
Debug Registers, Hardware Breakpoints
Registers DR0 through DR3 each hold the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware checks the contents of these four debug registers to see whether a hardware breakpoint has been set.
Code Snippets
#include <windows.h>
#include <stdio.h>
#include <string.h>
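/*
 * Hardware-breakpoint check: reads the current thread's debug registers
 * (DR0-DR3) via GetThreadContext and reports whether any of them holds a
 * breakpoint address.
 *
 * Returns 0 after printing "Detected" or "Undetected". If the thread
 * context cannot be read, prints a message and returns the Win32 error code.
 */
int main(void) {
    /* GetCurrentThread returns a pseudo-handle; it does not need CloseHandle. */
    HANDLE thread = GetCurrentThread();
    CONTEXT threadContext;
    DWORD errorCode;

    memset(&threadContext, 0, sizeof(threadContext));
    /* Only the debug registers are inspected, so request just that part of
     * the context rather than CONTEXT_ALL. This is also the ContextFlags
     * value the detection rule on this page keys on (0x10010 on x86). */
    threadContext.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    /* NOTE(review): the Win32 docs caution that the context of a running
     * thread (including the caller's own) is not guaranteed to be accurate;
     * confirm this read is reliable enough on the target platform. */
    if (!GetThreadContext(thread, &threadContext)) {
        /* GetLastError yields a DWORD; keep that width until the final
         * conversion to main's int return value. */
        errorCode = GetLastError();
        puts("Could not get thread context");
        return (int)errorCode;
    }

    /* A non-zero DRn means a breakpoint address is loaded. The enable bits
     * live in DR7, which this check does not consult, so a loaded-but-
     * disabled breakpoint is still reported as "Detected". */
    if (threadContext.Dr0 || threadContext.Dr1 || threadContext.Dr2 || threadContext.Dr3) {
        puts("Detected");
    } else {
        puts("Undetected");
    }
    return 0;
}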
Detection Rules
# capa rule: flags a function that reads the thread context and then
# compares the four debug-register slots, the pattern shown in the snippet above.
rule:
  meta:
    name: check for hardware breakpoints
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: michael.hunhoff@fireeye.com
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp
    examples:
      - al-khaser_x86.exe_:0x42035D
  features:
    - and:
      - api: kernel32.GetThreadContext
      # ContextFlags value that requests only the debug registers.
      - number: 0x10010 = CONTEXT_DEBUG_REGISTERS
      # Field offsets of Dr0..Dr3 inside the CONTEXT structure. These match
      # the 32-bit layout (the listed example is an x86 binary).
      # NOTE(review): the x64 CONTEXT places the debug registers at different
      # offsets and uses a different CONTEXT_DEBUG_REGISTERS value, so this
      # rule as written is not expected to match 64-bit builds - confirm
      # before relying on it for x64 samples.
      - offset: 0x4 = DR0
      - offset: 0x8 = DR1
      - offset: 0xC = DR2
      - offset: 0x10 = DR3
      # One comparison per register, as in `if (Dr0 || Dr1 || Dr2 || Dr3)`.
      - count(mnemonic(cmp)): 4 or more