- IDA Pro
- Lab16-01.exe SHA256: 309217d8088871e09a7a03ee68ee46f60583a73945006f95021ec85fc1ec959e
- Detection Rate: 19/54
- Analyzed on 2016-03-19
- Compilation Date: 2011-10-20 16:42:33
Analyze the malware found in Lab16-01.exe using a debugger. This is the
same malware as Lab09-01.exe, with added anti-debugging techniques.
1. Which anti-debugging techniques does this malware employ?
Based on the figures below, the anti-debugging techniques used are:
- checking the BeingDebugged flag in the PEB
- checking the ProcessHeap flags field at offset 10h of the heap header (ForceFlags)
- checking NtGlobalFlag in the PEB
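An added example (not part of the original writeup): a small Python scanner that flags the byte patterns of these three PEB-based checks in raw 32-bit code, useful for triaging whether a sample performs them before stepping through it in a debugger. The signatures assume the common encoding of each check (`mov eax, fs:[30h]` followed by the field load); the sample bytes are constructed, and the lab binary's exact instruction sequence is not taken from the page.

```python
import re

# Standard IA-32 encodings used as signatures:
#   64 A1 30 00 00 00     mov eax, fs:[30h]            ; load PEB pointer
#   0F B6 40 02           movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
#   8B 40 18 / 8B 40 10   mov eax,[eax+18h]; mov eax,[eax+10h]  ; ProcessHeap -> ForceFlags
#   8B 40 68 / 83 F8 70   mov eax,[eax+68h]; cmp eax,70h        ; NtGlobalFlag
PEB_LOAD = rb"\x64\xA1\x30\x00\x00\x00"
# Allow up to 16 bytes of unrelated instructions between the PEB load and the
# field access, but never step over another PEB load (that belongs to the next check).
WINDOW = rb"(?:(?!\x64\xA1).){0,16}?"

SIGNATURES = {
    "BeingDebugged": re.compile(PEB_LOAD + WINDOW + rb"\x0F\xB6\x40\x02", re.DOTALL),
    "ProcessHeap.ForceFlags": re.compile(
        PEB_LOAD + WINDOW + rb"\x8B\x40\x18" + WINDOW + rb"\x8B\x40\x10", re.DOTALL),
    "NtGlobalFlag": re.compile(
        PEB_LOAD + WINDOW + rb"\x8B\x40\x68" + WINDOW + rb"\x83\xF8\x70", re.DOTALL),
}


def find_anti_debug_checks(code: bytes) -> dict:
    """Return {technique: [byte offsets]} for every signature found in code."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(code)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: a function performing the three checks in sequence (not lab bytes).
SAMPLE = (
    b"\x55\x8B\xEC"                                                     # push ebp; mov ebp,esp
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x0F\xB6\x40\x02"                 # BeingDebugged
    + b"\x85\xC0\x75\x05"                                               # test eax,eax; jnz
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x8B\x40\x18" + b"\x8B\x40\x10"  # ProcessHeap.ForceFlags
    + b"\x85\xC0\x75\x05"                                               # test eax,eax; jnz
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x8B\x40\x68" + b"\x83\xF8\x70"  # NtGlobalFlag == 0x70
    + b"\x75\x05\x5D\xC3"                                               # jnz; pop ebp; ret
)

if __name__ == "__main__":
    for name, offsets in find_anti_debug_checks(SAMPLE).items():
        print(f"{name}: check at offset(s) {[hex(o) for o in offsets]}")
```

Offsets are relative to the start of the scanned buffer; add the section's image base to get the address to break on in OllyDbg.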
2. What happens when each anti-debugging technique succeeds?
When any of the checks succeeds, the malware calls the subroutine at 00401000, which deletes the executable from disk and then terminates the process.
3. How can you get around these anti-debugging techniques?
- Set a breakpoint at each check and manually change the control flow in OllyDbg (for example by flipping the zero flag before the conditional jump)
- Patch the program, e.g. change the `jz` after each check to `jnz`
- Use a plugin such as PhantOm
4. How do you manually change the structures checked during runtime?
In the OllyDbg command line, enter `dump fs:[30]+2` to display the BeingDebugged byte of the PEB (the PEB pointer is at fs:[30h]; refer to figure 2), then set that byte to 0.
5. Which OllyDbg plug-in will protect you from the anti-debugging techniques
used by this malware?
The PhantOm plugin will do the job.