too: “testbed_chupachu.exe”
+Included in the distribution the program EDD Extreme Debug Detector by Hellsp@wn, this program does less tests but it’s handy to have it in this package too

Some notes on the Tests.

  • 1. Some tests are just PoC and can be improved, I released the sources for them, an example is the test NtQueryInfoProc_hook_detection which can also be used with other anti-debug tests and not only with NtQueryInfoProc
  • 2. The xadt_Allybof test is though to exploit the export name buffer overflow vulnerability of Olly, trying to crash it. This plugin is from Defsanguje. By it’s nature the test works perfectly if xADT is debugged by OllyDbg, but crashes xADT if the program is running normally. Then pay attention and eventually do not launch this test or remove the dlls (the test is made of two dlls: xadt_Allybof.dll and Allybof.dll) from the plugin folder.
  • 3. Several tests are connected to execution time thresholds which detect the presence of a debugger, because the same code goes slower than usual. This timing based tests are sensible to slow machines, because in these cases the thresholds should be higher. I didn’t coded any thresholds adaptation routine, so you might get some false positive on slow machines or virtually emulated machines (which are slow too). You can disassemble the dll or recompile it to adapt the thresholds to your needs.
  • 4. xADT has been tested with all these combinations:
    • Operative Systems on real PCs and Virtual PC:
      • Windows XP SP2/SP3,
      • Windows Vista
    • OllyDbg:
      • SND OllyDbg,
      • normal OllyDbg,
      • OllDbg modded using xFile,
      • hidden using xFile,advancedolly,analyzethis,hidedebugger,ollydump
  1. Good and relevant post.I have

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.