debugger obstruction

From ema
Jump to navigation Jump to search
EMA ID: ema-1024
Description: Make debugger session difficult (BlockInput, slow down, etc.). This is a general category of anti-analysis and may refer to any number of techniques.


  • Check Host Fingerprint: Compares a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. If not, execution will stop, making debugging or sandbox analysis more difficult.
  • Malloc Use: Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, uses malloc() / VirtualAlloc() to create a new segment. This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.
  • Pipeline Misdirection: Taking advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.
  • Loop Escapes: Using SEH or other methods to break out of a loop instead of a conditional jump.
  • Exception Misdirection: Using exception handling (SEH) to cause flow of program to non-obvious paths.
  • Break Point Clearing: Intentionally clearing software or hardware breakpoints.
  • Parallel Threads: Use several parallel threads to make analysis harder.
  • TIB Aware: Accessing thread information (fs:[20h]) for debug detection or process obfuscation.
  • Modify PE Header: Any part of the header is changed or erased.
  • Stolen API Code: A variation of “byte stealing” where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.
  • Return Obfuscation: Overwrite the RET address on the stack or the code at the RET address. Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.
  • Section Misalignment: Some analysis tools cannot handle binaries with misaligned sections.
  • Static Linking: Copy locally the whole content of API code.
  • Inlining: variation of static linking where full API code inserted everywhere it would have been called.
  • Page Guard: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. AKA guard pages. One variant uses self-debugging to accomplish.
  • Hook Interrupt: modification of interrupt vector or descriptor tables
  • Hook File System: do something when particular file/dir is accessed; often through hooking certain API calls such as CreateFileA and CreateFileW.
  • Byte Stealing: Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.
  • Get Base Indirectly: CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.
  • Obfuscate Library Use: LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.
  • Relocate API Code: relocate API code in separate buffer (calls don’t lead to imported DLLs).
  • Import Obfuscation: Add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, etc.).
Associated Attributes: Command and Control: port number
Associated Capabilities/Subcapabilities: Capability.png Anti-Behavioral Analysis

Associated With debugger obstruction
No results