Malware authors use anti-disassembly techniques to delay, prevent and/or avoid the reverse engineering of their code. They use manually crafted code to make disassembly tools produce an incorrect program listing. Here are some common anti-disassembly techniques.

API obfuscation
API obfuscation changes the names of identifiers (class names, method names, field names) to random names so that the reader of the code doesn't know what the code is doing.

Opcode/assembly code obfuscation makes disassembly of malware difficult by using tactics like executables whose sections are decrypted at run time and code instructions that are hard to read or nonsensical.

Junk/spaghetti code is used to confuse the reverse engineer and hide what the current code is trying to accomplish.

Control flow graph flattening
Control flow graph flattening, or simply CFG flattening, flattens the control flow of each function by first breaking up the nesting of loops and if-statements and then hiding each of them in a case of a large switch statement wrapped inside the body of a loop.

Jump instructions with the same target
A jump instruction with the same target is produced using a combination of jz with jnz. Together they form an unconditional jump that the disassembler doesn't recognize, because it only disassembles one instruction at a time.

Detecting debuggers
Anti-debugging is an anti-analysis technique that malware uses to check if it is being debugged. Malware authors use many techniques to prevent or slow the reverse engineer from debugging their code. The most common technique malware uses is the Windows API, as it provides several functions that malware can use to detect debuggers.

IsDebuggerPresent checks a specific flag in the Process Environment Block (PEB), the BeingDebugged field, which is zero if the process is not running under a debugger and nonzero if a debugger is attached. Another similar function is CheckRemoteDebuggerPresent, which checks if a remote process is debugging the current one.

CloseHandle/NtClose
CloseHandle/NtClose is another anti-debugging technique malware uses. Calling the dispatcher with an invalid handle throws an invalid handle exception, STATUS_INVALID_HANDLE. That exception is only raised while a debugger is attached, which is how the malware tells the two cases apart.

FindWindow
FindWindow is also used to find the debugger, by passing a debugger's window class name (e.g., OLLYDBG).

Malware can also take advantage of the PEB's NtGlobalFlag field at offset 0x68 (which is read to check if the process is being debugged) by verifying whether its value is equal to 0x70.

Advanced anti-debugging techniques
Debugging specialists and analysts who encounter the following advanced anti-debugging techniques will find themselves and their tools challenged.

The Read Time-Stamp Counter (RDTSC) is a common example of a timing defense. Debugging tools take time and effort to process each instruction. This creates slowness and fluctuation that differ from the computer's fixed processing speed, and the malware measures that difference.
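As an added example (not code from the original post), here is a small Python triage scanner that looks for the indicators this page describes in a binary's bytes: the debugger-detection API names, the OLLYDBG window class, the rdtsc opcode, the x86 fs:[0x30] PEB fetch, and the jz/jnz pair with a shared target. The byte patterns and the sample blob are constructed for illustration; a real scan would run over an unpacked PE's import table and code sections.

```python
from typing import Dict, List

# API names the page lists as debugger-detection calls (searched as ASCII import names).
ANTI_DEBUG_APIS = [
    b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
    b"FindWindowA", b"FindWindowW", b"NtClose", b"CloseHandle",
]
DEBUGGER_WINDOW_CLASSES = [b"OLLYDBG"]   # window class passed to FindWindow
RDTSC = b"\x0f\x31"                      # rdtsc opcode (timing check)
PEB_FS30 = b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[0x30]: x86 PEB fetch (BeingDebugged / NtGlobalFlag)

def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def find_jz_jnz_pairs(code: bytes) -> List[int]:
    """Offsets of jz rel8 (74 xx) directly followed by jnz rel8 (75 xx) with the same target:
    jz at i lands on i+2+d1, jnz at i+2 lands on i+4+d2. Together they are an unconditional jump."""
    hits = []
    for i in range(len(code) - 3):
        if code[i] == 0x74 and code[i + 2] == 0x75:
            d1 = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            d2 = int.from_bytes(code[i + 3:i + 4], "little", signed=True)
            if i + 2 + d1 == i + 4 + d2:
                hits.append(i)
    return hits

def scan_anti_analysis(data: bytes) -> Dict[str, list]:
    """Triage report: which anti-analysis indicators from the text appear, and where."""
    return {
        "apis": [a.decode() for a in ANTI_DEBUG_APIS if a in data],
        "debugger_windows": [w.decode() for w in DEBUGGER_WINDOW_CLASSES if w in data],
        "rdtsc": find_all(data, RDTSC),
        "peb_access": find_all(data, PEB_FS30),
        "jz_jnz_same_target": find_jz_jnz_pairs(data),
    }

# Constructed sample, not a real binary: a few import-name strings followed by code bytes.
SAMPLE = (
    b"IsDebuggerPresent\x00"          # offsets 0-17
    b"FindWindowA\x00"                # 18-29
    b"OLLYDBG\x00"                    # 30-37
    b"\x64\xa1\x30\x00\x00\x00"       # 38: mov eax, fs:[0x30]
    b"\x0f\x31"                       # 44: rdtsc
    b"\x74\x03\x75\x01\xe8"           # 46: jz +3 / jnz +1, both land on 51; the E8 is junk
    b"\x90\x90"                       # 51: nop nop (the real continuation)
)
```

Running `scan_anti_analysis(SAMPLE)` reports each indicator with its offset, which is the kind of pre-triage a sandbox or IDA script would feed to an analyst before attaching a debugger.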