Thwarting Piracy Anti-debugging Using GPU-assisted Self-healing Codes Adhokshaj Mishra

2025-05-06 0 0 309.01KB 9 页 10玖币
侵权投诉
Thwarting Piracy: Anti-debugging Using
GPU-assisted Self-healing Codes
Adhokshaj Mishra
Uptycs India Pvt. Ltd.
Bengaluru, India
me@adhokshajmishraonline.in
Manjesh K. Hanawal
MLiONS Lab, IEOR, IIT Bombay
Mumbai, India
mhanawal@iitb.ac.in
Abstract—Software piracy is one of the concerns in the IT
sector. Pirates leverage the debugger tools to reverse engineer the
logic that verifies the license keys or bypass the entire verification
process. Anti-debugging techniques are used to defeat piracy
using self-healing codes. However, anti-debugging methods can
be defeated when the licensing protections are limited to CPU-
based implementation by writing custom codes to deactivate the
anti-debugging methods. In the paper, we demonstrate how GPU
implementation can prevent pirates from deactivating the anti-
debugging methods by using the limitations of debugging on
GPU. Generally, GPUs do not support debugging directly on
the hardware, and therefore all the debugging is limited to CPU-
based emulation. Also, a process running on CPU generally does
not have any visibility on codes running on GPU, which comes as
an added benefit for our work. We provide an implementation on
GPU to show the feasibility of our method. As GPUs are getting
widespread with the raise in popularity of gaming software,
our technique provides a method to protect against piracy. Our
method thwarts any attempts to bypass the license verification
step thus offering a better anti-piracy mechanism.
Index Terms—Cyber security, Anti piracy, Anti-debugging,
GPU-assisted Self-healing
I. INTRODUCTION
Anti-debugging techniques are specially crafted chunks of
code that involve one or more methods to detect, and possibly
prevent debugging attempts on the target process. Most of
the time, these codes are integrated into the final binary blob
of the program they are trying to protect; however ”out of
process” anti-debugging is also possible by employing system-
level hooking in user mode, or kernel mode.
Since most of the debuggers rely on modification of de-
buggee process to large extent (e.g. break-points are set by
overwriting instructions, changing permissions, altering error
handler chains, etc.), anti-debugging techniques mostly rely
on detecting such modifications and possibly reverting them
to their original state. Since reverting to the original state
requires modification of our own process, we commonly see
some variation of self-modifying codes being used for such
purposes.
Self-healing codes are a special case of self-modifying
codes, which have the ability to detect any modifications in
their code and revert it to its original state before executing
it. Although these techniques can restore sufficiently large
modifications, in practice these are kept limited to only critical
parts of the code. These are often used to subvert debugging
techniques allowing the protected processes to evade from the
eyes of debugger tools (e.g. process not stopping on a break-
point).
Anti-debugging techniques generally can be grouped in the
following categories though not all techniques are applicable
to all platforms:
1. Timing and Latency Analysis: These techniques rely on
the difference in time taken to run a known calibrated code.
Debugging tools generally make the underlying process run a
bit slower due to their invasive nature.
2. Process Detection: These techniques rely on detecting the
presence of known debugging and related tools. If such tools
are running on a system, the chances of the process being
under watch is fairly high.
3. Memory Analysis: Many debugging tools tend to alter
memory maps in different ways (different parts of code and
data being loaded in slightly different locations, differences in
stack, heap, etc), which can be used to detect debugging in
such cases.
4. Break-point Detection: These techniques rely on the
fact that setting a software break-point alters machine code
in memory. The program scans its own memory to search
machine code for software break-point (e.g. 0xCC on x86 and
AMD64) in code regions.
5. Patching Detection: These techniques are one step ahead
of techniques described in (4), and these are able to detect
arbitrary patching (machine code modification) in process
memory.
6. Monitoring Debugger APIs: These techniques rely on the
fact that only one process can act as a debugger for another
given process at a time. In other variations, debugger APIs
exposed by the platform are hooked and monitored globally
to detect debugging attempts (e.g. DebugActiveProcess(...) /
WaitForDebugEvent(...) on Windows, ptrace on Linux).
7. Monitoring Exception Handlers: Many times when a
debugger is attached to a process, exceptions are trapped and
handled by the debugger without passing the exception back
to the application for continued execution. Occasionally these
exceptions can even crash or terminate a process when run
under a debugger and be handled gracefully when running
without a debugger attached. These discrepancies can be used
arXiv:2210.11047v1 [cs.CR] 20 Oct 2022
Fig. 1. Memory Access Diagram
to detect debugging attempts.
8. Blocking Debuggers: These techniques rely on either
blocking Debugger APIs (using self-debugging codes), or
removing debugger-related artifacts like break-points or in-
memory patching from protected code.
Software piracy is one of the biggest problems facing the
IT industry. The act of piracy revolves around figuring out
the licensing method used by the target software, reverse
engineering it, or making the software bypass license checks.
Debuggers are the go-to tools for this purpose. To defeat
this, anti-debugging codes are commonly used for anti-piracy,
IP protection, and digital rights management. These codes
generally make it hard for pirates to figure out licensing or
IP/digital rights protection logic, making it infeasible or more
costly to bypass license checks than paying for a legitimate
copy of the software. In certain cases, such techniques may
also make it almost impossible to pirate content without using
special hardware. For example, video streaming platforms
often rely on High-Bandwidth Digital Content Protection
(HDPC) copy-protection which encrypts the signals between
computer and display, thereby making it almost impossible
to copy the video content in order to pirate it. Most of
the software licensing protections are limited to CPU-based
implementations which can be defeated by writing custom
tools (e.g. custom key management server implementations
used to be really popular to illegally activate Windows OS
installations [1], or by employing techniques specific to anti-
debugging techniques being used. We will cover a survey
of common CPU-based anti-debugging techniques and their
shortcomings in upcoming sections.
Since hardware components like GPU are becoming com-
monplace, and are coming with general compute capabilities,
even in consumer-grade versions, these can also be potentially
used to implement various anti-debugging techniques almost
entirely on GPU. This can be done even more easily for
software that needs a dedicated GPU to function properly, like
image editing, video editing, gaming, rendering software, and
CAD software. Since the GPU stack generally does not have
very detailed debugging, analysis, and instrumentation capa-
bilities similar to CPU stack, these techniques can raise the
bar very significantly. For example, NVIDIA toolkit provides
GPU code debugging using GPU emulation on many cards
but not on the GPU card itself.
In the past, pirated copies of many licensed software were
distributed widely (e.g., Photoshop). This was possible as they
implemented CPU-based piracy protection mechanisms which
could be bypassed by disabling anti-debugging features. To
overcome these issues, software license verification is moved
to the cloud, but this needs an additional layer of authentica-
tion. However, for many software, especially, gaming software,
it is preferable that the license verification is performed locally.
Our method provides a mechanism for such verification with-
out requiring additional layer authentication while overcoming
the issues faced in CPU-based license verification.
In this paper, we present another technique that involves
running anti-debugging code on GPU and monitoring the
process on the CPU to protect it from getting debugged. Our
method exploits the fact that CPU hardware breakpoints do
not have visibility in GPU code. We run the anti-debugging
code to remove the breakpoints in GPU. The GPU performs
the task by using Direct Memory Access (DMA) on which
the CPU does not have visibility. Due to the lack of visibility,
it is not possible to prevent breakpoints erasures in the CPU.
Once breakpoints are erased, the CPU continues the normal
execution of the verification process. Thus our method thwarts
any attempt to deactivate the anti-debugging method and
achieve piracy.
Figure 1 gives the memory access architecture. Note that
only the CPU has direct access to the host memory through
CPU logical connections. GPU access host memory only
through the DMA controller. Hence CPU does not have
visibility of the memory access activities of the GPU.
摘要:

ThwartingPiracy:Anti-debuggingUsingGPU-assistedSelf-healingCodesAdhokshajMishraUptycsIndiaPvt.Ltd.Bengaluru,Indiame@adhokshajmishraonline.inManjeshK.HanawalMLiONSLab,IEOR,IITBombayMumbai,Indiamhanawal@iitb.ac.inAbstract—SoftwarepiracyisoneoftheconcernsintheITsector.Piratesleveragethedebuggertoolstor...

展开>> 收起<<
Thwarting Piracy Anti-debugging Using GPU-assisted Self-healing Codes Adhokshaj Mishra.pdf

共9页,预览2页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:9 页 大小:309.01KB 格式:PDF 时间:2025-05-06

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 配电装置 动力学连接体 力的合成 高考理综 全宋诗作者索引 公务员考试
/ 9
评分 收藏
分享
立即下载
客服
关注