eXait

What's eXait?

eXait is a benchmark-like tool to test all the anti-instrumentation techniques presented in the "Dynamic Binary Frameworks: I know you're there spying on me" talk at RECon 2012.

How to use eXait?

eXait comes in two different versions: console and GUI.

In the GUI version you only need to pick the techniques you want to test and hit the "Start Test" button.
The GUI table has 5 columns:

- Enable: has the checkboxes to select the anti-instrumentation techniques you want to test.
- Plugin name: the name of the plugin.
- Result: shows whether Pin was detected.
- Status: indicates if the execution of the plugin has terminated.
- Plugin description: a little description about the technique implemented in the plugin.

In the console version you run eXait as: exait.exe <arguments>

-l: Lists all available plugins
-a: Executes all available plugins
-n <plugin dll>: Prints the name of the plugin (e.g. detect_by_eip.dll)
-d <plugin dll>: Prints the description of the plugin (e.g. detect_by_eip.dll)
-p <plugin dll>: Executes the specified plugin (e.g. detect_by_eip.dll)
-s <list of plugins>: Loads the plugins given in <list of plugins> (e.g. detect_by_eip.dll detect_by_argv.dll ...)
-f <filename.txt>: Loads the list of plugins to load from a text file (e.g. blah.txt)
-h: Prints this help

Documentation

eXait has a plugin architecture: each anti-instrumentation technique is implemented in a separate DLL.
To write your own plugin for eXait you only need to build a DLL exporting the following functions:

#define DllExport extern "C" __declspec(dllexport)

DllExport char* GetPluginName(void);
DllExport char* GetPluginDescription(void);
DllExport int DoMyJob(void);

- GetPluginName: must return the plugin name.
- GetPluginDescription: must return a short description of the implemented technique.
- DoMyJob: implements the anti-instrumentation technique and returns one of the following values:

  - DETECTED: Pin was detected.
  - NOTDETECTED: Pin was not detected.
  - PLUGINERROR: something went wrong while running the plugin.
  - PLATFORMNOTSUPPORTED: the technique is being tested on a platform it does not support.
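As an added example (not eXait's own code, nor one of its plugins), the following shows the host side of this contract: a driver that resolves a plugin's three exported functions, runs it, and turns the return code into the Result and Status columns, together with an in-file fixture plugin. The numeric values of the result codes, the column wording and the fixture's verdict are assumptions; eXait's own headers define the real ones.

```cpp
#include <string>
#ifdef _WIN32
#define DllExport extern "C" __declspec(dllexport)
#else
#define DllExport extern "C"  // no export decoration outside a Windows DLL build
#endif
// Assumed numeric values: the page names these codes but not their numbers.
enum PluginResult { DETECTED = 0, NOTDETECTED = 1, PLUGINERROR = 2, PLATFORMNOTSUPPORTED = 3 };

// Sample plugin used as a fixture; a real plugin puts its technique in DoMyJob.
DllExport char* GetPluginName(void)        { return (char*)"sample_plugin"; }
DllExport char* GetPluginDescription(void) { return (char*)"Fixture plugin: platform check only"; }
DllExport int DoMyJob(void) {
#ifdef _WIN32
    return NOTDETECTED;           // assumed fixture verdict on the supported platform
#else
    return PLATFORMNOTSUPPORTED;  // eXait targets Windows x86
#endif
}

// Entry points the console resolves from a plugin DLL, and one row of the GUI table.
struct PluginApi { char* (*name)(void); char* (*description)(void); int (*do_my_job)(void); };
struct PluginReport { std::string name, description, result; bool finished; };

// Result column text; any code outside the four documented ones counts as a plugin error.
const char* result_text(int code) {
    switch (code) {
        case DETECTED:             return "Pin detected";
        case NOTDETECTED:          return "Pin not detected";
        case PLATFORMNOTSUPPORTED: return "Platform not supported";
        default:                   return "Plugin error";  // PLUGINERROR and unknown codes
    }
}

// Drives one plugin through the ABI. A DLL missing any export is rejected before
// DoMyJob runs, so a half-built plugin cannot be mistaken for a verdict.
PluginReport run_plugin(const PluginApi& api) {
    PluginReport r{"", "", "Plugin error: missing export", false};
    if (!api.name || !api.description || !api.do_my_job) return r;
    r.name = api.name();
    r.description = api.description();
    r.result = result_text(api.do_my_job());
    r.finished = true;  // Status column: plugin execution terminated
    return r;
}

// The same function pointers a loader would obtain from the fixture plugin's exports.
PluginApi sample_api() { return PluginApi{GetPluginName, GetPluginDescription, DoMyJob}; }
```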

Additional notes

eXait (both the GUI and the console version) and its plugins are dynamically linked against the Visual C++ runtime, so you need to install the Microsoft Visual C++ 2008 Redistributable Package (x86) before running eXait.

License

eXait is distributed under a BSD-like license.

Authors

eXait was developed by:

- Francisco Falcón
- Nahuel Riva

Contact Info

You can contact us through oss@coresecurity.com

Title: eXait
Platforms: Windows
Release date: 2012-06-16
License type: 2-clause BSD
Releases: eXait-v0.1 (presented at ReCon 2012), .zip, 16-06-2012
