On antidebug code detection
Sometimes when you run into an unknown piece of malware it's useful to gather as much intel as possible before you start to analyze it. Since there's a plethora of anti-debugging methods in use out there, spotting them needs to be automated.
Here’s a screenshot of a little tool I made for scanning signatures on popular anti-debug methods:
The screenshot was taken while scanning an older variant of a reptile bot. The signatures are built in the same fashion as packer signatures. The database can be extended quite easily, and it helps to know in advance what you'll be facing. Note, though, that a lack of detection is not a lack of presence :)
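To show what "signatures made in similar fashion to packer signatures" means in practice, here is an added example scanner (my own illustration, not the author's ADDetector tool, whose database format is not shown). It assumes a PEiD-style signature database: a name mapped to a string of hex bytes where `??` is a one-byte wildcard. The byte patterns are the well-known x86 encodings of the PEB `BeingDebugged` and `NtGlobalFlag` reads plus a few API names as they would appear in an import table; the sample buffer is constructed for the example.

```python
import re

# Helper: turn an ASCII API name into the same hex-byte signature syntax,
# so import-name checks live in the same database as code-pattern checks.
def ascii_sig(name: str) -> str:
    return " ".join(f"{b:02X}" for b in name.encode("ascii"))

# Signature database (assumed layout: name -> "hex bytes with ?? wildcards").
# The two PEB patterns are standard x86 encodings:
#   64 A1 30 00 00 00  mov eax, fs:[30h]     ; PEB pointer
#   0F B6 40 02        movzx eax, byte [eax+2] ; PEB.BeingDebugged
#   8B 40 68           mov eax, [eax+68h]      ; PEB.NtGlobalFlag
# The two wildcards after the BeingDebugged read cover whichever 2-byte
# test/cmp the compiler emitted before the conditional jump (75 = jnz rel8).
SIGNATURES = {
    "PEB.BeingDebugged check": "64 A1 30 00 00 00 0F B6 40 02 ?? ?? 75 ??",
    "PEB.NtGlobalFlag check": "64 A1 30 00 00 00 8B 40 68",
    "IsDebuggerPresent (import name)": ascii_sig("IsDebuggerPresent"),
    "CheckRemoteDebuggerPresent (import name)": ascii_sig("CheckRemoteDebuggerPresent"),
    "NtQueryInformationProcess (import name)": ascii_sig("NtQueryInformationProcess"),
}


def compile_signature(pattern: str) -> re.Pattern:
    """Compile a 'hex bytes with ?? wildcards' pattern into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> list:
    """Return (signature name, offset) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in compile_signature(pattern).finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: NOP padding, a BeingDebugged check with its branch,
# more padding, then an import-table-style API name. Not a real binary.
SAMPLE = (
    b"\x90" * 16
    + b"\x64\xa1\x30\x00\x00\x00\x0f\xb6\x40\x02"   # mov eax,fs:[30h]; movzx eax,[eax+2]
    + b"\x85\xc0\x75\x05"                            # test eax,eax ; jnz +5
    + b"\x90" * 32
    + b"IsDebuggerPresent\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

Two caveats follow directly from the author's remark that a lack of detection is not a lack of presence: the scanner only sees plaintext bytes, so a packed or encrypted sample yields nothing until it is unpacked, and very short patterns (a lone `rdtsc`, `0F 31`) are too common to be useful without surrounding context, which is why the wildcarded branch is kept as part of the signature rather than matching the PEB read alone.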
April 10th, 2007 at 1:46 pm
Hi,
Would it be possible to share these tools that you write? ADDetector.exe looks very interesting.
Thanks much,
Vinoo
April 10th, 2007 at 4:42 pm
Hi,
All the tools mentioned here are available upon request for security/AV researchers. I want to limit the exposure as much as I can. So, if you fit the description above and can prove it, give me a ping and I'll send you the tool.
–Toni