Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll begin with some anti-debugging techniques such as NtGlobalFlag, FindWindow(), OutputDebugString(), int 0XCC scanning. Anti-debugging techniques slows down a Malware Analysts. We'll discuss the anti-virtual machine techniques such as process name check, timing checks, registry checks, anti-cuckoo, virtual MAC addresses, LDR_Module, VMware special I/O instructions and many more. Next, we'll see some anti-disassembly examples. We'll also discuss anti-anti-debugging techniques like hook function calls, running without a debugger and logging API calls or dumping memory, and modifying/patching the malware code. We'll then quickly recap the defense categories discussed earlier. To enhance your skills and expertise in the topic, you can read or refer to the following resources:

Video Transcription

00:04
Now, uh, we saw, like is being debugged and we saw a find window, um, anti debugging trick and output de broke string
00:13
trick. And there are many more. There are There are lots of things like, if you see in the bottom right and cc direct cc scanning that scanning for the end three soft breakpoint instruction. Remember how I said that with a D bugger? If we hit f to ah,
00:31
it will replace that instruction
00:33
with the C C bite, which is thean three instruction that when the process is executing and it hits that instruction a hand over control to the RD bugger, which is in another process. Now some malware will look for that bite the x zero x c c bite in its own code.
00:52
And, um,
00:54
yeah, it's just looking for D buggers and the way around that would be used a hardware break point instead of a software break point like zero x C C or and three.
01:04
There's lots of a P I function calls both documented and undocumented that, um, our authors will use,
01:14
and they'll look at various data structures and memory. They'll look at whether certain memory flags air set. They'll look at many, many things of the time, as I mentioned before.
01:29
But these this is not an exhaustive list. In fact, there are many, many more techniques and tricks that come out
01:36
not all the time, but, um,
01:38
it's not uncommon for a new technique to come out, and the thing about
01:44
these these tricks and techniques is they only slow down our analysts. They don't stop us, and it's a losing battle in terms of time. So if ah
01:55
malware authors spends,
01:57
you know three or four days figuring out a new anti debugging technique,
02:02
it'll take us
02:04
10 or 15 minutes. If we're decent, reverse engineer will take us 10 or 15 minutes to bypass at either patch it or whatever. There was a trend a while ago about more anti virtual machine techniques.
02:16
And there there are lots of cool things you can do with this, But that's kind of faded away because a lot of infrastructure or nowadays, and small companies or medium sized companies all virtual so if you hard code stuff into your rat or Trojan or malware
02:36
that just kills itself. When
02:38
detectives in a virtual machine, you can't infect, like 90% of the infrastructure of your target company. Because it's, you know, they virtualized they're active directory, service or server. They virtualized their files. Server of the virtualized FTP server There virtualized there,
02:58
you know, whatever else and s o a lot of malware will say, OK, I'll infect it. I'll even run. I'll even do a normal thing. But I am going to report back as soon as possible that I am running in a V m.
03:12
Um, but it's more common
03:15
to say, Oh, I'm anti
03:16
cuckoo sandbox or I'm anti Joe sandbox on anti fire. I am anti whatever else threat grid or,
03:24
um,
03:27
blue coat or whatever. So I mentioned anti disassembly earlier, and here's a pretty basic example off that we saw before with, like, illusion baht, where, uh, pro didn't
03:42
pick up
03:44
the fact that it was just going to another section of memory. It figured out that that was code but didn't figure out how it was being called. But add a pro has a very advanced
03:55
this assembly algorithm. However, not all this simpler, Czar, I are all ladybug has a pretty good one. But there are some disassemble er's that?
04:06
Well, just look at one instruction. Say OK, this instruction is four bites length. Okay, what's the next one? Okay, this one's two bites and likes Okay, what's the next one? Oh, it's three bites of like Okay, what's the next one? And that's called a linear disassemble. Er
04:21
And so on the left, we can see some basic assembly that you can put into your C code or visual studio project. And
04:30
the first instruction is X or e x e x. And that just zeros out yaks as we've seen. And then we can say jump zero
04:41
so it will jump somewhere else. And then right after that,
04:46
uh, we can put a bite like zero x e a
04:49
where that doesn't actually disassemble to anything.
04:53
Or if it does, then ah, or if it
04:58
or if the disassembly gets confused and says, Okay, so it's part of a larger bite. Zero x e a
05:06
a B f f or whatever is still gonna break all the code beneath it because it's trying to say Okay,
05:15
you know this instructions this many bites on to the next one. This instructions one by it. This instructions to bites whatever. And your program could have jumped.
05:24
Ah, toe where the really good coat is And the dis assembler will just break
05:30
because it's not following that jump. However, um,
05:35
I had a pro, has a pretty good disassembly algorithm and will follow the jumps if it can.
05:44
And so some our authors, as a way to fool out of pro will do this, say O x ory x e x jump
05:54
you know
05:55
e t X plus e x.
05:58
So
05:59
a pro doesn't know that the final jump destination is a constant value.
06:03
Um, but I'd a pro's pretty good at at this stuff. It's been around and I a pro's been around for a while. It's the best in the industry, I think so. They've developed a lot of algorithms to get around that type of stuff. Over on the right,
06:18
we can see
06:20
another con trick, and that's dynamic cogeneration
06:24
colic packers. Um, where
06:28
one instruction like movie ex Ah, it's moving in there. A pointer. A label
06:34
called Change Me,
06:36
um,
06:39
is your ex's right there has the address of change me, and then the next instruction is move
06:46
zero x 90 which is a NOP no operation code and moves it into the location of the ex. NOP is one bite. And so let's say the first bite of
07:00
what
07:00
change me is pointing at Ah
07:03
could make no sense whatsoever could be just junk code until that first bite is knocked out. And then the rest of code will just make sense because the processor doesn't actually check to make sure that what it's doing makes sense. The processor just executes code. It just
07:23
executes the bites, whatever it gets. And so if it gets an invalid instruction and throws an exception, otherwise I'll just keep chugging through
07:31
so you can actually jump into another instruction. And that is a technique that some Packers arm our authors will use where
07:41
they say, Okay, no,
07:44
here's a bunch of move instructions. Now here's a jump instruction that jumps into one of the previous move instructions, and this breaks all dis assemblers
07:54
currently because they only look at something as okay, this has been except this is assembled despite has been accounted for. This has been assembled. These three bites have been accounted for and can't really comprehend the idea that despite could be this instruction and can also be part of this instruction
08:13
and some other ways. Some newer ways. That malware is
08:18
one family that I know off,
08:20
uh, is breaking this assemblers is it's like switching between 32 bit and 64 bit code,
08:28
which is really tricky, hard to do. And it's currently breaking all this assemblers.
08:33
So,
08:35
um, back to debugging
08:37
real quick.
08:37
Uh,
08:39
if we
08:41
we're running
08:43
ah, Ladybug. And we saw that
08:46
that Cole
08:46
is being debugged
08:48
and we thought, Okay, what is it actually doing
08:52
and jumped into that function? We would see there's only three instructions for for instructions where it's only checking a little bit,
09:01
like literally. It's checking a bit and memory to see if it's one or a zero and then returns that bit.
09:07
So
09:09
would it be cool if we just patched that bit
09:11
to be zero?
09:13
And
09:15
there are plug ins for Ali like Ellie advanced? Um,
09:20
I think
09:20
all the 80 or Ali
09:22
um,
09:24
anti d booker
09:26
or whatever, where it basically goes through a bunch of these anti debug checks and neuters them.
09:33
So this is an anti anti debugging technique or were
09:37
where the code has some anti, where the malware has some anti d poking technique and we are
09:45
like, taking care of that. We are. You're hooking that function or we're getting We're modifying the results of that function or we're modifying the memory address, which that function checks or whatever we're doing,
10:00
we can ah,
10:03
we can lie to the application.
10:05
So I have. I've used this all the advanced plug in before. It's for only 1.1, I believe, or one dot x x so we'll work on
10:16
one dot whatever versions of Ali, uh, haven't really played with all the 2.0, all that much. And I haven't really played for played with their debugging capabilities or anti anti debugging capabilities.
10:28
Um,
10:30
mainly because I like toe. I like to know exactly what my tools are doing, and if I don't know what a plug in is doing that and I can't really account for it.
10:39
So I used the light usually like to run without any plug ins unless I absolutely have to.
10:45
So, uh,
10:46
you know what we did was patch the program. We can also pass the memory,
10:50
and we can also, um,
10:54
use ah, plug in like this.
10:58
However,
10:58
what we did when we patched the execute Herbal
11:03
was we changed the source code. Well, we didn't change the source, but we changed
11:07
the machine code and
11:09
that can be accounted for. The malware could have some integrity checking algorithms. It could have anti dumping code. It could have a few different things that could happen.
11:22
And what I mean by that is
11:24
there's a simple CRC check. Uh, I think it's a code
11:30
correction.
11:33
Orco are cyclical. Redundancy Check is what's here C stands for.
11:37
And so I've seen some malware where it'll run some code and then do a check where it says Okay, so for the last 100 bites or something,
11:46
you know, kind of hash that into lookit output of a four bite hash and then check it against this value. If it's this value than great, keep going.
11:56
And if it's not, the mouth or nose has been tampered with and can,
12:01
uh, terminate or do whatever.
12:05
And not only
12:07
mole Mauer do this, but software commercial software does. To the worst. I've seen a Skype Skype has ah Thanh of anti reversing, anti D poking and anti patching,
12:20
um,
12:22
things built into it. I think
12:26
I've seen in my wear where ill check its own code
12:28
two or three times. And Skype,
12:31
I think I've seen it do it 33 different times on Skype can be pretty tricky about what it does is very, very protected software more than anything else I've ever seen more than games, which is the biggest user of anti debugging stuff or anti
12:50
reversing our anti patching or anti modification whatever. And, of course, the
12:56
other technique we can use besides,
12:58
um,
13:00
anti anti debugging techniques is we could just not use a debunker.
13:05
Ah, there are programs out there that will just inject a deal l into a process, and this monitor everything it does. There are things that try to instrument
13:16
ah, hook all the functions that might be called and they just monitor those or there
13:24
they're they're software out there that just will run them our and then dumped the memory And, you know, like posit if it's a virtual machine or just, um,
13:35
you know, stop it when it gets to a certain coach called Paige by throwing an exception or something like that. So just a quick recap uh,
13:45
and a little little brush up. So usually malware has a goal stopping automate analysis. So they have anti sandbox and IBM stuff and to slow down our analysts so they'll have anti debugging or anti virtual machine stuff.
14:00
Oh, our anti disassembly stuff.
14:01
Um, and with anti debugging, You know, we've seen some a p I calls, like is being debugged being called. We've seen some process and thread stuff.
14:13
Um,
14:13
whether you
14:16
I knew it or not when I said that is being debugged is only like, three or four instructions, and it checks a certain
14:22
part. The memory. It was checking a certain data structure called the P E B the process environmental block. And it was just checking for that one little bit in there. And
14:33
it was just,
14:35
you know, in the user land. And the Mauer didn't even need to call that function. It could just executed those four instructions by itself, which is not something a lot of our analysts do
14:46
or is not something a lot of malware authors do.
14:48
But, um,
14:50
as an analyst, you should be familiar with those, uh, those instructions,
14:56
particularly the F s register,
14:58
because it checks the P e b, the process environmental block and there are a lot of flags. There's a lot of bits and bytes in there that will indicate whether processes being debugged,
15:09
um,
15:11
anti debugging door or hardware and register based ah,
15:16
ways of getting rid of the bugger. Um, like I was mentioning earlier hardware breakpoints certain registers that D buggers use. Um,
15:30
if you want to know more, I will. I will
15:33
give you more. Resource is here in the next slide. There's exception based. We didn't really cover that, but, um,
15:39
because de buggers want to instrument a program,
15:43
they will get what's called a first chance exception. So if your program does a divide by zero,
15:52
it will throw an exception.
15:54
It will, Ah, the processor will throw an exception. And
16:00
if you have, like a try, catch block in your code, your C code or c++ code or for c++ uses s ch structured exception handling and, um, other
16:14
programming languages have other kinds of things built in, but they're mainly based around exceptions, structured exceptions and, uh,
16:23
when an exception happens
16:26
within a process,
16:30
the first chance exception goes to the D bugger, so
16:33
you know, right before
16:36
the malware will take care of a problem like Divide by zero, the D bugger will take over first,
16:42
and then we'll give you the ability to, like, look at memory, look at values in variables. It'll look at the call stack and look at all this other stuff because there's a D bugger. It's meant to get rid of bugs. Want to help you?
16:56
And if you just say, OK, continue.
17:00
Like if you
17:00
change something in memory and say, Oh, there's a bug in this malware which happens all the time
17:06
House dealing with it today, actually,
17:07
um,
17:10
then
17:11
continue. It won't call the exception handler
17:15
or the exception code
17:17
in the malware,
17:18
so
17:19
the Mauer could have a flag in there. It says, Okay, if this
17:23
flag didn't get checked. We know that the buggers that hashed and intercepting those exceptions so
17:30
there's a few different methods built around that idea.
17:33
Um,
17:36
and we talked about the modified code based anti debugging where it checks its own code, either for the cc bite or zero ECCC biter and three instruction, or it'll just do kind of like a hash check or a CRC check of the code
17:52
that is about to execute, or that it has executed and checks it against, like usually afore bite hash. And if it's different than what is expecting that it knows it's been modified and take whatever actions at once on. We also talked about timing based where
18:10
I mentioned that some malware will just call asleep function
18:14
and we'll see if
18:17
I actually slept that long or, if it's being short circuited, um,
18:22
or an opt er hooked or whatever. But, um, older technique is actually
18:29
where the
18:30
malware will execute a number of instructions
18:33
and see how fast it took to execute those instructions.
18:37
There are instructions and Exit E six that says, Oh, give me the real time clock rate or give me like whatever so you can actually determine how much time has passed between executing different instructions. And it used to be based off the idea that virtual machines
18:56
are usually jam packed onto
18:59
very high end powerful computers. But there's several rich machines going at once. That process is switching between them, so virtual machines actually take much longer to execute instructions than physical ones.
19:12
So
19:14
the timing based attack was or detection was meant to determine if you're in a virtual machine via how fast you were executing code. And there is lots of anti virtual machine
19:27
things that we we talked about, not just a P. I calls,
19:33
uh, well, not just,
19:34
uh, program process names or memory Constance or
19:41
things in the A p I or instructions that you can or can't execute within a V M. But there are things like certain AP I calls or ports that are open to virtual machines only. So VM, where what we've been running or what I've been running,
19:56
opens up a special input output port. And that's how copy and paste works. And that's how
20:02
Dragon Drop works is. It communicates information through this port that doesn't exist in normal machines, so a popular anti are a popular virtual machine detection trick is to see if that port is available.
20:17
But as I mentioned earlier, ah, a lot of Mount were
20:19
doesn't seem to concern that this infection a virtual machine anymore because targets air usually on virtual machines as well.
20:29
We went over some anti disassembly techniques were like cogeneration, or assembly meant to specifically break algorithms of dis assemblers.
20:41
And if you want to Nome or I would suggest going online to Symantec's anti debug reference where they've collected from over the years. Mao. We're doing various things or anti debugging or anti reversing anti analysis whatever. Um, in the open r c e
21:00
um,
21:02
forum, open our Sita or GE. They have a pretty impressive library and source code available for anti reversing our anti debugging
21:11
um, examples. If you're interested in anti virtual machine
21:15
techniques, P a fish or paranoid fish made by um
21:22
upper to Ortega
21:23
is pretty good.
21:25
Um,
21:29
the code project dot com That article shows a lot of source code sea level assembly level source code of how to implement reverse engineering techniques.
21:41
Um, it's not aimed at malware authors. It's more aimed at
21:45
people who want to protect their their game from being Pirated or protect their intellectual property. The two papers at the bottom I highly suggest reading, and there are talks that go along with them and source code anti debugging and developers. View was really good scientific, but not,
22:04
uh, academic academical understood overview of malware, anti debugging and assembly anti V m wear technologies. That's really good.
22:14
Um,
22:15
the fact if IQ uh, the last one just mentioned is rodeo Bronco Gabriel Barbosa and Pedro Neto
22:23
and Tyler Shields is one who did
22:27
the developers viewpoint and practical Mountain or analysis has some good chapters devoted to it. And, uh,
22:37
and two years ago, about ah, I did a talk at Nova hackers, that schmuck on epilogue where I had collected all of the techniques that I had ever observed. I'd put them in one giant project and I had,
22:52
um,
22:55
taking all this code, and I developed a game around it where you can execute this piece of malware and it will choose a random anti debugging trick. Random anti V M trick random, um,
23:07
technique of communication via IRC or http or random install persistence, mechanism view, registry, run via service or whatever else. And then it would hide on the system and then the mount, where analysts would have to go and look for it and then bypassed those
23:27
a tidy Bodine or anti V M tricks.
23:30
To get at on encrypted string
23:34
on the encryption was random as well, or you could specify all of them. So if you're interested in this uh,
23:42
these techniques these this technology is I am I would suggest implementing a lot of these things yourself. Um,
23:51
you know, don't go just writing malware and releasing it. But, um, it's good to be familiar with how these things work at a pragmatic level, so you can not only develop it yourself and reverse engineer it yourself. But understand
24:04
where the pivot points are,
24:07
Like, say, uh oh,
24:08
you know, I made some anti V m code,
24:11
you know, based on paranoid fish.
24:15
Um,
24:15
but it doesn't actually work under this circumstance, Like one technique doesn't work if you're running multiple cores in your V m.
24:26
So it's good stuff to knows. It's, uh, good toe.
24:32
Be aware of this stuff. So
24:33
ah, again, my name is Sean Pierce. I've been the resident expert for malware Reverse engineering. If you have any questions,
24:41
my
24:42
Twitter is here on. I have mentioned my email before Cyber Bury a secure sean dot com. I hope you enjoyed this video. Siri's, um, I wish you good luck

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Instructor Profile Image
Sean Pierce
Instructor