Behaviors

Examples:

• Web Injection: On Macs, unpatched versions of applications can be exploited via malicious websites. If users have an unpatched and vulnerable version of an application, malicious websites can inject code into the user's system to either steal information or present specific ads. This can be accomplished by installing the malicious code as a launch agent, also giving persistence.

Examples:

• Dead Code Insertion: Inclusion of "dead" code in the malware instance with no real functionality but with the intent of impeding disassembly.
• Fake Code Insertion: Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.
• Jump Insertion: Insertion of jumps to make analysis visually harder.
• Junk Code Insertion: Insertion of dummy code between relevant opcodes. Can make signature writing more complex.
• Thunk Code Insertion: Variation on “jump”; also used by some compilers for user-generated functions (ex: Visual Studio /INCREMENTAL)

Examples:

• Code Encryption: Encryption of the code in the malware instance in order to hinder static analysis.
• Entry Point Obfuscation: Obfuscation of the entry point of the malware executable, in order to hinder static analysis.
• Import Address Table Obfuscation: Obfuscation of the import address table of the malware instance, in order to hinder static analysis.
• Symbolic Obfuscation: The removing or renaming of textual information in the code of the malware instance, in order to hinder static analysis.
• Interleaving Code: A form of obfuscation that splits code into sections that are rearranged and connected by unconditional jumps, in order to hinder static analysis and disassembly.
• Merge Code Sections: Merge all sections; just one entry in the sections table. Only affects readability slightly, so may not even be worth mitigating. May affect some detection signatures if written to be section dependent.

Examples:

• Call Optimization: Turn relative operands of jumps and calls into absolute (better compression). May confuse some basic block detection algorithms.
• Minification: Per wikipedia, minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' A simple example is when all the unecessary whitespace and comments are removed. This is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.

Examples:

• Password Cracking: Consume system resources for the purpose of password cracking.
• Mine for Cryptocurrency: Consume system resources for cryptocurrency (e.g., Bitcoin, Litecoin, etc.) mining.

Examples:

• Different Opcode Sets: Use different opcodes sets (ex: FPU, MMX, SSE) to block emulators.

• Undocumented Opcodes: Use rare or undocumented opcodes to block non-exhaustive emulators.

• Unusual/Undocumented API Calls: Call unusual APIs to block non-exhaustive emulators (particularly anti-virus).

• Extra Loops/Time Locks: Add extra loops to make time-constraint emulators give up.

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Malloc Use: Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, uses malloc()/VirtualAlloc() to create a new segment. This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.

• Pipeline Misdirection: Taking advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.

• Loop Escapes: Using SEH or other methods to break out of a loop instead of a conditional jump.

Examples:

• Flow Opcodes: flow opcodes are removed and emulated (or decrypted) by the packer during execution.

• Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; easy to “see” when jmp/jcc to a label+# (e.g., JNE loc_401345fe+2).

• Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.

Examples:

• Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; easy to “see” when jmp/jcc to a label+# (ex: JNE loc_401345fe+2).

• Argument Obfuscation: simple number or string arguments to API calls are calculated at runtime, making static analysis more difficult.

• Variable Recomposition: Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.

• Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.

Examples:

• Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; easy to “see” when jmp/jcc to a label+# (ex: JNE loc_401345fe+2).

• Argument Obfuscation: simple number or string arguments to API calls are calculated at runtime, making static analysis more difficult.

• Variable Recomposition: Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.

• Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.

Examples:

• Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; easy to “see” when jmp/jcc to a label+# (ex: JNE loc_401345fe+2).

• Argument Obfuscation: simple number or string arguments to API calls are calculated at runtime, making static analysis more difficult.

• Variable Recomposition: Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.

• Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.

Examples:

• Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; easy to “see” when jmp/jcc to a label+# (ex: JNE loc_401345fe+2).

• Argument Obfuscation: simple number or string arguments to API calls are calculated at runtime, making static analysis more difficult.

• Variable Recomposition: Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.

• Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.

Examples:

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Hook Interrupt: modification of interrupt vector or descriptor tables

• Hook File System: do something when particular file/dir is accessed; often through hooking certain API calls such as CreateFileA and CreateFileW.

• Demo Mode: Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.

• Drop Code: Original file is written to disk then executed. May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).

Methods:

• Process detection: malware can scan for the process name associated with common analysis tools.
  • Debuggers: OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
  • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
  • PCAP Utilities: Wireshark / Dumpcap
  • Process Utilities: ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
  • PE Utilities: ImportREC / PETools / LordPE
  • Sandboxes: Joe Sandbox, etc.

Examples:

• Debugger Artifacts: Detects a debugger by its artifact (window title, device driver, exports, etc.).

• API Call: IsDebuggerPresent: The kernel32!IsDebuggerPresent API call checks the Process Environment Block to see if the calling process is being debugged. This is one of the most basic and common ways of detecting debugging.

• Debugger Artifacts: Detects a debugger by its artifact (window title, device driver, exports, etc.).

• Monitoring Thread: Spawn a monitoring thread to detect tampering, breakpoints, etc.

• Process Environment Block (PEB): The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call.

• Timing/Date Checks: Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date.

• Timing/Delay Checks: Comparing time between two points to detect "unusual" execution, such as the (relative) massive delays introduced by debugging.

• Timing/Uptime Check: Comparing single GetTickCount with some value to see if system has been started at least X amount ago.

• Stack Canary: Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.

• TIB Aware: Accessing thread information (fs:[20h]) for debug detection or process obfuscation.

• RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.

• Interrupt 2D: If int 0x2d is mishandled by the debugger, it can cause a single-byte instrustion to be inadvertently skipped, which can be detected by the malware.

Examples:

• Injected DLL Testing: Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.

• Product Key/ID Testing: Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.

• Screen Resolution Testing: Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.

• Check Machine Specs: By determining which software are installed the sandbox can be detected (e.g: Python, Tracer, Debugging Tools, Vmware tools); Most of the modern user machine are at least 4GB or memory. Machine with less memory size can be detected as a sandbox; Not so much user machine are using less than 80GB, by requesting the drive size, malware can determine a virtual environment; Some sandboxes use a name like Sandbox, Maltest, Malware, malsand, ClonePC; Another way to determine if it's a sandbox, is to detect a potential USB drive; Another way to determine if it's a sandbox, is to detect a potential connected printer or identify the default Windows printers, Adobe, Onenote; Malware can check the number of processor to detect if it's a sandbox. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

• Monitoring Thread: Spawn a monitoring thread to detect tampering, breakpoints, etc.

• Timing/Date Checks: Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date.

• Timing/Delay Checks: Comparing time between two points to detect "unusual" execution, such as the (relative) massive delays introduced by debugging.

• Timing/Uptime Check: Comparing single GetTickCount with some value to see if system has been started at least X amount ago.

• Check Folders: Special path like C:\Cuckoo can be used on the guest system. A malware could be able to detect this folder to evade the sandbox. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

• Hooked Function: To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

• Request Pipe: Cuckoo uses a pipe \\\\.\\pipe\\cuckoo for the communication between the host system and the guest system. A malware can request the file to detect the virtual environment. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

• Find Agent: Cuckoo uses a python agent to interact with the host guest. By listing the process and finding python.exe or pythonw.exe or by looking for an agent.py in the system, a malware can detect Cuckoo. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

Possible methods:

• Guest Process Testing: Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process, via its name or other methods, responsible for these tasks is a technique employed by malware for detecting whether it is being executed in a virtual machine.
• HTML5 Performance Object: In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.
• Named System Object Checks: Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.
• x86 Instructions: The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
  • SIDT (red pill): Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.
  • SGDT/SLDT (no pill): The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.
  • SMSW
  • STR
  • CPUID
  • IN
  • RDTSC
  • VMCPUID
  • VPCEXT
• Check CPU Location: When an Operating System is virtualized, the CPU is relocated. That allows a malware to detect the virtual environment. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Check for Memory Artifacts: VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Mac Address Detection: VMware uses specific virtual Mac address that can be detected by Malware. The usual mac address used started with the following numbers: "00:0C:29", "00:1C:14", "00:50:56", "00:05:69". Virtualbox uses specific virtual Mac address that can be detected by Malware. The usual mac address used started with the following numbers: 08:00:27. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Registry Keys: The VMware installation directory C:\Program Files\VMware\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse. The Virtualbox Guest addition leaves many artifacts in the registry. A search for VBOX in the registry might find some keys. Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\Description\System with a value of SystemBiosVersion and data of QEMU. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Check Processes: The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Check Files: Some files are created by VMware on the system. Malware can check the different folder to find VMware artifacts. Some files are created by Virtualbox on the system. Malware can check the different folder to find Virtualbox artifacts like VBoxMouse.sys. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Check Running Services: VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services. http://unprotect.tdgt.org/index.php/Sandbox_Evasion
• Query I/O Communication Port: VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware. http://unprotect.tdgt.org/index.php/Sandbox_Evasion

• Memory size: Most modern machines have at least 4 GB or more. Machines with less memory can be detected as a sandbox.
• Drive size: Not many modern machines have less than 80 GB, by requesting the drive size, malware can determine a virtual environment.
• USB drive: Another way to determine if it's a sandbox, is to detect a potential USB drive.
• Printer: Another way to determine if it's a sandbox, is to detect a potential connected printer or identify the default Windows printers, Adobe, Onenote, etc.
• CPU: Malware can check the number of processors to detect if it's running in a sandbox.

Examples:

• API Call: NtQuerySystemInformation: Hooking NtQuerySystemInformation to hide a process name from TaskManager/tasklist.

Examples:

• Malloc Use: Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, uses malloc()/VirtualAlloc() to create a new segment. This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.

• Pipeline Misdirection: Taking advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.

• Loop Escapes: Using SEH or other methods to break out of a loop instead of a conditional jump.

• Exception Misdirection: Using exception handling (SEH) to cause flow of program to non-obvious paths.

• Break Point Clearing: Intentionally clearing software or hardware breakpoints.

• Parallel Threads: Use several parallel threads to make analysis harder.

• TIB Aware: Accessing thread information (fs:[20h]) for debug detection or process obfuscation.

• Modify PE Header: Any part of the header is changed or erased.

• Stolen API Code: A variation of “byte stealing” where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.

• Return Obfuscation: Overwrite the RET address on the stack or the code at the RET address. Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.

• Section Misalignment: Some analysis tools cannot handle binaries with misaligned sections.

• Static Linking: Copy locally the whole content of API code.

• Inlining: variation of static linking where full API code inserted everywhere it would have been called.

• Page Guard: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. AKA guard pages. One variant uses self-debugging to accomplish.

• Hook Interrupt: modification of interrupt vector or descriptor tables

• Hook File System: do something when particular file/dir is accessed; often through hooking certain API calls such as CreateFileA and CreateFileW.

• Byte Stealing: Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.

• Get Base Indirectly: CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.

• Obfuscate Library Use: LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.

• Relocate API Code: relocate API code in separate buffer (calls don’t lead to imported DLLs).

• Import Obfuscation: Add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, etc.).

Examples:

• Erasing the PE header from memory

• SizeOfImage

• Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).

• Page Guard: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. AKA guard pages. One variant uses self-debugging to accomplish.

• On-the-Fly APIs: API address is resolved before each use to prevent complete dumping.

• Byte Stealing: Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.

• Import Obfuscation: Add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, etc.).
• Feed Misinformation: Report inaccurate data when the contents of the physical memory of the system on which the malware instance is executing is retrieved.

Examples:

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Token Check: Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.).

• Fingerprinting: Token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.)

• Data Integrity Check: Check the contents of data sections are unmodified with checksum or hash. Depending on implementation, may detect file, in-memory, or both. Typically this does not affect analysis.

• Code Integrity Check: Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the “key” used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.

• Illusion: Makes the analyst think something incorrect happened. This is a general category of anti-analysis and may refer to any number of techniques.

• Self-Debugging: Debug itself to prevent another debugger to be attached.

• Interrupt Hooking: Block interrupt 1 and/or 3 to prevent debuggers from working.

• Interrupt Use: The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption “key”.

• Self-Unmapping: UnmapViewOfFile() on itself

• RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.

• Change SizeOfImage: Changinging this value during run time can prevent some debuggers from attaching. see example assembly on page 1. Also confuses some unpackers and dumpers.

• Pre-Debug: Prevents debugger from attaching to process or to break until after the code of interest has been executed

• Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).

• Nanomites: int3 with code replacement table; debugs itself.

• Encode File: Encode a file on disk, such as an implant’s config file.

• Demo Mode: Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.

Examples:

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Token Check: Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.).

• Fingerprinting: Token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.)

• Data Integrity Check: Check the contents of data sections are unmodified with checksum or hash. Depending on implementation, may detect file, in-memory, or both. Typically this does not affect analysis.

• Code Integrity Check: Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the “key” used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.

• Illusion: Makes the analyst think something incorrect happened. This is a general category of anti-analysis and may refer to any number of techniques.

• Self-Debugging: Debug itself to prevent another debugger to be attached.

• Interrupt Hooking: Block interrupt 1 and/or 3 to prevent debuggers from working.

• Interrupt Use: The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption “key”.

• Self-Unmapping: UnmapViewOfFile() on itself

• RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.

• Change SizeOfImage: Changinging this value during run time can prevent some debuggers from attaching. see example assembly on page 1. Also confuses some unpackers and dumpers.

• Pre-Debug: Prevents debugger from attaching to process or to break until after the code of interest has been executed

• Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).

• Nanomites: int3 with code replacement table; debugs itself.

• Encode File: Encode a file on disk, such as an implant’s config file.

• Demo Mode: Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.

Examples:

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Token Check: Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.).

• Fingerprinting: Token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.)

• Data Integrity Check: Check the contents of data sections are unmodified with checksum or hash. Depending on implementation, may detect file, in-memory, or both. Typically this does not affect analysis.

• Code Integrity Check: Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the “key” used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.

• Illusion: Makes the analyst think something incorrect happened. This is a general category of anti-analysis and may refer to any number of techniques.

• Self-Debugging: Debug itself to prevent another debugger to be attached.

• Interrupt Hooking: Block interrupt 1 and/or 3 to prevent debuggers from working.

• Interrupt Use: The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption “key”.

• Self-Unmapping: UnmapViewOfFile() on itself

• RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.

• Change SizeOfImage: Changinging this value during run time can prevent some debuggers from attaching. see example assembly on page 1. Also confuses some unpackers and dumpers.

• Pre-Debug: Prevents debugger from attaching to process or to break until after the code of interest has been executed

• Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).

• Nanomites: int3 with code replacement table; debugs itself.

• Encode File: Encode a file on disk, such as an implant’s config file.

• Demo Mode: Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.

Examples:

• Deposited Keys: Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being able to be run on a different system (e.g., sandbox, emulator, etc.).

• Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).

• Token Check: Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.).

• Fingerprinting: Token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.)

• Data Integrity Check: Check the contents of data sections are unmodified with checksum or hash. Depending on implementation, may detect file, in-memory, or both. Typically this does not affect analysis.

• Code Integrity Check: Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the “key” used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.

• Illusion: Makes the analyst think something incorrect happened. This is a general category of anti-analysis and may refer to any number of techniques.

• Self-Debugging: Debug itself to prevent another debugger to be attached.

• Interrupt Hooking: Block interrupt 1 and/or 3 to prevent debuggers from working.

• Interrupt Use: The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption “key”.

• Self-Unmapping: UnmapViewOfFile() on itself

• RtlAdjustPrivilege: Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.

• Change SizeOfImage: Changinging this value during run time can prevent some debuggers from attaching. see example assembly on page 1. Also confuses some unpackers and dumpers.

• Pre-Debug: Prevents debugger from attaching to process or to break until after the code of interest has been executed

• Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).

• Nanomites: int3 with code replacement table; debugs itself.

• Encode File: Encode a file on disk, such as an implant’s config file.

• Demo Mode: Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.