Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and AntiVM Technologies Rodrigo Rubira Branco, Gabriel

Negreira Barbosa, Pedro Drimel Neto {rbranco,gbarbosa,pdrimel} *NOSPAM* ual!s"com #ual!s $ %ulnerabilit! & Mal'are Researc( )abs *%MR)+ %ersion ,"Abstract Mal'are is 'idel! ac.no'ledged as a gro'ing t(reat 'it( (undreds o/ t(ousands o/ ne' samples reported eac( 'ee." Anal!sis o/ t(ese mal'are samples (as to deal 'it( t(is signi/icant uantit! but also 'it( t(e de/ensi0e capabilities built into mal'are1 Mal'are aut(ors use a range o/ e0asion tec(ni ues to (arden t(eir creations against accurate anal!sis" 2(e e0asion tec(ni ues aim to disrupt attempts o/ disassembl!, debugging or anal!se in a 0irtuali3ed en0ironment" 2(is tal. catalogs t(e common e0asion tec(ni ues mal'are aut(ors emplo!, appl!ing o0er 4- di//erent static detections, combined 'it( a /e' d!namic ones /or completeness" 5e 0alidate our catalog b! running t(ese detections against a database o/ 6 million samples *t(e s!stem is constantl! running and t(e numbers 'ill be updated /or t(e presentation+, enabling us to present an anal!sis on t(e real state o/ e0asion tec(ni ues in use b! mal'are toda!" 2(e resulting data 'ill (elp securit! companies and researc(ers around t(e 'orld to /ocus t(eir attention on ma.ing t(eir tools and processes more e//icient to rapidl! a0oid t(e mal'are aut(ors7 countermeasures" 2(is /irst o/ its .ind, compre(ensi0e catalog o/ countermeasures 'as compiled b! t(e paper7s aut(ors b! researc(ing eac( o/ t(e .no'n tec(ni ues emplo!ed b! mal'are, and in t(e process ne' detections 'ere proposed and de0eloped" 2(e underl!ing mal'are sample database (as an open arc(itecture t(at allo's researc(ers not onl! to see t(e results o/ t(e anal!sis, but also to de0elop and plug8in ne' anal!sis capabilities" 2(e s!stem 'ill be made a0ailable in beta at Blac. 9at, 'it( t(e purpose o/ ser0ing as a basis /or inno0ati0e communit! researc(" basement /or decisions, but still t(e! are t(e ma:orit! o/ t(e cases" Besides t(e common sentences among researc(ers 2(is 'or.s anal!3ed millions o/ mal'ares /ocusing and industr! regarding t(e amount o/ ne' samples in t(eir protection mec(anisms" 5e di0ided t(e e0er! da! *near to t(e (undred t(ousand dail!+, still protection mec(anisms in 6 di//erent categories; t(e anal!sis e//orts /ocus on automating a speci/ic Anti8Debugging; 2ec(ni ues to tas. or automate t(e anal!sis o/ onl! one sample" compromise debuggers and<or t(e Researc(ers around t(e globe (a0e man! debugging process c(allenges to contribute in combating ne' Anti8Disassembl!; 2ec(ni ues to mal'are, since t(e! eit(er lac.s t(e access to t(e compromise disassemblers and<or t(e samples or access to t(e computing po'er to disassembling process process t(em *or bot(+" 2(is limits t(e amount o/ Ob/uscation; 2ec(ni ues to ma.e t(e contributions coming /rom t(e academia and /rom signatures creation more di//icult and t(e indi0idual contributors" disassembled code (arder to be anal!3ed b! 2(e situation created an industr! /ull o/ incomplete a pro/essional results and opinions" Anal!sis comprising :ust a Anti8%M; 2ec(ni ues to detect and<or /e' t(ousands o/ mal'are samples are not a ! "ntroduction

compromise 0irtual mac(ines

2ec(ni ues t(at are not being currentl! being detected in t(e mal'are samples are also e=plained; 'e are constantl! updating t(e s!stem" Gt 'as de0eloped a plugin t(at is a /rame'or. /or disassembl!8related anal!sis; 2(e paper is organi3ed as /ollo's" Section ,", Dacilitates t(e de0elopment o/ disassembl! discusses our met(odolog!, t(e automated anal!sis anal!sis code1 s!stem and some ot(er c(oices made /or t(is Speeds up t(e disassembl! process /or researc(" Section > pro0ides t(e results o/ our plugins1 anal!sis, '(ile t(e rest o/ t(e paper discusses t(e Halls8bac. t(e plugins /or speci/ic tec(nical details o/ t(e implementations instruction t!pes1 t(emsel0es" Section ? enumerates and details eac( Disassembl! once, anal!3e all1 o/ t(e anti8debugging tec(ni ues" Section 6 Hare must be ta.en to detect disassembl! discusses disassembl! concepts and anti8 attac.s t(emsel0es" disassembl! and ob/uscation tec(ni ues" Section 4 discusses anti8%M tec(ni ues" Section @ illustrates Dor t(is 'or., 'e disassembled and anal!3ed onl! ne' tec(ni ues and ad0ancements proposed b! t(is PF sections e=plicitl! mar.ed as e=ecutable or 'or." Section A comprises t(e do'nloading lin.s '(ere t(e entr! point is located" /or getting updated 0ersions o/ t(is paper and /or do'nloading t(e de0eloped e=amples to 0alidate 2(e anti8re0erse engineering tec(ni ues 'ere eac( o/ t(e detection anti8re0erse engineering detected in t(e mal'are samples t(roug( plugins" mec(anisms" Section B concludes and pro0ides Be/ore its deplo!, eac( plugin 'as tested against /uture directions" Section C (as some BB? PF /iles loo.ing /or bugs and /or t(e ualit! o/ ac.no'ledges" Dinall!, in Section ,-, t(e t(e detection co0erage itsel/" re/erences used in t(is 'or." ! ! Methodology #! $%ecutive Summary

5indo's %M1 Static plugins; plugins t(at run outside o/ t(e %M

Dor t(is researc(, 'e anal!3ed 6"-?-"C64 mal'are 2(e anal!sis per/ormed in t(is 'or. relied in a total samples in our lab" As depicted in H(art ,, ?6,ACI o/ A> cores and a ,--GB o/ RAM distributed in C 'ere pac.ed, and t(e top pac.er /amilies are s(o'n di//erent mac(ines" in H(art >" 5e anal!3ed a bit more t(an 6 million samples *6,-?-,C64+" Pac.ed samples 'ere not anal!3ed indi0iduall!; all pac.ed samples using t(e same pac.er (a0e been considered as one single uni ue sample" All our samples 'ere ?"CMB or less in si3e *per/ormance reasons+" 2(e onl! e=ception 'as t(e Dlame mal'are due to its importance" 5e used mostl! static tec(ni ues, but included a /e' d!namic ones /or completeness; some tec(ni ues cannot be detect using onl! a static approac(" 2(e automated mal'are anal!sis s!stem, called H(art , $ Pac.er Statistics Dissect EE PF, relies in plugins" Fac( application t(at reads a mal'are and produces an output is considered a plugin" 2(ere are; D!namic plugins; plugins t(at run inside a

UPX293300LZMAMarkusOberhumerLaszloMolnarJoh nReiser Anti-VM (IN) Instruction Counting PEB NtGlo al!lag PEB"s B#ingD# ugg#$ (St#alth IsD# ugg#rPr#s#nt) UPXProte torv!0"% Nothing 2 Armadillo Arma#illov!$! Instruction Counting H(art > $ 2op Pac.er Damilies Instruction Su stitution (push & r#t) Arma#illov!""v2"" )oo.ing /or anti8re0erse engineering tec(ni ues in Nothing t(e top pac.er /amilies, 'e (ad di//erent results /or PECompact 3 t(e same pac.er /amil! because o/ di//erent Anti-VM (ST') 0ersions" Being so, 'e detailed t(e tec(ni ues Anti-VM (SLDT) /ound in eac( 0ersion in 2able ," Anti-VM (IN) Push Pop Math 1 UPX PEB NtGlo al!lag UPXV200V290MarkusOberhumerLaszloMolnarJohnR PEB"s B#ingD# ugg#$ (St#alth eiser IsD# ugg#rPr#s#nt) Anti-VM (SLDT) So(tICE & Int#rrupt ) Anti-VM (IN) So(t*ar# Br#a+point D#t#ction Push Pop Math SS r#gist#r Instruction Counting BobSoftMiniDelphiBoBBobSoft 4 PEB NtGlo al!lag Anti-VM (ST') PEB"s B#ingD# ugg#$ (St#alth Anti-VM (SLDT) IsD# ugg#rPr#s#nt) Anti-VM (IN) UPXv20MarkusLaszloReiser Push Pop Math Anti-VM (SLDT) PEB"s B#ingD# ugg#$ (St#alth Anti-VM (IN) IsD# ugg#rPr#s#nt) Push Pop Math So(tICE & Int#rrupt ) Instruction Counting SS r#gist#r PEB"s B#ingD# ugg#$ (St#alth 5 ASPack IsD# ugg#rPr#s#nt) A%Pa kv2!2Ale"e&%olo#ovnikov' SS r#gist#r UPX290LZMAMarkusOberhumerLaszloMolnarJohnR A%Prote tV2X(LLAle"e&%olo#o Anti-VM (IN) eiser PEB"s B#ingD# ugg#$ (St#alth Anti-VM (IN) IsD# ugg#rPr#s#nt) Push Pop Math SS r#gist#r Instruction Counting A%Pa kv!0)03Ale"e&%olo#ovniko , PEB"s B#ingD# ugg#$ (St#alth Anti-VM (IN) IsD# ugg#rPr#s#nt) PEB"s B#ingD# ugg#$ (St#alth SS r#gist#r IsD# ugg#rPr#s#nt) UPX20030XMarkusOberhumerLaszloMolnarJohnReis A%Pa kv2!Ale"e&%olo#ovniko, er PEB"s B#ingD# ugg#$ (St#alth Anti-VM (IN) IsD# ugg#rPr#s#nt) Push Pop Math SS r#gist#r Instruction Counting ProtectShare!are"11eComp#er$CMS PEB"s B#ingD# ugg#$ (St#alth Anti-VM (SLDT) IsD# ugg#rPr#s#nt)

+ /

Anti-VM (IN) Instruction Counting PEB"s B#ingD# ugg#$ (St#alth IsD# ugg#rPr#s#nt) Instruction Su stitution (push & r#t) ASProtect13321&e'i#teredAle(e)Solodo$ni ko$*ASProtect$12 Anti-VM (ST') Anti-VM (SLDT) Anti-VM (IN) Push Pop Math PEB"s B#ingD# ugg#$ (St#alth IsD# ugg#rPr#s#nt) So(tICE & Int#rrupt ) So(t*ar# Br#a+point D#t#ction SS r#gist#r ,i#e-n#tallerSt.b Nothing Ma#kPE"20)1k1ero Anti-VM (SLDT) Anti-VM (IN) Push Pop Math PEB"s B#ingD# ugg#$ (St#alth IsD# ugg#rPr#s#nt) SS r#gist#r

H(art 6 $ Pac.er Damilies o/ Mal'are Samples 2argeting Bra3ilian Ban.s Drom t(is point on, and according to t(e proposed met(odolog! in '(ic( eac( pac.er 'as anal!3ed once, t(e /ollo'ing numbers are related to t(e not pac.ed samples" Additionall!, in t(e ne=t statistics, mal'are anal!sis algorit(ms t(at produce e0idences 'ere not considered" H(art 4 s(o's t(at BB,C@I o/ t(e samples (ad at least one anti8re0erse engineering tec(ni ue detected"

2able , $ Pac.ers Anti8Re0erse Fngineering 2(e top pac.er /amilies /or mal'are samples targeting bra3ilian ban.s 'ere also anal!3ed" As s(o'n in H(art ?, 'e /ound t(at 4-,6CI 'ere pac.ed, and t(e top pac.er /amilies are depicted in H(art 6"

H(art 4 $ Samples 'it( Anti8Re0erse Fngineering As s(o'n in H(art @, @,6>I o/ t(e anal!3ed samples (a0e implemented at least one protection mec(anism in eac( o/ t(e /our categories *named as /ull! armored samples in t(is 'or.+"

H(art ? $ Pac.er Statistics o/ Samples 2argeting Bra3ilian Ban.s

regarding t(e total samples in t(is categor! is also present in H(art B" 2(e same in/ormation are present in c(arts C, ,and ,,, but /or, respecti0el!, anti8disassembl!, ob/uscation and anti8%M categories" H(art B $ Anti8Debugging 2ec(ni ues

H(art @ $ Dull! Armored Samples Dor a sample to be considered as part o/ a categor!, at least one tec(ni ue o/ suc( a categor! (a0e to be detected" 2(e pre0alence o/ eac( considered anti8 re0ersing engineering categories in t(e anal!3ed samples are detailed in H(art A"

H(art C $ Anti8Disassembl! 2ec(ni ues

H(art A $ Anti8Re0erse Fngineering Hategories So, anti8%M and ob/uscation categories are considerabl! more pre0alent in t(e samples 'it(, respecti0el!, B,,6-I and @B,C4I" 2(e considered anti8debugging tec(ni ues in all o/ t(e statistics in t(is 'or. relied on t(e tec(ni ues depicted in H(art B" Additionall!, t(e percentage o/ eac( considered anti8debugging tec(ni ue

H(art ,- $ Ob/uscation 2ec(ni ues

H(art ,, $ Anti8%M 2ec(ni ues

&! Anti-Debugging Techni'ues

Adopted Static Detection;

Some anti8debugging tec(ni ues are described in *,+ t(e ne=t sections" 2ec(ni ues currentl! co0ered b! detection plugins GsDebuggerPresent is loo.ed /or in GA2" G/ /ound, 'ill (a0e an additional in/ormation; t(e algorit(m t(e tec(ni ue is considered as detected" used to detect suc( a tec(ni ue" *>+ &! ! ($) Nt*lobal+lag A MO% instruction *mo0, mo0s=, mo03=+ cop!ing NtGlobalDlag is a /ield o/ PFB at o//set -=@B J,K" PFB address */s;J-=?-K+ some'(ere *N+ is loo.ed 2(e presence o/ suc( 0alues is not a reliable /or and N is sa0ed /or /uture use; debugger detection tec(ni ue, but can be considered as an e0idence; mo0<mo0s=<mo03= N,/s;J-=?-K D)GL9FAPLFNAB)FL2AG)LH9FHM *-=,-+, D)GL9FAPLFNAB)FLDRFFLH9FHM *-=>-+ 2(en, later in t(e same /unction, anot(er MO% and D)GL9FAPL%A)GDA2FLPARAMF2FRS instruction *mo0, mo0s=, mo03=+ re/erencing t(e *-=6-+" 2(is mig(t be used to detect t(e presence o/ BeingDebugged /ield *JNO-=>K in some o/ t(e a debugger" operands+ is loo.ed /or; Adopted Static Detection; mo0<mo0s=<mo03= op,,op> P '(ere RJNO-=>KS is a substring o/ op, or op>

A MO% instruction *mo0, mo0s=, mo03=+ cop!ing PFB address */s;J-=?-K+ some'(ere *N+ is loo.ed RF2 'as used to consider t(e end o/ a /unction" /or and N is sa0ed /or /uture use; G/ t(is scenario (appens, t(is anti8debugging mo0<mo0s=<mo03= N,/s;J-=?-K tec(ni ue is considered as detected" 2(en, later in t(e same /unction, a HMP *cmp, &!&! ,hec-.emoteDebugger(resent cmp=c(g+ or a MO% *mo0, mo0s=, mo03=+ instruction re/erencing t(e NtGlobalDlag H(ec.RemoteDebuggerPresent*+ is a .ernel?> *JNO-=@BK in some o/ t(e operands+ is loo.ed /or; /unction t(at sets -=//////// in pbDebuggerPresent parameter i/ a debugger is present J,K" Gnternall!, it cmp<cmp=c(g<mo0<mo0s=<mo03= op,,op> P uses Nt#uer!Gn/ormationProcess*+ 'it( '(ere JNO-=@BK is a substring o/ op, or op> ProcessDebugPort as a ProcessGn/ormationHlass parameter" 2(is /unction can be used to detect t(e RF2 'as used to consider t(e end o/ a /unction" presence o/ a debugger" G/ t(is scenario (appens, t(is anti8debugging tec(ni ue is considered as detected" &!#! "sDebugger(resent GsDebuggerPresent*+ is a .ernel?> /unction t(at returns 2RQF i/ a debugger is present J,K" Gnternall!, it uses PFB7s BeingDebugged Dield" Suc( approac(es can be used to detect t(e presence *>+ o/ a debugger" Nt#uer!Gn/ormationProcess is loo.ed /or in GA2" G/ H(ec.RemoteDebuggerPresent is loo.ed /or in GA2" G/ /ound, t(e tec(ni ue is considered as detected" Adopted Static Detection; *,+

/ound, t(e tec(ni ue is considered as an e0idence detected" &!/! 0ea1 flags

*JNO-=,BK in some o/ t(e operands+ is loo.ed /or; U operands P '(ere RJNO-=,BKS is a substring o/ an! o/ t(e operands

Process de/ault (eap *retrie0ed t(roug( RF2 'as used to consider t(e end o/ a /unction" GetProcess9eap*+ or PFB+ (as t(e /ollo'ing t'o /ields o/ interest t(at are in/luenced b! PFB8 G/ t(is scenario (appens, t(is anti8debugging TNtGlobalDlags; Dlags, at o//set -=-c in t(e (eap, tec(ni ue is considered as detected" and DorceDlags at o//set -=,- in t(e (eap J,K" 2(e /ollo'ing 0alues /or eac( o/ t(e /ields are not a &!2! Nt3uery"nformation(rocess 4 reliable approac( to detect a debugger, but can be (rocessDebug(ort considered as an e0idence; Halling Nt#uer!Gn/ormationProcess*+ 'it( Dlags; 9FAPLGRO5AB)F *>+, ProcessDebugPort as a ProcessGn/ormationHlass 9FAPL2AG)LH9FHMGNGLFNAB)FD parameter 'ill set -=//////// in t(e *-=>-+, 9FAPLDRFFLH9FHMGNGLFNAB)FD ProcessGn/ormation parameter i/ a process is being debugged J,K" Gnternall!, suc( /unction ueries /or *-=6-+, a non83ero state o/ FPROHFSS8TDebugPort" 2(is 9FAPLSMGPL%A)GDA2GONLH9FHMS /unction can be used to detect a debugger" *-=,-------+ and 9FAPL%A)GDA2FLPARAMF2FRSLFNA Adopted Static Detection; B)FD *-=6-------+" DorceDlags; Nt#uer!Gn/ormationProcess is loo.ed /or in GA2" G/ 9FAPL2AG)LH9FHMGNGLFNAB)FD /ound, t(e tec(ni ue is considered as e0idence *-=>-+, 9FAPLDRFFLH9FHMGNGLFNAB)FD detected" *-=6-+ and 9FAPL%A)GDA2FLPARAMF2FRSLFNA &!5! Debug Ob6ects 4 (rocessDebugOb6ect0andle ,lass B)FD *-=6-------+" A debug ob:ect is created and a (andle is associated to it '(en a debugging session begins J,K" Nt#uer!Gn/ormationProcess*+ can be called 'it( *,+ ProcessDebugOb:ect9andle as a GetProcess9eap is loo.ed /or in GA2" G/ /ound, t(e ProcessGn/ormationHlass parameter to uer! /or t(e debug ob:ect (andle" 2(is can be used to detect t(e tec(ni ue is considered as an e0idence detected" presence o/ a debugger" *>+ Adopted Static Detection; An instruction re/erencing PFB */s;J-=?-K+ is loo.ed /or" G/ /ound, t(e /irst operand *N+ is sa0ed Nt#uer!Gn/ormationProcess is loo.ed /or in GA2" G/ /ound, t(e tec(ni ue is considered as an e0idence /or /uture use; detected" U N,U P2(e substring R/s;J-=?-KS is loo.ed /or in all t(e operands" G/ /ound, t(e /irst operand *N+ is &!7! Debug Ob6ects 4 (rocessDebug+lags ,lass sa0ed Nt#uer!Gn/ormationProcess*+ can be called 'it( ProcessDebugDlags as a ProcessGn/ormationHlass 2(en, later in t(e same /unction, an! ot(er parameter to set t(e in0erse o/ FPROHFSS8 instruction re/erencing t(e process de/ault (eap Adopted Static Detection;

TNoDebugGn(erit bit in ProcessGn/ormation parameter J,K" So, DA)SF is set '(en a debugger is present" 2(is can be used to detect a debugger" Adopted Static Detection; Nt#uer!Gn/ormationProcess is loo.ed /or in GA2" G/ /ound, t(e tec(ni ue is considered as e0idence detected" &!8! Nt3uerySystem"nformation 4 System9ernelDebugger"nformation Nt#uer!S!stemGn/ormation*+ /unction o/ ntdll can be used 'it( t(e undocumented S!stemMernelDebuggerGn/ormation as a S!stemGn/ormationHlass parameter to detect t(e presence o/ a debugger J,K" 2(e result, t(at is stored in t(e bu//er pointed b! S!stemGn/ormation parameter J>?K, (as > b!tes representing t'o /lags, eac( one 'it( B bits; MdDebuggerFnabled *least signi/icant b!e+ and MdDebuggerNotPresent *most signi/icant b!te+" MdDebuggerNotPresent is DA)SF i/ a debugger is present" Gt is possible to ob/uscate suc( a /unction call b! retrie0ing MdDebuggerNotPresent directl! /rom MQSFRLS9ARFDLDA2A, at o//set -=A//e->d6 /or >Gb user8space con/igurations" 2(e 0alue retrie0ed b! t(e Nt#uer!SustemGn/ormation*+ call does not come /rom t(is location" J>K 2(is can be used to t(e detect t(e presence o/ a .ernel8mode debugger J>>K"

o/ HSRSS"e=e" 2(is can be ac(ie0e t(roug( Hreate2ool(elp?>Snaps(ot*+O *Process?>Dirst*++OProcess?>Ne=t*+" Anot(er 'a! could be using Nt#uer!S!stemGn/ormation*+ 'it( S!stemProcessGn/ormation as a S!stemGn/ormationHlass parameter" Alternati0el!, 5indo's NP introduced t(e ntdll HsrGetProcessGd*+ '(ic( ma.es suc( a tas. easier and can also be used" >" Open HSRSS"e=e process 'it( /ull access" G/ t(e operation succeeds, t(an it is an e0idence o/ t(e presence o/ a debugger" 2(is tas. can be ac(ie0ed 'it( OpenProcess*+ using PROHFSSLA))LAHHFSS as a d'DesiredAccess parameter" Oll!Dbg and 5inDbg ac uires SeDebugPri0ilege pri0ilege" 2(is tec(ni ue mig(t be used to indirectl! detect t(e presence o/ some debuggers" Adopted Static Detection; 2(e string Rcsrss"e=eS is loo.ed /or in t(e binar! in a case8insensiti0e 'a!" G/ /ound, t(is tec(ni ue is considered as e0idence detected" &! ;! Alternative Des-to1

5indo's N28based plat/orms supports multiple des.tops, and it is possible to select a di//erent Adopted Static Detection; acti0e des.top, (iding t(e 'indo's o/ t(e pre0iousl! selected one 'it( no ob0ious 'a! to Nt#uer!S!stemGn/ormation is loo.ed /or in GA2" G/ s'itc( bac. to t(e old des.top J,K" 2(is can be /ound, t(e tec(ni ue is considered as e0idence done calling HreateDes.top*+ /ollo'ed b! detected" S'itc(Des.top*+" 2(e d'DesiresAccess parameter o/ HreateDes.top*+ can be; &!:! O1en(rocess 4 SeDebug(rivilege DFSM2OPLHRFA2F5GNDO5 E DFSM2OPL5RG2FOBVFH2S E 5it( SeDebugPri0ilege pri0ilege, a non8de/ault DFSM2OPLS5G2H9DFSM2OP" 2(is tec(ni ue pri0ilege J4K, a process can gain /ull control o0er can be used to ma.e t(e debugging process (arder t(e s!stem process HSRSS"e=e J,K" Additionall!, /or an anal!st" suc( a pri0ilege is passed to c(ild processes" So, i/ a debugger ac uires suc( a pri0ielge, t(e debugged Adopted Static Detection; binar! can (a0e /ull control o0er HSRSS"e=e also" J4K 2(is tec(ni ue (as > steps; HreateDes.topA<HreateDes.top5 are loo.ed /or in ," Fnumerate processes to get t(e process GD GA2" G/ /ound, and S'itc(Des.top is also present,

t(e tec(ni ue is considered as detected" &! ! Self-Debugging

&! &! 0ardware )rea-1oints

5(en an e=ception occurs, 5indo's passes to t(e e=ception (andler a conte=t structure '(ic( (a0e, RSel/8debugging is t(e act o/ running a cop! o/ a among ot(er in/ormation, t(e debug registers process, and attac( to it as a debugger"S J,K" Since content J,K" G/ t(ere is a debugger 'it( (ard'are onl! one debugger can be attac(ed to a process, brea.points being used and it passes t(e e=ception suc( process could not be debugger b! ordinar! to t(e debuggee, t(en t(e debug registers can be means *t(ere are b!passes+" Gt is possible to e=ecute anal!3ed loo.ing /or a debugger" 2(is can be used t(is tec(ni ue creating a cop! o/ t(e process to be to detect t(e presence o/ a debugger" debugged *HreateProcessA*+ 'it( DFBQGLPROHFSS as a d'HreationDlags Adopted Static Detection; parameter+, and (andling its debug e0ents *5aitDorDebugF0ent*+ and A MO% instruction *mo0, mo0s=, mo03=+ cop!ing HontinueDebugF0ent*++" 2(is tec(ni ue can be t(e FSP register to t(e SF9 */s;J-=-K+ is loo.ed /or; used to di//icult a debugger to be attac(ed to t(e process" mo0<mo0s=<mo03= op,,esp P 5(ere R/s;J-=-KS is a substring o/ op, Adopted Static Detection; 2(en, later in t(e same /unction, anot(er MO% HreateProcessA<HreateProcess5 are loo.ed /or in instruction *mo0, mo0s=, mo03=+ re/erencing t(e GA2" G/ /ound, and bot( 5aitDorDebugF0ent and HON2FN2 *JespO-=cK+ is loo.ed /or in t(e source HontinueDebugF0ent are also present, t(e operand and t(e destination one *N+ is sa0ed /or tec(ni ue is considered as e0idence detected" /uture use; &! #! .tl3uery(rocessDebug"nformation mo0<mo0s=<mo03= N,op> P '(ere RJespO-=cKS is a substring o/ op>

Rtl#uer!ProcessDebugGn/ormation*+ is used to load some process in/ormation in DebugBu//er 2(en, later in t(e same /unction, instructions HMP parameter including some (eap in/ormation *(eap *cmp, cmp=c(g+, MO% *mo0, mo0s=, mo03=+ or /lags is among t(em+ J>KJ?KJ6K" 2(is call can be OR, bot( 'it(, in t(e source operand, (a0ing an made 'it( PDGL9FAPS E PDGL9FAPLB)OHMS as o//set o/ a debug register relati0e to t(e sa0ed N a DebugGn/oHlassMas. parameter" Gnternall!, it *-=6, -=B, -=H -=,-+ is loo.ed /or; uses Rtl#uer!Process9eapGn/ormation*+, and t(is mo0<mos=<mo3= op,,op> /unction can be used to de0elop a 0ariation o/ t(is cmp<cmp=c(g op,,op> tec(ni ue" 2(e /ollo'ing (eap /lags 0alue indicates or op,,op> t(at a process is being debugged; GRO5AB)F E P All op> (a0ing RJNO-=6KS, RJNO-=BKS, 2AG)LH9FHMGNGLFNAB)FD E RJNO-=HKS or RJNO-=,-KS substrings" DRFFLH9FHMGNGLFNAB)FD E %A)GDA2FLPARAMF2FRSLFNAB)FD" 2(is RF2 'as used to consider t(e end o/ a /unction" tec(ni ue can be used to detect t(e presence o/ a debugger" G/ t(is scenario (appens, t(is anti8debugging tec(ni ue is considered as detected" Adopted Static Detection; &! /! Out1utDebugString Rtl#uer!ProcessDebugGn/ormation and Rtl#uer!Process9eapGn/ormation are loo.ed /or in 2(e .ernel?> OutputDebugString*+ (as di//erent GA2" G/ some ot t(em are /ound, tec(ni ue is be(a0ior depending on t(e presence, or not, o/ considered as e0idence detected" debugger J,K" One o/ t(em is t(at .ernel?>

Get)astFrror*+ returns - i/ t(e debugger is present" Adopted Static Detection; 2(is tec(ni ue can be used to detect t(e presence o/ a debugger" *,+ Adopted Static Detection; OutputDebugStringA<OutputDebugString5 are loo.ed /or in GA2" G/ /ound, and Get)astFrror is also present, t(e tec(ni ue is considered as detected" &! 2! )loc-"n1ut GetHurrentProcessGd and Hreate2ool(elp?>Snaps(ot are loo.ed /or in GA2" G/ bot( are /ound, t(is tec(ni ue is considered as e0idence detected" *>+

GetHurrentProcessGD and Nt#uer!S!stemGn/ormation are loo.ed /or in GA2" Bloc.Gnput*+ /unction RBloc.s .e!board and mouse G/ bot( are /ound, t(e tec(ni ue is considered as input e0ents /rom reac(ing applications"S J@K" 2(is e0idence detected" /unction can be used to di//icult t(e access o/ an anal!st to t(e debugger J,KJ4K" *?+ Adopted Static Detection; Bloc.Gnput is loo.ed /or in GA2" G/ /ound, t(e tec(ni ue is considered as e0idence detected" &! 5! (arent (rocess GetS(ell5indo', Get5indo'2(readProcessGd and Nt#uer!Gn/ormationProcess are loo.ed /or in GA2" G/ bot( are /ound, t(is tec(ni ue is considered as e0idence detected" &! 7! Device Names

2(e parent process o/ an application e=ecuted b! an Debuggers t(at uses .ernel8mode dri0ers ma! use user 'ill usuall! be RF=plorer"e=eS, and it can be named de0ices to communicate 'it( t(em J,K" So, considered as a debugger e0idence '(en suc( a i/ an open attempt in suc( de0ices succeeds, it does c(aracteristic does not (appen J,K" 2(e /ollo'ing not necessaril! means t(at a debugger is acti0e, but /unctions can be used /or t(is purpose; t(at it is present" 2(e implementation can use HreateDile*+ /unction 'it( OPFNLFNGS2GNG as a GetHurrentProcessGd*+ O d'HreationDisposition parameter" Some de0ice Hreate2ool(elp?>Snaps(ot*+O names; *Process?>Dirst*++OProcess?>Ne=t*+" So/tGHF; WW"WSGHF, WW"WSG5%GD, WW"WN2GHF GetHurrentProcessGd*+ O RegMon; WW"WDG)F%NG, WW"WRFGSXS Nt#uer!S!stemGn/ormation*+ 'it( S!stemProcessGn/ormation as a DileMon; WW"WDG)F%NG, WW"WDG)FM S!stemGn/ormationHlass parameter" WW"W2R5 A simpler met(od; get F=plorer"e=e process So/tGHF e=tender; WW"WGHFFN2 GD *GetS(ell5indo'*+ OGet5indo'2(readProcessGd*++ and get t(e2(is tec(ni ue mig(t be used to detect t(e presence parent process GD o/ a debugger" 2(e presence o/ a debugger does not *Nt#uer!Gn/ormationProcess*+ 'it( necessaril! means t(at t(e debugger is acti0e" ProcessBasicGn/ormation as a ProcessGn/ormationHlass parameter+" Adopted Static Detection; 2(is tec(ni ue mig(t be used to detect t(e presence De0ice name strings *RWW"WSGHFS, RWW"WSG5%GDS, o/ a debugger" RWW"WN2GHFS, RWW"WDG)F%NGS, RWW"WRFGSXSS, RWW"WDG)FMS, RWW"W2R5S, RWW"WGHFFN2S+ are loo.ed

/or in t(e binar! itsel/ in a case insensiti0e 'a!" G/ /ound, t(is tec(ni ue is considered as detected" Adopted Static Detection; &! 8! OllyDbg 4 Out1utDebugString Suspend2(read and NtSuspend2(read are loo.ed /or in GA2" G/ some o/ t(em /ound, t(is tec(ni ue is considered as e0idence detected"

Oll!Dbg is a debugger t(at (a0e a /ormat string 0ulnerabilit! 'it( t(e .ernel?> OutputDebugString*+ /unction, leading to a cras( or &!# ! Soft",$ 4 "nterru1t an arbitrar! code e=ecution J,KJ4K" 2(e current /inal 0ersion *,",-+ is still 0ulnerable" 2(is can be used Normall!, t(e DP) o/ interrupt , is set to -, to brea. a debugging process 'it( an a//ected meaning t(at a ring ? attempt to e=ecute int , 0ersion o/ Oll!Dbg" *R-=cd-,S+ results in a HPQ general protection /ault *int R-=-dS+ and in t(e end 5indo's raises an Adopted Static Detection; FNHFP2GONLAHHFSSL%GO)A2GON *-=c------4+ J,K" OutputDebugStringA<OutputDebugString5 are So/tGHF (oo.s GD2 entr! o/ interrupt , and sets t(e loo.ed /or in GA2" G/ /ound, t(is tec(ni ue is DP) to ?, allo'ing it to single8step /rom user8mode considered as e0idence detected" code" 2(e problem is t(at So/tGHF does not identi/! and (andle di//erentl! t(e situations t(at caused &! :! +ind<indow suc( an int ,, and al'a!s e=ecute t(e de/ault interrupt , (andler" Dind5indo'*+ /unction can be used to /ind opened So, a ring ? attempt to e=ecute int , results in t(e debuggers using bot( parameters, lpHlassName and 5indo's raising FNHFP2GONLSGNG)FLS2FP lp5indo'Name J,K" Some parameters t(at can be instead o/ FNHFP2GONLAHHFSSL%GO)A2GON used; *-=B------6+" 2(is c(aracteristic can be used to detect i/ t(e So/tGHF is running" lpHlassName; Oll!Dbg; RO))XDBGS1 5inDbg; R5inDbgDrameHlassS1 MS)R9; R2FS2DBGS, R..,S, RFe'4AS, RS(ado'S" Adopted Static Detection; lp5indo'Name; MS)R9; RGmport RFHonstructor 0,"@ DGNA) *H+ >--,8>--? GN2, instruction is loo.ed /or" 2(en, later in t(e same /unction, a HMP instruction 'it( -=B------6 Mac.2<uHDS" in an! o/ t(e operands is loo.ed /or; 2(is can be used to detect t(e presence o/ a Y debugger" int, Y Adopted Static Detection; cmp operands P '(ere an! o/ t(e operands are -=B------6 Dind5indo'A<Dind5indo'5 are loo.ed /or in """ GA2" G/ /ound, t(is tec(ni ue is considered as e0idence detected" RF2 'as used to consider t(e end o/ a /unction" &!#;! Sus1endThread G/ t(is scenario (appens, t(is anti8debugging tec(ni ue is considered as detected" Qser8mode debuggers li.e Oll!Dbg and 2urbo Debug can be disabled b! calling .ernel?> Suspend2(read*+ *or t(e ntdll NtSuspend2(read*++ in its t(reads J,KJ>K" 2o /ind t(e t(reads, process enumeration and named 'indo' searc(ing are t'o met(ods t(at can be used"

&!##! SS register

5(ile single8stepping t(roug( trap /lag, debuggers t!picall! tr! to clean suc( a /lag '(en it is pus(ed in t(e stac. J,KJ>KJAK" 5(en SS register is loaded *POP SS, /or e=ample+, t(e interrupts are disabled until t(e end o/ t(e ne=t instruction to a0oid in0alid stac. troubles in some cases JBK" Adopted Static Detection; So, a/ter t(e SS loading, t(e ne=t instruction 'ill be e=ecuted but t(e debugger 'ill not brea. on it" SetQn(andledF=ceptionDilter is loo.ed /or in GA2" 5it( t(e debugger una'are o/ t(e /lags pus(ing G/ /ound, t(is tec(ni ue is considered as e0idence *PQS9DD, /or e=ample+, t(e trap /lags 'ill not be detected" cleaned in t(e stac. and its presence indicates a single8stepping t(oug(t trap /lags debugging" &!#/! *uard (ages Adopted Static Detection;

e=ception" JCK 2(is be(a0ior can be used to detect t(e presence o/ a debugger b! de/ining a top8le0el e=ception /ilter t(roug( SetQn(andledF=ceptionDilter*+ and t(en /orcing an e=ception to occur" G/ t(e top8le0el e=ception /ilter gets e=ecuted, t(en t(e process is not being debugged"

An attempt to access an address 'it(in a guard page *page mar.ed 'it( PAGFLGQARD+ results in A POP instruction 'it( SS register as operand, or a a S2A2QSLGQARDLPAGFL%GO)A2GON MO% instruction *mo0, mo0s=, mo03=+ (a0ing SS *-=B------,+ being raised b! t(e s!stem J,KJ,-K" register as a destination operand are loo.ed /or; G/ a debugger is present, it mig(t (andle suc( an e=ception and allo' t(e access" 2(is be(a0ior pop ss mig(t be used to detect t(e presence o/ a debugger" An implementation o/ suc( a tec(ni ue, as s(o'n mo0<mo0s=<mo03= ss,U P Gt does not matter '(at in J,K, relies on 'riting -=H? *RF2 instruction+ in a is t(e second operand memor! area and mar.ing t(is page 'it( PAGFLGQARD" G/ t(e RF2 gets e=ecuted, t(e 2(en, t(e ne=t instruction is anal!3ed to c(ec. i/ debugger is detected1 ot(er'ise, a cra/ted e=ception t(e ne=t mnemonic starts 'it( t(e string Rpus(/S" (andler is e=ecuted meaning t(at t(e debugger 'as not detected" G/ t(is scenario (appens, t(is anti8debugging tec(ni ue is considered as detected" Adopted Static Detection; &!#&! =nhandled$%ce1tion+ilter %irtualAlloc<%irtualAllocF= and %irtualProtect<%irtualProtectF= are loo.ed /or in 5(en an e=ception is generated and t(ere 'as no GA2" G/ /ound, t(is tec(ni ue is considered as e=ception (andlers to processes it, a de/ault (andler e0idence detected" e=ists to do suc( a :ob J,KJ4KJAK" As part o/ t(e de/ault (andler procedures, .ernel?> &!#2! $%ecution Timing Qn(andledF=ceptionDilter*+ is called" Gn suc( a /unction, Nt#uer!Gn/ormationProcess*+ is called 5(en a debugger is present, t(e time elapsed 'it( ProcessDebugPort as a bet'een subse uent instructions e=ecution mig(t ProcessGn/ormationHlass parameter to detect i/ t(e be (ig(er t(an 'it(out it J,KJ>KJAK" 2(e idea is to process t(at raised t(e e=ception is being debugged" measure time elapsed bet'een some instructions G/ SetQn(andledF=ceptionDilter*+ 'as used and t(e e=ecution and based on suc( a 0alue, in/er t(e process is not being debugged, t(e top8le0el presence o/ a debugger" Some met(ods can be used e=ception /ilter set b! suc( a /unction 'ill be to implement t(is tec(ni ue *eac( met(od (as its e=ecuted" Ot(er'ise, i/ t(e process is being o'n c(aracteristics+; debugged, t(e debugger 'ill be noti/ied about t(e RD2SH instruction *it is a popular anti8

debugging tec(ni ue J,K J>K JAK J,,K but 2(readGn/ormationHlass parameter (as an t(ere are some issues to be a'are o/ JBK J,,K undocumented 0alue, 2(read9ideDromDebugger J,>K J,?K+ *-=,,+, '(ic( pre0ents debugging e0ents to be sent to t(e debugger J4K" 2(is can be used to di//icult t(e RDPMH instruction J>K JBK debugging" RDMSR instruction J>K JBK .ernel?> Get2ic.Hount*+ J,6K Adopted Static Detection; 'inmm timeGet2ime J,K J,4K .ernel?> Get)ocal2ime*+ J>K J,@K NtSetGn/ormation2(read is loo.ed /or in GA2" G/ .ernel?> GetS!stem2ime*+ J>K J,AK .ernel?> #uer!Per/ormanceHounter*+ J>K ound, t(is tec(ni ue is considered as e0idence detected" JAK J,BK" &!#8! NtSetDebug+ilterState

Adopted Static Detection;

2(e ntdll DbgSetDebugDilterState *or ntdll Get2ic.Hount, timeGet2ime, Get)ocal2ime, NtSetDebugDilterState+ call succeeds in t(e GetS!stem2ime and #uer!Per/ormanceHounter are presence o/ some debuggers J>K" 2(is is a side8 loo.ed /or in GA2" G/ some o/ t(em are /ound, t(is e//ect o/ t(e debugger7s be(a0iour; t(e process tec(ni ue is considered as e0idence detected" SeDebugPri0ilege pri0ilege" SeDebugPri0ilege is not a de/ault pri0ilege J4K, so t(is tec(ni ue mig(t &!#5! Software )rea-1oint Detection be used to indirectl! detect t(e presence o/ some debuggers" So/t'are brea.point is a single8b!te instruction *-=HH $ GN2 ?+ t(at stops t(e e=ecution o/ t(e Adopted Static Detection; debugged process and passes control to t(e debugger J4K" 2(e original b!te is sa0ed b! t(e DbgSetDebugDilterState and debugger be/ore setting t(e brea.point, t(is 'a! t(e NtSetDebugDilterState are loo.ed /or in GA2" G/ original instruction can be e=ecuted in t(e correct some o/ t(em are /ound, t(is tec(ni ue is time" J,CK considered as detected" Hode areas in memor! are scanned /or -=HH b!te t(at 'as not set b! t(e code itsel/" 2o ma.e suc( a &!#:! "nstruction ,ounting c(ec. not so ob0ious, it is possible to use some operation in t(e compared b!, suc( as J4K; An e=ception (andler is registered to deal 'it( t(e FNHFP2GONLSGNG)FLS2FP *-=B------6+ i/*b!te NOR -=44 ZZ -=CC+ t(en brea.point /ound e=ception J,K" 2(en, some (ard'are brea.points are set in speci/ic Note t(at -=HH NOR -=44 Z -=CC" instructions" Debug registers cannot be accessed directl! in user8mode J?>K, so a conte=t structure is Adopted Static Detection; needed and t(e /ollo'ing procedures can be used to get it; A HMP instruction *cmp, cmp=c(g+ 'it( -=HH in Halling .ernel?> Get2(readHonte=t*+" an! o/ its operands is loo.ed /or" G/ /ound, t(is anti8 Dorcing an e=ception to occur and (andling debugging tec(ni ue is considered as detected" it, because t(e conte=t structure is passed to t(e e=ception (andler" 2(is is more stealt( &!#7! Thread 0iding t(an t(e pre0ious procedure" According to MSDN J>-K J>,K, ntdll NtSetGn/ormation2(read*+ sets t(e priorit! o/ a t(read J,KJ4KJAK" 9o'e0er, its As instructions 'it( (ard'are brea.points are being reac(ed, t(e pre0iousl! registered e=ception (andler is supposed to deal 'it( t(e raised

e=ceptions" Suc( (andler 'ill simpl! count (o' man! times it 'as reac(ed and t(en can c(ange t(e FGP to point to a ne' instruction and resume t(e e=ecution" Some debuggers do not deal correctl! 'it( (ard'are brea.points t(at 'ere set b! t(em, and some o/ t(e raised FNHFP2GONLSGNG)FLS2FP mig(t not be (andled b! t(e pre0iousl! set e=ception (andler" A/ter all (ard'are brea.points got reac(ed and its e=ception (andlers /inis(ed, t(e total counter used b! t(em s(ould (a0e t(e number o/ (ard'are brea.points initiall! set" G/ t(e 0alue 'as di//erent, it indicates t(e presence o/ a debugger" &!&;! 0eader $ntry1oint

5aitDorSingleOb:ect /unctions are loo.ed /or in GA2" G/ some o/ t(em are /ound, t(is tec(ni ue is considered as e0idence detected" &!&#! 0oo- Detection Some (oo. tec(ni ues relies on o0er'riting t(e /irst instruction o/ t(e (oo.ed /unction b! a VMP instruction pointing to anot(er place" J6BK Regarding Microso/t Detours, some c(aracteristics e=ist t(at can be used as a signature, suc( as "detours section and t(e presence o/ detoured"dll" J6CK J4-K Detecting t(e presence o/ a (oo. mig(t detect some binar! anal!sis procedures"

Dile sections t(at do not include t(e attribute GMAGFLSHNLMFML5RG2F *'rite+ is read8onl! Adopted Static Detection; b! de/ault to a remote debugger J,K" Additionall!, t(ere is no section t(at describes t(e *,+ PF (eader, it 'ill be also considered as read8onl!1 t(ere is an e=ception '(en t(e PF8 A HMP instruction 'it( -=FC in some o/ its TSectionAlignment is less t(an 6.b, '(ic( causes operands is loo.ed /or" G/ /ound t(is tec(ni ue is it to be mar.ed internall! as bot( 'ritable and considered as e0idence detected" e=ecutable J,K" Being so, i/ t(e debugger does detect suc( situation *>+ and does not set a 'rite pri0ilege in suc( a section, t(e debugger mig(t allo' t(e application to run 2(e string R"detourS is loo.ed /or in t(e binar! 'it( /reel!" t(e e=ception o/ its sections" 2(e string Rdetoured"dllS is also loo.ed /or in t(e binar!, but Adopted Static Detection; 'it( t(e e=ception o/ t(e imports" G/ some o/ t(em 'ere /ound, t(e tec(ni ue is considered as 2(e entr!point section is anal!3ed to c(ec. i/ it (as detected" t(e GMAGFLSHNLMFML5RG2F attribute" G/ it does not (a0e, t(en t(is tec(ni ue is considered as Section &!&&! Dbg)rea-(oint Overwrite detected" 5(en a debugger attac(es to a process, an &!& ! Self-$%ecution e=ception is raised b! DbgBrea.Point*+ /unction in N2D)) *called at attac( time+ J>K" 9andling suc( 2(is tec(ni ue relies on a process to create anot(er an e=ception t(e debugger gains control o/ t(e process o/ itsel/ J,K" 2(is 'a!, t(e second process debugee" 'ill not be debugged" Qsuall! t(is tric. is used 'it( a mute= to pre0ent man! copies o/ t(e process B! mar.ing t(e page*s+ o/ DbgBrea.Point*+ as to be in e=ecution" FNFHQ2FLRFAD5RG2F and o0er'riting it 'it(, /or e=ample, a RF2 instruction, '(en a debugger Adopted Static Detection; attac(es to t(e process t(e t(read 'ill e=it immediatel!, t(us, not brea.ing in" HreateProcessA<HreateProcess5, HreateMute= and

/! Obfuscation and Anti-Disassembly Techni'ues Bot( ob/uscation and anti8disassembl! tec(ni ues relies on a disassembl!" Being so, t(e! 'ere put toget(er in t(e same section" Ob/uscation is a .ind o/ tec(ni ue to ma.e t(e disassembl! result (arder to be anal!3ed b! a pro/essional" Anti8disassembl! is a .ind o/ tec(ni ue to compromise disassemblers and<or t(e disassembling process" Section 6", discusses some disassembl! concepts" Section 6"> and Section 6"? describes, respecti0el!, some ob/uscation and anti8disassembl! tec(ni ues" /! ! Disassembly ,once1ts

Anti8disassembl! tec(ni ues are discussed in section 6"> and ob/uscation tec(ni ues in section 6"?" /!#! Anti-Disassembly Techni'ues Some anti8disassembl! tec(ni ues are described in t(e ne=t sections" 2ec(ni ues currentl! co0ered b! detection plugins 'ill (a0e an additional in/ormation; t(e algorit(m used to detect suc( a tec(ni ue" /!#! ! *arbage )ytes 2(is tec(ni ue relies on adding additional b!tes t(at 'ill ne0er be e=ecuted in run8time" J4K J?BK 2(is ma! brea. bot( linear s'eep and recursi0e tra0ersal approac(es"

Gt is possible to disassemble a binar! 'it( a static and a d!namic approac( J?CK" 2(e /ormer relies on A liner s'eep approac( could interpret suc( b!tes e=ecuting t(e program and trac.ing instruction as as being code8related b!tes, brea.ing t(e t(e! are being e=ecuted" 2(e latter relies on alignment" As a result, suc( garbage b!tes could be anal!3ing t(e program b!tes and /inding :oined 'it( 0alid b!tes /rom ne=t instructions instructions 'it(out e=ecuting it" generating 'rong instructions instead o/ t(e correct Static disassembling can be categori3ed in t'o ones" Dor e=ample; main classes; linear s'eep and recursi0e tra0ersal" )inear s'eep approac( starts /rom a gi0en b!te */or :mp "destination e=ample, t(e /irst b!te o/ t(e entr! point+ and /rom db -=@a 1 garbage b!te tec(ni ue t(is point on anal!3es b!te a/ter b!te until a "destination; prede/ined end */or e=ample, t(e end o/ t(e PF pop ea= section+" 2(e main dra'bac. o/ t(is approac( is t(at data placed in t(e middle o/ code instructions Suc( e=ample generates t(e /ollo'ing disassembl! ma! generate some noise, because t(e! 'ill be b! a ob:dump; interpreted as code" An e=ample o/ disassembler t(at uses linear s'eep approac( is ob:dump J>@K" eb -, :mp -=6-,--? Recursi0e tra0ersal is an approac( t(at /ollo's t(e @a 4B pus( -=4B program control /lo' instead o/ simpl! disassembling eac( b!te" Gt is not 0ulnerable to t(e Recursi0e tra0ersal algorit(ms mig(t also be simple /act o/ data e=isting in t(e middle o/ code compromised t(roug( garbage b!tes i/ a situation instructions, but it (as anot(er main dra'bac.; it is in '(ic( t(e same set o/ b!tes 'it( more t(an one not al'a!s possible to staticall! predict t(e e=act interpretation could be /orced" Gn t(is case, t(e lac. program control /lo'" Gt ma! result in some parts o/ alignment due to t(e interpretation o/ t(e not being disassembled and also t(e generation o/ garbage b!tes as a 0alid code b!tes mig(t lead t(e some noise" 2(e unreac(able areas can be disassembler to produce a 'rong disassembl!" Dor submitted to a linear s'eep processing, and suc( a e=ample, a Da.e Honditional Vump implementation 0ariation is called speculati0e disassembl!" An could be used /or t(at; e=ample o/ disassembler t(at uses recursi0e tra0ersal approac( is GDA J6-K" mo0 ea=,ea= :3 "destination

db -=@a 1 garbage b!te tec(ni ue "destination; 1 rest o/ t(e code pop ea=

Y Resulting ob:dump output; :mp -=6-,--? pus( -=4B

eb -, Suc( e=ample produces t(e /ollo'ing GDA output; @a 4B [ GDA output Adopted Static Detection; *,+ A PQS9 instruction immediatel! /ollo'ed b! a RF2 is loo.ed /or" G/ /ound, t(e tec(ni ue is considered as e0idence detected" *>+

Anot(er e=ample o/ implementation is t(e Gnstruction Substitution t(at uses a Pus( /ollo'ed b! RF2 to replace a con0entional VMP" Gt is also possible to use t(is tec(ni ue to compromise recursi0e tra0ersal algorit(ms b! using indirection" An indirect :ump, /or e=ample, is an approac( t(at can be used /or suc( a purpose" J?CK J6,K 2(e pre0ious e=ample 'as modi/ied to use an indirect :ump;

pus( D5ORD "destination A NOR instruction 'it( t'o e ual operands is :mp D5ORD JespK loo.ed /or" G/ /ound and is immediatel! /ollo'ed b! db -=@a 1 garbage b!te tec(ni ue a VN\ instruction, t(e tec(ni ue is considered as "destination; e0idence detected" 2(e same (appens /or S2H pop ea= instruction immediatel! /ollo'ed b! VNH or VAF and /or H)H instruction immediatel! /ollo'ed b! [[[[[ GDA output [[[[[[[[ VH or VB" Adopted Static Detection; /!#!#! (rogram ,ontrol +low ,hange A PQS9 instruction immediatel! /ollo'ed b! a 2(is tec(ni ue relies on unconditionall! /orcing a RF2 is loo.ed /or" G/ /ound, t(e tec(ni ue is program control /lo' c(ange to occur, lea0ing an considered as e0idence detected" area 'it( ot(er anti8disassemble tec(ni ue*s+ unreac(able in run8time" Disassemblers using linear /!#!&! +a-e ,onditional >um1s s'eep approac( 'ill disassemble suc( an area and t(e resulting assembl! code ma! be compromised" 2(is tec(ni ue, based on J4K and J?BK, relies on creating conditional :umps '(ic( conditions are An unconditional VMP is an e=ample t(at can be al'a!s t(e same" Dor e=ample; used to implement t(is tec(ni ue" J?BK Dor e=ample, t(e /ollo'ing VMP instruction :umps an *,+ unreac(able area populated 'it( Garbage B!te """ anti8disassembl! tec(ni ue, a0oiding its e=ecution" =or ea=,ea= But ob:dump 'ill disassemble suc( an area and t(e :3 "destination, 1 al'a!s true resulting output is compromised; Y :mp "destination db -=@a 1 garbage b!te tec(ni ue "destination; 1 rest o/ t(e code pop ea= *>+ """ =or :n3 Y

ea=,ea= "destination> 1 al'a!s /alse

/unction" A/ter t(e HA)) and be/ore t(e ne=t Gn t(e /irst e=ample, t(e V\ instructions 'ill be e=ecuted instruction, ot(er anti8disassembl! al'a!s true independentl! o/ t(e FAN content, t(e tec(ni ues, suc( as Garbage B!tes, can be used" instructions be/ore NOR and t(e instructions a/ter )inear s'eep is also a//ected because t(e! do not V\" 2(e same (appens /or t(e second e=ample, but interpret instructions and ma! also disassemble t(e t(e VN\ instruction 'ill be al'a!s /alse" ne=t instruction a/ter t(e call, getting 0ulnerable to Recursi0e tra0ersal approac( ma! disassemble ot(er anti8disassembl! tec(ni ues suc( as Garbage areas t(at 'ill ne0er be e=ecuted, and suc( B!tes" unreac(able areas can be populated 'it( ot(er anti8 2(e /ollo'ing e=ample, '(ic( also emplo!s disassembl! tec(ni ues, suc( as Garbage B!tes, Garbage B!tes tec(ni ue, ma! brea. /or bot(, t(at creates t'o di//erent interpretations /or t(e recursi0e tra0ersal and linear s'eep approac(es; same set o/ b!tes" Fac( disassembler (as its o'n 'a! to (andle suc( call "/unction a con/lict, but most o/ t(em, trust its /irst db -=@a 1 garbage b!te interpretation J?BK1 GDA seems to be an e=ample o/ "correctLreturn; t(is, because it /irst disassembles t(e /alse branc( 1 rest o/ t(e code J?BK" pop ea= Y 2(e /ollo'ing approac(es are e=amples t(at can be used to implement t(is tec(ni ue; "/unction; pus( D5ORD "correctLreturn =or =,= *NOR 'it( t'o e ual operands+ ret 2rue branc(; V\ Dalse branc(; VN\ 2(e /ollo'ing output is produced b! ob:dump; S2H instruction 2rue branc(; VH or VB 6-,---; eB -> -- -- -- call -=6-,--A Dalse branc(; VNH or VAF 6-,--4; @a 4B pus( -=4B H)H instruction 6-,--A; @B -@ ,- 6- -- pus( -=6-,--@ 2rue branc(; VNH or VAF 6-,--c; c? ret Dalse branc(; VH or VB Adopted Static Detection; 2(e /ollo'ing output is produced b! GDA;

[ GDA output A NOR instruction 'it( t'o e ual operands is loo.ed /or" G/ it is immediatel! /ollo'ed b! VN\ /!#!2! +low .edirection to the Middle of an instruction, t(e tec(ni ue is considered as detected" "nstruction 2(e same (appens /or S2H instruction immediatel! /ollo'ed b! VNH or VAF and /or H)H instruction 2(is tec(ni ue relies on redirecting t(e program immediatel! /ollo'ed b! VH or VB" /lo' to t(e middle o/ an instruction" J?BK 2(is /!#!/! ,all Tricmig(t compromise bot( linear s'eep and recursi0e tra0ersal algorit(ms"

2(is tec(ni ue relies on c(anging t(e de/ault An implementation e=ample could be (iding an /unction7s return address"J?CK J6,K Gn con:unction instruction in t(e middle o/ anot(er" So, t(e 'it( ot(er tec(ni ues suc( as Garbage B!tes, t(is disassembler 'ould s(o' an instruction t(at is not tric. ma! brea. all .ind o/ disassemblers" e=ecuted in run8time instead o/ t(e correct Recursi0e tra0ersal disassemblers ma! disassemble instruction t(at resides in t(e middle o/ its b!tes" t(e ne=t instruction a/ter t(e HA)), but t(e correct )inear s'eep approac(es could be b!passed ne=t instruction 'as actuall! c(anged b! t(e called because t(e instruction aligned to t(e rest o/ t(e

b!tes are t(e 'rong one" Recursi0e tra0ersal 1 rest o/ t(e code algorit(ms could be a//ected b! ma.ing t(e same =or ea=,ea= set o/ b!tes to (a0e more t(an one interpretation1 pop ea= t(is can be ac(ie0ed, /or e=ample, b! using t(e mo0 ea=,esp Da.e Honditional Vump tec(ni ue" pus( ec= 2(e /ollo'ing e=ample illustrates suc( a scenario 'it( a code t(at a//ects bot(, linear s'eep and Output o/ ob:dump; recursi0e tra0ersal approac(es; @@ bB eb -4 mo0 a=,-=4eb 1 Da.e Honditional Vump ?, c=or ea=,ea= =or ea=,ea= A6 /C :e -=6-,--, :3 O6 1 :ump to t(e ret eB ?, c- 4B BC call -=BCCBd-?e e- 4, loopne -=6-,-@1 -=c? Z ret mo0 ea=,-=c?abcde/ Output o/ GDA; Gn suc( an e=ample, t(e RF2 instruction does not [ GDA output directl! appear in t(e disassembl! outputs, but is e=ecuted in run8time, as s(o'n in t(e ob:dump and 2(is tec(ni ue could also be used to ma.e GDA outputs belo'" recursi0e tra0ersal algorit(ms to generate t'o di//erent interpretations /or t(e same set o/ b!tes Output o/ ob:dump; 'it(out using conditional :umps; :umping into itsel/ J?BK" Additionall!, because it brea.s t(e ?, c=or ea=,ea= alignment, linear s'eep algorit(ms ma! also be A6 -6 :e -=6-,--B a//ected" 2(e /ollo'ing e=ample, based on J?BK, bB e/ cd ab c? mo0 ea=,-=c?abcde/ illustrates suc( a scenario; Output o/ GDA; [ GDA output Anot(er implementation e=ample could be using t(is anti8disassembl! tec(ni ue to brea. t(e alignment and generate a set o/ 'rong instruction instead o/ simpl! (iding one in t(e middle o/ anot(er" 2(e /ollo'ing e=ample, t(at is based on J?BK, does t(is; mo0 =or a=,-=-4eb ea=,ea= 1 :mp 8, Z -=eb -=// 1 :umps to itsel/; -=// :mp 8, 1 -=// -=c- Z inc ea= db -=c1 -=6B Z dec ea= db -=6B Output o/ GDA; 1 :ump to R:mp 4S *-=eb -=e4+ 1 last b!tes o/ mo0 instruction is -=eb -=e4 [ GDA output 1 suc( R:mp 4S redirects t(e /lo' to t(e rest 1 o/ t(e code Output o/ ob:dump; :3 8@ 1 eb // :mp -=6-,--, db -=eB 1 garbage b!te cb!te -=c6B dec ea= 1 All b!tes o/ t(e e=ample; 1 -=eb -=// -=c- -=6B

/uture use; Adopted Static Detection; pop N *,+ A PQS9 instruction immediatel! /ollo'ed b! a RF2 is loo.ed /or" G/ /ound, t(e tec(ni ue is considered as e0idence detected" *>+ 2(en, t(e ne=t instruction is compared against AND, OR and NOR 'it( t(e destination operand being t(e sa0ed one *N+ and t(e ot(er one being an immediate; and<or<=or N,immediate

A NOR instruction 'it( t'o e ual operands is G/ t(is scenario (appens, t(e tec(ni ue is loo.ed /or" G/ /ound and is immediatel! /ollo'ed b! considered as detected" a VN\ instruction, t(e tec(ni ue is considered as e0idence detected" 2(e same (appens /or S2H /!&!#! NO( Se'uence instruction immediatel! /ollo'ed b! VNH or VAF and /or H)H instruction immediatel! /ollo'ed b! 2(is t!pe o/ dead8code insertion relies on adding a VH or VB" se uence o/ NOP instructions in t(e middle o/ t(e code J>4K" 2(is can ma.e t(e disassembl! anal!sis /!&! Obfuscation Techni'ues (arder b! reducing t(e legibilit! o/ t(e code and b!passing some signature8based algorit(ms" Some ob/uscation tec(ni ues are described in t(e ne=t sections" Adopted Static Detection; 2ec(ni ues currentl! co0ered b! detection plugins 'ill (a0e an additional in/ormation; t(e algorit(m A se uence o/ 4 NOPs is loo.ed /or in t(e same used to detect suc( a tec(ni ue" /unction" RF2 'as used to consider t(e end o/ a /unction" /!&! ! (ush (o1 Math G/ /ound, t(is tec(ni ue is considered as detected" 2(is tec(ni ue can be used to ob/uscate a 0alue and /!&!&! "nstruction Substitution relies in t(ree steps J>6K; 2(is tec(ni ue relies on c(anging a instruction, or a Pus( a .no'n immediate set o/ t(em, b! e ui0alent ones" J>4K J64K Gt can be Pop suc( an immediate into a register used to ma.e t(e anal!sis process b! a pro/essional Do some mat( on t(e register (arder and also to b!pass signatures" Some At t(e end, t(e register 'ill (a0e t(e desired 0alue, e=amples are; R=or ea=,ea= P :3S to replace a VMP but suc( a 0alue does not e=plicitl! appear in t(e Dor e=ample, R:mp "destinationS can be code itsel/" replaced b! R=or ea=,ea= P :3 "destinationS Adopted Static Detection; Rpus( P popS to replace a MO% A PQS9 instruction 'it( an immediate operand is Dor e=ample, Rmo0 ea=,-=,S can be loo.ed /or; replaced b! Rpus( -=, P pop ea=S RsubS to replace a NOR pus( immediate Dor e=ample, R=or ea=,ea=S can be replaced b! Rsub ea=,ea=S G/ /ound, t(e ne=t instruction is compared against a POP; i/ it is true, t(e destination *N+ is sa0ed /or Anot(er e=ample, t(at 'ill be discussed in more

details, is to replace a VMP b! Rpus( P retS" According to JBK, RF2 Rtrans/ers program control to a return address located on t(e top o/ t(e stac.S and, additionall!, it pops suc( an address to FGP" So, i/ t(e stac. gets manipulates to put in its top t(e desired address to trans/er t(e program control /lo' to, RF2 and its 0ariations, suc( as RF2N and RF2D, can be used as an ob/uscated VMP" 2(e most .no'n 'a! to implement suc( a tec(ni ue is t(e Pus( Ret; t(e address to redirect t(e /lo' to is pus(ed and t(en RF2 is called e//ecti0el! c(anging t(e /lo'; pus( ret "destination

S(u//le t(e instructions and ma.e t(em to be e=ecuted in t(e correct order b! using program control /lo' c(anges" 2(is can be ac(ie0ed, /or e=ample, b! using unconditional :umps and some Gnstruction Substitutions o/ it suc( as R=or ea=,ea= $ :3S being used instead o/ a VMP instruction" H(oose and reorder set o/ instructions t(at does not inter/ere in eac( ot(er results" So, suc( a s(u//ling process 'ill c(ange t(e order o/ instructions in t(e binar! and at t(e time does not c(ange t(e program results

As an e=ample, t(e /ollo'ing code is considered as t(e binar! be/ore t(e ob/uscation process; =or inc pus( """ ea=,ea= ea= eb=

Alt(oug( Pus( Ret is t(e most .no'n approac(, t(ere are ot(er 0ariations, /or e=ample; mo0 ret JespK,D5ORD "destination

RF2 is o/ten used to return /rom a procedure" Being so, i/ t(e alternati0e :ump 0ariation seems li.e a gi0en calling con0ention /unction prolog, it :mp "/irst 'ould be more stealt( and more di//icult to "second; automaticall! detect" Dor e=ample; pus( eb= :mp "continuation pus( "destination "/irst; pus( ebp =or ea=,ea= mo0 ebp,esp inc ea= lea0e :mp "second ret "continuation; Y Adopted Static Detection; 2(e /ollo'ing code is an e=ample o/ t(e original PQS9 instruction is loo.ed /or" G/ /ound and t(e binar! ob/uscated 'it( t(e reordering approac(; ne=t instruction is a RF2, t(en t(e tec(ni ue is considered as detected" pus( eb= /!&!/! ,ode Trans1osition 2(is tec(ni ue relies on s(u//ling instructions so t(at t(e order t(e! appear in t(e binar! gets di//erent /rom t(e order t(e! 'ere e=ecuted J>4K J64K" 2(e /ollo'ing t'o met(ods can be used /or suc( a purpose; 1 inc depends on =or 1 so suc( instruction order 'as not c(anged =or ea=,ea= inc ea=

2(e /ollo'ing code is an e=ample o/ t(e original binar! ob/uscated 'it( t(e program control /lo' c(anges approac(;

/!&!2! .egister .eassignment

"destination; Y

2(is tec(ni ue relies on c(anging t(e registers used b! a program or part o/ it J>4KJ64K" Gnstead o/ using a simple VMP instruction, an! Dor e=ample, t(e /ollo'ing code s(o's a program ot(er tec(ni ue t(at can be used to redirect t(e be/ore t(e ob/uscation; program control /lo', suc( as Da.e Honditional Vump and Hode Substitution, could be used" Dor =or ea=,ea= e=ample; inc eb= *,+ Da.e Honditional Vump e=ample A/ter a /ictitious ob/uscation '(ic( e=c(anges =or ea=,ea= FAN b! FBN and 0ice80ersa, t(e /ollo'ing code :n3 "/a.eLcode 'ill be generated; :mp "destination "/a.eLcode; =or eb=,eb= pus( -=,>?64@AB 1 /a.e code inc ea= inc ea= 1 /a.e code mo0 esp,ea= 1 /a.e code Alt(oug( t(is tec(ni ue does not ma.e an anal!sis 1 more /a.e code (ere muc( more complicated, it can be used to b!pass "destination; signatures" """ /!&!5! ,ode "ntegration *>+ Hode Substitution e=ample pus( "destination 2(is tec(ni ue relies on disassembling a target ret program /ile, inserting t(e code to be ob/uscated pus( -=,>?64@AB 1 /a.e code inside it J64KJ6@K" Gn order to do t(at, t(e target inc ea= 1 /a.e code program needs to be /i=ed" 2(is 'a!, t(e code to be mo0 esp,ea= 1 /a.e code ob/uscated is (idden in t(e middle o/ t(e ot(er 1 more /a.e code (ere program" "destination; """ /!&!7! +a-e ,ode "nsertion Adopted Static Detection; 2(is is a 0ariation o/ Garbage B!tes anti8 disassembl! tec(ni ue" 2(e idea is to insert *,+ instructions t(at 'ill ne0er be e=ecuted J?BK, ma.ing t(em to appear in t(e generated A PQS9 instruction immediatel! /ollo'ed b! a disassembl!" 2(is can, /or e=ample, con/use t(e RF2 is loo.ed /or" G/ /ound, t(e tec(ni ue is pro/essional t(at is anal!3ing t(e disassembl! 'it( considered as e0idence detected" lots o/ /a.e code and b!pass signature8based algorit(ms" *>+ 2(e implementation is e=actl! t(e same as Garbage B!tes tec(ni ue, but instead o/ adding garbage A NOR instruction 'it( t'o e ual operands is b!tes, 0alid instructions are added" loo.ed /or" G/ /ound and is immediatel! /ollo'ed b! a VN\ instruction, t(e tec(ni ue is considered as :mp "destination e0idence detected" 2(e same (appens /or S2H pus( -=,>?64@AB 1 /a.e code instruction immediatel! /ollo'ed b! VNH or VAF inc ea= 1 /a.e code and /or H)H instruction immediatel! /ollo'ed b! mo0 esp,ea= 1 /a.e code VH or VB" 1 more /a.e code (ere

/!&!8! ($)-?@dr Address .esolving

PFB is a structure t(at contains process in/ormation" Among its /ields, t(ere is t(e )dr, '(ic( points to a structure t(at contains in/ormation about t(e loaded modules /or t(e process" J?6K Gt is possible to retrie0e t(e PFB */s;J-=?-K+ and Adopted Static Detection; access its )dr /ield *-=-c+" So, t(e loaded modules can be accessed and /unction addresses resol0ed" *,+ J?6K J?4K J?@K A MO% instruction *mo0, mo0s=, mo03=+ cop!ing Adopted Static Detection; SF9 address */s;J-=-K+ some'(ere *N+ is loo.ed /or and N is sa0ed /or /uture use; A MO% instruction *mo0, mo0s=, mo03=+ cop!ing PFB address */s;J-=?-K+ some'(ere *N+ is loo.ed mo0<mo0s=<mo03= N,op> P 5(ere R/s;J-=-KS is /or and N is sa0ed /or /uture use; inside op> mo0<mo0s=<mo03= N,op> P 5(ere R/s;J-=?-KS is 2(en, later in t(e same /unction, a MO% *mo0, inside op> mo0s=, mo03=+ instruction re/erencing t(e PFB */s; J-=?-K+ in t(e second operand is loo.ed /or and, i/ 2(en, later in t(e same /unction, a MO% *mo0, /ound, t(e algorit(m is reseted" mo0s=, mo03=+ or a HMP *cmp, cmp=c(g+ Hontinuing 'it( t(e ne=t lines, a MO% instruction instructions re/erencing t(e )dr *JNO-=-cK in some *mo0, mo0s=, mo03=+ re/erencing t(e e=ception o/ t(e operands+ are loo.ed /or; (andler *JNO-=6K+ in t(e second operand is loo.ed /or and, i/ /ound, t(e /irst operand *X+ is sa0ed /or mo0<mo0s=<mo03=<cmp<cmp=c(g op,,op> P /uture used; '(ere JNO-=HK is a substring o/ op, or op> mo0<mo0s=<mo03= X,op> P '(ere RJNO-=6KS is a RF2 'as used to consider t(e end o/ a /unction" substring o/ op> G/ t(is scenario (appens, t(e tec(ni ue is considered as detected" /!&!:! Stealth "m1ort of the <indows A(" Regardless o/ t(e import table, ntdll"dll and .ernel?>"dll are automaticall! mapped into process address space J?AK" Gt means t(at it is possible to )ater in t(e same /unction, a MO% instruction access t(em e0en in an e=ecutable 'it( no imports" *mo0, mo0s=, mo03=+ 'it( t(e RPFW-W-S o//set Suc( D))s can be access t(roug( SF9, because its relati0e to X *JXO-=?cK+ in t(e second operand is /irst record normall! points to eit(er ntdll"dll or loo.ed /or; .ernel?>"dll" 2o get t(e D)) address, t(e SF9 could be 'al.ed mo0<mo0s=<mo03= U,op> P 5(ere JXO-=?cK is a until t(e /irst element, '(ic( -=6 o//set is t(e substring o/ op> (andler /ield" 2(en, it is possible to scan t(e memor! loo.ing /or 7M\7 and, once /ound, c(ec. i/ )ater in t(e same /unction, instructions AND, OR, it is in t(e correct place t(roug( -=?H o//set t(at is NOR, ADD or SQB HMP re/erencing t(e supposed to be RPFW-W-S; a (andle to t(e module GMAGFLDA2ALDGRFH2ORX o//set *-=AB+ in cmp<cmp=c(g op,,U P 5(ere X is a substring o/ op, )ater in t(e same /unction, a HMP instruction *cmp, cmp=c(g+ re/erencing X in t(e /irst operand is loo.ed /or;

(as been /ound" Drom t(is point on, t(e GMAGFLDA2ALDGRFH2ORX entr! o/ t(e D)) can be /ound using t(e -=AB o//set to get t(e R%A to t(e e=port director!, '(ic(, toget(er 'it( t(e pre0iousl! /ound (andle, results in t(e F=port Director! 2able address"

some o/ t(e operands is loo.ed /or and<or<=or<add<sub U P 5(ere R-=ABS is a substring in an! o/ t(e operands RF2 'as used to consider t(e end o/ a /unction" G/ t(is scenario (appens, t(e tec(ni ue is considered as detected" *>+

JBK J>AK J>BK J?-K SGD2; Stores t(e Global Descriptor 2able Register *GD2R+ content" JBK J>AK J>BK J?-K S2R; Stores t(e segment selector /rom t(e 2as. Register *2R+" JBK J>AK J>BK J?-K SMS5; Stores t(e mac(ine status 'ord into t(e destination operand " JBK J?-K J6>K

Adopted Static Detection;

Gnstructions SGD2, S)D2, SGD2 and S2R are loo.ed /or" G/ some o/ t(em are /ound, t(is G/ t(e GA2 is empt!, t(is tec(ni ue is considered as tec(ni ue is considered as detected" e0idence detected" 2!#! VM<are 4 "N "nstruction /!&! ;! +unction ,all Obfuscation G<O ports can be accessed t(roug( t(e pri0ileged )oad)ibrar! and GetProcAddress /unctions can be instructions GN and OQ2; in normal cases J?,K an used to call an! ot(er" B! onl! importing t(ese t'o attempt to run suc( instructions in user8mode 'ill /unctions is possible to ob/uscate /unction calls" generate an e=ception" J>BK J?,K %M5are J6?K uses GN instruction in a special port Adopted Static Detection; *%N+, t(at e=ists onl! inside its 0irtual mac(ines, as an inter/ace bet'een 0irtual mac(ines and G/ %M5are so/t'are itsel/" So, suc( operation 'ill )oad)ibrar!A<)oad)ibrar!5<)oad)ibrar!F=A<)o not generate an e=ception i/ e=ecuted in user8mode ad)ibrar!F=5 and GetProcAddress are bot( /ound inside a %M5are 0irtual mac(ine" J>BK J?,K in GA2, t(is tec(ni ue is considered as detected" 2(is can be used to detect i/ an application is running inside a %M5are 0irtual mac(ine" 2! Anti-Virtual Machine Adopted Static Detection; Some anti80irtual mac(ine tec(ni ues are described in t(e ne=t sections" GN instruction is loo.ed /or" G/ it is /ound, t(is 2ec(ni ues currentl! co0ered b! detection plugins tec(ni ue is considered as detected" 'ill (a0e an additional in/ormation; t(e algorit(m used to detect suc( a tec(ni ue" 2!&! Virtual(, 4 "nvalid "nstruction 2! ! ,(= "nstructions .esults ,om1arison 5(en an in0alid instruction is e=ecuted, an e=ception is raised and it can be (andled b! t(e Some HPQ instructions, due to t(eir speci/ic so/t'are using tr!<catc( mec(anism J?,K" nature, (a0e c(aracteristic results '(en e=ecuted %irtualPH J66K relies on in0alid instructions to inside 0irtual mac(ine solutions t(at can be used to inter/ace bet'een 0irtual mac(ines and %irtualPH in/er its presence" J>BK so/t'are itsel/" An e=ample is t(e in0alid 2(e /ollo'ing instructions are e=amples t(at can be instruction R-=-D -=?D -=-A -=-BS, '(ic( does used /or suc( a purpose; not generate an e=ception inside a %irtualPH 0irtual SGD2; Stores t(e Gnterrupt Descriptor 2able mac(ine" Register *GD2R+ content" JBK J>AK" J>BK J>CK 2(is can be used to detect i/ an application is J?-K running inside a %irtualPH 0irtual mac(ine" S)D2; Stores t(e segment selector /rom t(e )ocal Descriptor 2able Register *)D2R+"

Adopted Static Detection; Starting at a b!te t(at 'ere not recogni3e as 0alid b! t(e disassembler, t(e /ollo'ing /our b!te se uence are loo.ed /or; -=-D -=?D -=-A -=-B G/ t(is scenario (appens, t(e tec(ni ue is considered as detected" 5! New Techni'ues 2(e ne' tec(ni ues implemented b! t(is 'or. are described b! t(e ne=t sections" 5! ! Dynamic A11roach

2(is pattern generated no /alse8positi0es '(en tested against t(e BB? e=ecutables and correctl! detected SSFNX encr!ption in all t(e C cases" SSFNX 'as released in Ma!<>-,> and in more or less one mont( later a detection plugin 'as /inis(ed, tested and running in t(e Dissect EE PF s!stem" Adopted Static Detection; 2(e /ollo'ing pattern is loo.ed /or in t(e binar!;
66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF

G/ /ound, t(e tec(ni ue is considered as detected" 5!&! +lame Detection

2(e static tec(ni ues in t(e pre0ious section, '(ic( 2(e Dlame mal'are made t(e ne's due to its ric( relied on /unction calls or /unction calls 'it( speci/ic parameters, are not reliabl! detected using capabilities and to t(e /act t(at it remained undetected /or long time" Man! researc(ers uic.l! onl! t(e static approac(" noted t(e e=istence o/ embedded scripting language Being so, a d!namic approac( 'as de0elop t(at puts a so/t'are brea.point in t(e target /unctions" 'it(in t(e mal'are and pointed t(is as a ne' 5(en suc( /unctions are reac(ed, it is possible to en(ancement /or mal'ares" 5e 'rote a detection script to inspect all our samples /or t(e presence o/ more reliabl! detect t(e call and e=tract t(e embedded scripting language, suc( as )ua J6AK" parameters" 5!#! SS$AB Detection 7! .esources

2(e most updated 0ersion o/ t(is document can be SSFNX J??K is a tool de0eloped b! Vurriaan /ound at; (ttp;<<researc("dissect"pe" Bremer t(at, gi0en a binar!, ob/uscates it Additionall!, e=amples /or eac( o/ t(e attac.ing con0erting man! Rcon0entionalS assembl! instructions to an SSF8based 0ersion" Gn t(is 'or., tec(ni ues discussed in t(is paper are a0ailable at; (ttps;<<git(ub"com<rrbranco<blac.(at>-,> " it 'as considered as an ob/uscation tec(ni ue" 2(ere 'ere some troubles running SSFNX in t(e 8! ,onclusions and +uture Directions BB? e=ecutables used to test all plugins and tec(ni ues in t(is 'or. because suc( a tool is still in an earl! de0elopment stage" So, it 'as de0eloped 2(is researc( pro0ides a guidance on protecting tec(ni ues used b! mal'are, more speci/icall! t(e some simple binaries /or t(e speci/ic purpose o/ testing t(e SSF ob/uscation pro0ided b! SSFNX" anti8debugging, anti8disassembl!, ob/uscation and anti8%M ones" Gt also e=trapolates t(e current At t(e end, toget(er 'it( t(e t'o demo binaries standards in mal'are anal!sis pro0iding t(e results distributed 'it( SSFNX, t(ere 'ere C cases to against millions o/ samples" stud! t(e SSFNX ob/uscation" 2(e /ollo'ing 5e created e=amples /or eac( o/ t(e tec(ni ues pattern 'as identi/ied in all t(e C cases; discussed in t(is paper, /acilitating t(e de0elopment 66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 o/ t(e detection codes" Additionall!, suc( codes are 0F DB ?? ?? ?? ?? ?? 66 0F EF publicl! a0ailable" Dor 0alidation purposes, t(is 'or. e=plains (o' t(e

detections are being e=ecuted"

J,-K MSDN $ Hreating Guard Pages 8 (ttp;<<msdn"microso/t"com<en8 2(e researc( results can be e=panded and (ope/ull! us<librar!<'indo's<des.top<aa?@@46CI>B0Z0s"B4 'e 'ill publicl! release more in/ormation, suc( as; I>C"asp= *)ast Access; >4<Vune<>-,>+ More anti8re0erse engineering tec(ni ues J,,K Vos(LVac.son 8 An Anti8Re0erse Fngineering More statistics 'it( more anal!3ed samples Guide 8 (ttp;<<'''"codepro:ect"com<Articles<?-B,4<An8 Anti8Re0erse8Fngineering8Guide *)ast Access; :! Ac-nowledgement >4<Vune<>-,>+ Ronaldo Pin(eiro de )ima $ Voined our team a bit J,>K H(uc. 5albourn 8 Game 2iming and Multicore Processors 8 later in t(e researc( process, but ga0e ama3ing (ttp;<<msdn"microso/t"com<en8 contributions" us<librar!<'indo's<des.top<ee6,A@C?I>B0Z0s"B4 I>C"asp= *)ast Access; >4<Vune<>-,>+ Peter Derrie $ Great papers and J,?K Gntel 8 Qsing t(e RD2SH Gnstruction /or /eedbac.<discussions b! email" Per/ormance Monitoring 8 (ttp;<<'''"ccsl"carleton"ca<`:amuir<rdtscpm,"pd/ Vurriaan Bremer $ SSFNX" *)ast Access; >4<Vune<>-,>+ J,6K MSDN $ Get2ic.Hount /unction 8 Re0ersing)abs /or t(e 2itaniumHore (ttp;<<msdn"microso/t"com<en8 us<librar!<'indo's<des.top<msA>66-BI>B0Z0s"B4 ;! .eferences I>C"asp= *)ast Access; >4<Vune<>-,>+ J,4K MSDN 8 timeGet2ime /unction 8 J,K Peter Derrie $ Anti8Qnpac.er 2ric.s J>K Peter Derrie $ 2(e RQltimateS Anti8Debugging (ttp;<<msdn"microso/t"com<en8 us<librar!<'indo's<des.top<ddA4A@>CI>B0Z0s"B4 Re/erence I>C"asp= *)ast Access; >4<Vune<>-,>+ J?K Peter Derrie $ Anti8Qnpac.er 2ric.s $ Part J,@K MSDN 8 Get)ocal2ime /unction Fig(t 8 (ttp;<<msdn"microso/t"com<en8 J6K F0ilcodeca0e7s 5eblog 8 us<librar!<'indo's<des.top<msA>6??BI>B0Z0s"B4 Rtl#uer!Process9eapGn/ormation As Anti8Dbg 2ric. 8 (ttp;<<e0ilcodeca0e"'ordpress"com<>--C<-6 I>C"asp= *)astAccess; >4<Vune<>-,>+ J,AK MSDN 8 GetS!stem2ime /unction *)ast access; -6<Ma!<>-,>+ J4K Mar. %incent Xason $ 2(e Art O/ Qnpac.ing 8 (ttp;<<msdn"microso/t"com<en8 us<librar!<'indo's<des.top<msA>6?C-I>B0Z0s"B4 J@K MSDN 8 Bloc.Gnput /unction 8 I>C"asp= *)ast Access; >4<Vune<>-,>+ (ttp;<<msdn"microso/t"com<en8 us<librar!<'indo's<des.top<ms@6@>C-I>B0Z0s"B4 J,BK MSDN 8 #uer!Per/ormanceHounter /unction 8 (ttp;<<msdn"microso/t"com<en8 I>C"asp= *)ast Access; -4<Ma!<>-,>+ us<librar!<'indo's<des.top<ms@66C-6I>B0Z0s"B4 JAK Nicolas Dalliere $ 5indo's Anti8Debug I>C"asp= *)ast Access; >4<Vune<>-,>+ Re/erence 8 (ttp;<<'''"s!mantec"com<connect<articles<'indo' J,CK Vustin Seit3 8 Gra! 9at P!t(on $ P!t(on s8anti8debug8re/erence *)ast access; >6<Vune<>-,>+ Programming /or 9ac.ers and Re0erse Fngineers J>-K MSDN 8 NtSetGn/ormation2(read JBK Gntel 8 Gntel] @6 and GA8?> Arc(itectures 8 (ttp;<<msdn"microso/t"com<en8 So/t'are De0eloper^s Manual 8 %olume >B; us<librar!<'indo's<(ard'are<//44A@A4I>B0Z0s"B4 Gnstruction Set Re/erence, N8\ 8 (ttp;<<do'nload"intel"com<design<processor<manual I>C"asp= *)ast Access; >4<Vune<>-,>+ J>,K MSDN 8 \'SetGn/ormation2(read routine s<>4?@@A"pd/ *)ast Access; >6<Vune<>-,>+ JCK Matt Pietre. 8 A Hras( Hourse on t(e Dept(s o/ 8 (ttp;<<msdn"microso/t"com<en8 us<librar!<'indo's<(ard'are<//4@A,-,I>B0Z0s"B4 5in?>_ Structured F=ception 9andling 8 (ttp;<<'''"microso/t"com<ms:<-,CA<e=ception<e=c I>C"asp= *)ast Access; >4<Vune<>-,>+ J>>K Mar. Stamp $ Anti8Re0ersing 2ec(ni ues 8 eption"asp= *)ast Access; >6<Vune<>-,>+

(ttp;<<'''"cs"s:su"edu<`stamp<HS>B@<pptSRF<SR (ttp;<<blog"(armon!securit!"com<>--C<-@<retrie0ing FLanti8re0ersing"ppt *)ast Access; -6<Vul!<>-,>+ 8.ernel?>s8base8address"(tml *)ast Access; J>?K MSDN 8 Nt#uer!S!stemGn/ormation /unction ,><Vul!<>-,>+ 8 (ttp;<<msdn"microso/t"com<en8 J?AK Ale=e! )!as(.o 8 Stealt( Gmport o/ 5indo's us<librar!<'indo's<des.top<msA>64-CI>B0Z0s"B4 APG 8 I>C"asp= *)ast Access; -6<Vul!<>-,>+ (ttp;<<s!prog"blogspot"com"br<>-,,<,-<stealt(8 J>6K )aspe Raber, Vason Raber 8 Blac.9at >--B 8 import8o/8'indo's8api"(tml *)ast Access; Deob/uscator; An Automated Approac( to t(e ,><Vul!<>-,>+ Gdenti/ication and Remo0al o/ Hode Ob/uscation J?BK Nic. 9arbour $ Ad0anced So/t'are Armoring J>4K Mi(ai H(ristodorescu and Somes( V(a 8 and Pol!morp(ic Vung8Du Proceedings o/ t(e ,>t( QSFNGN Securit! J?CK H(ristop(er Mruegel, 5illiam Robertson, S!mposium 8 Static Anal!sis o/ F=ecutables to Dredri. %aleur and Gio0anni %igna $ Proceedings Detect Malicious Patterns o/ t(e ,?t( QSFNGN Securit! S!mposium 8 Static J>@K ob:dump 8 Disassembl! o/ Ob/uscated Binaries (ttp;<<'''"gnu"org<so/t'are<binutils< *)ast Access; J6-K GDA $ (ttp;<<'''"(e=8ra!s"com *)ast Access; ,><Vul!<>-,>+ ,><Vul!<>-,>+ J>AK Gntel 8 Gntel] @6 and GA8?> Arc(itectures J6,K Hullen )inn and Saum!a Debra! 8 So/t'are De0eloper^s Manual 8 %olume ?A; Ob/uscation o/ F=ecutable Hode to Gmpro0e S!stem Programming Guide, Part , 8 Resistance to Static Disassembl! (ttp;<<do'nload"intel"com<products<processor<manu J6>K Boris )au and %an:a S0a:cer 8 FGHAR >--B al<>4?@@B"pd/ *)ast Access; ,><Vul!<>-,>+ FN2FNDFD %FRSGON 8 Measuring 0irtual J>BK Ste/an Ba(lmann 8 Master 2(esis $ Detection mac(ine detection in mal'are using DSD tracer o/ %irtual Mac(ine A'are Mal'are J6?K %M5are $ (ttp;<<'''"0m'are"com *)ast J>CK Voanna Rut.o's.a 8 Red Pill Access; ,><Vul!<>-,>+ J?-K Vo(n Scott Robin, H!nt(ia F" Gr0ine $ Anal!sis J66K %irtualPH 8 o/ t(e Gntel Pentium^s Abilit! to Support a (ttp;<<'''"microso/t"com<'indo's<0irtual8pc< Secure %irtual Mac(ine Monitor *)ast Access; ,><Vul!<>-,>+ J?,K Flias Bac(aalan! 8 Detect i/ !our program is J64K Glsun Xou and Mangbin Xim $ >-,running inside a %irtual Mac(ine 8 Gnternational Hon/erence on Broadband, 5ireless (ttp;<<'''"codepro:ect"com<Articles<CB>?<Detect8 Homputing, Hommunication and Applications 8 i/8!our8program8is8running8inside8a8%irtual *)ast Mal'are Ob/uscation 2ec(ni ues; A Brie/ Sur0e! Access; ,><Vul!<>-,>+ J6@K Pbter S3cr and Peter Derrie $ %GRQS J?>K (al/dead $ P(rac. Maga3ine 8 %olume -=-c, BQ))F2GN HONDFRFNHF, SFP2FMBFR >--, Gssue -=6,, P(ile [-=-B o/ -=-/ 8 $ 9unting /or Metamorp(ic (ttp;<<'''"p(rac."org<issues"(tmlUissueZ@4&idZB J6AK 2(e Programming )anguage )ua 8 *)ast Access; ,><Vul!<>-,>+ (ttp;<<'''"lua"org *)ast Access; ,><Vul!<>-,>+ J??K Vurriaan Bremer 8 SSFNX 8 J6BK Ale=Abramo0 8 APG 9oo.ing 'it( MS (ttps;<<git(ub"com<:bremer<sse=! *)ast Access; Detours 8 ,><Vul!<>-,>+ (ttp;<<'''"codepro:ect"com<Articles<?-,6-<APG8 J?6K MSDN 8 PFB structure 9oo.ing8'it(8MS8Detours *)ast Access; (ttp;<<msdn"microso/t"com<en8 ,><Vul!<>-,>+ us<librar!<'indo's<des.top<aaB,?A-@I>B0Z0s"B4 J6CK Galen 9unt and Doug Brubac(er $ Microso/t I>C"asp= *)ast Access; ,><Vul!<>-,>+ Researc( 8 Detours; Binar! Gnterception o/ 5in?> J?4K MSDN 8 PFBL)DRLDA2A structure 8 Dunctions 8 (ttp;<<msdn"microso/t"com<en8 (ttp;<<researc("microso/t"com<pubs<@B4@B<(untusen us<librar!<'indo's<des.top<aaB,?A-BI>B0Z0s"B4 i=ntCC"pd/ *)ast Access; ,><Vul!<>-,>+ I>C"asp= *)ast Access; ,><Vul!<>-,>+ J4-K coderrr 8 J?@K 9armon! Securit! $ Blog 8 Retrie0ing (ttp;<<coderrr"'ordpress"com<>--B<-B<>A<(o'8to8 Mernel?>7s Base Address 8 get8rid8o/8microso/t8detours8detoureddll< *)ast

Access; ,><Vul!<>-,>+