10

I came across some malware that raised an exception while I was single stepping through it. IDA gives me the option to pass the exception to the application or not. What exactly is going on here? When would I not want to pass the exception to the application?

user2142
  • 1,537
  • 2
  • 14
  • 17

1 Answers1

6

Often times malware and/or obfuscated code (such as unpacking stubs) will do something such as the following:

  1. Set up an exception handler.
  2. Throw an exception.
  3. See if the exception handler caught the exception.

If the exception handler didn't catch the exception then the debugged code knows that a debugger was attached and "swallowed" the exception, thus indicating that the code is being debugged. In order to hide your debugger from such detection techniques, you always want to pass exceptions to the application when dealing with malware and/or obfuscated code.

Jason Geffner
  • 20,681
  • 1
  • 36
  • 75
  • The popup I saw from IDA warned that I might lose control of the application. Can you expand your answer to talk about how that might happen? Do I need to single step through the exception handler? – user2142 Jun 12 '13 at 03:43
  • @user2142 It means if exception is not handled by application correctly, it might crush the application. Yes, you might want to step through it if you are interested in how it is been handled. – PSS Jun 12 '13 at 03:48
  • 7
    One exception to this is general rule is when the analyst and/or the debugger "caused" the exception to happen. For example, if you single-step over a pushf instruction, the trap flag bit will be set. If the flags are later popped, IDA might give a warning along the lines of what you describe regarding a single-step exception. You would not want to pass that one on to the application. – Rolf Rolles Jun 12 '13 at 03:58
  • 2
    you don't always want to pass the exception, because one might not be generated except in the presence of a debugger (eg CloseHandle(invalid)). In that case, the very existence of the exception exposes the debugger (see http://pferrie.host22.com/papers/unp2011.htm). – peter ferrie Jun 13 '13 at 00:12