Malware Analysis Professional: Anti-Reversing Tricks: Part 2
Tools:
• Olly Debugger v1.10
Target:
• RE_Lab_11.zip
Introduction
Layout:
i) Anti-RE trick Category
a) Category-related trick example
b) Another related example
c) etc.
Process Debugger Detection
CreateToolhelp32Snapshot:
• Obtains a snapshot of all running processes, by using the TH32CS_SNAPPROCESS flag.
Process32First:
• Obtains information about the first process in the snapshot by filling the PROCESSENTRY32 structure.
MAPv1: Section 02, Module 11 - Caendra Inc. © 2020 | p.9
11.2 Process Debugger Detection
Process32Next:
• This is used to go through the process list after the snapshot was taken.
Parent Process Detection
Module Debugger Detection
CreateToolhelp32Snapshot:
• Obtains a snapshot of all loaded modules of a specific process, by using the TH32CS_SNAPMODULE flag.
Module32First:
• Obtains information about the first module in the snapshot by filling in the MODULEENTRY32 structure.
11.4 Module Debugger Detection
Module32Next:
• This is used to go through the loaded modules as listed after the snapshot was taken.
Code Execution Time Detection
EXAMPLE:
    RDTSC                 ;read the Time-Stamp Counter (EDX:EAX)
    mov ebx, eax          ;store the low-order 32 bits in ebx
    push ecx              ;perform a series of instructions that actually do nothing
    pop ecx
    add ecx, ecx
    sub ecx, ecx
    push esi
    pop esi
    add edi, edi
    sub edi, edi
    RDTSC                 ;read the Time-Stamp Counter again
    sub eax, ebx          ;subtract the previous value from the new one
    cmp eax, 0x3e8        ;compare the difference with a constant of our choice
    jg __debuggerfound    ;if eax > 0x3e8 (1000 clock cycles, not ms) a debugger is assumed
EXAMPLE:
    call GetTickCount
    mov ebx, eax          ;store the result in ebx
    push ecx              ;perform a series of instructions that actually do nothing
    pop ecx
    add ecx, ecx
    sub ecx, ecx
    push esi
    pop esi
    add edi, edi
    sub edi, edi
    call GetTickCount     ;call GetTickCount again
    sub eax, ebx          ;subtract the previous value from the new one
    cmp eax, 0x3e8        ;compare the difference with a constant of our choice
    jg __debuggerfound    ;if eax > 0x3e8 (1000 ms) a debugger is assumed
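The following is an added example written for this page; it is not code from the module, the lab, or the course authors. It takes the analyst's side of the three tricks above (the Toolhelp process walk, the Toolhelp module walk, and the two-reads-then-compare timing check) and turns them into a small static triage scanner over a disassembly listing, so a sample can be flagged before it is single-stepped in OllyDbg. The listing it runs on is constructed inline and modelled on the two snippets above; the window sizes, the Finding layout and the hypothetical labels in the listing are assumptions. One caveat it makes explicit: the 0x3e8 threshold is 1000 clock cycles after RDTSC but 1000 milliseconds after GetTickCount, so a finding records the unit together with the constant.

```python
import re
from dataclasses import dataclass, field

# Constructed x86 listing for the scanner to run on: a Toolhelp process walk,
# the two timing checks from the module (RDTSC and GetTickCount) and a module
# walk. It is a made-up sample, not a dump of RE_Lab_11 or of real malware.
SAMPLE_LISTING = """
push TH32CS_SNAPPROCESS
push 0
call CreateToolhelp32Snapshot
mov esi, eax
call Process32First
.next_proc:
call Process32Next
test eax, eax
jnz .next_proc
rdtsc
mov ebx, eax
push ecx
pop ecx
rdtsc
sub eax, ebx
cmp eax, 0x3e8
jg __debuggerfound
call GetTickCount
mov ebx, eax
add edi, edi
sub edi, edi
call GetTickCount
sub eax, ebx
cmp eax, 1000
ja __debuggerfound
push TH32CS_SNAPMODULE
push edi
call CreateToolhelp32Snapshot
call Module32First
call Module32Next
"""

CALL_RE = re.compile(r"^call\s+(\w+)", re.I)
PUSH_RE = re.compile(r"^push\s+(\w+)", re.I)
CMP_RE = re.compile(r"^cmp\s+\w+\s*,\s*(0x[0-9a-f]+|\d+)", re.I)
JCC_RE = re.compile(r"^j(?!mp\b)[a-z]+\s+(\S+)", re.I)      # conditional jumps only
CLOCK_UNITS = {"rdtsc": "cycles", "GetTickCount": "ms"}     # what the delta measures
WALK_APIS = ("Process32First", "Process32Next", "Module32First", "Module32Next")


@dataclass
class Finding:
    kind: str          # "timing-check", "process-enumeration", "module-enumeration", ...
    line: int          # 1-based listing line where the pattern completes
    detail: str
    meta: dict = field(default_factory=dict)


def parse_listing(text):
    return [ln.strip() for ln in text.strip().splitlines()]


def clock_source(line):
    """'rdtsc' or 'GetTickCount' if the instruction reads a clock, else None."""
    if line.lower().startswith("rdtsc"):
        return "rdtsc"
    m = CALL_RE.match(line)
    return "GetTickCount" if m and m.group(1) == "GetTickCount" else None


def find_timing_checks(lines, window=12):
    """Two reads of the same clock within `window` instructions, followed by a
    cmp against an immediate and a conditional jump: the timing trick."""
    findings, i = [], 0
    while i < len(lines):
        src = clock_source(lines[i])
        if src is None:
            i += 1
            continue
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            if clock_source(lines[j]) != src:
                continue
            threshold = target = end = None
            for k in range(j + 1, min(j + 6, len(lines))):   # cmp/jcc follow the second read closely
                m = CMP_RE.match(lines[k])
                if m:
                    imm = m.group(1)
                    threshold = int(imm, 16) if imm.lower().startswith("0x") else int(imm)
                m = JCC_RE.match(lines[k])
                if m and threshold is not None:
                    target, end = m.group(1), k
                    break
            if target is not None:
                unit = CLOCK_UNITS[src]
                findings.append(Finding(
                    "timing-check", end + 1,
                    f"{src} read twice; delta compared with {threshold} {unit}, branch to {target}",
                    {"source": src, "threshold": threshold, "unit": unit, "target": target}))
                i = end
            break
        i += 1
    return findings


def find_toolhelp_walks(lines, window=16):
    """CreateToolhelp32Snapshot plus the Process32*/Module32* walk that follows it."""
    findings = []
    for i, line in enumerate(lines):
        m = CALL_RE.match(line)
        if not m or m.group(1) != "CreateToolhelp32Snapshot":
            continue
        flag = None
        for prev in reversed(lines[max(0, i - 4):i]):        # dwFlags is pushed just before the call
            p = PUSH_RE.match(prev)
            if p and p.group(1).upper().startswith("TH32CS_"):
                flag = p.group(1).upper()
                break
        walk, last = [], i
        for k in range(i + 1, min(i + 1 + window, len(lines))):
            c = CALL_RE.match(lines[k])
            if c and c.group(1) in WALK_APIS:
                walk.append(c.group(1))
                last = k
        if flag == "TH32CS_SNAPPROCESS" or any(w.startswith("Process32") for w in walk):
            kind, note = "process-enumeration", "process names or the parent PID may be checked against a debugger list"
        elif flag == "TH32CS_SNAPMODULE" or any(w.startswith("Module32") for w in walk):
            kind, note = "module-enumeration", "loaded module names may be checked for debugger DLLs"
        else:
            kind, note = "toolhelp-snapshot", "snapshot taken, no walk seen in window"
        findings.append(Finding(kind, last + 1, f"flag={flag}, walk={'/'.join(walk) or '-'}; {note}",
                                {"flag": flag, "walk": walk}))
    return findings


def scan(text):
    lines = parse_listing(text)
    return sorted(find_timing_checks(lines) + find_toolhelp_walks(lines), key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan(SAMPLE_LISTING):
        print(f"line {f.line:3}: {f.kind:20} {f.detail}")
```

In practice the text fed to scan() would be a listing exported from OllyDbg or any other disassembler; because the scanner only inspects text it runs on any platform. A hit tells the analyst where to expect the debugger check and, for the timing variant, which constant and which unit to keep in mind while stepping through that region.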
Conclusion
So, now you can spend some time with the associated video in order to see these tricks in practice, and then move on to one last module dedicated to Anti-RE tricks.
VIDEO: Check out the video on Anti-Reversing Tricks: Part 2!
Target: RE_Lab_11.zip