Jump to content
Nytro

Overview of Malware Anti-Debugging, Anti-Disassembly and Anti- VM Technologies

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-

VM Technologies

Rodrigo Rubira Branco, Gabriel Negreira Barbosa, Pedro Drimel Neto

{rbranco,gbarbosa,pdrimel} *NOSPAM* qualys.com

Qualys – Vulnerability & Malware Research Labs (VMRL)

Version 1.0

1 UPX
UPXV200V290MarkusOberhumerLaszloMolnarJohnR
eiser
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
Instruction Counting
PEB NtGlobalFlag
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
UPXv20MarkusLaszloReiser
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
Instruction Counting
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SS register
UPX290LZMAMarkusOberhumerLaszloMolnarJohnR
eiser
Anti-VM (IN)
Push Pop Math
Instruction Counting
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SS register
UPX20030XMarkusOberhumerLaszloMolnarJohnReis
er
Anti-VM (IN)
Push Pop Math
Instruction Counting
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
UPX293300LZMAMarkusOberhumerLaszloMolnarJoh
nReiser
Anti-VM (IN)
Instruction Counting
PEB NtGlobalFlag
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
UPXProtectorv10x2
Nothing
2 Armadillo
Armadillov171
Instruction Counting
Instruction Substitution (push – ret)
Armadillov1xxv2xx
Nothing
3 PECompact
Anti-VM (STR)
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
PEB NtGlobalFlag
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SoftICE – Interrupt 1
Software Breakpoint Detection
SS register
4 BobSoftMiniDelphiBoBBobSoft
Anti-VM (STR)
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SoftICE – Interrupt 1
SS register
5 ASPack
ASPackv212AlexeySolodovnikov
ASProtectV2XDLLAlexeySolodo
Anti-VM (IN)
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SS register
ASPackv10803AlexeySolodovnikov
Anti-VM (IN)
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
ASPackv21AlexeySolodovnikov
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SS register
6 ProtectSharewareV11eCompservCMS
Anti-VM (SLDT)
Anti-VM (IN)
Instruction Counting
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
Instruction Substitution (push – ret)
7
ASProtect13321RegisteredAlexeySolodovni
kov ASProtectv12
Anti-VM (STR)
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SoftICE – Interrupt 1
Software Breakpoint Detection
SS register
8 WiseInstallerStub
Nothing
9 MaskPEV20yzkzero
Anti-VM (SLDT)
Anti-VM (IN)
Push Pop Math
PEB's BeingDebugged (Stealth
IsDebuggerPresent)
SS register

Table 1 – Packers Anti-Reverse Engineering

Abstract

Malware is widely acknowledged as a growing threat with hundreds of thousands of new samples

reported each week. Analysis of these malware samples has to deal with this significant quantity but

also with the defensive capabilities built into malware; Malware authors use a range of evasion

techniques to harden their creations against accurate analysis. The evasion techniques aim to disrupt

attempts of disassembly, debugging or analyse in a virtualized environment.

This talk catalogs the common evasion techniques malware authors employ, applying over 50 different

static detections, combined with a few dynamic ones for completeness. We validate our catalog by

running these detections against a database of 4 million samples (the system is constantly running and

the numbers will be updated for the presentation), enabling us to present an analysis on the real state of

evasion techniques in use by malware today. The resulting data will help security companies and

researchers around the world to focus their attention on making their tools and processes more efficient

to rapidly avoid the malware authors' countermeasures.

This first of its kind, comprehensive catalog of countermeasures was compiled by the paper's authors

by researching each of the known techniques employed by malware, and in the process new detections

were proposed and developed. The underlying malware sample database has an open architecture that

allows researchers not only to see the results of the analysis, but also to develop and plug-in new

analysis capabilities. The system will be made available in beta at Black Hat, with the purpose of

serving as a basis for innovative community research.

Download:

http://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_Slides.pdf

Tutorialul este in scopuri educative :)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...