PRACTICAL MALWARE ANALYSIS: ANTI-DEBUGGING (LAB 16-01)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab16-01.exe SHA256: 309217d8088871e09a7a03ee68ee46f60583a73945006f95021ec85fc1ec959e

VirusTotal:

  • Detection Rate: 19/54
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-20 16:42:33
  • View report here

Lab 16-1
Analyze the malware found in Lab16-01.exe using a debugger. This is the
same malware as Lab09-01.exe, with added anti-debugging techniques.
Questions
1. Which anti-debugging techniques does this malware employ?

Based on the figures below, the anti-debugging techniques used are:

  1. checking the BeingDebugged flag in the PEB
  2. checking the process heap flags at offset 10h
  3. checking NtGlobalFlag

Figure 1. Anti-debugger

Figure 2. The offset used

Figure 3. Checking the process heap
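As an added example (not code from the original write-up or from the lab sample), the following Python script turns the three checks above into a static triage scanner: it looks for the `mov eax, fs:[30h]` PEB load seen in the figures followed by a read of PEB+2 (BeingDebugged), PEB+68h (NtGlobalFlag), or PEB+18h and then heap+10h/+0Ch (process heap flags). It assumes the compiler emitted the eax-based form shown in the figures, and the sample bytes are hand-assembled, not copied from Lab16-01.exe.

```python
import re

# mov eax, fs:[30h]: loads the PEB address (IDA shows it as "mov eax, large fs:30h")
PEB_TO_EAX = rb"\x64\xA1\x30\x00\x00\x00"
GAP = rb".{0,8}?"  # tolerate up to 8 bytes of unrelated code between the two reads

# (technique, PEB field read, byte pattern that must follow the PEB load)
SIGNATURES = [
    ("BeingDebugged", "PEB+0x02",
     PEB_TO_EAX + GAP + rb"(?:\x0F\xB6|\x8A)\x40\x02"),        # movzx eax / mov al, [eax+2]
    ("NtGlobalFlag", "PEB+0x68",
     PEB_TO_EAX + GAP + rb"\x8B\x40\x68"),                     # mov eax, [eax+68h]
    ("ProcessHeap flags", "PEB+0x18 -> heap+0x10/+0x0C",
     PEB_TO_EAX + GAP + rb"\x8B\x40\x18" + GAP + rb"\x8B\x40[\x10\x0C]"),  # heap, then its flags
]

def find_antidebug(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, technique, field) for each matched idiom, ordered by offset."""
    hits = []
    for technique, field, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):  # DOTALL: 0x0A is a valid gap byte
            hits.append((m.start(), technique, field))
    return sorted(hits)

def summarize(data: bytes) -> str:
    """Human-readable triage report, one line per hit."""
    lines = [f"{off:#010x}  {tech:<18} reads {field}" for off, tech, field in find_antidebug(data)]
    return "\n".join(lines) or "no PEB-based anti-debugging idioms found"

# Constructed sample: a hand-assembled 32-bit routine doing the three checks in the
# same shape as the lab's function (NOT bytes copied from Lab16-01.exe).
SAMPLE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]             ; PEB
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    "85 C0 75 24"           # test eax, eax; jnz short debugged
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]
    "8B 40 18"              # mov eax, [eax+18h]            ; ProcessHeap
    "8B 40 10"              # mov eax, [eax+10h]            ; heap flags at 10h
    "85 C0 75 14"           # test eax, eax; jnz short debugged
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]
    "8B 40 68"              # mov eax, [eax+68h]            ; NtGlobalFlag
    "83 E0 70"              # and eax, 70h
    "85 C0 75 04"           # test eax, eax; jnz short debugged
    "33 C0 5D C3"           # xor eax, eax; pop ebp; ret    ; not debugged
    "B8 01 00 00 00 5D C3"  # debugged: mov eax, 1; pop ebp; ret
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it over a raw section dump or the whole file; a hit at a given offset tells you where to set the breakpoint in OllyDbg before the check executes.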

2. What happens when each anti-debugging technique succeeds?

It self-deletes and then terminates by calling the subroutine at 00401000.

Figure 4. Self-delete and terminate

3. How can you get around these anti-debugging techniques?

  1. Set a breakpoint at each check and manually change the flow in OllyDbg
  2. Patch the program, e.g. change jz to jnz
  3. Use a plugin such as PhantOm

4. How do you manually change the structures checked during runtime?

Use the OllyDbg command line and enter dump fs:[30]+2 (refer to Figure 2), then set the byte to 0.

Figure 5. Changing the structure

5. Which OllyDbg plug-in will protect you from the anti-debugging techniques
used by this malware?

The PhantOm plugin will do the job.
