Malicious software can detect that it is running under a debugger, because an attached debugger leaves traces in the debugged process, and it can then hide its malicious behaviour to evade the malware analysts trying to debug it. In this section, I'll go through some popular anti-debugging techniques for detecting the presence of a debugger.
- The Process Environment Block's NtGlobalFlag field lies at offset 0x68 in the PEB on 32-bit Windows and at offset 0xBC on 64-bit Windows; in a normally started process both are set to 0.
- The value of NtGlobalFlag does not change when a debugger is attached to an already running process. The following flags are set if the process was created by a debugger:
- FLG_HEAP_ENABLE_TAIL_CHECK —> (0x10)
- FLG_HEAP_ENABLE_FREE_CHECK —> (0x20)
- FLG_HEAP_VALIDATE_PARAMETERS —> (0x40)
- A combination of those flags may be used to detect the existence of a debugger.
32-bit process on 32-bit Windows (fs:[30h] holds the PEB pointer):

```asm
mov eax, fs:[30h]      ; PEB
mov al, [eax+68h]      ; PEB.NtGlobalFlag
and al, 70h            ; keep the three heap flags
cmp al, 70h
jz  being_debugged
```

64-bit process (gs:[60h] holds the PEB pointer):

```asm
mov rax, gs:[60h]      ; PEB
mov al, [rax+0BCh]     ; PEB.NtGlobalFlag
and al, 70h
cmp al, 70h
jz  being_debugged
```

32-bit process on 64-bit Windows (WOW64): the 64-bit PEB sits 0x1000 bytes past the 32-bit one, so its NtGlobalFlag is at PEB32 + 0x10BC:

```asm
mov eax, fs:[30h]      ; 32-bit PEB
mov al, [eax+10BCh]    ; NtGlobalFlag of the 64-bit PEB
and al, 70h
cmp al, 70h
jz  being_debugged
```
The same check in C, with the headers it needs:

```c
#include <windows.h>
#include <winternl.h>   /* PEB / PPEB */
#include <intrin.h>     /* __readfsdword / __readgsqword */

#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

/* Returns TRUE when any of the debugger heap flags is set in PEB.NtGlobalFlag. */
BOOL IsDebuggedNtGlobalFlag(void)
{
#ifndef _WIN64
    /* 32-bit: PEB pointer at fs:[0x30], NtGlobalFlag at PEB + 0x68 */
    PPEB pPeb = (PPEB)__readfsdword(0x30);
    DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0x68);
#else
    /* 64-bit: PEB pointer at gs:[0x60], NtGlobalFlag at PEB + 0xBC */
    PPEB pPeb = (PPEB)__readgsqword(0x60);
    DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0xBC);
#endif /* _WIN64 */
    return (dwNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED) != 0;
}
```
- When I debug this app I run into the NtGlobalFlag technique, so let us bypass it.
The app loads the PEB struct into EAX —>
mov eax, large fs:30h
I will follow the value of EAX in the dump to see the PEB struct.
Then I will see the value of the combination of flags —>
mov eax, [eax+68h]
We notice that the value is 0x70, which means the process is being debugged.
To bypass this technique we must change the value from
right-click the value in the dump, select Modify and change the value to
- Nice, the app does not execute the call that terminates the process.
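To tie the detection above and the dump-patching bypass together, here is an added example (my own code, not from the original post) that reads NtGlobalFlag from a raw PEB memory dump at the offset the page gives for each case (0x68, 0xBC, 0x10BC), decodes the three heap flags, and clears them the way the analyst does by editing the value in the debugger's dump window. The PEB dump is a constructed, zero-filled buffer with 0x70 written at offset 0x68; the mode names are my own.

```python
import struct

# Heap flags the loader sets in PEB.NtGlobalFlag when a process is
# created under a debugger (values as given on the page).
FLG_HEAP_ENABLE_TAIL_CHECK   = 0x10
FLG_HEAP_ENABLE_FREE_CHECK   = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NT_GLOBAL_FLAG_DEBUGGED = (FLG_HEAP_ENABLE_TAIL_CHECK
                           | FLG_HEAP_ENABLE_FREE_CHECK
                           | FLG_HEAP_VALIDATE_PARAMETERS)

# Offset of NtGlobalFlag from the PEB the check reads: native 32-bit PEB,
# native 64-bit PEB, or (WOW64) the 64-bit PEB 0x1000 past the 32-bit one.
NTGLOBALFLAG_OFFSET = {"x86": 0x68, "x64": 0xBC, "wow64": 0x10BC}

FLAG_NAMES = {
    FLG_HEAP_ENABLE_TAIL_CHECK:   "FLG_HEAP_ENABLE_TAIL_CHECK",
    FLG_HEAP_ENABLE_FREE_CHECK:   "FLG_HEAP_ENABLE_FREE_CHECK",
    FLG_HEAP_VALIDATE_PARAMETERS: "FLG_HEAP_VALIDATE_PARAMETERS",
}

def read_nt_global_flag(peb_dump: bytes, mode: str) -> int:
    """Return the 32-bit NtGlobalFlag field from a raw PEB dump."""
    return struct.unpack_from("<I", peb_dump, NTGLOBALFLAG_OFFSET[mode])[0]

def debugger_heap_flags(peb_dump: bytes, mode: str) -> list:
    """Names of the debugger-indicating heap flags present in NtGlobalFlag."""
    value = read_nt_global_flag(peb_dump, mode)
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def looks_debugged(peb_dump: bytes, mode: str) -> bool:
    """Mirror the C check on the page: any of the three flags set => debugged."""
    return bool(read_nt_global_flag(peb_dump, mode) & NT_GLOBAL_FLAG_DEBUGGED)

def patch_nt_global_flag(peb_dump: bytes, mode: str) -> bytes:
    """Clear the three heap flags, as the analyst does by editing the dump."""
    buf = bytearray(peb_dump)
    off = NTGLOBALFLAG_OFFSET[mode]
    value = struct.unpack_from("<I", buf, off)[0] & ~NT_GLOBAL_FLAG_DEBUGGED
    struct.pack_into("<I", buf, off, value)
    return bytes(buf)

# Constructed sample: a zeroed region standing in for the PEB of a 32-bit
# process started under a debugger, i.e. 0x70 at offset 0x68.
_sample = bytearray(0x1100)
struct.pack_into("<I", _sample, NTGLOBALFLAG_OFFSET["x86"], 0x70)
SAMPLE_PEB_X86 = bytes(_sample)
```

Running `patch_nt_global_flag` on the sample and re-checking shows the same effect as the manual dump edit: the value drops from 0x70 to 0 and `looks_debugged` becomes False.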