Is it possible to add detection of binary translation at runtime to the debugger?

[nogitsune-youkai]

Is it technically possible?

[d-millar]

@nogitsune-youkai I think we need a little clarification.... Are you asking:

• Is it possible for debuggers generally to detect binary translation? If so, which debugger? Kernel-mode or user-mode? Native, emulated, or virtualized?
• Is it possible to add/expose existing debugger functionality in Ghidra? If so, which debugger? And do you have a use case in mind?
• Is it possible to display the effects of binary translation in the existing debugger GUI?

[nogitsune-youkai]

I'm asking is it Is it possible for debuggers generally to detect binary translation? I'm interested in both user-mode and kernel-mode, native only, like x64dbg, ollydbg etc. About use case: what if a program is running in virtual machine, which is morphing instructions at runtime? How do we detect which code has been modified? Also let's assume that the program is heavily obfuscated for security purposes

[d-millar]

OK, gotcha. In my experience, there are essentially two approaches - neither one of them push-button in any sense. The first is to find the loop that's responsible for the translation, trap on its execution, then follow where the data leads. Identifying the loop can be done either purely statically or dynamically, i.e. even sampling execution on a program doing large amounts of binary translation is likely to land in the loop more often than not. Needless to say, this is not a generic solution - it requires analysis of the binary-translation engine you're interested in.

The second approach is a little more direct but requires a debugger capable of watching changes in page permissions. In broad strokes, you're looking for memory marked writable and then executable. This can be done in "normal" debuggers by hooking the relevant syscall APIs. In virtualized environments or emulators, you may be able to leverage various aspects of the system hardware to trap on those events (assuming the environment itself is not using them for other purposes. The PEBS/BTS facilities on Intel processors are one example.

[nogitsune-youkai]

Hmm, that's quite interesting. So there's at least two options, right? Can you suggest some sources where i can learn more on that? Also i guess in order to implement that Intel software-developer manual vol 3b would be quite useful

[d-millar]

Yep, 3B especially Chapters 20, 25 and following.

[d-millar]

Also, there's a fair amount of open-source hypervisor code available now - hypervisors basically use the same feature set you’ll need for option two.

[nogitsune-youkai]

Ok, thank you d-millar, i really appreciate your broad response, it's rare to find people who actually know what they talking about :)

[nogitsune-youkai]

If someone have any other thoughts - please respond