
Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies
Rodrigo Rubira Branco, Gabriel Negreira Barbosa, Pedro Drimel Neto
{rbranco,gbarbosa,pdrimel} *NOSPAM* qualys.com
Qualys – Vulnerability & Malware Research Labs (VMRL)
Version 1.0
Abstract
Malware is widely acknowledged as a growing threat with hundreds of thousands of new samples reported each week. Analysis of these malware samples has to deal with this significant quantity but also with the defensive capabilities built into malware; malware authors use a range of evasion techniques to harden their creations against accurate analysis. The evasion techniques aim to disrupt attempts at disassembly, debugging or analysis in a virtualized environment.
This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 4 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis on the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world to focus their attention on making their tools and processes more efficient, to rapidly avoid the malware authors' countermeasures.
This first of its kind, comprehensive catalog of countermeasures was compiled by the paper's authors by researching each of the known techniques employed by malware, and in the process new detections were proposed and developed. The underlying malware sample database has an open architecture that allows researchers not only to see the results of the analysis, but also to develop and plug in new analysis capabilities. The system will be made available in beta at Black Hat, with the purpose of serving as a basis for innovative community research.
1. Introduction
Despite the figures commonly quoted by researchers and industry about the number of new samples appearing every day (close to a hundred thousand daily), analysis efforts still focus on automating a specific task or on automating the analysis of only one sample.
Researchers around the globe face many challenges in contributing to the fight against new malware, since they lack either access to the samples or access to the computing power to process them (or both). This limits the amount of contributions coming from academia and from individual contributors.
This situation created an industry full of incomplete results and opinions. Analyses comprising just a few thousand malware samples are not a sound basis for decisions, but they are still the majority of the cases.
This work analyzed millions of malware samples, focusing on their protection mechanisms. We divided the protection mechanisms into 4 different categories:
- Anti-Debugging: techniques to compromise debuggers and/or the debugging process
- Anti-Disassembly: techniques to compromise disassemblers and/or the disassembling process
- Obfuscation: techniques to make signature creation more difficult and the disassembled code harder to be analyzed by a professional
- Anti-VM: techniques to detect and/or compromise virtual machines
Techniques that are not currently being detected in the malware samples are also explained; we are constantly updating the system.
The paper is organized as follows. Section 1.1 discusses our methodology, the automated analysis system and some other choices made for this research. Section 2 provides the results of our analysis, while the rest of the paper discusses the technical details of the implementations themselves. Section 3 enumerates and details each of the anti-debugging techniques. Section 4 discusses disassembly concepts and anti-disassembly and obfuscation techniques. Section 5 discusses anti-VM techniques. Section 6 illustrates new techniques and advancements proposed by this work. Section 7 comprises the download links for getting updated versions of this paper and for downloading the developed examples to validate each of the anti-reverse engineering detection mechanisms. Section 8 concludes and provides future directions. Section 9 has the acknowledgements. Finally, Section 10 lists the references used in this work.
1.1. Methodology
The analysis performed in this work relied on a total of 72 cores and 100GB of RAM distributed across 9 different machines.
We analyzed a bit more than 4 million samples (4,030,945). Packed samples were not analyzed individually; all packed samples using the same packer have been considered as one single unique sample.
All our samples were 3.9MB or less in size (for performance reasons). The only exception was the Flame malware, due to its importance.
We used mostly static techniques, but included a few dynamic ones for completeness; some techniques cannot be detected using only a static approach.
The automated malware analysis system, called Dissect || PE, relies on plugins. Each application that reads a malware sample and produces an output is considered a plugin. There are:
- Dynamic plugins: plugins that run inside a Windows VM;
- Static plugins: plugins that run outside of the VM.
A plugin was developed that serves as a framework for disassembly-related analysis:
- Facilitates the development of disassembly analysis code;
- Speeds up the disassembly process for plugins;
- Calls back the plugins for specific instruction types;
- Disassemble once, analyze all;
- Care must be taken to detect disassembly attacks themselves.
For this work, we disassembled and analyzed only PE sections explicitly marked as executable or where the entry point is located.
The anti-reverse engineering techniques were detected in the malware samples through plugins. Before its deployment, each plugin was tested against 883 PE files, looking for bugs and checking the quality of the detection coverage itself.
2. Executive Summary
For this research, we analyzed 4,030,945 malware samples in our lab. As depicted in Chart 1, 34,78% were packed, and the top packer families are shown in Chart 2.
[Chart 1 – Packer Statistics]
[Chart 2 – Top Packer Families]
Looking for anti-reverse engineering techniques in the top packer families, we had different results for the same packer family because of different versions. Being so, we detailed the techniques found in each version in Table 1.
1. UPX
   UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser: Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, Instruction Counting, PEB NtGlobalFlag, PEB's BeingDebugged (Stealth IsDebuggerPresent)
   UPXv20MarkusLaszloReiser: Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, Instruction Counting, PEB's BeingDebugged (Stealth IsDebuggerPresent), SS register
   UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser: Anti-VM (IN), Push Pop Math, Instruction Counting, PEB's BeingDebugged (Stealth IsDebuggerPresent), SS register
   UPX20030XMarkusOberhumerLaszloMolnarJohnReiser: Anti-VM (IN), Push Pop Math, Instruction Counting, PEB's BeingDebugged (Stealth IsDebuggerPresent)
   UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser: Anti-VM (IN), Instruction Counting, PEB NtGlobalFlag, PEB's BeingDebugged (Stealth IsDebuggerPresent)
   UPXProtectorv10x: Nothing
2. Armadillo
   Armadillov171: Instruction Counting, Instruction Substitution (push & ret)
   Armadillov1xxv2xx: Nothing
3. PECompact: Anti-VM (STR), Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, PEB NtGlobalFlag, PEB's BeingDebugged (Stealth IsDebuggerPresent), SoftICE & Interrupt 1, Software Breakpoint Detection, SS register
4. BobSoftMiniDelphiBoBBobSoft: Anti-VM (STR), Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, PEB's BeingDebugged (Stealth IsDebuggerPresent), SoftICE & Interrupt 1, SS register
5. ASPack
   ASPackv212AlexeySolodovnikov / ASProtectV2XDLLAlexeySolodo: Anti-VM (IN), PEB's BeingDebugged (Stealth IsDebuggerPresent), SS register
   ASPackv10803AlexeySolodovnikov: Anti-VM (IN), PEB's BeingDebugged (Stealth IsDebuggerPresent)
   ASPackv21AlexeySolodovnikov: PEB's BeingDebugged (Stealth IsDebuggerPresent), SS register
   ProtectSharewareV11eCompservCMS: Anti-VM (SLDT), Anti-VM (IN), Instruction Counting, PEB's BeingDebugged (Stealth IsDebuggerPresent), Instruction Substitution (push & ret)
6. ASProtect1.33-2.1RegisteredAlexeySolodovnikov / ASProtectv12: Anti-VM (STR), Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, PEB's BeingDebugged (Stealth IsDebuggerPresent), SoftICE & Interrupt 1, Software Breakpoint Detection, SS register
7. WiseInstallerStub: Nothing
8. MaskPEv20yzkzero: Anti-VM (SLDT), Anti-VM (IN), Push Pop Math, PEB's BeingDebugged (Stealth IsDebuggerPresent), SS register
Table 1 – Packers Anti-Reverse Engineering
The top packer families for malware samples targeting Brazilian banks were also analyzed. As shown in Chart 3, we found that 50,49% were packed, and the top packer families are depicted in Chart 4.
[Chart 3 – Packer Statistics of Samples Targeting Brazilian Banks]
[Chart 4 – Packer Families of Malware Samples Targeting Brazilian Banks]
From this point on, and according to the proposed methodology in which each packer was analyzed once, the following numbers relate to the non-packed samples. Additionally, in the following statistics, malware analysis algorithms that only produce evidence were not considered.
Chart 5 shows that 88,96% of the samples had at least one anti-reverse engineering technique detected.
[Chart 5 – Samples with Anti-Reverse Engineering]
As shown in Chart 6, 6,42% of the analyzed samples have implemented at least one protection mechanism in each of the four categories (named fully armored samples in this work).
[Chart 6 – Fully Armored Samples]
For a sample to be considered part of a category, at least one technique of such a category has to be detected. The prevalence of each considered anti-reverse engineering category in the analyzed samples is detailed in Chart 7.
[Chart 7 – Anti-Reverse Engineering Categories]
So, the anti-VM and obfuscation categories are considerably more prevalent in the samples, with 81,40% and 68,95% respectively.
The anti-debugging techniques considered in all of the statistics in this work are the techniques depicted in Chart 8. Additionally, the percentage of each considered anti-debugging technique relative to the total samples in this category is also present in Chart 8.
The same information is present in Charts 9, 10 and 11 for, respectively, the anti-disassembly, obfuscation and anti-VM categories.
[Chart 8 – Anti-Debugging Techniques]
[Chart 9 – Anti-Disassembly Techniques]
[Chart 10 – Obfuscation Techniques]
[Chart 11 – Anti-VM Techniques]
3. Anti-Debugging Techniques
Some anti-debugging techniques are described in the next sections.
Techniques currently covered by detection plugins carry an additional piece of information: the algorithm used to detect such a technique.
3.1. PEB NtGlobalFlag
NtGlobalFlag is a field of the PEB at offset 0x68 [1]. The presence of the following values is not a reliable debugger detection technique, but can be considered as evidence: FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40). This might be used to detect the presence of a debugger.
Adopted Static Detection:
A MOV instruction (mov, movsx, movzx) copying the PEB address (fs:[0x30]) somewhere (X) is looked for, and X is saved for future use:
    mov/movsx/movzx X,fs:[0x30]
Then, later in the same function, a CMP (cmp, cmpxchg) or a MOV (mov, movsx, movzx) instruction referencing NtGlobalFlag ([X+0x68] in one of the operands) is looked for:
    cmp/cmpxchg/mov/movsx/movzx op1,op2 ; where [X+0x68] is a substring of op1 or op2
RET was used to consider the end of a function.
If this scenario happens, this anti-debugging technique is considered as detected.
3.2. IsDebuggerPresent
IsDebuggerPresent() is a kernel32 function that returns TRUE if a debugger is present [1]. Internally, it uses the PEB's BeingDebugged field. Such approaches can be used to detect the presence of a debugger.
Adopted Static Detection:
(1)
IsDebuggerPresent is looked for in the IAT. If found, the technique is considered as detected.
(2)
A MOV instruction (mov, movsx, movzx) copying the PEB address (fs:[0x30]) somewhere (X) is looked for, and X is saved for future use:
    mov/movsx/movzx X,fs:[0x30]
Then, later in the same function, another MOV instruction (mov, movsx, movzx) referencing the BeingDebugged field ([X+0x2] in one of the operands) is looked for:
    mov/movsx/movzx op1,op2 ; where "[X+0x2]" is a substring of op1 or op2
RET was used to consider the end of a function.
If this scenario happens, this anti-debugging technique is considered as detected.
3.3. CheckRemoteDebuggerPresent
CheckRemoteDebuggerPresent() is a kernel32 function that sets 0xffffffff in the pbDebuggerPresent parameter if a debugger is present [1]. Internally, it uses NtQueryInformationProcess() with ProcessDebugPort as the ProcessInformationClass parameter. This function can be used to detect the presence of a debugger.
Adopted Static Detection:
(1)
CheckRemoteDebuggerPresent is looked for in the IAT. If found, the technique is considered as detected.
(2)
NtQueryInformationProcess is looked for in the IAT. If found, the technique is considered as evidence detected.
3.4. Heap flags
The process default heap (retrieved through GetProcessHeap() or the PEB) has the following two fields of interest that are influenced by PEB->NtGlobalFlags: Flags, at offset 0x0c in the heap, and ForceFlags, at offset 0x10 in the heap [1]. The following values for each of the fields are not a reliable approach to detect a debugger, but can be considered as evidence:
Flags: HEAP_GROWABLE (2), HEAP_TAIL_CHECKING_ENABLED (0x20), HEAP_FREE_CHECKING_ENABLED (0x40), HEAP_SKIP_VALIDATION_CHECKS (0x10000000) and HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000).
ForceFlags: HEAP_TAIL_CHECKING_ENABLED (0x20), HEAP_FREE_CHECKING_ENABLED (0x40) and HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000).
Adopted Static Detection:
(1)
GetProcessHeap is looked for in the IAT. If found, the technique is considered as evidence detected.
(2)
An instruction referencing the PEB (fs:[0x30]) is looked for. If found, the first operand (X) is saved for future use:
    * X,* ; the substring "fs:[0x30]" is looked for in all the operands; if found, the first operand (X) is saved
Then, later in the same function, any other instruction referencing the process default heap ([X+0x18] in one of the operands) is looked for:
    * operands ; where "[X+0x18]" is a substring of any of the operands
RET was used to consider the end of a function.
If this scenario happens, this anti-debugging technique is considered as detected.
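The static detections of sections 3.1, 3.2 (2) and 3.4 (2) share one shape: a register X receives fs:[0x30], and a later instruction in the same function references [X+0x68], [X+0x2] or [X+0x18]. The following Python is an added example, not code from the paper or from Dissect || PE, implementing that shape over a constructed listing. It assumes the disassembly is available as a list of (mnemonic, operands) string pairs in the operand spelling shown, and uses the mov form of stage 1 from sections 3.1/3.2 for all three fields.

```python
# Added example (not the paper's or Dissect || PE's code): detect PEB fields reached
# through a register loaded from fs:[0x30], as described in sections 3.1, 3.2 and 3.4.

MOV_MNEMONICS = {"mov", "movsx", "movzx"}
CMP_MNEMONICS = {"cmp", "cmpxchg"}

# PEB field name -> (offset from the PEB base, mnemonics allowed to reference it;
# None means any instruction, which is the section 3.4 form)
PEB_FIELDS = {
    "BeingDebugged": (0x2, MOV_MNEMONICS),                   # section 3.2 (2)
    "ProcessHeap":   (0x18, None),                           # section 3.4 (2)
    "NtGlobalFlag":  (0x68, MOV_MNEMONICS | CMP_MNEMONICS),  # section 3.1
}


def split_functions(listing):
    """Cut a listing into functions, treating RET as the function end like the paper does."""
    functions, current = [], []
    for mnemonic, operands in listing:
        current.append((mnemonic, operands))
        if mnemonic.startswith("ret"):
            functions.append(current)
            current = []
    if current:
        functions.append(current)
    return functions


def peb_field_refs(listing):
    """Names of PEB fields that some function reads through a register it previously
    loaded with fs:[0x30]. An empty set means none of the three patterns matched."""
    found = set()
    for function in split_functions(listing):
        peb_regs = set()  # registers holding the PEB address so far in this function
        for mnemonic, operands in function:
            ops = [o.strip().lower() for o in operands.split(",") if o.strip()]
            # stage 1: mov/movsx/movzx X, fs:[0x30] -> remember X
            if mnemonic in MOV_MNEMONICS and len(ops) == 2 and "fs:[0x30]" in ops[1]:
                peb_regs.add(ops[0])
                continue
            # stage 2: a later instruction with [X+offset] in any operand
            for name, (offset, allowed) in PEB_FIELDS.items():
                if allowed is not None and mnemonic not in allowed:
                    continue
                for reg in peb_regs:
                    needle = f"[{reg}+0x{offset:x}]"   # closing bracket keeps 0x2 from matching 0x28
                    if any(needle in op for op in ops):
                        found.add(name)
    return found


# Constructed listing: one function touching all three fields, one that only reads the
# image base through the PEB, and one that uses [eax+0x68] without a PEB load.
SAMPLE_LISTING = [
    ("push", "ebp"),
    ("mov", "ebp, esp"),
    ("mov", "eax, fs:[0x30]"),              # X = eax -> PEB
    ("movzx", "ecx, byte ptr [eax+0x2]"),   # BeingDebugged
    ("test", "ecx, ecx"),
    ("mov", "edx, [eax+0x68]"),             # NtGlobalFlag
    ("and", "edx, 0x70"),
    ("mov", "esi, [eax+0x18]"),             # ProcessHeap
    ("mov", "edi, [esi+0xc]"),              # heap Flags (esi was never fs:[0x30], so not counted)
    ("pop", "ebp"),
    ("ret", ""),
    ("mov", "eax, fs:[0x30]"),
    ("mov", "eax, [eax+0x8]"),              # ImageBaseAddress: benign
    ("ret", ""),
    ("mov", "eax, [ebp-0x4]"),
    ("cmp", "dword ptr [eax+0x68], 0"),     # no fs:[0x30] load in this function
    ("ret", ""),
]
BENIGN_LISTING = SAMPLE_LISTING[11:]

if __name__ == "__main__":
    print(sorted(peb_field_refs(SAMPLE_LISTING)))   # all three fields
    print(sorted(peb_field_refs(BENIGN_LISTING)))   # nothing
```

Like the paper's substring rule, the code does not track that a register is overwritten after the PEB load; a later [X+0x68] still counts, which keeps the detection simple at the cost of occasional false positives.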
3.5. NtQueryInformationProcess – ProcessDebugPort
Calling NtQueryInformationProcess() with ProcessDebugPort as the ProcessInformationClass parameter will set 0xffffffff in the ProcessInformation parameter if the process is being debugged [1]. Internally, the function queries for a non-zero state of EPROCESS->DebugPort. This function can be used to detect a debugger.
Adopted Static Detection:
NtQueryInformationProcess is looked for in the IAT. If found, the technique is considered as evidence detected.
3.6. Debug Objects – ProcessDebugObjectHandle Class
A debug object is created and a handle is associated with it when a debugging session begins [1]. NtQueryInformationProcess() can be called with ProcessDebugObjectHandle as the ProcessInformationClass parameter to query for the debug object handle. This can be used to detect the presence of a debugger.
Adopted Static Detection:
NtQueryInformationProcess is looked for in the IAT. If found, the technique is considered as evidence detected.
3.7. Debug Objects – ProcessDebugFlags Class
NtQueryInformationProcess() can be called with ProcessDebugFlags as the ProcessInformationClass parameter to set the inverse of the EPROCESS->NoDebugInherit bit in the ProcessInformation parameter [1]. So, FALSE is set when a debugger is present. This can be used to detect a debugger.
Adopted Static Detection:
NtQueryInformationProcess is looked for in the IAT. If found, the technique is considered as evidence detected.
3.8. NtQuerySystemInformation – SystemKernelDebuggerInformation
The NtQuerySystemInformation() function of ntdll can be used with the undocumented SystemKernelDebuggerInformation as the SystemInformationClass parameter to detect the presence of a debugger [1]. The result, stored in the buffer pointed to by the SystemInformation parameter [23], has 2 bytes representing two flags, each one with 8 bits: KdDebuggerEnabled (least significant byte) and KdDebuggerNotPresent (most significant byte). KdDebuggerNotPresent is FALSE if a debugger is present.
It is possible to obfuscate such a function call by retrieving KdDebuggerNotPresent directly from KUSER_SHARED_DATA, at offset 0x7ffe02d4 for 2Gb user-space configurations. The value retrieved by the NtQuerySystemInformation() call does not come from this location. [2]
This can be used to detect the presence of a kernel-mode debugger [22].
Adopted Static Detection:
NtQuerySystemInformation is looked for in the IAT. If found, the technique is considered as evidence detected.
3.9. OpenProcess – SeDebugPrivilege
With the SeDebugPrivilege privilege, a non-default privilege [5], a process can gain full control over the system process CSRSS.exe [1]. Additionally, such a privilege is passed to child processes. So, if a debugger acquires such a privilege, the debugged binary can have full control over CSRSS.exe as well. [5] This technique has 2 steps:
1. Enumerate processes to get the process ID of CSRSS.exe. This can be achieved through CreateToolhelp32Snapshot() + (Process32First()) + Process32Next(). Another way could be using NtQuerySystemInformation() with SystemProcessInformation as the SystemInformationClass parameter. Alternatively, Windows XP introduced the ntdll CsrGetProcessId(), which makes such a task easier and can also be used.
2. Open the CSRSS.exe process with full access. If the operation succeeds, then it is evidence of the presence of a debugger. This task can be achieved with OpenProcess() using PROCESS_ALL_ACCESS as the dwDesiredAccess parameter.
OllyDbg and WinDbg acquire the SeDebugPrivilege privilege.
This technique might be used to indirectly detect the presence of some debuggers.
Adopted Static Detection:
The string "csrss.exe" is looked for in the binary in a case-insensitive way. If found, this technique is considered as evidence detected.
3.10. Alternative Desktop
Windows NT-based platforms support multiple desktops, and it is possible to select a different active desktop, hiding the windows of the previously selected one with no obvious way to switch back to the old desktop [1]. This can be done by calling CreateDesktop() followed by SwitchDesktop(). The dwDesiredAccess parameter of CreateDesktop() can be: DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS | DESKTOP_SWITCHDESKTOP. This technique can be used to make the debugging process harder for an analyst.
Adopted Static Detection:
CreateDesktopA/CreateDesktopW are looked for in the IAT. If found, and SwitchDesktop is also present, the technique is considered as detected.
3.11. Self-Debugging
"Self-debugging is the act of running a copy of a process, and attach to it as a debugger." [1]. Since only one debugger can be attached to a process, such a process cannot be debugged by ordinary means (there are bypasses). It is possible to execute this technique by creating a copy of the process to be debugged (CreateProcessA() with DEBUG_PROCESS as the dwCreationFlags parameter) and handling its debug events (WaitForDebugEvent() and ContinueDebugEvent()). This technique can be used to make it difficult to attach a debugger to the process.
Adopted Static Detection:
CreateProcessA/CreateProcessW are looked for in the IAT. If found, and both WaitForDebugEvent and ContinueDebugEvent are also present, the technique is considered as evidence detected.
3.12. RtlQueryProcessDebugInformation
RtlQueryProcessDebugInformation() is used to load some process information into the DebugBuffer parameter, including some heap information (the he ap flags are among them) [2][3][4]. This call can be made with PDI_HEAPS | PDI_HEAP_BLOCKS as the DebugInfoClassMask parameter. Internally, it uses RtlQueryProcessHeapInformation(), and this function can be used to develop a variation of this technique. The following heap flags value indicates that a process is being debugged: GROWABLE | TAIL_CHECKING_ENABLED | FREE_CHECKING_ENABLED | VALIDATE_PARAMETERS_ENABLED. This technique can be used to detect the presence of a debugger.
Adopted Static Detection:
RtlQueryProcessDebugInformation and RtlQueryProcessHeapInformation are looked for in the IAT. If either of them is found, the technique is considered as evidence detected.
3.13. Hardware Breakpoints
When an exception occurs, Windows passes to the exception handler a context structure which has, among other information, the content of the debug registers [1]. If there is a debugger with hardware breakpoints in use and it passes the exception to the debuggee, then the debug registers can be analyzed looking for a debugger. This can be used to detect the presence of a debugger.
Adopted Static Detection:
A MOV instruction (mov, movsx, movzx) copying the ESP register to the SEH (fs:[0x0]) is looked for:
    mov/movsx/movzx op1,esp ; where "fs:[0x0]" is a substring of op1
Then, later in the same function, another MOV instruction (mov, movsx, movzx) referencing the CONTEXT ([esp+0xc]) in the source operand is looked for, and the destination operand (X) is saved for future use:
    mov/movsx/movzx X,op2 ; where "[esp+0xc]" is a substring of op2
Then, later in the same function, a CMP (cmp, cmpxchg), MOV (mov, movsx, movzx) or OR instruction whose source operand holds the offset of a debug register relative to the saved X (0x4, 0x8, 0xC, 0x10) is looked for:
    mov/movsx/movzx op1,op2
    cmp/cmpxchg op1,op2
    or op1,op2
    ; all with op2 having "[X+0x4]", "[X+0x8]", "[X+0xC]" or "[X+0x10]" as a substring
RET was used to consider the end of a function.
If this scenario happens, this anti-debugging technique is considered as detected.
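The following Python is an added example, not code from the paper or from Dissect || PE, of the three-stage pattern above over a constructed listing in a (mnemonic, operands) representation. The CONTEXT offsets 0x4 to 0x10 are the ones the section gives for the debug registers; the second listing shows an SEH handler that only rewrites Eip, which the rule correctly ignores.

```python
# Added example (not the paper's or Dissect || PE's code): the section 3.13 pattern.
# Stage 1: mov fs:[0x0], esp   Stage 2: mov X, [esp+0xc]   Stage 3: read [X+0x4..0x10]

MOV_MNEMONICS = {"mov", "movsx", "movzx"}
DR_READERS = MOV_MNEMONICS | {"cmp", "cmpxchg", "or"}
# Dr0..Dr3 offsets inside the x86 CONTEXT structure, relative to its base
DEBUG_REGISTER_OFFSETS = {0x4: "Dr0", 0x8: "Dr1", 0xc: "Dr2", 0x10: "Dr3"}


def _ops(operands):
    return [o.strip().lower() for o in operands.split(",") if o.strip()]


def debug_registers_read(listing):
    """Names of the debug registers a function reads from the CONTEXT handed to an SEH
    handler it installed. An empty set means the section 3.13 pattern did not match."""
    hits = set()
    stage, ctx_regs = 0, set()
    for mnemonic, operands in listing:
        mnemonic = mnemonic.lower()
        ops = _ops(operands)
        if mnemonic.startswith("ret"):          # RET ends the function: start over
            stage, ctx_regs = 0, set()
            continue
        two = len(ops) == 2
        if stage == 0:
            # stage 1: SEH frame installed with mov fs:[0x0], esp
            if mnemonic in MOV_MNEMONICS and two and "fs:[0x0]" in ops[0] and ops[1] == "esp":
                stage = 1
        elif mnemonic in MOV_MNEMONICS and two and "[esp+0xc]" in ops[1]:
            # stage 2: X = CONTEXT pointer, the handler's third argument
            ctx_regs.add(ops[0])
            stage = 2
        elif stage == 2 and mnemonic in DR_READERS and two:
            # stage 3: source operand is [X+offset of Dr0..Dr3]
            for reg in ctx_regs:
                for offset, name in DEBUG_REGISTER_OFFSETS.items():
                    if f"[{reg}+0x{offset:x}]" in ops[1]:
                        hits.add(name)
    return hits


# Constructed listing: frame install, a fault, and the handler body in one function
HWBP_LISTING = [
    ("push", "offset handler"),
    ("push", "fs:[0x0]"),
    ("mov", "fs:[0x0], esp"),          # stage 1
    ("xor", "eax, eax"),
    ("mov", "[eax], eax"),             # constructed fault that enters the handler
    ("mov", "ecx, [esp+0xc]"),         # stage 2: ecx = CONTEXT*
    ("mov", "eax, [ecx+0x4]"),         # stage 3: Dr0
    ("or", "eax, [ecx+0x8]"),          # Dr1
    ("or", "eax, [ecx+0xc]"),          # Dr2
    ("or", "eax, [ecx+0x10]"),         # Dr3
    ("test", "eax, eax"),
    ("ret", ""),
]

# Same scaffolding, but the handler only rewrites Eip (CONTEXT offset 0xb8): not detected
BENIGN_SEH_LISTING = [
    ("mov", "fs:[0x0], esp"),
    ("mov", "ecx, [esp+0xc]"),
    ("mov", "dword ptr [ecx+0xb8], 0x401000"),
    ("ret", ""),
]

if __name__ == "__main__":
    print(sorted(debug_registers_read(HWBP_LISTING)))        # Dr0..Dr3
    print(sorted(debug_registers_read(BENIGN_SEH_LISTING)))  # nothing
```

The rule keeps the paper's same-function constraint. Where the handler is a separate function from the code that installs the frame, the RET between them resets the state and the pattern is not reported; a plugin that wants that case has to follow the handler address pushed before fs:[0x0].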
3.14. OutputDebugString
The kernel32 OutputDebugString() has different behavior depending on the presence, or not, of a debugger [1]. One of them is that kernel32 GetLastError() returns 0 if the debugger is present. This technique can be used to detect the presence of a debugger.
Adopted Static Detection:
OutputDebugStringA/OutputDebugStringW are looked for in the IAT. If found, and GetLastError is also present, the technique is considered as detected.
3.15. BlockInput
The BlockInput() function "Blocks keyboard and mouse input events from reaching applications." [6]. This function can be used to make it difficult for an analyst to access the debugger [1][5].
Adopted Static Detection:
BlockInput is looked for in the IAT. If found, the technique is considered as evidence detected.
3.16. Parent Process
The parent process of an application executed by a user will usually be "Explorer.exe", and it can be considered as debugger evidence when this is not the case [1]. The following functions can be used for this purpose:
- GetCurrentProcessId() + CreateToolhelp32Snapshot() + (Process32First()) + Process32Next().
- GetCurrentProcessId() + NtQuerySystemInformation() with SystemProcessInformation as the SystemInformationClass parameter.
- A simpler method: get the Explorer.exe process ID (GetShellWindow() + GetWindowThreadProcessId()) and get the parent process ID (NtQueryInformationProcess() with ProcessBasicInformation as the ProcessInformationClass parameter).
This technique might be used to detect the presence of a debugger.
Adopted Static Detection:
(1)
GetCurrentProcessId and CreateToolhelp32Snapshot are looked for in the IAT. If both are found, this technique is considered as evidence detected.
(2)
GetCurrentProcessId and NtQuerySystemInformation are looked for in the IAT. If both are found, the technique is considered as evidence detected.
(3)
GetShellWindow, GetWindowThreadProcessId and NtQueryInformationProcess are looked for in the IAT. If all three are found, this technique is considered as evidence detected.
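Most of the static detections above (sections 3.3, 3.10, 3.11, 3.14 and 3.16, and also 3.18 and 3.25 further on) are rules over the names present in the import table. The following Python is an added example, not code from the paper or from Dissect || PE, that encodes those rules as data and evaluates them over a constructed import set, keeping the paper's distinction between a technique considered detected and one considered evidence. The rule labels and the set-of-names input format are my own choices; the function names come from the sections.

```python
# Added example (not the paper's or Dissect || PE's code): IAT rules from sections
# 3.3, 3.10, 3.11, 3.14, 3.16, 3.18 and 3.25 evaluated over a set of imported names.

DETECTED, EVIDENCE = "detected", "evidence"

# (technique, requirements, verdict). Every group in `requirements` must be satisfied by
# at least one of its names; a group with several names encodes the paper's "A/W"
# alternatives and its "if some of them are found".
IAT_RULES = [
    ("CheckRemoteDebuggerPresent", [{"CheckRemoteDebuggerPresent"}], DETECTED),
    ("CheckRemoteDebuggerPresent", [{"NtQueryInformationProcess"}], EVIDENCE),
    ("Alternative Desktop", [{"CreateDesktopA", "CreateDesktopW"}, {"SwitchDesktop"}], DETECTED),
    ("Self-Debugging", [{"CreateProcessA", "CreateProcessW"}, {"WaitForDebugEvent"},
                        {"ContinueDebugEvent"}], EVIDENCE),
    ("OutputDebugString", [{"OutputDebugStringA", "OutputDebugStringW"}, {"GetLastError"}], DETECTED),
    ("Parent Process", [{"GetCurrentProcessId"}, {"CreateToolhelp32Snapshot"}], EVIDENCE),
    ("Parent Process", [{"GetCurrentProcessId"}, {"NtQuerySystemInformation"}], EVIDENCE),
    ("Parent Process", [{"GetShellWindow"}, {"GetWindowThreadProcessId"},
                        {"NtQueryInformationProcess"}], EVIDENCE),
    ("OllyDbg OutputDebugString", [{"OutputDebugStringA", "OutputDebugStringW"}], EVIDENCE),
    ("Execution Timing", [{"GetTickCount", "timeGetTime", "GetLocalTime",
                           "GetSystemTime", "QueryPerformanceCounter"}], EVIDENCE),
]


def evaluate_iat(imports):
    """Map technique -> strongest verdict its rules reach on this set of imported names."""
    verdicts = {}
    for technique, requirements, verdict in IAT_RULES:
        if all(group & imports for group in requirements):
            if verdicts.get(technique) != DETECTED:    # DETECTED is never downgraded
                verdicts[technique] = verdict
    return verdicts


def detected_techniques(imports):
    """Only the 'detected' verdicts, the subset Section 2's statistics are built on
    (algorithms that only produce evidence were excluded there)."""
    return {t for t, v in evaluate_iat(imports).items() if v == DETECTED}


# Constructed import sets (flattened over DLLs); a real plugin reads them from the IAT
SAMPLE_IMPORTS = {
    "CreateProcessW", "WaitForDebugEvent", "ContinueDebugEvent",   # self-debugging
    "OutputDebugStringA", "GetLastError",                           # OutputDebugString
    "CreateDesktopA", "SwitchDesktop",                              # alternative desktop
    "GetTickCount", "VirtualAlloc", "ExitProcess",
}
BENIGN_IMPORTS = {"CreateProcessW", "GetLastError", "GetTickCount", "ExitProcess"}

if __name__ == "__main__":
    for name in sorted(evaluate_iat(SAMPLE_IMPORTS)):
        print(name, evaluate_iat(SAMPLE_IMPORTS)[name])
    print(sorted(detected_techniques(BENIGN_IMPORTS)))   # []
```

Keeping the rules as data makes the evidence/detected split auditable: BENIGN_IMPORTS still yields an Execution Timing evidence hit from GetTickCount alone, which illustrates why the paper left evidence-only algorithms out of its headline numbers.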
3.17. Device Names
Debuggers that use kernel-mode drivers may use named devices to communicate with them [1]. So, if an attempt to open such a device succeeds, it does not necessarily mean that a debugger is active, but that it is present. The implementation can use the CreateFile() function with OPEN_EXISTING as the dwCreationDisposition parameter. Some device names:
- SoftICE: \\.\SICE, \\.\SIWVID, \\.\NTICE
- RegMon: \\.\FILEVXG, \\.\REGSYS
- FileMon: \\.\FILEVXG, \\.\FILEM
- \\.\TRW
- SoftICE extender: \\.\ICEEXT
This technique might be used to detect the presence of a debugger. The presence of a debugger does not necessarily mean that the debugger is active.
Adopted Static Detection:
The device name strings ("\\.\SICE", "\\.\SIWVID", "\\.\NTICE", "\\.\FILEVXG", "\\.\REGSYS", "\\.\FILEM", "\\.\TRW", "\\.\ICEEXT") are looked for in the binary itself in a case-insensitive way. If found, this technique is considered as detected.
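The following Python is an added example, not code from the paper or from Dissect || PE, of the raw string checks of sections 3.9 ("csrss.exe") and 3.17 (device names) over a constructed byte blob. It goes beyond the paper's check in one respect: besides the case-insensitive ANSI search the paper specifies, it also searches the UTF-16LE form, since binaries built against the wide-character Windows APIs store these names that way.

```python
# Added example (not the paper's code): case-insensitive search for the strings of
# sections 3.9 and 3.17 in a binary image, in ANSI and (my extension) UTF-16LE form.

DEVICE_NAMES = (
    r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE",   # SoftICE
    r"\\.\FILEVXG", r"\\.\REGSYS",               # RegMon
    r"\\.\FILEM",                                 # FileMon
    r"\\.\TRW",
    r"\\.\ICEEXT",                                # SoftICE extender
)

ENCODINGS = (("ansi", "latin-1"), ("wide", "utf-16-le"))


def find_strings(blob, needles):
    """Return {needle: [(encoding_label, offset), ...]} for each needle found in blob.
    bytes.lower() folds only ASCII letters, which is exactly what a case-insensitive
    search for these ASCII names needs (the zero bytes of UTF-16LE are untouched)."""
    lowered = blob.lower()
    hits = {}
    for needle in needles:
        for label, codec in ENCODINGS:
            encoded = needle.lower().encode(codec)
            offset = lowered.find(encoded)
            if offset != -1:
                hits.setdefault(needle, []).append((label, offset))
    return hits


def device_names_present(blob):
    """Section 3.17 rule: any debugger device name in the image (detected)."""
    return find_strings(blob, DEVICE_NAMES)


def csrss_string_present(blob):
    """Section 3.9 rule: the string csrss.exe in the image (evidence)."""
    return bool(find_strings(blob, ("csrss.exe",)))


# Constructed image fragment: a lower-case ANSI device name at offset 16, a wide
# upper-case CSRSS.EXE, and a mixed-case ANSI NTICE
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\sice\x00"
    + "CSRSS.EXE".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\NtIcE\x00"
    + b"GetProcAddress\x00"
)

if __name__ == "__main__":
    print(device_names_present(SAMPLE_BLOB))
    print(csrss_string_present(SAMPLE_BLOB))
```

Reporting the offset alongside the encoding lets an analyst jump straight to the string in the section it lives in; a name inside an overlay or resource, rather than a code or data section, is worth a second look before counting it.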
3.18. OllyDbg – OutputDebugString
OllyDbg is a debugger that has a format string vulnerability with the kernel32 OutputDebugString() function, leading to a crash or arbitrary code execution [1][5]. The current final version (1.10) is still vulnerable. This can be used to break a debugging session with an affected version of OllyDbg.
Adopted Static Detection:
OutputDebugStringA/OutputDebugStringW are looked for in the IAT. If found, this technique is considered as evidence detected.
3.19. FindWindow
The FindWindow() function can be used to find open debuggers using both parameters, lpClassName and lpWindowName [1]. Some parameters that can be used:
- lpClassName: OllyDbg: "OLLYDBG"; WinDbg: "WinDbgFrameClass"; MSLRH: "TESTDBG", "kk1", "Eew57", "Shadow".
- lpWindowName: MSLRH: "Import REConstructor v1.6 FINAL (C) 2001-2003 MackT/uCF".
This can be used to detect the presence of a debugger.
Adopted Static Detection:
FindWindowA/FindWindowW are looked for in the IAT. If found, this technique is considered as evidence detected.
3.20. SuspendThread
User-mode debuggers like OllyDbg and Turbo Debug can be disabled by calling kernel32 SuspendThread() (or the ntdll NtSuspendThread()) on their threads [1][2]. To find the threads, process enumeration and named window searching are two methods that can be used.
Adopted Static Detection:
SuspendThread and NtSuspendThread are looked for in the IAT. If either of them is found, this technique is considered as evidence detected.
3.21. SoftICE – Interrupt 1
Normally, the DPL of interrupt 1 is set to 0, meaning that a ring 3 attempt to execute int 1 ("0xcd01") results in a CPU general protection fault (int "0x0d") and in the end Windows raises an EXCEPTION_ACCESS_VIOLATION (0xc0000005) [1].
SoftICE hooks the IDT entry of interrupt 1 and sets the DPL to 3, allowing it to single-step from user-mode code. The problem is that SoftICE does not identify and handle differently the situations that caused such an int 1, and always executes the default interrupt 1 handler.
So, a ring 3 attempt to execute int 1 results in Windows raising EXCEPTION_SINGLE_STEP (0x80000004) instead of EXCEPTION_ACCESS_VIOLATION. This characteristic can be used to detect whether SoftICE is running.
Adopted Static Detection:
An INT1 instruction is looked for. Then, later in the same function, a CMP instruction with 0x80000004 in any of the operands is looked for:
    ...
    int1
    ...
    cmp operands ; where any of the operands is 0x80000004
    ...
RET was used to consider the end of a function.
If this scenario happens, this anti-debugging technique is considered as detected.
3.22. SS register
While single-stepping through the trap flag, debuggers typically try to clear such a flag when it is pushed onto the stack [1][2][7].
When the SS register is loaded (POP SS, for example), interrupts are disabled until the end of the next instruction, to avoid invalid stack trouble in some cases [8].
So, after the SS load, the next instruction will be executed but the debugger will not break on it. With the debugger unaware of the flags push (PUSHFD, for example), the trap flag will not be cleared on the stack, and its presence indicates single-stepping through trap flag debugging.
Adopted Static Detection:
A POP instruction with the SS register as operand, or a MOV instruction (mov, movsx, movzx) having the SS register as destination operand, is looked for:
    pop ss
    mov/movsx/movzx ss,* ; it does not matter what the second operand is
Then, the next instruction is analyzed to check whether its mnemonic starts with the string "pushf".
If this scenario happens, this anti-debugging technique is considered as detected.
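The following Python is an added example, not code from the paper or from Dissect || PE, of the two detections above (sections 3.21 and 3.22) over constructed listings in a (mnemonic, operands) representation. The int 1 check accepts both the "int 1" and the "int1" spelling for the cd 01 opcode, because disassemblers differ on it; the paper's own listing writes int1.

```python
# Added example (not the paper's or Dissect || PE's code): section 3.21 (int 1 followed
# by a compare with 0x80000004 in the same function) and section 3.22 (SS load
# immediately followed by pushf*).

MOV_MNEMONICS = {"mov", "movsx", "movzx"}
EXCEPTION_SINGLE_STEP = "0x80000004"


def _ops(operands):
    return [o.strip().lower() for o in operands.split(",") if o.strip()]


def _is_int1(mnemonic, operands):
    # cd 01 is rendered "int 1" by some disassemblers and "int1" by others
    return mnemonic == "int1" or (mnemonic == "int" and _ops(operands) in (["1"], ["0x1"]))


def softice_int1_check(listing):
    """True when a function executes int 1 and later compares something with 0x80000004."""
    seen_int1 = False
    for mnemonic, operands in listing:
        mnemonic = mnemonic.lower()
        if mnemonic.startswith("ret"):
            seen_int1 = False                 # RET ends the function, as in the paper
        elif _is_int1(mnemonic, operands):
            seen_int1 = True
        elif seen_int1 and mnemonic in ("cmp", "cmpxchg"):
            if any(EXCEPTION_SINGLE_STEP in op for op in _ops(operands)):
                return True
    return False


def ss_load_then_pushf(listing):
    """True when POP SS or MOV SS,* is immediately followed by a pushf/pushfd/pushfq."""
    for (m1, o1), (m2, _) in zip(listing, listing[1:]):
        ops = _ops(o1)
        loads_ss = bool(ops) and ops[0] == "ss" and (m1 == "pop" or m1 in MOV_MNEMONICS)
        if loads_ss and m2.lower().startswith("pushf"):
            return True
    return False


# Constructed listings
SOFTICE_LISTING = [
    ("push", "offset handler"),
    ("push", "fs:[0x0]"),
    ("mov", "fs:[0x0], esp"),
    ("int", "1"),                               # cd 01
    ("mov", "eax, [esp+0x4]"),                  # handler: EXCEPTION_RECORD*
    ("cmp", "dword ptr [eax], 0x80000004"),     # ExceptionCode == EXCEPTION_SINGLE_STEP?
    ("ret", ""),
]
# int 1 in one function and the compare in another: the same-function rule does not fire
SOFTICE_SPLIT_LISTING = [("int1", ""), ("ret", ""), ("cmp", "eax, 0x80000004"), ("ret", "")]

SS_LISTING = [
    ("push", "ss"),
    ("pop", "ss"),              # interrupts held off for exactly one instruction
    ("pushfd", ""),             # a single-stepping debugger cannot clear TF here
    ("pop", "eax"),
    ("test", "ah, 0x1"),        # TF is bit 8 of EFLAGS
    ("ret", ""),
]
SS_BENIGN_LISTING = [("pop", "ss"), ("mov", "eax, ebx"), ("pushfd", ""), ("ret", "")]

if __name__ == "__main__":
    print(softice_int1_check(SOFTICE_LISTING), softice_int1_check(SOFTICE_SPLIT_LISTING))
    print(ss_load_then_pushf(SS_LISTING), ss_load_then_pushf(SS_BENIGN_LISTING))
```

The adjacency requirement in ss_load_then_pushf is what gives the section 3.22 rule its precision: the trick only works because the pushf executes in the one-instruction interrupt shadow after the SS load, so a pushf that comes later is ordinary flag handling, not this technique.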
3.23. UnhandledExceptionFilter
When an exception is generated and there is no exception handler to process it, a default handler exists to do the job [1][5][7]. As part of the default handler procedures, kernel32 UnhandledExceptionFilter() is called. In that function, NtQueryInformationProcess() is called with ProcessDebugPort as the ProcessInformationClass parameter to detect whether the process that raised the exception is being debugged. If SetUnhandledExceptionFilter() was used and the process is not being debugged, the top-level exception filter set by that function will be executed. Otherwise, if the process is being debugged, the debugger will be notified about the exception. [9]
This behavior can be used to detect the presence of a debugger by defining a top-level exception filter through SetUnhandledExceptionFilter() and then forcing an exception to occur. If the top-level exception filter gets executed, then the process is not being debugged.
Adopted Static Detection:
SetUnhandledExceptionFilter is looked for in the IAT. If found, this technique is considered as evidence detected.
3.24. Guard Pages
An attempt to access an address within a guard page (a page marked with PAGE_GUARD) results in a STATUS_GUARD_PAGE_VIOLATION (0x80000001) being raised by the system [1][10]. If a debugger is present, it might handle such an exception and allow the access. This behavior might be used to detect the presence of a debugger.
An implementation of this technique, as shown in [1], relies on writing 0xC3 (RET instruction) in a memory area and marking this page with PAGE_GUARD. If the RET gets executed, the debugger is detected; otherwise, a crafted exception handler is executed, meaning that the debugger was not detected.
Adopted Static Detection:
VirtualAlloc/VirtualAllocEx and VirtualProtect/VirtualProtectEx are looked for in the IAT. If found, this technique is considered as evidence detected.
3.25. Execution Timing
When a debugger is present, the time elapsed between the execution of subsequent instructions might be higher than without it [1][2][7]. The idea is to measure the time elapsed between the execution of some instructions and, based on that value, infer the presence of a debugger. Some methods can be used to implement this technique (each method has its own characteristics):
- RDTSC instruction (it is a popular anti-debugging technique [1] [2] [7] [11], but there are some issues to be aware of [8] [11] [12] [13])
- RDPMC instruction [2] [8]
- RDMSR instruction [2] [8]
- kernel32 GetTickCount() [14]
- winmm timeGetTime [1] [15]
- kernel32 GetLocalTime() [2] [16]
- kernel32 GetSystemTime() [2] [17]
- kernel32 QueryPerformanceCounter() [2] [7] [18]
Adopted Static Detection:
GetTickCount, timeGetTime, GetLocalTime, GetSystemTime and QueryPerformanceCounter are looked for in the IAT. If any of them is found, this technique is considered as evidence detected.
&!#5! Software )rea-1oint Detection
So/t'are brea.point is a single8b!te instruction
*-=HH $ GN2 ?+ t(at stops t(e e=ecution o/ t(e
debugged process and passes control to t(e
debugger J4K" 2(e original b!te is sa0ed b! t(e
debugger be/ore setting t(e brea.point, t(is 'a! t(e
original instruction can be e=ecuted in t(e correct
time" J,CK
Hode areas in memor! are scanned /or -=HH b!te
t(at 'as not set b! t(e code itsel/" 2o ma.e suc( a
c(ec. not so ob0ious, it is possible to use some
operation in t(e compared b!, suc( as J4K;
i/*b!te NOR -=44 ZZ -=CC+ t(en brea.point /ound
Note t(at -=HH NOR -=44 Z -=CC"
Adopted Static Detection;
A HMP instruction *cmp, cmp=c(g+ 'it( -=HH in
an! o/ its operands is loo.ed /or" G/ /ound, t(is anti8
debugging tec(niue is considered as detected"
3.27. Thread Hiding

According to MSDN [20] [21], ntdll NtSetInformationThread() sets the priority of a thread [1][5][7]. However, its ThreadInformationClass parameter accepts an undocumented value, ThreadHideFromDebugger (0x11), which prevents debugging events from being sent to the debugger [5]. This can be used to make debugging harder: exceptions and breakpoints hit in a hidden thread are no longer reported to the attached debugger.

Adopted Static Detection:
NtSetInformationThread is looked for in the IAT. If found, this technique is considered as evidence detected.
3.28. NtSetDebugFilterState

The ntdll DbgSetDebugFilterState (or ntdll NtSetDebugFilterState) call succeeds in the presence of some debuggers [2]. This is a side effect of the debugger's behaviour: the call requires the SeDebugPrivilege privilege, and a debugged process inherits it from the debugger that created it. SeDebugPrivilege is not a default privilege [5], so this technique might be used to indirectly detect the presence of some debuggers. Because the privilege is inherited, the check only works when the debugger created the process, not when it attached later.

Adopted Static Detection:
DbgSetDebugFilterState and NtSetDebugFilterState are looked for in the IAT. If some of them are found, this technique is considered as detected.
3.29. Instruction Counting

An exception handler is registered to deal with the EXCEPTION_SINGLE_STEP (0x80000004) exception [1].

Then, some hardware breakpoints are set on specific instructions. Debug registers cannot be accessed directly in user mode [32], so a context structure is needed; the following procedures can be used to get it:

- Calling kernel32 GetThreadContext().
- Forcing an exception to occur and handling it, because the context structure is passed to the exception handler. This is stealthier than the previous procedure.

As the instructions carrying hardware breakpoints are reached, the previously registered exception handler is supposed to deal with the raised exceptions. The handler simply counts how many times it was reached, then changes EIP to point to a new instruction and resumes execution.

Some debuggers do not deal correctly with hardware breakpoints that were set by the debuggee rather than by the debugger itself, and some of the raised EXCEPTION_SINGLE_STEP exceptions might be consumed by the debugger and never reach the handler the program registered.

After all hardware breakpoints have been reached and their exception handlers have finished, the counter should equal the number of hardware breakpoints initially set. If the value is different, it indicates the presence of a debugger.
3.30. Header EntryPoint

File sections that do not include the IMAGE_SCN_MEM_WRITE (write) attribute are read-only by default to a remote debugger [1]. Additionally, since there is no section that describes the PE header, the header will also be considered read-only; the exception is when the PE SectionAlignment is less than 4 KB, which causes the header to be marked internally as both writable and executable [1].

Being so, if the debugger does not detect this situation and does not grant write access to that region, it cannot place its entry-point breakpoint there and might let the application run freely.

Adopted Static Detection:
The section containing the entry point is analyzed to check whether it has the IMAGE_SCN_MEM_WRITE attribute. If it does not, this technique is considered as detected.
3.31. Self-Execution

This technique relies on a process creating another instance of itself [1]. This way, the second process will not be debugged. Usually this trick is combined with a mutex to prevent many copies of the process from running at the same time.

Adopted Static Detection:
CreateProcessA/CreateProcessW, CreateMutex and WaitForSingleObject are looked for in the IAT. If some of them are found, this technique is considered as evidence detected.
3.32. Hook Detection

Some hooking techniques rely on overwriting the first instruction of the hooked function with a JMP instruction pointing elsewhere [48]. Regarding Microsoft Detours, some characteristics exist that can be used as a signature, such as the .detours section and the presence of detoured.dll [49] [50].

Detecting the presence of a hook might reveal some binary analysis procedures.

Adopted Static Detection:
(1) A CMP instruction with 0xE9 (the opcode of a near JMP rel32) in any of its operands is looked for. If found, this technique is considered as evidence detected.
(2) The string ".detour" is looked for in the binary, excluding the section table. The string "detoured.dll" is also looked for in the binary, excluding the imports. If some of them are found, the technique is considered as detected.
3.33. DbgBreakPoint Overwrite

When a debugger attaches to a process, an exception is raised by the DbgBreakPoint() function in NTDLL (called at attach time) [2]. By handling that exception, the debugger gains control of the debuggee.

By marking the page(s) of DbgBreakPoint() as EXECUTE_READWRITE and overwriting the function with, for example, a RET instruction, the thread created at attach time exits immediately when a debugger attaches to the process, so the debugger never breaks in.
4. Obfuscation and Anti-Disassembly Techniques

Both obfuscation and anti-disassembly techniques target the disassembly. Being so, they were put together in the same section.

Obfuscation is a kind of technique that makes the disassembly result harder for an analyst to understand.

Anti-disassembly is a kind of technique that compromises disassemblers and/or the disassembling process.

Section 4.1 discusses some disassembly concepts. Section 4.2 and Section 4.3 describe, respectively, some anti-disassembly and obfuscation techniques.
4.1. Disassembly Concepts

A binary can be disassembled with a static or a dynamic approach [39]. The static approach analyzes the program bytes and finds instructions without executing them. The dynamic approach executes the program and tracks the instructions as they are executed.

Static disassembly can be categorized into two main classes: linear sweep and recursive traversal.

The linear sweep approach starts from a given byte (for example, the first byte of the entry point) and from that point on decodes byte after byte until a predefined end (for example, the end of the PE section). The main drawback of this approach is that data placed in the middle of code may generate noise, because it will be interpreted as code. An example of a disassembler that uses the linear sweep approach is objdump [26].

Recursive traversal follows the program control flow instead of simply disassembling each byte. It is not affected by the mere presence of data in the middle of code, but it has another main drawback: it is not always possible to statically predict the exact program control flow (indirect jumps and calls, for instance). This may result in some parts not being disassembled and also in the generation of noise. The unreachable areas can be submitted to a linear sweep pass, and such a variation is called speculative disassembly. An example of a disassembler that uses the recursive traversal approach is IDA [40].

Anti-disassembly techniques are discussed in section 4.2 and obfuscation techniques in section 4.3.
4.2. Anti-Disassembly Techniques

Some anti-disassembly techniques are described in the next sections. Techniques currently covered by detection plugins have an additional piece of information: the algorithm used to detect the technique.
4.2.1. Garbage Bytes

This technique relies on adding extra bytes that will never be executed at run-time [5] [38]. It may break both linear sweep and recursive traversal approaches.

A linear sweep approach could interpret such bytes as code, breaking the alignment. As a result, the garbage bytes could be joined with valid bytes from the next instructions, generating wrong instructions instead of the correct ones. For example:

    jmp .destination
    db 0x6a ; garbage byte technique
    .destination:
    pop eax

This example generates the following disassembly in objdump:

    eb 01    jmp 0x401003
    6a 58    push 0x58

Recursive traversal algorithms might also be compromised through garbage bytes if a situation can be forced in which the same set of bytes has more than one interpretation. In this case, the lack of alignment due to the interpretation of the garbage bytes as valid code might lead the disassembler to produce a wrong disassembly. For example, a Fake Conditional Jump (section 4.2.3) could be used for that:

    xor eax,eax
    jz .destination
    db 0x6a ; garbage byte technique
    .destination:
    ; rest of the code
    pop eax

This example produces the following IDA output:

[IDA output: screenshot not reproduced]

Adopted Static Detection:
(1) A PUSH instruction immediately followed by a RET is looked for. If found, the technique is considered as evidence detected.
(2) A XOR instruction with two equal operands is looked for. If found and it is immediately followed by a JNZ instruction, the technique is considered as evidence detected. The same applies to an STC instruction immediately followed by JNC or JAE and to a CLC instruction immediately followed by JC or JB.
4.2.2. Program Control Flow Change

This technique relies on unconditionally forcing a change in the program control flow, leaving an area that contains other anti-disassembly technique(s) unreachable at run-time. Disassemblers using the linear sweep approach will disassemble such an area and the resulting assembly code may be compromised. An unconditional JMP is one way to implement this technique [38]. For example, the following JMP instruction jumps over an unreachable area populated with the Garbage Bytes anti-disassembly technique, avoiding its execution. But objdump will disassemble that area and the resulting output is compromised:

    jmp .destination
    db 0x6a ; garbage byte technique
    .destination:
    ; rest of the code
    pop eax
    ...

Resulting objdump output:

    eb 01    jmp 0x401003
    6a 58    push 0x58

Another implementation is the Instruction Substitution that uses a PUSH followed by a RET to replace a conventional JMP (see section 4.3.3).

It is also possible to use this technique to compromise recursive traversal algorithms by using indirection; an indirect jump, for example, can be used for that purpose [39] [41]. The previous example, modified to use an indirect jump:

    push DWORD .destination
    jmp DWORD [esp]
    db 0x6a ; garbage byte technique
    .destination:
    pop eax

Here the pop eax after the label removes the address left on the stack by the push, so the stack stays balanced.

[IDA output: screenshot not reproduced]

Adopted Static Detection:
A PUSH instruction immediately followed by a RET is looked for. If found, the technique is considered as evidence detected.
4.2.3. Fake Conditional Jumps

This technique, based on [5] and [38], relies on creating conditional jumps whose conditions are always the same. For example:

(1)
    ...
    xor eax,eax
    jz .destination1 ; always taken
    ...

(2)
    ...
    xor eax,eax
    jnz .destination2 ; never taken
    ...

In the first example, the JZ is always taken regardless of the EAX content, of the instructions before the XOR and of the instructions after the JZ, because XOR of a register with itself always sets the zero flag. The same applies to the second example, but the JNZ is never taken.

A recursive traversal approach may disassemble areas that will never be executed, and such unreachable areas can be populated with other anti-disassembly techniques, such as Garbage Bytes, creating two different interpretations for the same set of bytes. Each disassembler has its own way to handle such a conflict, but most of them trust the first interpretation [38]; IDA seems to be an example of this, because it disassembles the false branch first [38].

The following approaches are examples that can be used to implement this technique:

- xor x,x (XOR with two equal operands): true branch JZ; false branch JNZ
- STC instruction: true branch JC or JB; false branch JNC or JAE
- CLC instruction: true branch JNC or JAE; false branch JC or JB

Adopted Static Detection:
A XOR instruction with two equal operands is looked for. If it is immediately followed by a JNZ instruction, the technique is considered as detected. The same applies to an STC instruction immediately followed by JNC or JAE and to a CLC instruction immediately followed by JC or JB.
4.2.4. Call Trick

This technique relies on changing the function's default return address [39] [41]. In conjunction with other techniques such as Garbage Bytes, this trick may break all kinds of disassemblers.

Recursive traversal disassemblers may disassemble the instruction that follows the CALL, but the actual next instruction was changed by the called function. Between the CALL and the next executed instruction, other anti-disassembly techniques, such as Garbage Bytes, can be used. Linear sweep is also affected because it does not interpret instructions and will disassemble the bytes right after the call, becoming vulnerable to other anti-disassembly techniques such as Garbage Bytes.

The following example, which also employs the Garbage Bytes technique, may break both the recursive traversal and the linear sweep approaches:

    call .function
    db 0x6a ; garbage byte
    .correct_return:
    ; rest of the code
    pop eax
    ...
    .function:
    push DWORD .correct_return
    ret

The RET in .function consumes the address that .function pushed, so the return address pushed by the CALL is still on the stack when .correct_return is reached; the pop eax removes it.

The following output is produced by objdump:

    401000: e8 02 00 00 00    call 0x401007
    401005: 6a 58             push 0x58
    401007: 68 06 10 40 00    push 0x401006
    40100c: c3                ret

The following output is produced by IDA:

[IDA output: screenshot not reproduced]
4.2.5. Flow Redirection to the Middle of an Instruction

This technique relies on redirecting the program flow to the middle of an instruction [38]. This might compromise both linear sweep and recursive traversal algorithms.

One implementation is hiding an instruction in the middle of another. The disassembler then shows an instruction that is not executed at run-time instead of the correct instruction that resides in the middle of its bytes.

Linear sweep approaches could be bypassed because the instruction aligned with the rest of the bytes is the wrong one. Recursive traversal algorithms could be affected by making the same set of bytes have more than one interpretation; this can be achieved, for example, by using the Fake Conditional Jump technique.

The following example illustrates such a scenario with code that affects both the linear sweep and the recursive traversal approaches:

    ; Fake Conditional Jump
    xor eax,eax
    jz +4 ; jump to the ret
    ; 0xc3 = ret
    mov eax,0xc3abcdef

In this example, the RET instruction does not directly appear in the disassembly outputs, but it is executed at run-time, as shown in the objdump and IDA outputs below.

Output of objdump:

    31 c0             xor eax,eax
    74 04             je 0x401008
    b8 ef cd ab c3    mov eax,0xc3abcdef

Output of IDA:

[IDA output: screenshot not reproduced]

Another implementation uses this anti-disassembly technique to break the alignment and generate a set of wrong instructions instead of simply hiding one inside another. The following example, based on [38], does this:

    mov ax,0x05eb
    xor eax,eax
    ; jump into the last two bytes of the mov, 0xeb 0x05 = "jmp +5",
    ; which in turn redirects the flow to the rest of the code
    jz -6
    db 0xe8 ; garbage byte
    ; rest of the code
    xor eax,eax
    pop eax
    mov eax,esp
    push ecx

Output of objdump:

    66 b8 eb 05       mov ax,0x5eb
    31 c0             xor eax,eax
    74 fa             je 0x401002
    e8 31 c0 58 89    call 0x8998d03e
    e0 51             loopne 0x401060

Output of IDA:

[IDA output: screenshot not reproduced]

This technique can also be used to make recursive traversal algorithms generate two different interpretations for the same set of bytes without using conditional jumps: jumping into itself [38]. Additionally, because it breaks the alignment, linear sweep algorithms may also be affected. The following example, based on [38], illustrates such a scenario:

    ; All bytes of the example: 0xeb 0xff 0xc0 0x48
    ; jmp -1 = 0xeb 0xff, which jumps to its own second byte (0xff)
    jmp -1
    ; 0xff 0xc0 = inc eax
    db 0xc0
    ; 0x48 = dec eax
    db 0x48

Output of IDA:

[IDA output: screenshot not reproduced]

Output of objdump:

    eb ff    jmp 0x401001
    c0       .byte 0xc0
    48       dec eax

Adopted Static Detection:
(1) A PUSH instruction immediately followed by a RET is looked for. If found, the technique is considered as evidence detected.
(2) A XOR instruction with two equal operands is looked for. If found and it is immediately followed by a JNZ instruction, the technique is considered as evidence detected. The same applies to an STC instruction immediately followed by JNC or JAE and to a CLC instruction immediately followed by JC or JB.
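The following Python script is an added example, not code from the paper or from Dissect || PE. It implements the two static strategies of section 4.1 for the handful of x86-32 opcodes used in the samples above and runs them on the garbage-byte (4.2.1), fake-conditional-jump (4.2.3) and middle-of-instruction / jump-into-itself (4.2.5) byte sequences, reporting where recursive traversal ends up with two instructions claiming the same bytes. The load address 0x401000 is assumed to match the objdump listings in the paper.

```python
"""Linear sweep vs. recursive traversal on the paper's anti-disassembly samples."""
import struct

BASE = 0x401000  # assumed load address, as in the paper's objdump listings

SINGLE = {0x90: "nop", 0xC3: "ret", 0x58: "pop eax", 0x48: "dec eax"}
BRANCH = {0xEB: "jmp", 0x74: "jz", 0x75: "jnz"}


def decode(code, off):
    """Decode one instruction at `off` -> (length, text, [branch targets], falls_through).
    Raises ValueError for bytes this mini-decoder does not know."""
    op = code[off]
    if op in SINGLE:
        return 1, SINGLE[op], [], op != 0xC3
    if op == 0x31 and code[off + 1] == 0xC0:
        return 2, "xor eax,eax", [], True
    if op == 0xFF and code[off + 1] == 0xC0:
        return 2, "inc eax", [], True
    if op == 0x6A:
        return 2, f"push 0x{code[off + 1]:x}", [], True
    if op == 0xB8:
        return 5, f"mov eax,0x{struct.unpack_from('<I', code, off + 1)[0]:x}", [], True
    if op in BRANCH:
        target = off + 2 + struct.unpack_from("<b", code, off + 1)[0]
        return 2, f"{BRANCH[op]} 0x{BASE + target:x}", [target], op != 0xEB
    raise ValueError(f"unknown opcode {op:#04x} at {off:#x}")


def safe_decode(code, off):
    """Like decode(), but undecodable bytes become a 1-byte '.byte' pseudo-instruction,
    which is what objdump prints."""
    try:
        return decode(code, off)
    except (ValueError, IndexError, struct.error):
        return 1, f".byte 0x{code[off]:02x}", [], True


def linear_sweep(code):
    """Decode every byte in order from the start: data or garbage bytes shift the
    alignment of everything that follows them."""
    listing, off = [], 0
    while off < len(code):
        n, text, _, _ = safe_decode(code, off)
        listing.append((BASE + off, text))
        off += n
    return listing


def recursive_traversal(code, entry=0):
    """Follow control flow from `entry` (fall-through plus branch targets).
    Returns (listing, overlaps): `overlaps` are instruction starts that share
    bytes with another decoded instruction, the 'two interpretations for the
    same bytes' case that fake conditional jumps and jumps into the middle of
    an instruction create. A real disassembler has to pick one of them."""
    insns, work = {}, [entry]
    while work:
        off = work.pop()
        if off in insns or not 0 <= off < len(code):
            continue
        n, text, targets, falls = safe_decode(code, off)
        insns[off] = (n, text)
        if falls:
            work.append(off + n)
        work.extend(targets)
    overlaps = set()
    for a, (n, _) in insns.items():
        for b in insns:
            if a < b < a + n:
                overlaps.update((a, b))
    listing = [(BASE + off, text) for off, (_, text) in sorted(insns.items())]
    return listing, sorted(BASE + o for o in overlaps)


SAMPLES = {  # byte strings assembled from the listings in sections 4.2.1, 4.2.3 and 4.2.5
    "garbage_byte": bytes.fromhex("eb01 6a58"),
    "fake_jz": bytes.fromhex("31c0 7401 6a58"),
    "hidden_ret": bytes.fromhex("31c0 7404 b8efcdabc3"),
    "jump_into_itself": bytes.fromhex("ebff c0 48"),
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"== {name}: linear sweep")
        for addr, text in linear_sweep(code):
            print(f"  {addr:x}  {text}")
        listing, overlaps = recursive_traversal(code)
        print("   recursive traversal")
        for addr, text in listing:
            print(f"  {addr:x}  {text}{'  <-- overlap' if addr in overlaps else ''}")
```

For the garbage-byte sample the linear sweep reproduces the objdump output above (`push 0x58`), while recursive traversal follows the jump and recovers `pop eax`; for the fake `jz` and hidden `ret` samples recursive traversal decodes both branches and reports the overlapping starts, which is exactly the conflict a disassembler resolves by trusting whichever interpretation it met first.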
4.3. Obfuscation Techniques

Some obfuscation techniques are described in the next sections. Techniques currently covered by detection plugins have an additional piece of information: the algorithm used to detect the technique.
4.3.1. Push Pop Math

This technique can be used to obfuscate a value and relies on three steps [24]:

- Push a known immediate
- Pop that immediate into a register
- Do some math on the register

At the end, the register holds the desired value, but that value never appears explicitly in the code itself.

Adopted Static Detection:
A PUSH instruction with an immediate operand is looked for:

    push immediate

If found, the next instruction is compared against a POP; if it matches, the destination (X) is saved for future use:

    pop X

Then, the next instruction is compared against AND, OR and XOR with the destination operand being the saved one (X) and the other one being an immediate:

    and/or/xor X,immediate

If this scenario happens, the technique is considered as detected.
4.3.2. NOP Sequence

This type of dead-code insertion relies on adding a sequence of NOP instructions in the middle of the code [25]. This can make the disassembly analysis harder by reducing the legibility of the code, and can bypass some signature-based algorithms.

Adopted Static Detection:
A sequence of 5 NOPs within the same function is looked for. RET is used to mark the end of a function. If found, this technique is considered as detected.
4.3.3. Instruction Substitution

This technique relies on replacing an instruction, or a set of them, with equivalent ones [25] [45]. It can be used to make the analysis harder for a professional and also to bypass signatures. Some examples are:

- "xor eax,eax + jz" to replace a JMP. For example, "jmp .destination" can be replaced by "xor eax,eax + jz .destination"
- "push + pop" to replace a MOV. For example, "mov eax,0x1" can be replaced by "push 0x1 + pop eax"
- "sub" to replace a XOR. For example, "xor eax,eax" can be replaced by "sub eax,eax"

Another example, discussed in more detail here, is replacing a JMP with "push + ret". According to [8], RET "transfers program control to a return address located on the top of the stack" and, additionally, it pops that address into EIP. So, if the stack is manipulated to put the desired target address on its top, RET and its variations, such as RETN and RETF, can be used as an obfuscated JMP.

The best-known way to implement this is the Push Ret: the address to redirect the flow to is pushed and then RET is executed, effectively changing the flow:

    push .destination
    ret

Although Push Ret is the best-known approach, there are other variations, for example:

    mov [esp],DWORD .destination
    ret

RET is normally used to return from a procedure. Being so, if the alternative jump variation looks like the prologue and epilogue of a function in a given calling convention, it is stealthier and more difficult to detect automatically. For example:

    push .destination
    push ebp
    mov ebp,esp
    leave
    ret

Here leave restores esp to the value it had right after the push ebp and pops ebp, leaving .destination on top of the stack for the ret.

Adopted Static Detection:
A PUSH instruction is looked for. If found and the next instruction is a RET, the technique is considered as detected. The mov [esp] and leave variants above are not matched by this rule.
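The following Python script is an added example of the instruction-sequence rules from the "Adopted Static Detection" paragraphs; it is not the paper's plugin code. It implements the rules of sections 3.26 (CMP against 0xCC), 3.32 (CMP against 0xE9), 4.2.2 and 4.3.3 (PUSH immediately followed by RET), 4.2.3 (XOR r,r + JNZ, STC + JNC/JAE, CLC + JC/JB), 4.3.1 (push imm; pop reg; and/or/xor reg,imm) and 4.3.2 (five NOPs inside one function, with RET ending the function); the same push/ret and flag-jump rules are reused by section 4.3.7. Going slightly beyond the paper, the flag rule also accepts SUB r,r, which section 4.3.3 lists as a substitute for XOR r,r. The input format is one "mnemonic op1,op2 ; comment" instruction per line, as in the paper's own snippets; the SAMPLE listing is constructed for the demonstration.

```python
"""Static detection rules over a textual instruction listing (added example)."""
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
        "al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}
IMMEDIATE = re.compile(r"^(0x[0-9a-f]+|[0-9a-f]+h|\d+)$")
FLAG_JUMPS = {"stc": {"jnc", "jae"}, "clc": {"jc", "jb"}}


def imm_value(tok):
    """Integer value of an immediate operand ('0xcc', '0CCh', '204'), else None."""
    t = tok.lower().replace("dword", "").strip()
    if t in REGS or not IMMEDIATE.match(t):
        return None
    if t.startswith("0x"):
        return int(t, 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    return int(t)


def parse_listing(text):
    """-> [(line_no, mnemonic, [operands])]; labels, blank and comment-only lines are skipped."""
    insns = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip().lower()
        if not line or line.endswith(":"):
            continue
        head, _, tail = line.partition(" ")
        ops = [o.strip() for o in tail.split(",")] if tail else []
        insns.append((no, head, ops))
    return insns


def scan(insns):
    """Apply the rules; returns [(line_no_of_first_instruction, rule_name)]."""
    findings = []
    nop_run, nop_start = 0, None
    push_line, popped = None, None        # state for push imm ; pop reg ; math reg,imm
    for i, (no, mn, ops) in enumerate(insns):
        nxt = insns[i + 1][1] if i + 1 < len(insns) else None

        if mn == "push" and nxt in ("ret", "retn", "retf"):
            findings.append((no, "push_ret"))                          # 4.2.2 / 4.3.3
        if mn in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1] \
                and ops[0] in REGS and nxt == "jnz":
            findings.append((no, "fake_conditional_jump"))             # 4.2.3
        if mn in FLAG_JUMPS and nxt in FLAG_JUMPS[mn]:
            findings.append((no, "fake_conditional_jump"))

        if mn == "push" and ops and imm_value(ops[0]) is not None:     # 4.3.1, step 1
            push_line, popped = no, None
        elif mn == "pop" and push_line is not None and ops and ops[0] in REGS:
            popped, push_line = (push_line, ops[0]), None              # step 2
        elif popped and mn in ("and", "or", "xor") and len(ops) == 2 \
                and ops[0] == popped[1] and imm_value(ops[1]) is not None:
            findings.append((popped[0], "push_pop_math"))              # step 3
            popped = None
        else:
            push_line, popped = None, None

        if mn == "nop":                                                # 4.3.2
            nop_run += 1
            nop_start = nop_start if nop_run > 1 else no
            if nop_run == 5:
                findings.append((nop_start, "nop_sequence"))
        else:
            nop_run = 0

        if mn in ("cmp", "cmpxchg"):
            values = {imm_value(o) for o in ops}
            if 0xCC in values:
                findings.append((no, "int3_compare"))                  # 3.26
            if 0xE9 in values:
                findings.append((no, "jmp_opcode_compare"))            # 3.32
        if mn in ("ret", "retn", "retf"):                              # function boundary
            nop_run, push_line, popped = 0, None, None
    return findings


SAMPLE = """\
; constructed listing exercising every rule above
push 0x12345678
pop ecx
xor ecx,0x12345679      ; push-pop math: ecx = 1
xor eax,eax
jnz .fake_code          ; never taken
push .destination
ret                     ; push/ret used as a jmp
.destination:
nop
nop
nop
nop
nop
cmp byte [esi],0xcc     ; software breakpoint scan
ret
"""


def demo():
    return scan(parse_listing(SAMPLE))


if __name__ == "__main__":
    for line_no, rule in demo():
        print(f"line {line_no:>2}: {rule}")
```

Each rule is a fixed window over adjacent instructions, which is why the paper labels most of them "evidence": a compiler emitting `xor eax,eax` right before a `jnz` that tests an earlier flag, or padding with NOPs for alignment, trips the same patterns.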
4.3.4. Code Transposition

This technique relies on shuffling instructions so that the order in which they appear in the binary differs from the order in which they are executed [25] [45].

The following two methods can be used for that purpose:

- Shuffle the instructions and make them execute in the correct order by using program control flow changes. This can be achieved, for example, with unconditional jumps and some of their Instruction Substitutions, such as "xor eax,eax + jz" used instead of a JMP instruction.
- Choose and reorder sets of instructions that do not interfere with each other's results. Such a shuffling changes the order of the instructions in the binary and at the same time does not change the program results.

As an example, the following code is the binary before the obfuscation process:

    xor eax,eax
    inc eax
    push ebx
    ...

The following code is the original binary obfuscated with the program control flow change approach:

    jmp .first
    .second:
    push ebx
    jmp .continuation
    .first:
    xor eax,eax
    inc eax
    jmp .second
    .continuation:
    ...

The following code is the original binary obfuscated with the reordering approach:

    push ebx
    ; inc depends on xor,
    ; so the order of those two instructions was not changed
    xor eax,eax
    inc eax
4.3.5. Register Reassignment

This technique relies on changing the registers used by a program or part of it [25][45].

For example, the following code shows a program before the obfuscation:

    xor eax,eax
    inc ebx

After a fictitious obfuscation that exchanges EAX with EBX and vice-versa, the following code is generated:

    xor ebx,ebx
    inc eax

Although this technique does not make the analysis much more complicated, it can be used to bypass signatures.
4.3.6. Code Integration

This technique relies on disassembling a target program file and inserting the code to be obfuscated inside it [45][46]. In order to do that, the target program needs to be fixed up so that it still runs. This way, the code to be obfuscated is hidden in the middle of the other program.
4.3.7. Fake Code Insertion

This is a variation of the Garbage Bytes anti-disassembly technique. The idea is to insert instructions that will never be executed [38], making them appear in the generated disassembly. This can, for example, confuse the professional analyzing the disassembly with lots of fake code and bypass signature-based algorithms.

The implementation is exactly the same as in the Garbage Bytes technique, but instead of garbage bytes, valid instructions are added:

    jmp .destination
    push 0x12345678 ; fake code
    inc eax ; fake code
    mov esp,eax ; fake code
    ; more fake code here
    .destination:
    ...

Instead of a simple JMP instruction, any other technique that redirects the program control flow, such as Fake Conditional Jump and Instruction Substitution (section 4.3.3), could be used. For example:

(1) Fake Conditional Jump example

    xor eax,eax
    jnz .fake_code
    jmp .destination
    .fake_code:
    push 0x12345678 ; fake code
    inc eax ; fake code
    mov esp,eax ; fake code
    ; more fake code here
    .destination:
    ...

(2) Instruction Substitution example

    push .destination
    ret
    push 0x12345678 ; fake code
    inc eax ; fake code
    mov esp,eax ; fake code
    ; more fake code here
    .destination:
    ...

Adopted Static Detection:
(1) A PUSH instruction immediately followed by a RET is looked for. If found, the technique is considered as evidence detected.
(2) A XOR instruction with two equal operands is looked for. If found and it is immediately followed by a JNZ instruction, the technique is considered as evidence detected. The same applies to an STC instruction immediately followed by JNC or JAE and to a CLC instruction immediately followed by JC or JB.
4.3.8. PEB->Ldr Address Resolving

The PEB is a structure that contains process information. Among its fields there is Ldr, which points to a structure that contains information about the modules loaded in the process [34].

It is possible to retrieve the PEB (fs:[0x30]) and access its Ldr field (offset 0x0c). From there, the loaded modules can be enumerated and function addresses resolved without any import [34] [35] [36]. These offsets are for 32-bit processes; 64-bit code reaches the PEB through gs:[0x60] and finds Ldr at offset 0x18.

Adopted Static Detection:
A MOV instruction (mov, movsx, movzx) copying the PEB address (fs:[0x30]) somewhere (X) is looked for and X is saved for future use:

    mov/movsx/movzx X,op2 ; where "fs:[0x30]" is inside op2

Then, later in the same function, a MOV (mov, movsx, movzx) or a CMP (cmp, cmpxchg) instruction referencing the Ldr field ([X+0x0c] in one of the operands) is looked for:

    mov/movsx/movzx/cmp/cmpxchg op1,op2 ; where [X+0xc] is a substring of op1 or op2

RET is used to mark the end of a function. If this scenario happens, the technique is considered as detected.
4.3.9. Stealth Import of the Windows API

Regardless of the import table, ntdll.dll and kernel32.dll are automatically mapped into the process address space [37]. This means it is possible to reach them even in an executable with no imports.

These DLLs can be reached through the SEH chain, because its first registered record (the last one in the chain, whose Next field is 0xFFFFFFFF) normally points to a handler in either ntdll.dll or kernel32.dll.

To get the DLL address, the SEH chain (fs:[0]) is walked to that record, whose handler field is at offset 0x4. Then, memory is scanned backwards from the handler address looking for 'MZ' and, once found, the candidate is validated through the offset at 0x3C (e_lfanew), which is supposed to point to "PE\0\0": a handle to the module has been found. From this point on, the IMAGE_DATA_DIRECTORY entry of the DLL can be found at offset 0x78 from the PE signature; it holds the RVA of the export directory, which, added to the previously found handle, gives the address of the Export Directory Table, from which any exported function can be resolved by name.

Adopted Static Detection:
(1)
A MOV instruction (mov, movsx, movzx) copying the SEH chain head (fs:[0x0]) somewhere (X) is looked for and X is saved for future use:

    mov/movsx/movzx X,op2 ; where "fs:[0x0]" is inside op2

Then, later in the same function, a MOV (mov, movsx, movzx) instruction referencing the PEB (fs:[0x30]) in the second operand is looked for and, if found, the algorithm is reset.

Continuing with the next lines, a MOV instruction (mov, movsx, movzx) referencing the exception handler ([X+0x4]) in the second operand is looked for and, if found, the first operand (Y) is saved for future use:

    mov/movsx/movzx Y,op2 ; where "[X+0x4]" is a substring of op2

Later in the same function, a CMP instruction (cmp, cmpxchg) referencing Y in the first operand is looked for (the 'MZ' scan):

    cmp/cmpxchg op1,? ; where Y is a substring of op1

Later in the same function, a MOV instruction (mov, movsx, movzx) with the "PE\0\0" offset relative to Y ([Y+0x3c]) in the second operand is looked for:

    mov/movsx/movzx ?,op2 ; where [Y+0x3c] is a substring of op2

Later in the same function, an AND, OR, XOR, ADD, SUB or CMP instruction referencing the IMAGE_DATA_DIRECTORY offset (0x78) in one of its operands is looked for:

    and/or/xor/add/sub/cmp ? ; where "0x78" is a substring of any of the operands

RET is used to mark the end of a function. If this scenario happens, the technique is considered as detected.

(2)
If the IAT is empty, this technique is considered as evidence detected.
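The following Python script is an added example that replays the walk described in this section on a constructed 32-bit address space; it is not taken from the paper's repository. It reads the SEH chain head (the value of fs:[0]), walks to the last record (Next == 0xFFFFFFFF) and takes its handler at +0x4, scans backwards page by page for 'MZ', validates the candidate through e_lfanew (+0x3C) pointing at "PE\0\0", reads the export directory RVA at PE+0x78 and resolves a function by name through the export tables. The module base, handler address, export names and stack addresses are invented in build_memory(); the structure offsets are the real PE32 and SEH ones.

```python
"""Stealth import walk (SEH -> handler -> 'MZ' -> 'PE' -> export table) on a fake address space."""
import struct

PAGE = 0x1000
FAKE_BASE = 0x7C800000        # invented load address of the fake system DLL
FAKE_STACK = 0x0012F000       # invented stack page holding the SEH records


class Memory:
    """Sparse address space: reads outside a mapped region raise, like a fault would."""

    def __init__(self):
        self.regions = {}

    def map(self, base, data):
        self.regions[base] = bytes(data)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise MemoryError(f"unmapped read at {addr:#010x}")

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]

    def cstr(self, addr):
        out = b""
        while (c := self.read(addr + len(out), 1)) != b"\0":
            out += c
        return out.decode()


def last_seh_handler(mem, fs0):
    """Walk EXCEPTION_REGISTRATION_RECORD {Next, Handler} from fs:[0] to the last record."""
    rec = fs0
    while (nxt := mem.u32(rec)) != 0xFFFFFFFF:
        rec = nxt
    return mem.u32(rec + 4)


def find_module_base(mem, addr):
    """Scan backwards from `addr` in page steps until an 'MZ' header whose e_lfanew
    points at 'PE\\0\\0' is found. Real code guards each probe (IsBadReadPtr / SEH);
    here an unmapped read simply ends the scan."""
    base = addr & ~(PAGE - 1)
    while True:
        try:
            if mem.read(base, 2) == b"MZ":
                e_lfanew = mem.u32(base + 0x3C)
                if mem.read(base + e_lfanew, 4) == b"PE\0\0":
                    return base
        except MemoryError:
            return None
        base -= PAGE


def export_address(mem, base, name):
    """Resolve `name` through IMAGE_EXPORT_DIRECTORY (its RVA sits at PE+0x78)."""
    pe = base + mem.u32(base + 0x3C)
    exp = base + mem.u32(pe + 0x78)
    n_names = mem.u32(exp + 0x18)
    funcs, names, ordinals = (base + mem.u32(exp + o) for o in (0x1C, 0x20, 0x24))
    for i in range(n_names):
        if mem.cstr(base + mem.u32(names + 4 * i)) == name:
            return base + mem.u32(funcs + 4 * mem.u16(ordinals + 2 * i))
    return None


def stealth_resolve(mem, fs0, name):
    """The whole chain: SEH -> handler -> module base -> export by name."""
    base = find_module_base(mem, last_seh_handler(mem, fs0))
    return base, (export_address(mem, base, name) if base else None)


def build_memory():
    """Constructed image: a 3-page fake DLL exporting two names, and a stack page with
    two SEH records (the application's own, then the loader's final handler)."""
    img = bytearray(3 * PAGE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x100)                      # e_lfanew
    pe = 0x100
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 0)                # Machine=i386, 0 sections
    struct.pack_into("<H", img, pe + 0x18, 0x10B)                 # PE32 optional header magic
    struct.pack_into("<II", img, pe + 0x78, 0x200, 0x80)          # export directory RVA, size
    exp = 0x200
    struct.pack_into("<I", img, exp + 0x0C, 0x320)                # Name -> "fake32.dll"
    struct.pack_into("<IIIIII", img, exp + 0x10, 1, 2, 2, 0x260, 0x270, 0x280)
    struct.pack_into("<II", img, 0x260, 0x1000, 0x1100)           # AddressOfFunctions
    struct.pack_into("<II", img, 0x270, 0x300, 0x310)             # AddressOfNames
    struct.pack_into("<HH", img, 0x280, 0, 1)                     # AddressOfNameOrdinals
    img[0x300:0x30F] = b"GetProcAddress\0"
    img[0x310:0x31D] = b"LoadLibraryA\0"
    img[0x320:0x32B] = b"fake32.dll\0"
    stack = bytearray(PAGE)
    struct.pack_into("<II", stack, 0xF00, FAKE_STACK + 0xFE0, 0x00401000)   # app handler
    struct.pack_into("<II", stack, 0xFE0, 0xFFFFFFFF, FAKE_BASE + 0x2345)   # final handler
    mem = Memory()
    mem.map(FAKE_BASE, img)
    mem.map(FAKE_STACK, stack)
    return mem, FAKE_STACK + 0xF00        # second value stands in for fs:[0]


if __name__ == "__main__":
    mem, fs0 = build_memory()
    for fn in ("LoadLibraryA", "GetProcAddress"):
        base, addr = stealth_resolve(mem, fs0, fn)
        print(f"{fn}: module {base:#010x}, address {addr:#010x}")
```

Once GetProcAddress and LoadLibraryA are resolved this way, every other API can be reached without a single entry in the import table, which is why the section's second rule treats an empty IAT as evidence on its own.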
4.3.10. Function Call Obfuscation

LoadLibrary and GetProcAddress can be used to call any other function. By importing only these two, it is possible to hide which API functions the program actually calls.

Adopted Static Detection:
If LoadLibraryA/LoadLibraryW/LoadLibraryExA/LoadLibraryExW and GetProcAddress are both found in the IAT, this technique is considered as detected.
5. Anti-Virtual Machine

Some anti-virtual machine techniques are described in the next sections. Techniques currently covered by detection plugins have an additional piece of information: the algorithm used to detect the technique.

5.1. CPU Instructions Results Comparison

Some CPU instructions, due to their specific nature, have characteristic results when executed inside virtual machine solutions, and those results can be used to infer the presence of the virtual machine [28].

The following instructions are examples that can be used for that purpose:

- SIDT: stores the Interrupt Descriptor Table Register (IDTR) content [8] [27] [28] [29] [30]
- SLDT: stores the segment selector from the Local Descriptor Table Register (LDTR) [8] [27] [28] [30]
- SGDT: stores the Global Descriptor Table Register (GDTR) content [8] [27] [28] [30]
- STR: stores the segment selector from the Task Register (TR) [8] [27] [28] [30]
- SMSW: stores the machine status word into the destination operand [8] [30] [42]

None of these instructions is privileged, so user-mode code can execute them without raising an exception; what differs under a hypervisor is the value they return.

Adopted Static Detection:
The instructions SIDT, SLDT, SGDT and STR are looked for. If some of them are found, this technique is considered as detected.
5.2. VMware – IN Instruction

I/O ports can be accessed through the privileged instructions IN and OUT; in normal cases [31] an attempt to run these instructions in user mode raises an exception [28] [31].

VMware [43] uses the IN instruction on a special port (VX, i.e. 0x5658), which exists only inside its virtual machines, as an interface between the virtual machines and the VMware software itself. So, such an operation will not raise an exception if executed in user mode inside a VMware virtual machine [28] [31].

This can be used to detect whether an application is running inside a VMware virtual machine.

Adopted Static Detection:
The IN instruction is looked for. If found, this technique is considered as detected.
5.3. VirtualPC – Invalid Instruction

When an invalid instruction is executed, an exception is raised, and it can be handled by the software using a try/catch mechanism [31].

VirtualPC [44] relies on invalid instructions to interface between the virtual machines and the VirtualPC software itself. An example is the invalid instruction "0x0F 0x3F 0x07 0x0B", which does not raise an exception inside a VirtualPC virtual machine.

This can be used to detect whether an application is running inside a VirtualPC virtual machine: the sequence is executed inside an exception handler, and if the handler runs, the code is not inside VirtualPC.

Adopted Static Detection:
Starting at a byte that was not recognized as valid by the disassembler, the following four-byte sequence is looked for:

    0x0F 0x3F 0x07 0x0B

If this scenario happens, the technique is considered as detected.
6. New Techniques

The new techniques implemented in this work are described in the next sections.

6.1. Dynamic Approach

The static techniques in the previous sections that rely on function calls, or on function calls with specific parameters, are not reliably detected using only the static approach: the IAT does not show whether an imported function is ever called, nor with which arguments.

Being so, a dynamic approach was developed that puts a software breakpoint on the target functions. When those functions are reached, it is possible to detect the call more reliably and to extract its parameters.
6.2. SSEXY Detection

SSEXY [33] is a tool developed by Jurriaan Bremer that, given a binary, obfuscates it by converting many "conventional" assembly instructions to an SSE-based version. In this work, it was considered an obfuscation technique.

There were some troubles running SSEXY on the 883 executables used to test all plugins and techniques in this work, because the tool is still at an early development stage. So, some simple binaries were developed for the specific purpose of testing the SSE obfuscation provided by SSEXY. In the end, together with the two demo binaries distributed with SSEXY, there were 9 cases to study the SSEXY obfuscation. The following pattern was identified in all 9 cases (?? matches any byte; the fixed opcodes are PSHUFD, PAND, PAND and PXOR, with their ModRM, displacement and immediate bytes wildcarded):

    66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF

This pattern generated no false positives when tested against the 883 executables and correctly detected the SSEXY obfuscation in all 9 cases.

SSEXY was released in May 2012 and roughly one month later a detection plugin was finished, tested and running in the Dissect || PE system.

Adopted Static Detection:
The following pattern is looked for in the binary:

    66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF

If found, the technique is considered as detected.
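The following Python script is an added example of byte-level signatures for the anti-VM checks of sections 5.1 to 5.3 and the SSEXY pattern of section 6.2; it is not the paper's plugin code. The descriptor-table instructions are recognised by decoding the ModRM byte after 0F 00 / 0F 01, because SGDT, SIDT, SLDT, STR and SMSW share those opcode groups with LGDT, LIDT, LLDT, LTR, VERR, VERW, INVLPG and mod=11 forms such as VMCALL, which a fixed two-byte pattern would also match. The VMware magic value 'VMXh' (0x564D5868 in EAX) and the port 0x5658 ('VX' in DX) are the publicly known backdoor values, added here as a stronger signal than a bare IN opcode; the paper's own rule only looks for IN. As in the paper, this is a heuristic over raw bytes and in a plugin should run at decoded instruction starts only. SAMPLE is constructed for the demonstration.

```python
"""Anti-VM and SSEXY byte signatures (added example)."""
import re

GROUP_0F00 = {0: "sldt", 1: "str"}              # 0F 00 /0 and /1 (register or memory)
GROUP_0F01 = {0: "sgdt", 1: "sidt", 4: "smsw"}  # 0F 01 /0, /1 (memory only) and /4
IN_OPCODES = {0xE4: "in al,imm8", 0xE5: "in eax,imm8", 0xEC: "in al,dx", 0xED: "in eax,dx"}
VMWARE_MAGIC = bytes.fromhex("b868584d56")      # mov eax,0x564D5868 ('VMXh')
VMWARE_PORT = bytes.fromhex("ba58560000")       # mov edx,0x5658     ('VX')


def descriptor_table_reads(code):
    """Section 5.1: offsets and names of SGDT/SIDT/SLDT/STR/SMSW."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        name = (GROUP_0F00 if code[i + 1] == 0x00 else GROUP_0F01).get(reg)
        if name in ("sgdt", "sidt") and mod == 3:
            continue                                 # e.g. 0F 01 C1 is VMCALL, not SGDT
        if name:
            hits.append((i, name))
    return hits


def vmware_backdoor(code):
    """Section 5.2: IN instructions, plus whether the VMXh/VX constants are present."""
    ins = [(i, IN_OPCODES[b]) for i, b in enumerate(code) if b in IN_OPCODES]
    return ins, VMWARE_MAGIC in code and VMWARE_PORT in code


def compile_pattern(text):
    """'66 0F 70 ?? ??' -> compiled bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in text.split()]
    return re.compile(b"".join(parts), re.DOTALL)


VIRTUALPC_PATTERN = compile_pattern("0F 3F 07 0B")   # section 5.3
SSEXY_PATTERN = compile_pattern(                      # section 6.2: PSHUFD, PAND, PAND, PXOR
    "66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF")


def find_pattern(pattern, code):
    return [m.start() for m in pattern.finditer(code)]


def scan_all(code):
    ins, magic = vmware_backdoor(code)
    return {
        "descriptor_tables": descriptor_table_reads(code),
        "in_instructions": ins,
        "vmware_magic": magic,
        "virtualpc": find_pattern(VIRTUALPC_PATTERN, code),
        "ssexy": find_pattern(SSEXY_PATTERN, code),
    }


SAMPLE = bytes.fromhex(          # constructed byte stream, one construct after another
    "0f014df8"          # sidt [ebp-8]
    "0f00c0"            # sldt eax
    "0f01e0"            # smsw eax
    "0f01c1"            # vmcall: same opcode group, must not be reported
    "0f00c8"            # str eax
    "b868584d56"        # mov eax,'VMXh'
    "ba58560000"        # mov edx,0x5658
    "ed"                # in eax,dx
    "0f3f070b"          # VirtualPC invalid instruction
    "660f70c01b"        # pshufd xmm0,xmm0,0x1b      (SSEXY-style sequence)
    "660fdb0500104000"  # pand xmm0,[0x401000]
    "660fdb0d10104000"  # pand xmm1,[0x401010]
    "660fefc1"          # pxor xmm0,xmm1
)

if __name__ == "__main__":
    for key, value in scan_all(SAMPLE).items():
        print(f"{key}: {value}")
```

The same `compile_pattern` helper is what a plugin needs for any wildcard signature of this kind: the pattern is translated once into a bytes regex, and `finditer` returns every non-overlapping hit in the file.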
6.3. Flame Detection

The Flame malware made the news due to its rich capabilities and to the fact that it remained undetected for a long time. Many researchers quickly noted the existence of an embedded scripting language within the malware and pointed to this as a new enhancement for malware. We wrote a detection script to inspect all our samples for the presence of an embedded scripting language, such as Lua [47].
7. Resources

The most up-to-date version of this document can be found at: http://research.dissect.pe

Additionally, examples for each of the attacking techniques discussed in this paper are available at: https://github.com/rrbranco/blackhat2012
8. Conclusions and Future Directions

This research provides guidance on the protection techniques used by malware, more specifically the anti-debugging, anti-disassembly, obfuscation and anti-VM ones. It also goes beyond the current standards in malware analysis by providing the results against millions of samples.

We created examples for each of the techniques discussed in this paper, facilitating the development of the detection code. Additionally, that code is publicly available.

For validation purposes, this work explains how the detections are executed.

The research results can be expanded and hopefully we will publicly release more information, such as:

- More anti-reverse engineering techniques
- More statistics with more analyzed samples
9. Acknowledgement
Ronaldo Pinheiro de Lima - joined our team a bit later in the research process, but gave amazing contributions.
Peter Ferrie - Great papers and feedback/discussions by email.
Jurriaan Bremer - SSEXY.
ReversingLabs for the TitaniumCore.
10. References
[1] Peter Ferrie - Anti-Unpacker Tricks
[2] Peter Ferrie - The "Ultimate" Anti-Debugging Reference
[3] Peter Ferrie - Anti-Unpacker Tricks - Part Eight
[4] Evilcodecave's Weblog - RtlQueryProcessHeapInformation As Anti-Dbg Trick - http://evilcodecave.wordpress.com/2009/04 (Last Access: 04/May/2012)
[5] Mark Vincent Yason - The Art Of Unpacking
[6] MSDN - BlockInput function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms646290%28v=vs.85%29.aspx (Last Access: 05/May/2012)
[7] Nicolas Falliere - Windows Anti-Debug Reference - http://www.symantec.com/connect/articles/windows-anti-debug-reference (Last Access: 24/June/2012)
[8] Intel - Intel® 64 and IA-32 Architectures Software Developer's Manual - Volume 2B: Instruction Set Reference, N-Z - http://download.intel.com/design/processor/manuals/253667.pdf (Last Access: 24/June/2012)
[9] Matt Pietrek - A Crash Course on the Depths of Win32™ Structured Exception Handling - http://www.microsoft.com/msj/0197/exception/exception.aspx (Last Access: 24/June/2012)
[10] MSDN - Creating Guard Pages - http://msdn.microsoft.com/en-us/library/windows/desktop/aa366549%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[11] Josh_Jackson - An Anti-Reverse Engineering Guide - http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide (Last Access: 25/June/2012)
[12] Chuck Walbourn - Game Timing and Multicore Processors - http://msdn.microsoft.com/en-us/library/windows/desktop/ee417693%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[13] Intel - Using the RDTSC Instruction for Performance Monitoring - http://www.ccsl.carleton.ca/~jamuir/rdtscpm1.pdf (Last Access: 25/June/2012)
[14] MSDN - GetTickCount function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724408%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[15] MSDN - timeGetTime function - http://msdn.microsoft.com/en-us/library/windows/desktop/dd757629%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[16] MSDN - GetLocalTime function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724338%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[17] MSDN - GetSystemTime function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724390%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[18] MSDN - QueryPerformanceCounter function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms644904%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[19] Justin Seitz - Gray Hat Python - Python Programming for Hackers and Reverse Engineers
[20] MSDN - NtSetInformationThread - http://msdn.microsoft.com/en-us/library/windows/hardware/ff557675%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[21] MSDN - ZwSetInformationThread routine - http://msdn.microsoft.com/en-us/library/windows/hardware/ff567101%28v=vs.85%29.aspx (Last Access: 25/June/2012)
[22] Mark Stamp - Anti-Reversing Techniques - http://www.cs.sjsu.edu/~stamp/CS286/pptSRE/SRE_anti-reversing.ppt (Last Access: 04/July/2012)
[23] MSDN - NtQuerySystemInformation function - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724509%28v=vs.85%29.aspx (Last Access: 04/July/2012)
[24] Laspe Raber, Jason Raber - BlackHat 2008 - Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation
[25] Mihai Christodorescu and Somesh Jha - Proceedings of the 12th USENIX Security Symposium - Static Analysis of Executables to Detect Malicious Patterns
[26] objdump - http://www.gnu.org/software/binutils/ (Last Access: 12/July/2012)
[27] Intel - Intel® 64 and IA-32 Architectures Software Developer's Manual - Volume 3A: System Programming Guide, Part 1 - http://download.intel.com/products/processor/manual/253668.pdf (Last Access: 12/July/2012)
[28] Stefan Bahlmann - Master Thesis - Detection of Virtual Machine Aware Malware
[29] Joanna Rutkowska - Red Pill
[30] John Scott Robin, Cynthia E. Irvine - Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor
[31] Elias Bachaalany - Detect if your program is running inside a Virtual Machine - http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual (Last Access: 12/July/2012)
[32] halfdead - Phrack Magazine - Volume 0x0c, Issue 0x41, Phile #0x08 of 0x0f - http://www.phrack.org/issues.html?issue=65&id=8 (Last Access: 12/July/2012)
[33] Jurriaan Bremer - SSEXY - https://github.com/jbremer/ssexy (Last Access: 12/July/2012)
[34] MSDN - PEB structure - http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706%28v=vs.85%29.aspx (Last Access: 12/July/2012)
[35] MSDN - PEB_LDR_DATA structure - http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708%28v=vs.85%29.aspx (Last Access: 12/July/2012)
[36] Harmony Security - Blog - Retrieving Kernel32's Base Address - http://blog.harmonysecurity.com/2009/06/retrieving-kernel32s-base-address.html (Last Access: 12/July/2012)
[37] Alexey Lyashko - Stealth Import of Windows API - http://syprog.blogspot.com.br/2011/10/stealth-import-of-windows-api.html (Last Access: 12/July/2012)
[38] Nick Harbour - Advanced Software Armoring and Polymorphic Kung-Fu
[39] Christopher Kruegel, William Robertson, Fredrik Valeur and Giovanni Vigna - Proceedings of the 13th USENIX Security Symposium - Static Disassembly of Obfuscated Binaries
[40] IDA - http://www.hex-rays.com (Last Access: 12/July/2012)
[41] Cullen Linn and Saumya Debray - Obfuscation of Executable Code to Improve Resistance to Static Disassembly
[42] Boris Lau and Vanja Svajcer - EICAR 2008 EXTENDED VERSION - Measuring virtual machine detection in malware using DSD tracer
[43] VMWare - http://www.vmware.com (Last Access: 12/July/2012)
[44] VirtualPC - http://www.microsoft.com/windows/virtual-pc/ (Last Access: 12/July/2012)
[45] Ilsun You and Kangbin Yim - 2010 International Conference on Broadband, Wireless Computing, Communication and Applications - Malware Obfuscation Techniques: A Brief Survey
[46] Péter Ször and Peter Ferrie - VIRUS BULLETIN CONFERENCE, SEPTEMBER 2001 - Hunting for Metamorphic
[47] The Programming Language Lua - http://www.lua.org (Last Access: 12/July/2012)
[48] AlexAbramov - API Hooking with MS Detours - http://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours (Last Access: 12/July/2012)
[49] Galen Hunt and Doug Brubacher - Microsoft Research - Detours: Binary Interception of Win32 Functions - http://research.microsoft.com/pubs/68568/huntusenixnt99.pdf (Last Access: 12/July/2012)
[50] coderrr - http://coderrr.wordpress.com/2008/08/27/how-to-get-rid-of-microsoft-detours-detoureddll/ (Last Access: 12/July/2012)
