Anti-debugging

From Unprotect Project

Technique Description

Malware also uses anti-debugging techniques to prevent analysts from debugging and dynamically analysing the malicious code. Anti-debugging is a common anti-analysis technique used by malware to detect when it is under the control of a debugger, or to crash the debugger. Once malware realises it is running under a debugger, it may alter its normal execution path or modify its code to cause a crash, interfering with the analyst's attempts to understand it and adding time and overhead to their efforts.

Techniques

Below is a list of all the Anti-Debug techniques in Unprotect Project:

Anti-debugging Techniques

Windows API

IsDebuggerPresent: This function checks a specific flag in the Process Environment Block (PEB), the IsDebugged field, which is zero if the process is not running under a debugger and nonzero if a debugger is attached.

CheckRemoteDebuggerPresent: Similar to the previous function; it checks whether another process is currently debugging the current process.

NtQueryInformationProcess / ZwQueryInformationProcess: Retrieves information about a specified process. Malware can determine whether the process is currently being debugged from the information this function returns.

NtSetInformationThread / ZwSetInformationThread: Can hide a specific thread from a debugger (ThreadHideFromDebugger).

NtQueryObject: Retrieves object information. Calling it with the ObjectTypeInformation class returns the specific object type (debug object), which can be used to detect the debugger.

OutputDebugString: Sends a string to the debugger for display. If a debugger is attached, the call to OutputDebugString succeeds and the value returned by GetLastError is unchanged.

EventPairHandles: An EventPair object is an event built from two _KEVENT structures, conventionally named High and Low. Event objects are related to debuggers because a debugger has to create a custom event, DebugEvent, to handle exceptions. Because of the events owned by the debugger, the event information of a debugged process differs from that of a normal process.

CsrGetProcessID: This undocumented function can be used to obtain the PID of csrss.exe, a SYSTEM process, for use with OpenProcess. By default, a process has the SeDebugPrivilege privilege disabled in its access token. However, when the process is loaded by a debugger such as OllyDbg or WinDbg, SeDebugPrivilege is enabled. If the process is able to open csrss.exe, SeDebugPrivilege is enabled in its access token, suggesting that the process is being debugged.

CloseHandle / NtClose: When a process is being debugged, calling NtClose with an invalid handle generates a STATUS_INVALID_HANDLE exception.

Checking Manually

IsDebugged Flag: While a process is running, the PEB can be found at fs:[30h]. Malware uses that location to check the BeingDebugged flag, which indicates whether the process is being debugged.

Heap Flag: ProcessHeap is located at offset 0x18 in the PEB structure. This first heap has a header whose fields tell the kernel whether the heap was created within a debugger: the Flags and ForceFlags fields.

NtGlobalFlag: The information the system uses to decide how to create heap structures is stored at an undocumented location in the PEB, offset 0x68. If the value at this location is 0x70, the process is running under a debugger.

Timing Check

RDTSC: Execute RDTSC twice, compute the difference between the low-order values and compare it (CMP) against a threshold. If the difference is below 0FFFh, no debugger is found; if it is above or equal, the application is being debugged.

GetTickCount: A typical timing function used to measure the time needed to execute a function or instruction sequence. If the difference exceeds a fixed threshold, the process exits.

NtQueryPerformanceCounter: When a debugger is present and used to single-step through the code, there is a significant delay between the execution of individual instructions compared to native execution.

Debugger Detection

FindWindow: The FindWindow() function can be used to search for windows by name or class (e.g. OllyDbg).

FindProcess: The FindProcess() function can be used to search for a specific process (e.g. ollydbg.exe).

BadStringFormat: Exploits weaknesses in the debugger itself. OllyDbg had a known bug in its handling of format strings and crashed on input containing multiple %s specifiers.

Disturb Debugger

TLS Callback: Most debuggers start at the program's entry point as defined by the PE header. A TLS callback executes code before the entry point and can therefore run unnoticed in a debugger.

Unhandled Exception Filter: An application-defined function that passes unhandled exceptions to the debugger if the process is being debugged; otherwise it optionally displays an Application Error message box and causes the exception handler to execute.

Performing code checksum: Computing a checksum of the code identifies whether part of the packer code has been modified, which suggests that anti-debugging routines may have been disabled.

Interrupts

Interrupts: Most exception-based detection relies on the fact that debuggers trap the exception and do not immediately pass it to the debugged process for handling. The default setting on most debuggers is to trap exceptions and not pass them to the program. If the debugger does not pass the exception on properly, that failure can be detected within the process's exception-handling mechanism.

INT Scanning: Software breakpoints are set by modifying the code at the target address, replacing a byte with 0xCC (INT3, the breakpoint interrupt). Malware identifies software breakpoints by scanning for the 0xCC byte in the protector code and/or API code.
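To make concrete what the PEB-based checks above (IsDebuggerPresent, the manual IsDebugged flag, Heap Flag and NtGlobalFlag) actually consult, here is an added Python example, not code from the Unprotect Project, that decodes those fields from a 32-bit PEB and heap image such as one carved from a memory dump, so an analyst can see which checks a given process state would trip. It assumes BeingDebugged at PEB+0x02 and _HEAP Flags/ForceFlags at +0x40/+0x44 (Vista and later, x86); the PEB and heap images it builds are constructed samples.

```python
import struct

# 32-bit PEB field offsets: 0x18 and 0x68 are the ones the page cites;
# BeingDebugged at 0x02 is assumed (standard x86 layout).
PEB_BEING_DEBUGGED = 0x02
PEB_PROCESS_HEAP = 0x18
PEB_NT_GLOBAL_FLAG = 0x68
# _HEAP header offsets, assumed for Vista+ x86 (XP used 0x0C / 0x10).
HEAP_FLAGS = 0x40
HEAP_FORCE_FLAGS = 0x44

# The three NtGlobalFlag bits a debugger-created process receives; together
# they are the 0x70 value the page mentions.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUG_GLOBAL_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK
                      | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70
HEAP_GROWABLE = 0x00000002  # the only flag a normally created default heap carries


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def debug_indicators(peb: bytes, heap: bytes) -> dict:
    """Report which of the PEB-based anti-debug checks would fire on this memory."""
    nt_global = u32(peb, PEB_NT_GLOBAL_FLAG)
    flags, force = u32(heap, HEAP_FLAGS), u32(heap, HEAP_FORCE_FLAGS)
    return {
        "being_debugged": peb[PEB_BEING_DEBUGGED] != 0,
        "nt_global_flag": (nt_global & DEBUG_GLOBAL_FLAGS) == DEBUG_GLOBAL_FLAGS,
        # Any flag beyond HEAP_GROWABLE, or a non-zero ForceFlags, marks a debug heap.
        "heap_flags": (flags & ~HEAP_GROWABLE) != 0 or force != 0,
        "process_heap": u32(peb, PEB_PROCESS_HEAP),
    }


def build_sample(debugged: bool):
    """Constructed PEB and heap images, zero-filled apart from the fields of interest."""
    peb, heap = bytearray(0x100), bytearray(0x100)
    struct.pack_into("<I", peb, PEB_PROCESS_HEAP, 0x00150000)  # constructed heap address
    struct.pack_into("<I", heap, HEAP_FLAGS, HEAP_GROWABLE)
    if debugged:
        peb[PEB_BEING_DEBUGGED] = 1
        struct.pack_into("<I", peb, PEB_NT_GLOBAL_FLAG, DEBUG_GLOBAL_FLAGS)
        # Typical debug-heap values: growable + tail/free checking + validate parameters.
        struct.pack_into("<I", heap, HEAP_FLAGS, 0x40000062)
        struct.pack_into("<I", heap, HEAP_FORCE_FLAGS, 0x40000060)
    return bytes(peb), bytes(heap)


if __name__ == "__main__":
    for label in (False, True):
        print("debugged" if label else "clean", debug_indicators(*build_sample(label)))
```

Feeding the same function a PEB and heap dumped from your own analysis VM shows which of these telltales a sandbox or debugger configuration leaves behind.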
