Chapter 17 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press

Anti-debugging

Used by malware authors to interfere with malware analysts. Lots of techniques exist, and new ones seem to come along all the time.

The Windows API provides several functions to determine if a debugger is being used
Set breakpoints at calls to IsDebuggerPresent, and step around setting results as desired
How does IsDebuggerPresent work? Search the Process Environment Block (PEB) for the field isDebugged
What other goodies are in the PEB? And what sets the isDebugged field to TRUE?
CheckRemoteDebugger takes a process handle as a parameter, else similar to IsDebuggerPresent
NtQueryInformationProcess with ProcessDebugPort as a parameter
OutputDebugString sends a string to a debugger for display. Why would such a function exist? For debugging!

Malware might do what these functions do, that is, look at system data structures such as the PEB
- where can we find such information? from Microsoft!
- note that location fs:[30h] points to a process's PEB
Several ways to check the status of the BeingDebugged status byte
OllyDbg has plug-ins for this purpose, e.g. hidedebug. Also windbg -hd whatever.exe
Check the (undocumented?) ProcessHeap Flag
Check the (undocumented?) NTGlobalFlag
Check for System Residue, such as Registry keys, e.g.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\AeDebug
Default is Dr. Watson? What?
Use FindWindow to find windows named OLLYDBG

INT 3 is the software interrupt used to set breakpoints. The opcode is 0xCC, and it is seen in malware.
(I once saw malware that had a ton of these, maybe an attempt to crash the debugger?)
Furthermore, malware can look for this opcode in its own code, and knows it's being debugged
Code checksums, another way to find modified instructions, such as 0xCC where some other opcode was there before
Code that does this kind of check can be found and modifed, with the debugger of course

Malware can record a timestamp, and check again later. If a lot of time has passed, there's a user in the loop!
Take a timestamp before and after raising an exception. If a lot of time has passed, there's a user in the loop!
The rdtsc instruction returns the number of ticks since last reboot
- do you suppose every disassembler knows about that one?
QueryPerformanceCounter and GetTickCount functions keep track of time in a similar fashion
Two successive calls to such functions are evidence of an attempt at debugger detection
- and hence a weak malware indicator
Find the comparison, and the jump, and force the desired path of execution - using the debugger

TLS is a Windows storage class that allows for thread-specific initialization
A TLS Callback implements such thread-specific variables
Can execute before the program's entry point , and therefore before any breakpoints might be encountered- sneaky!
The TLS section in the PE header is used, and Windows executes these functions before branching to the OEP
PEview can see TLS sections, which are otherwise uncommon
IDA Pro CTRL-E command displays all entry points, including TLS callbacks
OllyDbg can be configured to break before running TLS callback routines - which sounds like a good default!

Structured Exception Handling is covered in Chapter 16
An SEH can be used to do unconventional jumps
But a process can throw an exception, and set itself up to handle it
If the debugger catches the exception, the malware "knows" a debugger is present
Inserting INT 3 instructions can cause spurious "breaks", as can INT 0x2D
The undocumented icebp instruction (0xF1) messes with single-stepping
- How many other undocumented opcodes are there? How can we find out?

Mess with the PE Header: Olly follows the PE spec too closely, so a program may load and run, but will crash Olly!
OllyDbg 2.0 is not subject to this, supposedly
I don't know if win64dbg, or Immunity, are subject to this
Are there utilities to mess with PE headers in such a way? Quite likely
Setting size of RawData to a large value will crash older versions of Olly
PE Explorer can help with this

several popular anti-debug techniques exist
none seem too formidable, but take notes (and snapshots) since it's a hassle to start over
malware authors are always coming up with new tricks!