Anti-debugging 0x03


Introduction

Malicious software can detect that it is running under a debugger, because any debugger leaves traces in the process it is debugging, and it then masks its malicious behaviour to avoid detection by the malware analysts trying to debug it. In this section, I’ll go through some popular anti-debugging techniques for detecting the presence of a debugger.

NtGlobalFlag

Description

  • The Process Environment Block’s NtGlobalFlag field sits at offset 0x68 in the PEB on 32-bit Windows and at offset 0xBC on 64-bit Windows; in both cases it is normally 0.
  • The value of NtGlobalFlag does not change when a debugger is attached to an already running process. The following flags are set only if the process was created by a debugger:

  • FLG_HEAP_ENABLE_TAIL_CHECK —> (0x10)
  • FLG_HEAP_ENABLE_FREE_CHECK —> (0x20)
  • FLG_HEAP_VALIDATE_PARAMETERS —> (0x40)

  • A combination of those flags may be used to detect the existence of a debugger. Note that the same bits are also set when heap checking has been turned on with gflags (the GlobalFlag value in Image File Execution Options), so this check can fire with no debugger present.

Example

[screenshot: Anti-reverse-anti-debug-peb-ntglobalflag]

32Bit Process

mov eax, fs:[30h]
mov al, [eax+68h]
and al, 70h
cmp al, 70h
jz  being_debugged

64Bit Process

mov rax, gs:[60h]
mov al, [rax+0BCh]
and al, 70h
cmp al, 70h
jz  being_debugged

WOW64 Process

mov eax, fs:[30h]
mov al, [eax+10BCh]
and al, 70h
cmp al, 70h
jz  being_debugged

C/C++ Code

#include <windows.h>
#include <winternl.h>   // PEB / PPEB
#include <intrin.h>     // __readfsdword / __readgsqword

#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

// Returns TRUE when the heap-debug flags in PEB.NtGlobalFlag show the process was created under a debugger.
BOOL IsDebuggedNtGlobalFlag(void)
{
#ifndef _WIN64
    // 32-bit: PEB pointer at fs:[0x30], NtGlobalFlag at PEB+0x68
    PPEB pPeb = (PPEB)__readfsdword(0x30);
    DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0x68);
#else
    // 64-bit: PEB pointer at gs:[0x60], NtGlobalFlag at PEB+0xBC
    PPEB pPeb = (PPEB)__readgsqword(0x60);
    DWORD dwNtGlobalFlag = *(PDWORD)((PBYTE)pPeb + 0xBC);
#endif // _WIN64

    // The original snippet jumped to being_debugged here; the same condition is returned instead.
    return (dwNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED) != 0;
}

Bypass NtGlobalFlag

Stage(1)

  • When I debug this app I run into the NtGlobalFlag technique; let us bypass it.

[screenshot: ntGolbalflag]

Stage(2)

  • The app loads the PEB pointer into EAX —> mov eax, large fs:30h

  • I will follow the value of EAX in the dump to see the PEB struct

[screenshot: ntGolbalflag2]

Stage(3)

  • Next the app reads the combined flag value —> mov eax, [eax+68h]

  • We notice that the value is 0x70, which means the process is being debugged

[screenshot: ntGolbalflag3]

Stage(4)

  • To bypass this technique, change the value from 0x70 to 0x00

  • Right-click the value in the dump, select Modify and change the value to 0x00

[screenshot: ntGolbalflag4]

Stage(5)

  • Nice, the app does not execute the call that terminates the process.

[screenshot: ntGolbalflag5]
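To make the check concrete without a Windows debugger, here is an added example (not code from the original post) in portable C that reproduces the logic of both the assembly and the C snippets above over a constructed PEB image: it reads NtGlobalFlag at the 32-bit (0x68) or 64-bit (0xBC) offset, names the set flags the way the analyst reads them in Stage 3, and clears them in place as Stage 4 does in the debugger's dump window. The PEB image, its sizes and all function names are assumptions made for the example; only the flag values and offsets come from the post. It also makes visible a subtlety the two original snippets hide: the assembly requires all three bits (cmp al, 70h), whereas the C version fires when any one of them is set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heap flags a debugger-created process carries in PEB.NtGlobalFlag (values as on the page). */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

/* Offset of NtGlobalFlag inside the PEB, by bitness (from the page). */
#define PEB32_NTGLOBALFLAG_OFFSET 0x68u
#define PEB64_NTGLOBALFLAG_OFFSET 0xBCu

/* Assumed sizes for the constructed PEB images; only NtGlobalFlag is meaningful in them. */
#define PEB32_SIZE 0x250u
#define PEB64_SIZE 0x380u

static size_t ntglobalflag_offset(int is64) {
    return is64 ? PEB64_NTGLOBALFLAG_OFFSET : PEB32_NTGLOBALFLAG_OFFSET;
}

/* Read NtGlobalFlag (a 32-bit ULONG) from a raw PEB image.
   Returns -1 if the image is too short to contain the field, else the value. */
int64_t read_ntglobalflag(const uint8_t *peb, size_t len, int is64) {
    size_t off = ntglobalflag_offset(is64);
    if (peb == NULL || len < off + 4) return -1;
    uint32_t v;
    memcpy(&v, peb + off, sizeof v);     /* little-endian host assumed */
    return (int64_t)v;
}

/* The page's assembly: and al,70h / cmp al,70h -> all three bits must be set. */
int is_debugged_all_flags(uint32_t ntglobalflag) {
    return (ntglobalflag & NT_GLOBAL_FLAG_DEBUGGED) == NT_GLOBAL_FLAG_DEBUGGED;
}

/* The page's C: if (dwNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED) -> any bit is enough. */
int is_debugged_any_flag(uint32_t ntglobalflag) {
    return (ntglobalflag & NT_GLOBAL_FLAG_DEBUGGED) != 0;
}

/* Stage 4 of the walkthrough: clear the three heap flags in place, leaving other bits alone.
   Returns the new value, or -1 if the field lies outside the image. */
int64_t clear_debug_flags(uint8_t *peb, size_t len, int is64) {
    int64_t cur = read_ntglobalflag(peb, len, is64);
    if (cur < 0) return -1;
    uint32_t v = (uint32_t)cur & ~NT_GLOBAL_FLAG_DEBUGGED;
    memcpy(peb + ntglobalflag_offset(is64), &v, sizeof v);
    return (int64_t)v;
}

/* Name the set flags, '|'-separated, for an analyst's notes. Returns the count named. */
int describe_flags(uint32_t ntglobalflag, char *out, size_t outlen) {
    static const struct { uint32_t bit; const char *name; } tbl[] = {
        { FLG_HEAP_ENABLE_TAIL_CHECK,   "FLG_HEAP_ENABLE_TAIL_CHECK" },
        { FLG_HEAP_ENABLE_FREE_CHECK,   "FLG_HEAP_ENABLE_FREE_CHECK" },
        { FLG_HEAP_VALIDATE_PARAMETERS, "FLG_HEAP_VALIDATE_PARAMETERS" },
    };
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (ntglobalflag & tbl[i].bit) {
            int w = snprintf(out + used, outlen - used, "%s%s", n ? "|" : "", tbl[i].name);
            if (w < 0 || (size_t)w >= outlen - used) break;   /* stop on truncation */
            used += (size_t)w;
            n++;
        }
    }
    return n;
}

int main(void) {
    /* Constructed PEB image: a 32-bit process started under a debugger, as in Stage 3. */
    uint8_t peb32[PEB32_SIZE] = {0};
    uint32_t v = NT_GLOBAL_FLAG_DEBUGGED;
    memcpy(peb32 + PEB32_NTGLOBALFLAG_OFFSET, &v, sizeof v);

    char names[128];
    int64_t flag = read_ntglobalflag(peb32, sizeof peb32, 0);
    describe_flags((uint32_t)flag, names, sizeof names);
    printf("NtGlobalFlag=0x%llX (%s) -> debugged=%d\n",
           (long long)flag, names, is_debugged_all_flags((uint32_t)flag));

    clear_debug_flags(peb32, sizeof peb32, 0);          /* the Stage 4 patch */
    printf("after patch: NtGlobalFlag=0x%llX -> debugged=%d\n",
           (long long)read_ntglobalflag(peb32, sizeof peb32, 0),
           is_debugged_all_flags((uint32_t)read_ntglobalflag(peb32, sizeof peb32, 0)));
    return 0;
}
```

The two predicate functions are kept separate on purpose: when writing a detection rule or a bypass, it matters whether the sample requires the full 0x70 or reacts to any single heap flag, because an analyst who clears only one bit defeats the first form but not the second.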

References

  • Practical Malware Analysis
  • Mastering Malware Analysis
  • https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag
  • https://wiki.x10sec.org/reverse/windows/anti-debug/ntglobalflag/
  • https://osandamalith.com/2016/04/23/debugger-detection-using-ntglobalflag/
  • https://www.astesj.com/publications/ASTESJ_0506142.pdf