Difference between revisions of "Anti-debugging"

From Unprotect Project
Revision as of 15:18, 8 November 2016

Technique Description

Malware also uses anti-debugging techniques to prevent analysts from debugging and dynamically analysing the malicious code. Anti-debugging is a common anti-analysis technique used by malware to detect when it is under the control of a debugger, or to crash the debugger. Once malware realizes that it is running in a debugger, it may alter its normal code execution path or modify the code to cause a crash, thus interfering with the analysts' attempts to understand it and adding time and overhead to their efforts.

Below is a list of all the anti-debug techniques in the Unprotect Project:

Anti-debugging Techniques

Windows API
  IsDebuggerPresent: This function checks a specific flag in the Process Environment Block (PEB), the IsDebugged field, which is zero if the process is not running under a debugger and nonzero if a debugger is attached.
  CheckRemoteDebuggerPresent: This function is similar to the previous one; it checks whether a remote process is currently debugging the current process.
  NtQueryInformationProcess / ZwQueryInformationProcess: This function retrieves information about a specified process. Malware can detect whether the process is currently being debugged from the information the function retrieves.
  NtSetInformationThread / ZwSetInformationThread: This function can hide a specific thread from a debugger.
  NtQueryObject: This function retrieves object information. Calling it with the ObjectTypeInformation class retrieves the specific object type (debug objects), which reveals the presence of a debugger.
  OutputDebugString: Sends a string to the debugger for display. If OutputDebugString is called while a debugger is attached, the call should succeed and the value returned by GetLastError should not change.
  EventPairHandles: An EventPair object is an Event built from two _KEVENT structures, conventionally named High and Low. There is a relation between generic Event objects and debuggers, because a debugger has to create a custom event called DebugEvent to handle exceptions. Because of the events owned by the debugger, the Event information of a debugged process differs from that of a normal process.
  CsrGetProcessID: This function is undocumented. It can be used to get the PID of csrss.exe, which is a SYSTEM process. By default, a process has the SeDebugPrivilege privilege disabled in its access token. However, when the process is loaded by a debugger such as OllyDbg or WinDbg, SeDebugPrivilege is enabled. If a process is able to open the csrss.exe process with OpenProcess, it means that SeDebugPrivilege is enabled in its access token, which suggests that the process is being debugged.
  CloseHandle / NtClose: When a process is debugged, calling NtClose with an invalid handle will generate a STATUS_INVALID_HANDLE exception.

Checking Manually
  IsDebugged Flag
  Heap Flag

Timing Check
  RDTSC

Debugger Detection
  FindWindow

Disturb Debugger
  TLS Callback
  Unhandled Exception Filter
  Performing code checksum
  INT Scanning
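The last two "Disturb Debugger" entries, performing a code checksum and INT scanning, both rely on the fact that a software breakpoint is implemented by the debugger overwriting one byte of the target's code with the INT3 opcode (0xCC). The following Python example is added here to illustrate that mechanism; it is not code from the Unprotect Project. The function bytes, the breakpoint offset and the 0xCC alignment padding are constructed for the demonstration, and the "debugger" is simulated by patching a byte array rather than attaching to a process.

```python
"""Added example: how "Performing code checksum" and "INT Scanning" detect
software breakpoints. All bytes below are constructed for the demonstration."""
import zlib

INT3 = 0xCC  # opcode a debugger writes over the original byte for a software breakpoint

# Constructed x86 function: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
FUNC = bytes.fromhex("558bec33c05dc3")
# Constructed inter-function padding; compilers commonly fill alignment gaps with 0xCC
PADDING = b"\xcc" * 3
SECTION = FUNC + PADDING


def code_checksum(region: bytes) -> int:
    """CRC32 of a code region. A protected program computes this at build time
    and recomputes it at run time; any single changed byte alters the value."""
    return zlib.crc32(region) & 0xFFFFFFFF


def scan_int3(region: bytes) -> list:
    """Offsets of every 0xCC byte in the region (the 'INT scanning' check)."""
    return [off for off, b in enumerate(region) if b == INT3]


def place_software_breakpoint(region: bytes, offset: int) -> bytes:
    """Simulate what a debugger does for a software breakpoint: overwrite one
    byte with INT3 (a real debugger saves the original byte to restore it later)."""
    patched = bytearray(region)
    patched[offset] = INT3
    return bytes(patched)


def detect_breakpoints(region: bytes, expected_crc: int) -> dict:
    """Run both checks over a region and report what each one sees."""
    return {
        "checksum_mismatch": code_checksum(region) != expected_crc,
        "int3_offsets": scan_int3(region),
    }


def demo() -> dict:
    """Clean function, function with a breakpoint on 'xor eax,eax', and the
    padding caveat: scanning a whole section naively also hits compiler
    padding (false positives for INT scanning), while the checksum of the
    unmodified bytes stays intact."""
    baseline = code_checksum(FUNC)
    clean = detect_breakpoints(FUNC, baseline)
    with_bp = detect_breakpoints(place_software_breakpoint(FUNC, 3), baseline)
    padded = detect_breakpoints(SECTION, code_checksum(SECTION))
    return {"clean": clean, "with_breakpoint": with_bp, "padded_section": padded}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats matter for an analyst. First, INT scanning on its own produces false positives wherever 0xCC appears legitimately (alignment padding, or as part of a multi-byte instruction), so the checksum comparison is the more reliable of the two. Second, neither check sees hardware breakpoints, which are set in the CPU debug registers and leave the code bytes untouched; that is also why a sample using these techniques is usually stepped through with hardware breakpoints or with the check itself patched out.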