1–> Malware authors make heavy use of anti-reverse-engineering techniques to impede analysis of their samples, while malware analysts run those samples under a debugger to study their functionality and behaviour.
2–> A sample uses a variety of tricks to recognise a debugger that is attached to it; once it detects one, it hides its malicious functionality or simply terminates.
3–> This post presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect whether it is running under the control of a debugger. They are used by commercial executable protectors, packers and malicious software to prevent, or at least slow down, reverse engineering.
IsDebuggerPresent() is a function exported by kernel32.dll. It is the most widely used anti-debugging method on Windows, and malware often calls it to complicate reverse engineering: the program takes a different path through its control flow when it is run under a user-mode debugger such as x32dbg.
IsDebuggerPresent returns a non-zero value (TRUE) if the calling process is being debugged and 0 (FALSE) if it is not. The API simply reads the PEB!BeingDebugged byte flag, located at offset 2 of the PEB structure, so circumventing it is as easy as setting PEB!BeingDebugged to 0. Note that clearing the flag also defeats samples that read PEB!BeingDebugged directly instead of calling the API, whereas patching a single branch only fixes that one call site; it does not affect checks that go through a different source, such as CheckRemoteDebuggerPresent, which queries the process debug port rather than this flag.
Bypassing IsDebuggerPresent with x32dbg
If you want your application to never perform this check, do the following:
- Press Alt+E, or open the View menu and select the Symbol Info / Modules window.
- Press Ctrl+N.
- Type IsDebuggerPresent and press Enter.
- Run the program and wait for it to break on this op-code.
- Press F8 until you come back to your own code.
- Look for something like TEST EAX,EAX followed by a conditional jump such as JE, JNZ, etc. Beware that the return value of IsDebuggerPresent is saved in EAX, so this is the instruction that decides which path the program takes.
- If the jump is taken on this op-code, change it to NOP; if it is not taken, change it to JMP.
- Save your program. If you don't know how to save modified code in x32dbg, just search for it.
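The manual patch described in the steps above, as an added Python example; it is not part of the original post and not x32dbg code. It models the same decision on a constructed blob of x86 code bytes: find each `call [IsDebuggerPresent]` / `test eax,eax` / Jcc sequence, work out whether the conditional jump would be taken when the API returns 1 (debugger present), and rewrite it so the "not debugged" path is always followed. The IAT slot address 0x0040A010 and the sample bytes are made up for the example. It goes slightly beyond the walkthrough by also handling the 6-byte near form of the jump (0F 84 / 0F 85), whose displacement must be adjusted when it becomes a 5-byte JMP.

```python
"""
Static patch of the IsDebuggerPresent() check in raw x86 code bytes.

Added example, not from the original post or from x32dbg.  Mirrors the manual
x32dbg steps: locate the branch that follows TEST EAX,EAX after the call,
decide whether it is taken with EAX = 1 (debugger present) and rewrite it so
the clean path is always executed.  The IAT address and sample are constructed.
"""
from __future__ import annotations

# Constructed (hypothetical) IAT slot address for kernel32!IsDebuggerPresent.
IAT_ISDEBUGGERPRESENT = 0x0040A010

CALL_INDIRECT = b"\xFF\x15" + IAT_ISDEBUGGERPRESENT.to_bytes(4, "little")  # call [IAT]
TEST_EAX_EAX = b"\x85\xC0"

# Jcc opcodes that only look at ZF, the flag TEST EAX,EAX sets when EAX == 0.
#   True  -> JE/JZ  : jump when IsDebuggerPresent returned 0 (not debugged)
#   False -> JNE/JNZ: jump when IsDebuggerPresent returned 1 (debugged)
SHORT_JCC = {0x74: True, 0x75: False}   # 2-byte form: opcode rel8
NEAR_JCC = {0x84: True, 0x85: False}    # 6-byte form: 0F opcode rel32


def find_checks(code: bytes) -> list[int]:
    """Offsets of every `call [IsDebuggerPresent]` in the blob."""
    offsets, start = [], 0
    while (i := code.find(CALL_INDIRECT, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def jump_taken(code: bytes, at: int, eax: int) -> bool | None:
    """Would the Jcc at `at` be taken if EAX held `eax`?  None if not a ZF Jcc."""
    op = code[at]
    if op in SHORT_JCC:
        taken_if_zero = SHORT_JCC[op]
    elif op == 0x0F and at + 1 < len(code) and code[at + 1] in NEAR_JCC:
        taken_if_zero = NEAR_JCC[code[at + 1]]
    else:
        return None
    return taken_if_zero == (eax == 0)


def patch_check(code: bytes, call_off: int) -> tuple[bytes, str]:
    """
    Apply the rule from the walkthrough to one call site:
      - jump taken with EAX = 1 (debugger) -> NOP it out so execution falls through
      - jump not taken with EAX = 1        -> make it an unconditional JMP
    """
    buf = bytearray(code)
    test_off = call_off + len(CALL_INDIRECT)
    if buf[test_off:test_off + 2] != TEST_EAX_EAX:
        raise ValueError(f"no TEST EAX,EAX after call at {call_off:#x}")
    jcc_off = test_off + 2
    taken = jump_taken(buf, jcc_off, eax=1)
    if taken is None:
        raise ValueError(f"unrecognised Jcc at {jcc_off:#x}")

    if buf[jcc_off] == 0x0F:                      # 6-byte near Jcc
        if taken:
            buf[jcc_off:jcc_off + 6] = b"\x90" * 6
            action = "near Jcc -> 6x NOP"
        else:
            # JMP rel32 (E9) is 5 bytes, one shorter than 0F 8x rel32.  rel32 is
            # relative to the end of the instruction, so add 1 to keep the same
            # target, and pad the spare byte with a NOP.
            rel = int.from_bytes(buf[jcc_off + 2:jcc_off + 6], "little", signed=True)
            buf[jcc_off:jcc_off + 6] = (b"\xE9"
                                        + (rel + 1).to_bytes(4, "little", signed=True)
                                        + b"\x90")
            action = "near Jcc -> JMP rel32 + NOP"
    else:                                         # 2-byte short Jcc
        if taken:
            buf[jcc_off:jcc_off + 2] = b"\x90\x90"
            action = "short Jcc -> NOP NOP"
        else:
            buf[jcc_off] = 0xEB                   # JMP rel8 keeps the same rel8
            action = "short Jcc -> JMP rel8"
    return bytes(buf), action


def patch_all(code: bytes) -> tuple[bytes, list[str]]:
    """Patch every IsDebuggerPresent check in the blob; returns (bytes, log)."""
    actions = []
    for off in find_checks(code):
        code, what = patch_check(code, off)
        actions.append(f"{off:#x}: {what}")
    return code, actions


# Constructed sample: two check sites.  The first exits via JNE when debugged,
# the second jumps to the clean path via a near JE when not debugged.
SAMPLE = (
    CALL_INDIRECT + TEST_EAX_EAX + b"\x75\x05"               # jne +5 (taken under a debugger)
    + b"\xB8\x01\x00\x00\x00"                                  # mov eax,1   (clean path)
    + CALL_INDIRECT + TEST_EAX_EAX + b"\x0F\x84\x10\x00\x00\x00"  # je near +0x10 (not taken under a debugger)
    + b"\xC3"                                                  # ret
)

if __name__ == "__main__":
    patched, log = patch_all(SAMPLE)
    for line in log:
        print(line)
    print(patched.hex(" "))
```

The same decision rule applies inside x32dbg: step to the Jcc, see whether it is taken with EAX = 1, then assemble a NOP or JMP over it and patch the file. The script only recognises the `test eax,eax` idiom; a compiler may instead emit `cmp eax,0`, `or eax,eax` or keep the result in another register, in which case the branch has to be found by hand as the walkthrough describes.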