Anti-Debugging
What is Anti-Debugging?
Anti-debugging is a popular anti-analysis technique used by malware to recognize when it is running under the control of a debugger, or to prevent a debugger from attaching or from working properly.
Malware uses these techniques to hide its operation or to slow down analysis as much as possible.
Windows Debugger Detection
Malware uses a variety of techniques to scan for indications of a debugger, as follows:
Using the Windows API
The following Windows API functions can be used for anti-debugging:
- IsDebuggerPresent (returns the BeingDebugged flag of the current process's PEB)
- CheckRemoteDebuggerPresent (same check, but for the current process or any other process whose handle the caller has)
- NtQueryInformationProcess (undocumented ntdll export; the ProcessDebugPort information class is non-zero when a debugger is attached)
- OutputDebugString (behaves differently when no debugger is attached, which the malware can observe)
The easiest way to overcome a call to an anti-debugging API function is to manually modify the malware during execution so that it does not call the function, or to modify the returned flag after the call to ensure that the proper path is taken.
Using Windows API functions is the most obvious of the anti-debugging techniques.
Manually Checking Structures
Rather than calling an API (which is easy to spot and to patch), malware can read the same information directly from process structures, mainly the Process Environment Block (PEB):
- Checking the BeingDebugged flag (the byte in the PEB that IsDebuggerPresent reads)
- Checking the ProcessHeap flags (the Flags and ForceFlags fields of the process heap header are set to debugging values when the process is created under a debugger)
- Checking NtGlobalFlag (heap-checking flags are set in this PEB field when a process starts under a debugger)
- Checking for system residue (registry keys, debugger windows, processes or files left behind by debugging tools)
Identifying Debugger Behavior
Debuggers can be used to set breakpoints or to single-step through a process in order to aid the malware analyst in reverse-engineering. Several techniques are used by malware to detect this sort of debugger behavior:
- INT scanning
- Checksum checks
- Timing checks
INT Scanning
- INT 3 is the software interrupt that debuggers use to temporarily replace an instruction in the running program and transfer control to the debug exception handler; it is the basic mechanism for setting a software breakpoint.
- The opcode for INT 3 is 0xCC.
- Whenever you set a breakpoint in a debugger, the debugger modifies the program's code by inserting a 0xCC byte. Malware scans its own code for 0xCC to detect this.
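The following C program is an added example (not code from the original notes) that shows both the API checks from the Windows API section and the INT 3 scan and checksum check described in this section, written the way they appear in malware so that an analyst can recognize them. The Windows API part only compiles on Windows (behind `_WIN32`); the INT 3 scan and checksum run anywhere against a constructed byte array that stands in for a function's machine code, with `patched_copy` playing the role of a debugger that plants a breakpoint. The function names, the sample bytes and the rotate-XOR checksum are assumptions made for this example.

```c
/* Added example of anti-debugging checks. Not part of the original notes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* NtQueryInformationProcess is exported by ntdll.dll but not declared in
 * <windows.h>; malware usually resolves it at runtime with GetProcAddress. */
typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define PROCESS_DEBUG_PORT_CLASS 7   /* PROCESSINFOCLASS ProcessDebugPort */

/* Returns a bitmask of which API checks reported a debugger (0 = none). */
int api_debugger_checks(void)
{
    int hit = 0;
    if (IsDebuggerPresent())                        /* PEB->BeingDebugged */
        hit |= 1;

    BOOL remote = FALSE;                            /* ProcessDebugPort != 0 */
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote) && remote)
        hit |= 2;

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t NtQIP = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (NtQIP) {
        ULONG_PTR port = 0;
        if (NtQIP(GetCurrentProcess(), PROCESS_DEBUG_PORT_CLASS, &port, sizeof port, NULL) == 0
            && port != 0)
            hit |= 4;
    }
    return hit;
}
#endif

/* INT 3 scan: return the offset of the first 0xCC byte in a code region, or
 * -1 if there is none. The compare value is derived from a volatile at runtime
 * so the scanner's own machine code contains no literal 0xCC immediate, which
 * would otherwise make it report itself if pointed at its own bytes. */
long scan_for_int3(const uint8_t *code, size_t len)
{
    volatile uint8_t base = 0xCB;
    uint8_t int3 = (uint8_t)(base + 1);
    for (size_t i = 0; i < len; i++)
        if (code[i] == int3)
            return (long)i;
    return -1;
}

/* Checksum check: a software breakpoint changes the bytes of the function,
 * so a checksum recomputed at runtime no longer matches the value computed
 * (or stored) for the clean code. Rotate-XOR is enough to detect a change;
 * it is not a cryptographic hash. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = ((sum << 5) | (sum >> 27)) ^ code[i];
    return sum;
}

/* Constructed sample standing in for a function's machine code (x86-64):
 *   push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret      (contains no 0xCC) */
static const uint8_t CLEAN_CODE[] = {
    0x55, 0x48, 0x89, 0xE5, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3
};

/* Plays the debugger: returns a static copy of CLEAN_CODE with the byte at
 * 'offset' overwritten by INT 3 (0xCC), exactly what setting a software
 * breakpoint does. An out-of-range offset leaves the copy unmodified. */
const uint8_t *patched_copy(size_t offset)
{
    static uint8_t buf[sizeof CLEAN_CODE];
    memcpy(buf, CLEAN_CODE, sizeof buf);
    if (offset < sizeof buf)
        buf[offset] = 0xCC;
    return buf;
}

int main(void)
{
    uint32_t expected = code_checksum(CLEAN_CODE, sizeof CLEAN_CODE);
    const uint8_t *bp = patched_copy(4);         /* breakpoint on mov eax,1 */

    printf("INT 3 scan: first 0xCC at offset %ld\n", scan_for_int3(bp, sizeof CLEAN_CODE));
    printf("checksum: clean=%08x patched=%08x (%s)\n", expected,
           code_checksum(bp, sizeof CLEAN_CODE),
           code_checksum(bp, sizeof CLEAN_CODE) == expected ? "untouched" : "modified");
#ifdef _WIN32
    printf("API checks bitmask: %d\n", api_debugger_checks());
#endif
    return 0;
}
```

When analyzing a sample, the two patterns to look for are a loop comparing each byte of a code region against 0xCC (often disguised, as above, so that the constant does not appear literally) and a loop summing or XORing the same region and comparing against a stored value. In real code the INT 3 scan has a false-positive problem the malware author must handle: 0xCC can legitimately occur as an immediate or displacement byte, and MSVC pads between functions with 0xCC, so the scan is usually limited to a known clean range or combined with the checksum. To bypass either check, use hardware breakpoints (which do not modify code) or patch the comparison result, just as with the API-based checks.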