debugger prevention

From ema
EMA ID: ema-1230
Description: The 'debugger prevention' Behavior prevents the execution of the malware instance in a debugger.

Examples:

  • Deposited Keys: Parts of the code and/or data are encrypted or otherwise rely on data external to the file itself. For example, malware that contains code encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc.) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being run on a different system (e.g., sandbox, emulator, etc.).
  • Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).
  • Token Check: Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.).
  • Fingerprinting: Token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.).
  • Data Integrity Check: Check the contents of data sections are unmodified with checksum or hash. Depending on implementation, may detect file, in-memory, or both. Typically this does not affect analysis.
  • Code Integrity Check: Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the “key” used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.
  • Illusion: Makes the analyst think something incorrect happened. This is a general category of anti-analysis and may refer to any number of techniques.
  • Self-Debugging: Debugs itself so that no other debugger can be attached.
  • Interrupt Hooking: Block interrupt 1 and/or 3 to prevent debuggers from working.
  • Interrupt Use: The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption “key”.
  • Self-Unmapping: Calls UnmapViewOfFile() on its own mapped image.
  • RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.
  • Change SizeOfImage: Changing this value at run time can prevent some debuggers from attaching; see example assembly on page 1. Also confuses some unpackers and dumpers.
  • Pre-Debug: Prevents a debugger from attaching to the process, or from breaking, until after the code of interest has been executed.
  • Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).
  • Nanomites: int3 with code replacement table; debugs itself.
  • Encode File: Encode a file on disk, such as an implant’s config file.
  • Demo Mode: Inclusion of a demo binary/mode that is executed when the token is absent or the process is not sufficiently privileged.
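Added example, not taken from the EMA page or from any malware family it lists: a Python model of the Code Integrity Check variation above, in which the unpacking stub's own bytes are the "key". Writing a software breakpoint (int3, 0xCC) into the stub changes the derived key, so unpacking yields garbage and the integrity check fails; the stub bytes and payload are constructed samples, and a hardware breakpoint, which does not modify memory, would leave the key intact.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample bytes standing in for an unpacking stub (not real malware code).
STUB = bytes.fromhex("5589e583ec10c745fc000000008b45fcc9c3")
PAYLOAD = b"constructed unpacked payload: hello, analyst"
INT3 = 0xCC  # opcode a debugger writes into code to plant a software breakpoint


def derive_key(stub: bytes) -> bytes:
    """The key is derived from the stub's own bytes, so any patch changes it."""
    return hashlib.sha256(stub).digest()


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key; used both to pack and to unpack."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(stub: bytes, payload: bytes) -> Tuple[bytes, bytes]:
    """Return (packed payload, SHA-256 of the plaintext) for the given stub."""
    return xor_crypt(payload, derive_key(stub)), hashlib.sha256(payload).digest()


def unpack(stub: bytes, packed: bytes, expected_digest: bytes) -> Optional[bytes]:
    """Unpack using the stub as it currently exists in memory.

    If a debugger has written 0xCC into the stub, the derived key differs,
    the XOR produces garbage, and the integrity check fails (returns None).
    """
    plain = xor_crypt(packed, derive_key(stub))
    return plain if hashlib.sha256(plain).digest() == expected_digest else None


def set_software_breakpoint(stub: bytes, offset: int) -> bytes:
    """Model what a debugger does: overwrite one code byte with int3."""
    return stub[:offset] + bytes([INT3]) + stub[offset + 1:]


PACKED, DIGEST = pack(STUB, PAYLOAD)


def run_clean() -> Optional[bytes]:
    return unpack(STUB, PACKED, DIGEST)


def run_with_breakpoint(offset: int = 6) -> Optional[bytes]:
    return unpack(set_software_breakpoint(STUB, offset), PACKED, DIGEST)


if __name__ == "__main__":
    print("clean:", run_clean())                    # the original payload
    print("int3 at offset 6:", run_with_breakpoint())  # None: unpacking failed
```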

Associated Capabilities/Subcapabilities: Anti-Behavioral Analysis

Notes: Could also be associated with the AntiCodeAnalysisBehaviorEnum-1.0.
Associated With debugger prevention:
  • Interrupt Hooking
  • Self Debugging
References (Date, Malware Family, URL):
  • February 17, 2016, Fake Adobe Flash Update OS X Malware: https://www.synack.com/2016/02/17/analyzing-the-anti-analysis-logic-of-an-adware-installer/
  • March 18, 2015, Dridex: http://phishme.com/dridex-code-breaking-modify-the-malware-to-bypass-the-vm-bypass/