Malware Analysis Professional: Anti-Reversing Tricks: Part 2


Malware Analysis Professional

Anti-Reversing Tricks: Part 2

Section 02 | Module 11
© Caendra Inc. 2020
All Rights Reserved

Table of Contents

MODULE 11 | ANTI-REVERSING TRICKS: PART 2


11.1 Introduction
11.2 Process Debugger Detection
11.3 Parent Process Detection
11.4 Module Debugger Detection
11.5 Code Execution Time Detection
11.6 Conclusion

MAPv1: Section 02, Module 11 - Caendra Inc. © 2020 | p.2


Getting Started

Tools:
• Olly Debugger v1.10

Target:
• RE_Lab_11.zip

www.ollydbg.de


11.1 Introduction

In this module we will continue our discussion of a few of the more common Anti-RE tricks. This time, the tricks we have chosen target specific process information, such as the name of the main executable module, the name of the process's parent, the names of the loaded modules, etc.

Furthermore, we will also look at an effective way for an application to detect whether it is under analysis, based on the time elapsed while executing a specific block of code.

Layout:
i) Anti-RE trick Category
a) Category-related trick example
b) Another related example
c) etc.

11.2 Process Debugger Detection

This trick is used to verify that no known debugger, disassembler or reversing tool is running at the same time as our application, by retrieving a list of all running processes and evaluating their names.

Usually the following three Windows APIs are involved:

CreateToolhelp32Snapshot:
• Obtains a snapshot of all running processes, by using the
TH32CS_SNAPPROCESS flag.

Process32First:
• Obtains information about the first process in the
snapshot by filling the PROCESSENTRY32 structure.

Figure 11.1 PROCESSENTRY32 structure

Process32Next:
• Walks the remaining processes in the list after the snapshot was taken. Again, it fills the PROCESSENTRY32 structure for each process during enumeration.

11.3 Parent Process Detection

A process can detect whether it is being debugged by checking the name of its parent process. Usually the check expects “explorer.exe”, which is commonly the parent process of a process started by the user.

The same technique is used as in the previous case, but this time we target the parent process of the process we are interested in.

The usual method involves obtaining the PID (process identifier) of our process, enumerating the process snapshot list, locating our process and retrieving its PPID (parent process identifier), and finally walking the snapshot list once more to see which process that PPID belongs to.

A piece of malware could, for example, accept only a parent process named “explorer.exe” as legitimate, and otherwise behave differently or simply remain silent, doing nothing suspicious while under observation.

TIP: More checks can be done, such as checking the parent process of “explorer.exe” to verify that it is the real one, or checking whether more than one process carries the “explorer.exe” name, which would mean that something else has been renamed to “explorer.exe”, etc.

11.4 Module Debugger Detection

This has the same goal as above (identifying a reversing tool), but in this case it does so by retrieving a list of all running processes and then a list of all the modules loaded in each process, such as dynamic link libraries (DLLs), which are commonly used as plugins that add extra functionality to many reversing tools.

Usually the following three Windows APIs are involved:

CreateToolhelp32Snapshot:
• Obtains a snapshot of all loaded modules of a specific
process, by using the TH32CS_SNAPMODULE flag.

Module32First:
• Obtains information about the first module in the
snapshot by filling in the MODULEENTRY32 structure.

Figure 11.2 MODULEENTRY32 structure

Module32Next:
• Walks the remaining loaded modules after the snapshot was taken.
Again, it fills the MODULEENTRY32 structure for each
module during enumeration.
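The three checks in 11.2, 11.3 and 11.4 all reduce to walking a Toolhelp32 snapshot and comparing fields of PROCESSENTRY32 or MODULEENTRY32. The following Python model is an added example (not code from the course or from any sample) that replays that logic over a constructed snapshot, so an analyst knows exactly what a sample will see at a breakpoint on CreateToolhelp32Snapshot, Process32Next or Module32Next: the field names mirror the Windows structures, while every PID, process name, module name and the tool lists are constructed for the example.

```python
"""Model of the Toolhelp32 snapshot walk used by the checks in 11.2 to 11.4.

Added example, not code from the course or from any sample. It replays the
logic of the CreateToolhelp32Snapshot / Process32First / Process32Next loop
(and the Module32First / Module32Next loop) over a constructed snapshot.
Field names mirror PROCESSENTRY32 / MODULEENTRY32; all PIDs, process names,
module names and the tool lists are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessEntry:
    """Subset of PROCESSENTRY32 that the checks actually read."""
    th32ProcessID: int
    th32ParentProcessID: int
    szExeFile: str


@dataclass(frozen=True)
class ModuleEntry:
    """Subset of MODULEENTRY32 that the module check reads."""
    th32ProcessID: int
    szModule: str


# Constructed TH32CS_SNAPPROCESS snapshot: the sample under analysis (PID 4100)
# was launched from the debugger (PID 3050) rather than from explorer.exe.
SNAPSHOT: List[ProcessEntry] = [
    ProcessEntry(4, 0, "System"),
    ProcessEntry(700, 4, "winlogon.exe"),
    ProcessEntry(1200, 700, "explorer.exe"),
    ProcessEntry(3050, 1200, "ollydbg.exe"),
    ProcessEntry(4100, 3050, "sample.exe"),
    ProcessEntry(4200, 1200, "notepad.exe"),
]

# Constructed TH32CS_SNAPMODULE results, one entry per loaded module.
MODULES: List[ModuleEntry] = [
    ModuleEntry(3050, "OLLYDBG.EXE"),
    ModuleEntry(3050, "ntdll.dll"),
    ModuleEntry(3050, "example_plugin.dll"),   # constructed plugin name
    ModuleEntry(4200, "notepad.exe"),
    ModuleEntry(4200, "ntdll.dll"),
]

# Names the checks compare against; only the course's own tool is listed.
TOOL_PROCESSES: Set[str] = {"ollydbg.exe"}
TOOL_PLUGINS: Set[str] = {"example_plugin.dll"}


def process_debugger_check(snapshot: List[ProcessEntry], tools: Set[str]) -> List[str]:
    """11.2: walk every PROCESSENTRY32 and collect names matching a tool.
    The comparison is case-insensitive because Windows file names are."""
    return [e.szExeFile for e in snapshot if e.szExeFile.lower() in tools]


def parent_name(snapshot: List[ProcessEntry], pid: int) -> Optional[str]:
    """11.3: pass one finds our own entry and its PPID, pass two resolves
    that PPID to a name. Returns None when either lookup fails (the PPID
    can be stale: Windows does not clear it when the parent exits)."""
    ppid = None
    for entry in snapshot:
        if entry.th32ProcessID == pid:
            ppid = entry.th32ParentProcessID
            break
    if ppid is None:
        return None
    for entry in snapshot:
        if entry.th32ProcessID == ppid:
            return entry.szExeFile
    return None


def explorer_count(snapshot: List[ProcessEntry]) -> int:
    """11.3 TIP: more than one explorer.exe means something was renamed."""
    return sum(1 for e in snapshot if e.szExeFile.lower() == "explorer.exe")


def module_debugger_check(snapshot: List[ProcessEntry], modules: List[ModuleEntry],
                          plugins: Set[str]) -> Dict[int, List[str]]:
    """11.4: for each process, walk its module list and report matches."""
    hits: Dict[int, List[str]] = {}
    for proc in snapshot:
        loaded = [m.szModule for m in modules if m.th32ProcessID == proc.th32ProcessID]
        matched = [m for m in loaded if m.lower() in plugins]
        if matched:
            hits[proc.th32ProcessID] = matched
    return hits


if __name__ == "__main__":
    print("11.2 running tools :", process_debugger_check(SNAPSHOT, TOOL_PROCESSES))
    print("11.3 parent of 4100:", parent_name(SNAPSHOT, 4100))
    print("11.3 explorer count:", explorer_count(SNAPSHOT))
    print("11.4 plugin hits   :", module_debugger_check(SNAPSHOT, MODULES, TOOL_PLUGINS))
```

Run against the constructed snapshot, the model shows why the checks differ in practice: the sample launched from OllyDbg resolves its parent to ollydbg.exe and fails 11.3, whereas a process started from explorer.exe and attached to afterwards passes 11.3 but still fails 11.2 and 11.4, since the debugger process and its plugin DLLs remain visible in the snapshot.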

11.5 Code Execution Time Detection

This is an efficient and easily implemented anti-reversing technique. Its purpose is to measure the time elapsed while executing the instructions in a specific block of code; a debugger stepping through or pausing inside that block inflates the measurement.

11.5.1 RDTSC: Read Time-Stamp Counter

We initially discussed this instruction and the related MSR in the first module (Module 1, 1.4.6).

EXAMPLE:
RDTSC ; read the Time-Stamp Counter (low 32 bits in eax, high 32 bits in edx)
mov ebx, eax ; store the low-order 32 bits in ebx
push ecx ; perform a series of instructions that actually do nothing
pop ecx
add ecx,ecx
sub ecx,ecx
push esi
pop esi
add edi,edi
sub edi,edi
RDTSC ; read the Time-Stamp Counter again
sub eax,ebx ; subtract the previous value from the new one
cmp eax, 0x3e8 ; compare the difference with a constant of our choice
jg __debuggerfound ; if eax > 0x3e8 (1000 clock ticks, not milliseconds) debugger found

11.5.2 GetTickCount API

Through this API we can retrieve the number of milliseconds that have elapsed since the system was started, for up to 49.7 days (the 32-bit value then wraps around to zero).

Again, we can use it to check the time elapsed during the execution of a specific block of instructions.

EXAMPLE:
call GetTickCount ; milliseconds since boot, returned in eax
mov ebx, eax ; store the result in ebx
push ecx ; perform a series of instructions that actually do nothing
pop ecx
add ecx,ecx
sub ecx,ecx
push esi
pop esi
add edi,edi
sub edi,edi
call GetTickCount ; call GetTickCount again
sub eax,ebx ; subtract the previous value from the new one
cmp eax, 0x3e8 ; compare the difference with a constant of our choice
jg __debuggerfound ; if eax > 0x3e8 (1000 ms) debugger found
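Both listings in 11.5.1 and 11.5.2 end in the same three instructions, `sub eax,ebx` / `cmp eax,0x3e8` / `jg`, and the only thing that changes is the unit of the clock being read. The following Python model is an added example (not code from the course) that evaluates that arithmetic exactly as the CPU does, a 32-bit subtraction followed by a signed compare, and runs it against a fake clock whose per-instruction cost stands in for native execution or for an analyst single-stepping the block. The clock values and step costs are constructed; the threshold 0x3e8 is the one from the listings.

```python
"""Model of the elapsed-time check from 11.5.1 (RDTSC) and 11.5.2 (GetTickCount).

Added example, not code from the course. It reproduces the arithmetic of the
two listings as the CPU evaluates it: a 32-bit subtraction (sub eax, ebx)
followed by a signed comparison (cmp eax, 0x3e8 / jg). The fake clock and
the per-instruction costs are constructed values.
"""

MASK32 = 0xFFFFFFFF
THRESHOLD = 0x3E8          # the constant of our choice from the listings


def to_signed32(value: int) -> int:
    """Read a 32-bit pattern the way jg does: as a signed integer."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def debugger_found(start: int, end: int, threshold: int = THRESHOLD) -> bool:
    """sub eax, ebx / cmp eax, threshold / jg __debuggerfound.
    start and end are the two readings (low 32 bits of the TSC, or the
    DWORD returned by GetTickCount)."""
    delta = (end - start) & MASK32          # sub wraps modulo 2**32, so a
    return to_signed32(delta) > threshold   # counter wrap between readings is harmless


class FakeClock:
    """Stand-in for the TSC or the tick counter; only moves when advanced."""

    def __init__(self, start: int = 0) -> None:
        self.value = start

    def read(self) -> int:
        return self.value & MASK32          # RDTSC low dword / 32-bit tick count

    def advance(self, units: int) -> None:
        self.value += units


def simulate_block(clock: FakeClock, cost_per_instruction: int,
                   n_instructions: int = 8, threshold: int = THRESHOLD) -> bool:
    """Two readings around the eight filler instructions of the listings.
    cost_per_instruction is what each instruction takes in the clock's unit:
    a few cycles natively, millions of cycles (or hundreds of ms) when an
    analyst single-steps each one."""
    start = clock.read()
    for _ in range(n_instructions):
        clock.advance(cost_per_instruction)
    end = clock.read()
    return debugger_found(start, end, threshold)


if __name__ == "__main__":
    # RDTSC: the threshold is 1000 cycles, so even a fast single-step trips it.
    print("rdtsc native      :", simulate_block(FakeClock(), 2))
    print("rdtsc single-step :", simulate_block(FakeClock(), 3_000_000))
    # GetTickCount: the threshold is 1000 ms, so only a slow walk trips it.
    print("ticks native      :", simulate_block(FakeClock(), 0))
    print("ticks 100ms/step  :", simulate_block(FakeClock(), 100))
    print("ticks 200ms/step  :", simulate_block(FakeClock(), 200))
    # Counter wrap between the two readings (GetTickCount after 49.7 days).
    print("wrap-around       :", simulate_block(FakeClock(0xFFFFFFF0), 2))
```

The model makes the practical difference between the two variants visible: with RDTSC the 0x3e8 threshold is 1000 cycles, so practically any step or breakpoint inside the block is enough, whereas with GetTickCount it is 1000 milliseconds and only fires when the analyst spends more than a second between the two calls. It also shows two properties of the arithmetic an analyst should recognise in the disassembly: the 32-bit subtraction makes a counter wrap between the readings harmless, and because `jg` is a signed compare, a difference of 0x80000000 or more is read as negative and never takes the branch.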

TIP: Other Windows APIs related to time information retrieval can be used to achieve the same goal. Some examples are the timeGetTime and QueryPerformanceCounter APIs.

11.6 Conclusion

As we move on with more tricks you might start to feel a little confused. This is quite normal, especially if you have no experience with this subject. However, there is nothing to worry about, since in the associated hands-on challenge we will examine them together in practice.

So, now you can spend some time with the associated video to see these tricks in practice, and then move on to one last module dedicated to Anti-RE tricks.

VIDEO
Check out the video on Anti-Reversing Tricks: Part 2!

To ACCESS your video, go to the course in your members area and click the resources drop-down in the appropriate module line.

LAB
Put what you’ve learned into practice with RE_Lab_11.zip!

To ACCESS your lab, go to the course in your members area and click the resources drop-down in the appropriate module line; your file will then download.

References
Here’s a list of all references linked or used in this course.
Olly Debugger v1.10
http://www.ollydbg.de/



Videos & Labs
Here’s a list of all videos and labs in this module. To ACCESS, go to the
course in your members area and click the resources drop-down in the
appropriate module line.

Anti-Reversing Tricks: Part 2

RE_Lab_11.zip
