Now, we saw IsDebuggerPresent, and we saw the FindWindow anti-debugging trick and the OutputDebugString trick. And there are many more. There are lots of things. If you see in the bottom right, 0xCC scanning: that's scanning for the INT 3 software breakpoint instruction. Remember how I said that with a debugger, if we hit F2, it will replace that instruction with the 0xCC byte, which is the INT 3 instruction, so that when the process is executing and it hits that instruction, it hands control over to the debugger, which is in another process. Now some malware will look for that byte, the 0xCC byte, in its own code. So it's just looking for debuggers, and the way around that would be to use a hardware breakpoint instead of a software breakpoint like 0xCC, or INT 3.
There are lots of API function calls, both documented and undocumented, that malware authors will use, and they'll look at various data structures in memory. They'll look at whether certain memory flags are set. They'll look at many, many things, like the time, as I mentioned before. But this is not an exhaustive list. In fact, there are many, many more techniques and tricks that come out, not all the time, but it's not uncommon for a new technique to come out. And the thing about these tricks and techniques is they only slow down analysts. They don't stop us, and it's a losing battle in terms of time. So if a malware author spends, you know, three or four days figuring out a new anti-debugging technique, if we're decent reverse engineers it will take us 10 or 15 minutes to bypass it, either patch it or whatever. There was a trend a while ago of more anti-virtual-machine techniques.
And there are lots of cool things you can do with this. But that's kind of faded away, because a lot of infrastructure nowadays in small companies or medium-sized companies is all virtual. So if you hard-code stuff into your RAT or Trojan or malware that just kills itself when it detects it's in a virtual machine, you can't infect, like, 90% of the infrastructure of your target company, because, you know, they virtualized their Active Directory server, they virtualized their file server, they virtualized their FTP server, they virtualized their whatever else. So a lot of malware will say, OK, I'll infect it. I'll even run. I'll even do the normal thing. But I am going to report back as soon as possible that I am running in a VM. But it's more common to say, oh, I'm anti-Cuckoo Sandbox, or I'm anti-Joe Sandbox, or anti-FireEye, I'm anti-whatever else, ThreatGRID or
Blue Coat, or whatever. So I mentioned anti-disassembly earlier, and here's a pretty basic example of that which we saw before with, like, Illusion Bot, where IDA Pro didn't catch the fact that it was just going to another section of memory. It figured out that that was code, but didn't figure out how it was being called. But IDA Pro has a very advanced disassembly algorithm. However, not all disassemblers do; OllyDbg has a pretty good one. But there are some disassemblers that will just look at one instruction and say, OK, this instruction is four bytes in length. OK, what's the next one? OK, this one's two bytes in length. OK, what's the next one? Oh, it's three bytes in length. OK, what's the next one? And that's called a linear disassembler.

And so on the left, we can see some basic assembly that you can put into your C code or Visual Studio project. The first instruction is XOR EAX, EAX, and that just zeros out EAX, as we've seen. And then we can say jump zero (JZ), so it will jump somewhere else. And then right after that, we can put a byte like 0xEA, where that doesn't actually disassemble to anything. Or if it does, or if the disassembler gets confused and says, OK, so it's part of a larger byte sequence, 0xEAABFF or whatever, it's still going to break all the code beneath it, because it's trying to say, OK, you know, this instruction is this many bytes, on to the next one; this instruction is one byte; this instruction is two bytes; whatever. And your program could have jumped to where the really good code is, and the disassembler will just break, because it's not following that jump. However, IDA Pro has a pretty good disassembly algorithm and will follow the jumps if it can. And so some malware authors, as a way to fool IDA Pro, will do this: say XOR EAX, EAX, jump. IDA Pro doesn't know that the final jump destination is a constant value.
But IDA Pro's pretty good at this stuff. IDA Pro's been around for a while. It's the best in the industry, I think, so they've developed a lot of algorithms to get around that type of stuff. Over on the right is another common trick, and that's dynamic code generation, like packers, where one instruction like MOV EAX moves a pointer, a label, into EAX. EAX right there has the address of changeme, and then the next instruction is MOV 0x90, which is a NOP, no-operation code, and moves it into the location at EAX. NOP is one byte. And so let's say the first byte of changeme, which EAX is pointing at, could make no sense whatsoever, could be just junk code, until that first byte is NOPed out. And then the rest of the code will just make sense, because the processor doesn't actually check to make sure that what it's doing makes sense. The processor just executes code. It just executes the bytes, whatever it gets. And so if it gets an invalid instruction, it throws an exception; otherwise it'll just keep chugging through. So you can actually jump into another instruction. And that is a technique that some packers or malware authors will use, where here's a bunch of MOV instructions, now here's a jump instruction that jumps into one of the previous MOV instructions, and this breaks all disassemblers currently, because they only look at something as, OK, this byte has been accounted for, this has been disassembled, these three bytes have been accounted for, and they can't really comprehend the idea that this byte could be this instruction and can also be part of this instruction. And some other ways, some newer ways, that malware is breaking disassemblers: one family that I know of is switching between 32-bit and 64-bit code, which is really tricky, hard to do, and it's currently breaking all disassemblers.
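As an added example (not code from the talk or from Sean Pierce), here is a toy C model of the two disassembly strategies, run over the XOR EAX, EAX / JZ / 0xEA byte sequence described above. It also covers the jump-into-an-instruction trick: when an instruction would share bytes with one already decoded, the recursive decoder reports a conflict instead of silently accepting both. The opcode table, the SAMPLE bytes and all function names are my own construction; only the handful of opcodes the sample needs are modelled, although their lengths are the real x86 encodings for those forms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy decoder: only the opcodes the sample needs (lengths are the real encodings
   for these specific forms). Real x86 decoding is far more involved. */
typedef struct { uint8_t op; const char *mnem; int len; } opinfo_t;

static const opinfo_t OPCODES[] = {
    {0x31, "xor r/m32, r32",   2},   /* 31 C0 = xor eax, eax */
    {0x74, "jz rel8",          2},
    {0x90, "nop",              1},
    {0xB8, "mov eax, imm32",   5},
    {0xC3, "ret",              1},
    {0xEB, "jmp rel8",         2},
    {0xEA, "jmp far ptr16:32", 7},   /* the junk byte: it swallows the next six bytes */
};

static const opinfo_t *lookup(uint8_t op) {
    for (size_t i = 0; i < sizeof OPCODES / sizeof OPCODES[0]; i++)
        if (OPCODES[i].op == op) return &OPCODES[i];
    return NULL;                      /* unknown opcode: treated as a one-byte data byte */
}

#define MAXCODE 64

/* Constructed sample: the xor / jz / junk-byte sequence from the talk. */
static const uint8_t SAMPLE[] = {
    0x31, 0xC0,                     /*  0: xor eax, eax  -> ZF is always set            */
    0x74, 0x01,                     /*  2: jz +1         -> always taken, skips one byte */
    0xEA,                           /*  4: junk byte, decodes as a 7-byte far jmp        */
    0x90,                           /*  5: nop           <- the real jz target           */
    0xB8, 0x01, 0x00, 0x00, 0x00,   /*  6: mov eax, 1                                    */
    0xC3,                           /* 11: ret                                           */
};
#define SAMPLE_LEN ((int)sizeof SAMPLE)

/* Linear sweep: decode front to back, trusting every length. Writes each
   instruction's start offset to offs[] and returns the count (-1 if too long). */
int linear_sweep(const uint8_t *code, int n, int *offs) {
    int pc = 0, cnt = 0;
    if (n > MAXCODE) return -1;
    while (pc < n) {
        const opinfo_t *oi = lookup(code[pc]);
        int len = oi ? oi->len : 1;
        offs[cnt++] = pc;
        if (pc + len > n) break;      /* instruction runs past the end: truncated */
        pc += len;
    }
    return cnt;
}

/* Recursive traversal: follow control flow from offset 0, decoding a branch target
   before its fall-through. Afterwards decoded[i] is the length of the instruction
   starting at i (0 if none) and conflict[i] is 1 where an instruction would overlap
   one already accepted. Returns the number of conflicts (-1 if too long). */
int recursive_traversal(const uint8_t *code, int n, int *decoded, int *conflict) {
    int work[2 * MAXCODE], top = 0, nconf = 0;   /* each decoded insn pushes at most 2 */
    if (n > MAXCODE) return -1;
    memset(decoded, 0, n * sizeof *decoded);
    memset(conflict, 0, n * sizeof *conflict);
    work[top++] = 0;
    while (top > 0) {
        int pc = work[--top];
        if (pc < 0 || pc >= n || decoded[pc] || conflict[pc]) continue;
        const opinfo_t *oi = lookup(code[pc]);
        int len = oi ? oi->len : 1, clash = (pc + len > n);
        for (int i = 0; i < n && !clash; i++)     /* would this span cross a decoded one? */
            if (decoded[i] && i < pc + len && pc < i + decoded[i]) clash = 1;
        if (clash) { conflict[pc] = 1; nconf++; continue; }
        decoded[pc] = len;
        int next = pc + len;
        switch (code[pc]) {
        case 0xC3: case 0xEA: break;                           /* no modelled successor */
        case 0xEB: work[top++] = next + (int8_t)code[pc + 1]; break;
        case 0x74: work[top++] = next;                         /* fall-through: popped second */
                   work[top++] = next + (int8_t)code[pc + 1];  /* target: popped first */
                   break;
        default:   work[top++] = next;
        }
    }
    return nconf;
}

/* How many real instructions the recursive decoder recovers that the sweep never saw. */
int hidden_from_linear(const uint8_t *code, int n) {
    int offs[MAXCODE], dec[MAXCODE], conf[MAXCODE], seen[MAXCODE] = {0}, hidden = 0;
    int cnt = linear_sweep(code, n, offs);
    if (cnt < 0) return -1;
    for (int i = 0; i < cnt; i++) seen[offs[i]] = 1;
    recursive_traversal(code, n, dec, conf);
    for (int i = 0; i < n; i++) if (dec[i] && !seen[i]) hidden++;
    return hidden;
}

static const char *mnem_at(const uint8_t *code, int off) {
    const opinfo_t *oi = lookup(code[off]);
    return oi ? oi->mnem : "db (unknown opcode)";
}

int main(void) {
    int offs[MAXCODE], dec[MAXCODE], conf[MAXCODE];
    int cnt = linear_sweep(SAMPLE, SAMPLE_LEN, offs);
    puts("linear sweep:");
    for (int i = 0; i < cnt; i++) printf("  %2d: %s\n", offs[i], mnem_at(SAMPLE, offs[i]));
    recursive_traversal(SAMPLE, SAMPLE_LEN, dec, conf);
    puts("recursive traversal:");
    for (int i = 0; i < SAMPLE_LEN; i++) {
        if (dec[i])  printf("  %2d: %s\n", i, mnem_at(SAMPLE, i));
        if (conf[i]) printf("  %2d: conflict, overlaps already-decoded code\n", i);
    }
    printf("instructions hidden from the linear sweep: %d\n", hidden_from_linear(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The sweep swallows the nop and the mov eax, 1 inside a bogus seven-byte far jump; the traversal recovers them by following the jz target first and then flags offset 4 as overlapping code it already trusts, which is exactly the signal an analyst looks for when a listing turns to garbage after a conditional jump.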
Back to debugging, in OllyDbg. We saw that, and if we thought, OK, what is it actually doing, and jumped into that function, we would see there are only three instructions, or four instructions, where it's only checking a little bit. Like, literally, it's checking a bit in memory to see if it's a one or a zero and then returns that bit. Wouldn't it be cool if we just patched that bit? There are plugins for Olly, like OllyAdvanced or whatever, where it basically goes through a bunch of these anti-debug checks and neuters them. So this is an anti-anti-debugging technique, where the malware has some anti-debugging technique and we are taking care of that: we're hooking that function, or we're modifying the results of that function, or we're modifying the memory address which that function checks, or whatever we're doing, we can lie to the application. So I've used the OllyAdvanced plugin before. It's for Olly 1.1, I believe, or 1.x, so it'll work on 1.whatever versions of Olly. I haven't really played with Olly 2.0 all that much, and I haven't really played with their debugging capabilities or anti-anti-debugging capabilities, mainly because I like to know exactly what my tools are doing, and if I don't know what a plugin is doing, then I can't really account for it. So I usually like to run without any plugins unless I absolutely have to.
You know, what we did was patch the program. We can also patch the memory, and we can also use a plugin like this. What we did when we patched the executable was we changed the source code. Well, we didn't change the source, but we changed the machine code, and that can be accounted for. The malware could have some integrity checking algorithms. It could have anti-dumping code. It could have a few different things that could happen. And what I mean by that is there's a simple CRC check. I think CRC, or cyclical redundancy check, is what CRC stands for. And so I've seen some malware where it'll run some code and then do a check where it says, OK, so for the last 100 bytes or something, you know, kind of hash that into, look at the output of a four-byte hash, and then check it against this value. If it's this value, then great, keep going. And if it's not, the malware knows it's been tampered with and can terminate or do whatever.
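As an added example, not from the talk: the two self-checks just described, the 0xCC scan and a four-byte CRC over a code region, written out in C so the analyst can see exactly what each one reacts to. The REGION bytes are a constructed stand-in for "the last 100 bytes", the function names are mine, and the CRC is the ordinary CRC-32 (reflected, polynomial 0xEDB88320); the "expected" value is simply computed from the clean region, the way a build step would bake it in.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The "0xCC scanning" from the talk: a software breakpoint set with F2 replaces
   the first byte of an instruction with INT 3 (0xCC), so the count changes.
   A hardware breakpoint lives in the debug registers and leaves the bytes alone,
   which is why it slips past this particular check. */
size_t count_int3(const uint8_t *code, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (code[i] == 0xCC);
    return hits;
}

/* Standard CRC-32, computed bitwise so no table is needed. A checksum is enough
   here: any single patched byte changes the result. */
uint32_t crc32(const uint8_t *buf, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The check as described: no INT3 bytes, and the four-byte hash must match the
   value baked in at build time. Returns 1 if intact, 0 if tampered. */
int region_intact(const uint8_t *code, size_t n, uint32_t expected_crc) {
    if (count_int3(code, n) != 0) return 0;
    return crc32(code, n) == expected_crc;
}

/* Constructed stand-in for "the last 100 bytes": a short x86 sequence. */
static const uint8_t REGION[] = {
    0x55,           /* push ebp      */
    0x89, 0xE5,     /* mov  ebp, esp */
    0x31, 0xC0,     /* xor  eax, eax */
    0x40,           /* inc  eax      */
    0x5D,           /* pop  ebp      */
    0xC3,           /* ret           */
};
#define REGION_LEN (sizeof REGION)

/* Simulate what an analyst does to a copy of the region: plant patch_byte at
   one offset (0xCC for a software breakpoint, 0x90 for a NOP-out), then run the
   check with the CRC of the clean region as the baked-in value. Returns 1 when
   the original passes and the patched copy is flagged, -1 on a bad offset. */
int demo_patch_detected(size_t offset, uint8_t patch_byte) {
    uint8_t copy[REGION_LEN];
    uint32_t baked = crc32(REGION, REGION_LEN);      /* what the build step would embed */
    if (offset >= REGION_LEN) return -1;
    memcpy(copy, REGION, REGION_LEN);
    copy[offset] = patch_byte;
    return region_intact(REGION, REGION_LEN, baked) == 1 &&
           region_intact(copy,   REGION_LEN, baked) == 0;
}

int main(void) {
    printf("crc32 of clean region: 0x%08X, INT3 bytes: %zu\n",
           crc32(REGION, REGION_LEN), count_int3(REGION, REGION_LEN));
    printf("software breakpoint at offset 3 detected: %d\n", demo_patch_detected(3, 0xCC));
    printf("NOP patch at offset 5 detected:           %d\n", demo_patch_detected(5, 0x90));
    return 0;
}
```

The breakpoint trips the 0xCC scan, and the NOP patch (which contains no 0xCC) still trips the CRC; the analyst-side response the talk goes on to describe is to patch the comparison or the baked-in constant rather than the code the hash covers.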
Not only malware does this; commercial software does too. The worst I've seen is Skype. Skype has a ton of anti-reversing, anti-debugging and anti-patching things built into it. I think I've seen malware where it'll check its own code two or three times. And Skype, I think I've seen it do it 33 different times. Skype can be pretty tricky about what it does. It's very, very protected software, more than anything else I've ever seen, more than games, which are the biggest user of anti-debugging stuff, or anti-reversing, or anti-patching, or anti-modification, whatever. And, of course, the other technique we can use besides anti-anti-debugging techniques is we could just not use a debugger. There are programs out there that will just inject a DLL into a process, and it'll monitor everything it does. There are things that try to instrument, or hook, all the functions that might be called, and they just monitor those. Or there's software out there that will just run the malware and then dump the memory and, you know, like, pause it if it's a virtual machine, or just, you know, stop it when it gets to a certain code page by throwing an exception or something like that. So, just a quick recap and a little brush-up. Usually malware has a goal of stopping automated analysis, so they have anti-sandbox and anti-VM stuff, and slowing down analysts, so they'll have anti-debugging or anti-virtual-machine stuff, or anti-disassembly stuff.
And with anti-debugging, you know, we've seen some API calls, like IsDebuggerPresent being called. We've seen some process and thread stuff. Whether you noticed it or not, when I said that IsDebuggerPresent is only like three or four instructions, it checks a certain part of memory. It was checking a certain data structure called the PEB, the process environment block, and it was just checking for that one little bit in there, in user land. And the malware didn't even need to call that function. It could just have executed those four instructions by itself, which is not something a lot of malware authors do. As an analyst, you should be familiar with those instructions, particularly the FS register, because it checks the PEB, the process environment block, and there are a lot of flags, there are a lot of bits and bytes in there that will indicate whether a process is being debugged.
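As an added example, not from the talk: the PEB bytes that the inline IsDebuggerPresent sequence reads, plus one of the other flags the speaker alludes to, laid out in C. The PEB is passed in as a raw byte buffer so the check runs on a constructed image anywhere; only current_peb() touches the real structure, and only on Windows. The offsets are the documented ones (BeingDebugged at PEB+2; NtGlobalFlag at PEB+0x68 on 32-bit and PEB+0xBC on 64-bit; the three heap-debug bits 0x10|0x20|0x40 that get set when a process is created under a debugger). The function names and the sample buffer are mine, and the intrinsics used in current_peb() are assumed to be available from <intrin.h> under MSVC and MinGW.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32)
#include <intrin.h>      /* __readfsdword / __readgsqword (assumed: MSVC and MinGW) */
#endif

/* Offsets inside the PEB used below. */
#define PEB_BEING_DEBUGGED    0x02   /* the byte IsDebuggerPresent returns            */
#define PEB_NTGLOBALFLAG_X86  0x68   /* NtGlobalFlag in the 32-bit PEB                */
#define PEB_NTGLOBALFLAG_X64  0xBC   /* NtGlobalFlag in the 64-bit PEB                */
#define FLG_HEAP_DEBUG_BITS   0x70   /* TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS */
#define PEB_SAMPLE_SIZE       0x100  /* enough bytes to cover the fields used here    */

/* What the three-or-four-instruction IsDebuggerPresent body boils down to:
       mov   eax, fs:[0x30]       ; TEB->ProcessEnvironmentBlock (gs:[0x60] on x64)
       movzx eax, byte [eax+2]    ; PEB->BeingDebugged
       ret
   Here the PEB pointer is a parameter, so the check can run on a buffer. */
int being_debugged(const uint8_t *peb) {
    return peb[PEB_BEING_DEBUGGED] != 0;
}

/* Another flag in the same structure: the heap-debug bits of NtGlobalFlag. */
int ntglobalflag_debugged(const uint8_t *peb, int x64) {
    uint32_t flags;
    memcpy(&flags, peb + (x64 ? PEB_NTGLOBALFLAG_X64 : PEB_NTGLOBALFLAG_X86), sizeof flags);
    return (flags & FLG_HEAP_DEBUG_BITS) == FLG_HEAP_DEBUG_BITS;
}

/* The analyst's move from the talk: patch the bits so the check lies. An
   anti-anti-debug plugin does this to the live PEB; here it works on the buffer. */
void neuter_peb_flags(uint8_t *peb, int x64) {
    uint32_t flags;
    uint8_t *p = peb + (x64 ? PEB_NTGLOBALFLAG_X64 : PEB_NTGLOBALFLAG_X86);
    peb[PEB_BEING_DEBUGGED] = 0;
    memcpy(&flags, p, sizeof flags);
    flags &= ~(uint32_t)FLG_HEAP_DEBUG_BITS;
    memcpy(p, &flags, sizeof flags);
}

/* Build a constructed PEB image that looks like a debugged process (both flags set). */
void make_debugged_peb(uint8_t *peb, int x64) {
    uint32_t flags = FLG_HEAP_DEBUG_BITS;
    memset(peb, 0, PEB_SAMPLE_SIZE);
    peb[PEB_BEING_DEBUGGED] = 1;
    memcpy(peb + (x64 ? PEB_NTGLOBALFLAG_X64 : PEB_NTGLOBALFLAG_X86), &flags, sizeof flags);
}

/* Locate the real PEB the way the inline check does. Windows only; NULL elsewhere
   so the sample still compiles and runs on other systems. */
const uint8_t *current_peb(void) {
#if defined(_WIN32) && (defined(_M_X64) || defined(__x86_64__))
    return (const uint8_t *)__readgsqword(0x60);
#elif defined(_WIN32)
    return (const uint8_t *)__readfsdword(0x30);
#else
    return NULL;
#endif
}

int main(void) {
    uint8_t peb[PEB_SAMPLE_SIZE];
    make_debugged_peb(peb, 0);
    printf("constructed PEB: BeingDebugged=%d NtGlobalFlag=%d\n",
           being_debugged(peb), ntglobalflag_debugged(peb, 0));
    neuter_peb_flags(peb, 0);
    printf("after patching:  BeingDebugged=%d NtGlobalFlag=%d\n",
           being_debugged(peb), ntglobalflag_debugged(peb, 0));
    const uint8_t *real = current_peb();
    if (real) printf("this process:    BeingDebugged=%d\n", being_debugged(real));
    return 0;
}
```

The point for the analyst is the one the talk makes: the API call is optional, so a breakpoint on IsDebuggerPresent catches nothing when the malware reads fs:[0x30] itself, and the reliable place to neuter the check is the byte in the PEB, not the function.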
There are also hardware- and register-based ways of detecting the debugger, like I was mentioning earlier: hardware breakpoints, certain registers that debuggers use. If you want to know more, I will give you more resources here in the next slide. There's exception-based. We didn't really cover that, but because debuggers want to instrument a program, they will get what's called a first-chance exception. So if your program does a divide by zero, it will throw an exception. The processor will throw an exception, and if you have, like, a try/catch block in your code, your C code or C++ code, or for C++ it uses SEH, structured exception handling, and other programming languages have other kinds of things built in, but they're mainly based around exceptions, structured exceptions. When an exception happens, the first-chance exception goes to the debugger. So, you know, right before the malware will take care of a problem like divide by zero, the debugger will take over first, and then it'll give you the ability to, like, look at memory, look at values in variables, look at the call stack and look at all this other stuff, because it's a debugger, it's meant to get rid of bugs, it wants to help you. And if you just say, OK, continue, or change something in memory and say, oh, there's a bug in this malware, which happens all the time, I was dealing with it today, actually, and continue, it won't call the exception handler or the exception code. The malware could have a flag in there that says, OK, if this flag didn't get checked, we know that the debugger is attached and intercepting those exceptions. So there are a few different methods built around that idea.
And we talked about the modified-code-based anti-debugging, where it checks its own code, either for the 0xCC byte, the INT 3 instruction, or it'll just do kind of like a hash check or a CRC check of the code that is about to execute, or that it has executed, and checks it against, usually, a four-byte hash. And if it's different than what it's expecting, then it knows it's been modified and takes whatever actions it wants. We also talked about timing-based, where I mentioned that some malware will just call a sleep function and check whether it actually slept that long, or if it's being short-circuited, or hooked, or whatever. But an older technique is actually that malware will execute a number of instructions and see how fast it took to execute those instructions. There are instructions in x86 that say, oh, give me the real-time clock, or give me whatever, so you can actually determine how much time has passed between executing different instructions. And it used to be based off the idea that virtual machines are usually jam-packed onto very high-end, powerful computers, but there are several virtual machines going at once, and the processor is switching between them, so virtual machines actually take much longer to execute instructions than physical ones. The timing-based attack, or detection, was meant to determine if you're in a virtual machine via how fast you were executing code. And there are lots of anti-virtual-machine things that we talked about, not just API calls: program or process names, or memory constants, or things in the API, or instructions that you can or can't execute within a VM. But there are things like certain API calls or ports that are open to virtual machines only. So VMware, what we've been running, or what I've been running, opens up a special input/output port, and that's how copy and paste works, and that's how drag and drop works: it communicates information through this port that doesn't exist in normal machines. So a popular virtual machine detection trick is to see if that port is available. But as I mentioned earlier, a lot of malware doesn't seem to be concerned that it's infecting a virtual machine anymore, because targets are usually on virtual machines as well.
We went over some anti-disassembly techniques, like code generation, or assembly meant specifically to break the algorithms of disassemblers. And if you want to know more, I would suggest going online to Symantec's anti-debug reference, where they've collected, from over the years, malware doing various things for anti-debugging or anti-reversing or anti-analysis, whatever. In the OpenRCE forum, openrce.org, they have a pretty impressive library and source code available for anti-reversing and anti-debugging examples. If you're interested in anti-virtual-machine techniques, there's Pafish, or paranoid fish. The article on codeproject.com shows a lot of source code, C-level and assembly-level source code, of how to implement anti-reverse-engineering techniques. It's not aimed at malware authors. It's more aimed at people who want to protect their game from being pirated, or protect their intellectual property. The two papers at the bottom I highly suggest reading, and there are talks that go along with them, and source code. "Anti-Debugging: A Developer's View" was really good, and "Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies" is really good.
The authors of the last one I just mentioned are Rodrigo Branco, Gabriel Barbosa and Pedro Neto, and Tyler Shields is the one who did the developer's viewpoint. And Practical Malware Analysis has some good chapters devoted to it. And two years ago, I did a talk at NoVA Hackers, at the ShmooCon Epilogue, where I had collected all of the techniques that I had ever observed. I'd put them in one giant project, and I had taken all this code and developed a game around it, where you can execute this piece of malware and it will choose a random anti-debugging trick, random anti-VM trick, random technique of communication via IRC or HTTP, a random install persistence mechanism via registry run key, via service, or whatever else, and then it would hide on the system, and then the malware analyst would have to go and look for it and then bypass those anti-debugging or anti-VM tricks to get at an encrypted string, and the encryption was random as well, or you could specify all of them. So if you're interested in these techniques, these technologies, I would suggest implementing a lot of these things yourself. You know, don't go just writing malware and releasing it, but it's good to be familiar with how these things work at a pragmatic level, so you can not only develop it yourself and reverse engineer it yourself, but understand where the pivot points are. You know, I made some anti-VM code, you know, based on Pafish, but it doesn't actually work under this circumstance, like one technique doesn't work if you're running multiple cores in your VM. So it's good stuff to know. It's good to be aware of this stuff. So, again, my name is Sean Pierce. I've been the resident expert for malware reverse engineering. If you have any questions, Twitter is here, and I have mentioned my email before, at secure sean dot com. I hope you enjoyed this video series. I wish you good luck.