Anti-debugging

From Unprotect Project
Revision as of 11:51, 8 November 2016 by Admin (talk | contribs) (Techniques)


Technique Description

Malware also uses anti-debugging techniques to prevent analysts from debugging and dynamically analysing the malicious code. Anti-debugging is a common anti-analysis technique used by malware to detect when it is under the control of a debugger, or to crash the debugger. Once the malware realizes that it is running under a debugger, it may alter its normal code execution path or modify its own code to cause a crash, thus interfering with the analysts' attempts to understand it and adding time and overhead to their efforts.

Techniques

Below is a list of all the anti-debugging techniques in the Unprotect Project, grouped by category (technique, followed by its description where the original table gives one):

Anti-debugging Techniques

Windows API
  IsDebuggerPresent: This function checks a specific flag in the Process Environment Block (PEB), the IsDebugged field, which is zero if the process is not running under a debugger and nonzero if a debugger is attached.
  CheckRemoteDebuggerPresent: This function is similar to the previous one; it checks whether a remote process is currently debugging the current process.
  NtQueryInformationProcess / ZwQueryInformationProcess: This function retrieves information about a specified process. Malware can detect whether the process is currently being debugged from the information the function returns.
  NtSetInformationThread / ZwSetInformationThread
  NtQueryObject
  OutputDebugString
  EventPairHandles
  CsrGetProcessID
  CloseHandle / NtClose

Checking Manually
  IsDebugged Flag
  Heap Flag
  NtGlobalFlag

Timing Check
  RDTSC
  GetTickCount
  NtQueryPerformanceCounter

Debugger Detection
  FindWindow
  FindProcess
  BadStringFormat

Disturb Debugger
  TLS Callback
  Unhandled Exception Filter
  Performing code checksum

Interrupts
  INT Scanning
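The IsDebuggerPresent row and the manual IsDebugged Flag and NtGlobalFlag checks all read the same two fields of the PEB, which is why an analyst typically inspects and patches those fields before letting a sample run. The C program below is an added example, not code from the Unprotect Project: it decodes those artifacts from a raw PEB image (such as a dump of the PEB page taken in a debugger) and produces the patched image an analyst writes back. The PEB image is constructed inline rather than read from a live process; the offsets used (0x02 for BeingDebugged, 0x68 on x86 and 0xBC on x64 for NtGlobalFlag) and the 0x70 heap-flag mask are the documented Windows values, while the function and type names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside the Process Environment Block. BeingDebugged sits at
   offset 2 on both 32- and 64-bit Windows; NtGlobalFlag is at 0x68 (x86) or
   0xBC (x64). */
#define PEB_OFF_BEING_DEBUGGED   0x02
#define PEB_OFF_NTGLOBALFLAG_X86 0x68
#define PEB_OFF_NTGLOBALFLAG_X64 0xBC

/* Heap-debugging bits the loader sets in NtGlobalFlag when a process is
   created under a debugger (together 0x70). */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define PEB_DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

typedef struct {
    int being_debugged;      /* nonzero: the flag IsDebuggerPresent reports is set */
    int heap_flags_present;  /* nonzero: one or more of the 0x70 bits are set */
    uint32_t ntglobalflag;   /* raw NtGlobalFlag value for the report */
} peb_debug_artifacts;

static size_t ntglobalflag_offset(int is_x64) {
    return is_x64 ? PEB_OFF_NTGLOBALFLAG_X64 : PEB_OFF_NTGLOBALFLAG_X86;
}

/* Decode the debugger artifacts from a raw PEB image. Returns 0 on success,
   -1 if the buffer is too short to contain NtGlobalFlag. */
int decode_peb_artifacts(const uint8_t *peb, size_t len, int is_x64,
                         peb_debug_artifacts *out) {
    size_t off = ntglobalflag_offset(is_x64);
    uint32_t flags;
    if (peb == NULL || out == NULL || len < off + sizeof flags)
        return -1;
    memcpy(&flags, peb + off, sizeof flags);  /* PEB and host are both little-endian here */
    out->being_debugged = peb[PEB_OFF_BEING_DEBUGGED] != 0;
    out->ntglobalflag = flags;
    out->heap_flags_present = (flags & PEB_DEBUGGER_HEAP_FLAGS) != 0;
    return 0;
}

/* Rewrite the image the way an analyst patches the live PEB: clear
   BeingDebugged and strip the three heap bits, leaving every other
   NtGlobalFlag bit untouched. Returns 0 on success, -1 on a short buffer. */
int neutralize_peb_artifacts(uint8_t *peb, size_t len, int is_x64) {
    size_t off = ntglobalflag_offset(is_x64);
    uint32_t flags;
    if (peb == NULL || len < off + sizeof flags)
        return -1;
    peb[PEB_OFF_BEING_DEBUGGED] = 0;
    memcpy(&flags, peb + off, sizeof flags);
    flags &= ~PEB_DEBUGGER_HEAP_FLAGS;
    memcpy(peb + off, &flags, sizeof flags);
    return 0;
}

/* Constructed sample (not a real dump): a zeroed 0x100-byte "PEB" carrying the
   artifacts a debugger leaves in an x64 process. */
#define SAMPLE_PEB_SIZE 0x100
void build_sample_peb(uint8_t *buf, int under_debugger) {
    uint32_t flags = under_debugger ? PEB_DEBUGGER_HEAP_FLAGS : 0;
    memset(buf, 0, SAMPLE_PEB_SIZE);
    buf[PEB_OFF_BEING_DEBUGGED] = under_debugger ? 1 : 0;
    memcpy(buf + PEB_OFF_NTGLOBALFLAG_X64, &flags, sizeof flags);
}

/* Checks over the constructed sample; each returns 1 when the result is as expected. */
int sample_shows_debugger(void) {
    uint8_t peb[SAMPLE_PEB_SIZE];
    peb_debug_artifacts a;
    build_sample_peb(peb, 1);
    return decode_peb_artifacts(peb, sizeof peb, 1, &a) == 0
        && a.being_debugged && a.heap_flags_present && a.ntglobalflag == 0x70;
}

int sample_clean_after_neutralize(void) {
    uint8_t peb[SAMPLE_PEB_SIZE];
    peb_debug_artifacts a;
    build_sample_peb(peb, 1);
    return neutralize_peb_artifacts(peb, sizeof peb, 1) == 0
        && decode_peb_artifacts(peb, sizeof peb, 1, &a) == 0
        && !a.being_debugged && !a.heap_flags_present && a.ntglobalflag == 0;
}

int short_buffer_rejected(void) {
    uint8_t peb[0x10] = {0};  /* too short to hold NtGlobalFlag on either architecture */
    peb_debug_artifacts a;
    return decode_peb_artifacts(peb, sizeof peb, 1, &a) == -1
        && neutralize_peb_artifacts(peb, sizeof peb, 0) == -1;
}

int main(void) {
    uint8_t peb[SAMPLE_PEB_SIZE];
    peb_debug_artifacts a;
    build_sample_peb(peb, 1);
    decode_peb_artifacts(peb, sizeof peb, 1, &a);
    printf("before: BeingDebugged=%d NtGlobalFlag=0x%02x heap_bits=%d\n",
           a.being_debugged, (unsigned)a.ntglobalflag, a.heap_flags_present);
    neutralize_peb_artifacts(peb, sizeof peb, 1);
    decode_peb_artifacts(peb, sizeof peb, 1, &a);
    printf("after:  BeingDebugged=%d NtGlobalFlag=0x%02x heap_bits=%d\n",
           a.being_debugged, (unsigned)a.ntglobalflag, a.heap_flags_present);
    return 0;
}
```

Because the decoder takes a byte buffer rather than dereferencing the live PEB, the same routine can be pointed at a memory dump from any sample; on a live process the analyst obtains the PEB base from the debugger and clears the same two fields, which is what debugger "hide" plugins automate.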
