Anti-debugging and Anti-VM techniques and anti-emulation

poqun


D12d0x34X August 01, 2013

Malware is becoming more advanced every day. Malware analysts rely on debuggers and other analysis tools to study malware and spyware, so malware authors build in techniques that detect the presence of automated analysis systems such as debuggers and virtual machines. In this article we will look at some of the techniques commonly used to evade debuggers and sandboxes.

Tools required:

Immunity debugger
C/C++ compiler (msvc or GCC)
Virtual Machine (VMware or VirtualBox)

Introduction to Debuggers.

A debugger is a piece of software used to analyze and instrument executable files. To analyze and intercept machine code, debuggers use the system calls and APIs provided by the operating system. To execute the target one instruction at a time, debuggers use single stepping, which is turned on by setting the Trap Flag (TF) in the EFLAGS register. To stop at a particular memory address, debuggers use several kinds of breakpoints. The following are the types of breakpoints debuggers use.

1. Software breakpoints.
2. Hardware breakpoints.
3. Memory breakpoints.
4. Conditional breakpoints.

Software breakpoints are breakpoints where the debugger overwrites the original instruction with INT 3 (opcode 0xCC), which raises a breakpoint exception; control is passed back to the debugger, which handles it. In Immunity Debugger you can view your software breakpoints by pressing ALT + B.

Breakpoints:
Code: (listing not available in this copy)

Hardware breakpoints use four of the debug registers provided by the processor to intercept execution at a particular address. These registers are DR0, DR1, DR2 and DR3.

We then flip the appropriate bits in the DR7 register to enable the breakpoint and set its type and length.

After the hardware breakpoint has been set and is reached, an INT 1 (debug) exception is raised, the same event used for single stepping.

Debuggers then set up appropriate handlers to catch those exceptions.

Memory Breakpoint:

For a memory breakpoint, the debugger uses guard pages: it marks the page as a guard page and installs a handler, and if the page is accessed the exception handler is called.

Debuggers support several types of memory breakpoints:

1. Memory breakpoint on BYTE access.
2. Memory breakpoint on WORD access.
3. Memory breakpoint on DWORD access.

Conditional breakpoints:

Conditional breakpoints are managed by the debugger: execution stops and control is handed to the user only if a specified condition is met.

For example, in Immunity Debugger you can set a conditional breakpoint with the following syntax:

CONDITION = [ESP] = 0x0077ff89

which only triggers when the value at the top of the stack is 0x0077ff89.

Memory breakpoints are only useful when you want to monitor calls to a specific API that are made with particular parameters.

Debugging API on Windows

Windows provides a native API for debugging, known as the Windows Debugging API, which debuggers use to attach to and control applications.

The following is sample code that debugs an application using the Windows Debugging API.

Code: (listing not available in this copy)

Anti-debugging techniques.

To frustrate the malware analyst, malware can detect the presence of a debugger and then behave unexpectedly. To detect a debugger, malware can either read certain values in memory or call APIs that report whether the process is being debugged.

One of the simplest debugger-detection tricks uses the Win32 API function KERNEL32.IsDebuggerPresent.

Code: (listing not available in this copy)

Detecting a debugger using PEB:

When a process is created with the CreateProcess API and the DEBUG_ONLY_THIS_PROCESS creation flag, a special field in the PEB (Process Environment Block) data structure in memory is set.

Code: (listing not available in this copy)

Detection using HEAP flags:

When a program is run under a debugger and is created using the debug process-creation flags, the heap flags are changed. These flags live at a different offset depending on the version of the operating system.

On Windows NT-based systems these flags are at offset 0x0c from the heap base.

On Windows Vista and later they are at offset 0x40 from the heap base.

The two flag fields involved are 'Flags' and 'ForceFlags'.

The ProcessHeap field of the PEB points to a _HEAP structure, defined as:

Reference: (link not available in this copy)

Code: (listing not available in this copy)

The following C program can be used to detect the presence of a debugger using the heap flags:

Code: (listing not available in this copy)

Virtual Machine Detection or Emulation Detection.

Malware samples are usually analyzed in an isolated environment such as a virtual machine. To thwart analysis inside a virtual machine, malware includes anti-VM protection, or simply exits when it finds itself running in an isolated environment.

The following techniques can be used to detect whether a sample is running inside a VM:

Timing based.
Artifact based.

Timing based detection

"The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of cycles since reset". (Wikipedia)

If the code is being emulated, the difference between two consecutive readings of the time stamp counter will change noticeably.

The result is stored in EDX:EAX.

On a real host machine the time difference would usually be less than 100, but if the code is emulated the difference will be huge.

Code: (listing not available in this copy)

The above program uses the time stamp counter instruction to detect the presence of a virtual machine.

Artifact Based Detection.

Malware leverages the file, network or device artifacts left behind by a virtual machine configuration; it checks for the presence of these artifacts to detect a debugger or a virtual environment.

The simplest case is registry artifacts: VMware creates registry keys for its virtual disk controller, which can be located in the registry under the following key,

HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0
with a value such as "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&XXX&XXX"

Code: (listing not available in this copy)
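As an added illustration from the analyst's side (this is not code from the original article or its author), the following Python script scans a raw code/data blob for the footprints of the checks described in the anti-debugging and VM-detection sections above: a reference to IsDebuggerPresent, the fs:[30h] PEB read followed by a BeingDebugged or ProcessHeap access, back-to-back RDTSC reads, and the VMware disk registry artifact. The opcode patterns assume 32-bit x86 code, and the sample blob is constructed here for the demonstration.

```python
import re

# Name -> (category, regex over raw bytes). Opcodes are 32-bit x86 encodings: 64 A1 30 00 00 00
# reads the PEB from fs:[30h]; PEB+2 is BeingDebugged, PEB+0x18 is ProcessHeap; 0F 31 is RDTSC.
OPCODE_SIGNATURES = {
    "PEB BeingDebugged read": ("anti-debug", rb"\x64\xa1\x30\x00\x00\x00.{0,16}?\x0f\xb6\x40\x02"),
    "PEB ProcessHeap read":   ("anti-debug", rb"\x64\xa1\x30\x00\x00\x00.{0,16}?\x8b\x40\x18"),
    "RDTSC timing pair":      ("anti-vm",    rb"\x0f\x31.{0,64}?\x0f\x31"),
}
# Name -> (category, text). Matched as ASCII and as UTF-16LE, since Windows paths are often wide.
STRING_SIGNATURES = {
    "IsDebuggerPresent import": ("anti-debug", "IsDebuggerPresent"),
    "Disk\\Enum registry key":   ("anti-vm", r"SYSTEM\CurrentControlSet\Services\Disk\Enum"),
    "VMware vendor string":     ("anti-vm", "Ven_VMware"),
}

def scan(blob: bytes) -> dict:
    """Return {indicator name: (category, [offsets])} for every signature present in blob."""
    hits = {}
    for name, (cat, pat) in OPCODE_SIGNATURES.items():
        offs = [m.start() for m in re.finditer(pat, blob, re.S)]
        if offs:
            hits[name] = (cat, offs)
    for name, (cat, text) in STRING_SIGNATURES.items():
        offs = []
        for enc in (text.encode("ascii"), text.encode("utf-16-le")):
            offs += [m.start() for m in re.finditer(re.escape(enc), blob, re.I)]
        if offs:
            hits[name] = (cat, sorted(offs))
    return hits

def categories(blob: bytes) -> set:
    """Which evasion families a sample uses: a subset of {'anti-debug', 'anti-vm'}."""
    return {cat for cat, _ in scan(blob).values()}

# Constructed sample "code section" (not taken from any real binary): a PEB BeingDebugged
# check, a back-to-back RDTSC pair and a wide-string registry path, padded with NOPs.
SAMPLE = (
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]
    b"\x85\xc0\x75\x10" + b"\x90" * 8    # test eax, eax / jnz short / padding
    + b"\x0f\x31\x8b\xd8" + b"\x90" * 4  # rdtsc / mov ebx, eax / padding
    + b"\x0f\x31\x2b\xc3" + b"\x90" * 8  # rdtsc / sub eax, ebx / padding
    + "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum".encode("utf-16-le")
)

if __name__ == "__main__":
    for name, (cat, offs) in scan(SAMPLE).items():
        print(f"[{cat}] {name} at {[hex(o) for o in offs]}")
```

A hit only says the pattern is present; confirm it in the debugger, since packers and legitimate protectors use the same checks.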

Source: (link not available in this copy)
 