debugger detect & evade

From ema
EMA ID: ema-1253
Description: The 'debugger evasion' Behavior detects whether the malware instance is being executed inside a debugger and, if so, executes a benign code path instead of the real payload.

Variations:

  • Debugger Artifacts: Detects a debugger by its artifacts (window title, device driver, exported symbols, etc.).
  • API Call: IsDebuggerPresent: The kernel32!IsDebuggerPresent API call checks the Process Environment Block to see whether the calling process is being debugged. This is one of the most basic and common ways of detecting a debugger.
  • Monitoring Thread: Spawns a monitoring thread to detect tampering, breakpoints, etc.
  • Process Environment Block (PEB): The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call, which reads the same byte.
  • Timing/Date Checks: Calling GetSystemTime or an equivalent API and only executing code if the current date/hour/minute/second passes some check. Often this is used to run only after, or only until, a specific date.
  • Timing/Delay Checks: Comparing the time between two points to detect "unusual" execution, such as the (relatively) massive delays introduced by debugging.
  • Timing/Uptime Check: Comparing a single GetTickCount result with some value to see whether the system has been up for at least a given amount of time.
  • Stack Canary: Similar to the anti-exploitation mitigation of the same name, malware may try to detect tampering with values on the stack.
  • TIB Aware: Accessing thread information (fs:[20h]) for debug detection or process obfuscation.
  • RtlAdjustPrivilege: Calling RtlAdjustPrivilege either to prevent a debugger from attaching or to detect whether a debugger is attached.
  • Interrupt 2D: If int 0x2d is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which the malware can detect.
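
The following is an added example, not code from this ema page or from any malware family it describes, showing several of the variations above in one small C program: the IsDebuggerPresent/PEB BeingDebugged check, a Timing/Delay check, a Timing/Uptime check and a Timing/Date gate. Function names, loop sizes and thresholds (500 ms, 10 minutes, 2024-01-01) are assumptions chosen for illustration. The PEB-based checks only exist on Windows and are compiled under `_WIN32`; the timing, uptime and date checks are written portably so the file also builds and runs on Linux, where the PEB check reports "not applicable". The Monitoring Thread, Stack Canary, TIB, RtlAdjustPrivilege and Interrupt 2D variations are not covered here.

```c
/* Added example (not the ema page's code): several anti-debugging checks
 * in one file. Windows-only parts are under _WIN32; the rest is portable. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* clock_gettime / CLOCK_BOOTTIME on glibc */
#endif
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>        /* PEB / TEB layouts with the BeingDebugged byte */
#endif

/* Millisecond monotonic clock: GetTickCount64 on Windows, CLOCK_MONOTONIC elsewhere. */
static uint64_t monotonic_ms(void)
{
#ifdef _WIN32
    return (uint64_t)GetTickCount64();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
#endif
}

/* Milliseconds since boot; CLOCK_BOOTTIME also counts time spent suspended. */
static uint64_t uptime_ms(void)
{
#ifdef _WIN32
    return (uint64_t)GetTickCount64();
#elif defined(CLOCK_BOOTTIME)
    struct timespec ts;
    clock_gettime(CLOCK_BOOTTIME, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
#else
    return monotonic_ms();   /* assumption: acceptable fallback where BOOTTIME is missing */
#endif
}

/* "API Call: IsDebuggerPresent" and "PEB": both end up reading PEB->BeingDebugged,
 * the second directly through the TEB. 1 = debugged, 0 = not, -1 = no PEB here. */
int peb_being_debugged(void)
{
#ifdef _WIN32
    int via_api = IsDebuggerPresent() ? 1 : 0;
    int via_peb = NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged ? 1 : 0;
    return via_api | via_peb;
#else
    return -1;
#endif
}

/* Decision shared by the timing checks: a gap longer than max_ms between two
 * points in straight-line code is treated as debugger-induced. */
bool elapsed_is_suspicious(uint64_t start_ms, uint64_t end_ms, uint64_t max_ms)
{
    return end_ms - start_ms > max_ms;
}

/* "Timing/Delay Checks": time a loop that natively finishes in well under a
 * millisecond; single-stepping or a breakpoint inside it exceeds max_ms. */
bool timing_delay_check(uint64_t max_ms)
{
    uint64_t start = monotonic_ms();
    volatile uint32_t acc = 0;            /* volatile: keep the loop from being optimised away */
    for (uint32_t i = 0; i < 100000u; i++)
        acc += i ^ (i >> 3);
    return elapsed_is_suspicious(start, monotonic_ms(), max_ms);
}

/* "Timing/Uptime Check": true (suspicious) if the host booted less than
 * min_uptime_ms ago, as a freshly started analysis VM typically has. */
bool uptime_check(uint64_t min_uptime_ms)
{
    return uptime_ms() < min_uptime_ms;
}

/* "Timing/Date Checks": run only on or after a UTC date. 'now' is a parameter
 * (normally gmtime(&t)) so the gate can be exercised with a constructed date. */
bool date_gate_passed(const struct tm *now, int year, int month, int day)
{
    int have = (now->tm_year + 1900) * 10000 + (now->tm_mon + 1) * 100 + now->tm_mday;
    int want = year * 10000 + month * 100 + day;
    return have >= want;
}

int main(void)
{
    time_t t = time(NULL);
    printf("PEB BeingDebugged : %d (-1 = not applicable)\n", peb_being_debugged());
    printf("delay > 500 ms    : %s\n", timing_delay_check(500) ? "yes" : "no");
    printf("uptime < 10 min   : %s\n", uptime_check(10u * 60u * 1000u) ? "yes" : "no");
    printf("date >= 2024-01-01: %s\n", date_gate_passed(gmtime(&t), 2024, 1, 1) ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner should keep in mind. The BeingDebugged byte is trivially cleared by debugger plugins or a manual patch, which is why samples usually pair it with the timing variants; and the timing thresholds cut both ways: a loaded host or a paused VM can push an honest run over the limit, so malware tends to use generous thresholds and repeat the check rather than act on a single reading.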
Associated Attributes: Common: applicable platform, Common: technique
Associated Capabilities/Subcapabilities: Anti-Behavioral Analysis
