MW-Blog

Avoiding debugger detection

It’s quite common to run into malicious programs (malware) that deploy various methods to detect debuggers. It’s good to be aware of what you can run into when you’re analyzing or unpacking malware. I’ll list a few here, along with some ways to circumvent them.

Probably the most widely known and used method to detect debuggers is the IsDebuggerPresent() API call in kernel32.dll.

This is what it looks like:

[Screenshot: AntiDebug - IsDebuggerPresent]

It locates a flag in the PEB (Process Environment Block) that tells whether a debugger is attached or not. The result is returned in the eax register, with a value of 1 meaning true and 0 meaning false.

There are several ways to circumvent this one: You can put a breakpoint in that API, and manually modify the return value to zero. Another way would be to manually locate the flag from the PEB, and zero it out. When dealing with unknown malware I usually do the latter, but instead of modifying the flag manually I inject a stub into the file that will, amongst other things, zero out the flag.

The stub, in assembly, looks like this:

mov eax, dword ptr [fs:18h]      ; TEB self pointer
mov eax, dword ptr [ds:eax+30h]  ; TEB+30h -> PEB
mov byte ptr [ds:eax+2], 0       ; PEB+2 = BeingDebugged, zero it

The advantages of modifying the flag directly instead of just breakpointing the API call are that this approach cannot be detected, whereas breakpoints can be, and that it also works against packers and malware that have the check inlined into their code, in which case no API call is made.

Another quite often seen trick to detect debuggers is the NtGlobalFlags check:

mov eax, dword ptr [fs:30h]  ; PEB
add eax, 68h                 ; PEB+68h = NtGlobalFlag
mov eax, dword ptr [ds:eax]
cmp eax, 70h                 ; heap debugging flags set by a debugger

If the value in the eax register equals 70h, a debugger is attached. There are no API calls involved in this check, so it’s recommended to bypass it in advance. If no debugger is present, the value of the flag is zero, so to evade the check do the following:

mov eax, dword ptr [fs:30h]  ; PEB
add eax, 68h                 ; NtGlobalFlag
mov dword ptr [ds:eax], 0h   ; clear it

A third trick, used at least by ExeCryptor, is yet another flag reached through the PEB :) The code used for checking looks like this:

mov eax, dword ptr [fs:18h]     ; TEB self pointer
mov eax, dword ptr [eax+30h]    ; PEB
mov eax, dword ptr [eax+18h]    ; PEB+18h = ProcessHeap
cmp dword ptr [ds:eax+10h], 0h  ; heap flags word

If the value at [ds:eax+10h] is not zero, a debugger is present. I reckon you’ll already know how to bypass this one :)

mov eax, dword ptr [fs:18h]     ; TEB self pointer
mov eax, dword ptr [eax+30h]    ; PEB
mov eax, dword ptr [eax+18h]    ; ProcessHeap
mov dword ptr [ds:eax+10h], 0h  ; clear the flags word
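As an added example, not code from the original post, here is a small Python model that lays out a TEB, a PEB and a process heap header at the offsets the three checks above rely on (TEB+18h, TEB+30h, PEB+2, PEB+18h, PEB+68h, heap+10h, the 32-bit layout the assembly assumes), then implements each check step by step and the combined "zero the flags" stub. The page addresses and the flag values planted for the debugged case are constructed for illustration; only the offsets and the 70h comparison come from the post.

```python
import struct

# Constructed addresses for this model (any three distinct 4 KiB pages work).
TEB_BASE = 0x7FFDF000    # where fs: points for the current thread
PEB_BASE = 0x7FFDE000
HEAP_BASE = 0x00140000   # the process heap, PEB.ProcessHeap

# Field offsets the post's assembly relies on (32-bit layout).
TEB_SELF = 0x18             # TEB.NtTib.Self, read by  mov eax, [fs:18h]
TEB_PEB = 0x30              # TEB.ProcessEnvironmentBlock, read by [fs:30h]
PEB_BEING_DEBUGGED = 0x02   # the byte IsDebuggerPresent() reports
PEB_PROCESS_HEAP = 0x18
PEB_NT_GLOBAL_FLAG = 0x68
HEAP_FORCE_FLAGS = 0x10     # the [heap+10h] dword in the third check
NT_GLOBAL_FLAG_DEBUG = 0x70  # value the post's second check compares against
HEAP_FLAGS_DEBUG = 0x40000060  # constructed non-zero sample for the heap word


class Memory:
    """Sparse little-endian 32-bit memory: a few zero-filled 4 KiB pages."""

    def __init__(self, page_bases):
        self.pages = {base: bytearray(0x1000) for base in page_bases}

    def _locate(self, addr):
        base = addr & ~0xFFF
        if base not in self.pages:
            raise ValueError(f"unmapped address {addr:#010x}")
        return self.pages[base], addr & 0xFFF

    def read8(self, addr):
        page, off = self._locate(addr)
        return page[off]

    def write8(self, addr, value):
        page, off = self._locate(addr)
        page[off] = value & 0xFF

    def read32(self, addr):
        page, off = self._locate(addr)
        return struct.unpack_from("<I", page, off)[0]

    def write32(self, addr, value):
        page, off = self._locate(addr)
        struct.pack_into("<I", page, off, value & 0xFFFFFFFF)


def fs_read32(mem, offset):
    """Model of `mov eax, dword ptr [fs:offset]`: fs selects the TEB."""
    return mem.read32(TEB_BASE + offset)


def build_process(debugged):
    """Lay out TEB -> PEB -> heap; plant the three flags only when debugged."""
    mem = Memory([TEB_BASE, PEB_BASE, HEAP_BASE])
    mem.write32(TEB_BASE + TEB_SELF, TEB_BASE)
    mem.write32(TEB_BASE + TEB_PEB, PEB_BASE)
    mem.write32(PEB_BASE + PEB_PROCESS_HEAP, HEAP_BASE)
    if debugged:
        mem.write8(PEB_BASE + PEB_BEING_DEBUGGED, 1)
        mem.write32(PEB_BASE + PEB_NT_GLOBAL_FLAG, NT_GLOBAL_FLAG_DEBUG)
        mem.write32(HEAP_BASE + HEAP_FORCE_FLAGS, HEAP_FLAGS_DEBUG)
    return mem


# The three checks; each line mirrors one instruction from the post.
def check_being_debugged(mem):
    eax = fs_read32(mem, TEB_SELF)                    # mov eax, [fs:18h]
    eax = mem.read32(eax + TEB_PEB)                   # mov eax, [eax+30h]
    return mem.read8(eax + PEB_BEING_DEBUGGED) != 0   # byte [eax+2]


def check_nt_global_flag(mem):
    eax = fs_read32(mem, TEB_PEB)                     # mov eax, [fs:30h]
    eax += PEB_NT_GLOBAL_FLAG                         # add eax, 68h
    eax = mem.read32(eax)                             # mov eax, [eax]
    return eax == NT_GLOBAL_FLAG_DEBUG                # cmp eax, 70h


def check_heap_force_flags(mem):
    eax = fs_read32(mem, TEB_SELF)                    # mov eax, [fs:18h]
    eax = mem.read32(eax + TEB_PEB)                   # mov eax, [eax+30h]
    eax = mem.read32(eax + PEB_PROCESS_HEAP)          # mov eax, [eax+18h]
    return mem.read32(eax + HEAP_FORCE_FLAGS) != 0    # cmp dword [eax+10h], 0


def run_checks(mem):
    return {
        "BeingDebugged": check_being_debugged(mem),
        "NtGlobalFlag": check_nt_global_flag(mem),
        "HeapForceFlags": check_heap_force_flags(mem),
    }


def clear_debug_flags(mem):
    """The post's three zeroing stubs, walking the same pointer chain."""
    peb = mem.read32(fs_read32(mem, TEB_SELF) + TEB_PEB)
    mem.write8(peb + PEB_BEING_DEBUGGED, 0)
    mem.write32(peb + PEB_NT_GLOBAL_FLAG, 0)
    heap = mem.read32(peb + PEB_PROCESS_HEAP)
    mem.write32(heap + HEAP_FORCE_FLAGS, 0)


if __name__ == "__main__":
    proc = build_process(debugged=True)
    print("before:", run_checks(proc))
    clear_debug_flags(proc)
    print("after: ", run_checks(proc))
```

Running it shows all three checks firing on the "debugged" layout and all three going quiet once the flags are zeroed, which is exactly why the post's stub is placed before the protected code runs: the checks read raw memory, so nothing short of changing that memory makes them pass.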

The above methods are just a few of the ways of detecting debuggers and subverting the detection. There are plenty of other tricks in wide use as well.


If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.

