Anti Debugging Trick

Anti-debugging is a popular anti-analysis technique used by malware to recognize when it is under the control of a debugger or to thwart debuggers. Malware authors know that malware analysts use debuggers to figure out how malware operates, and the authors use anti-debugging techniques in an attempt to slow down the analyst as much as possible. Once malware realizes that it is running in a debugger, it may alter its normal code execution path or modify the code to cause a crash, thus interfering with the analysts’ attempts to understand it, and adding time and additional overhead to their efforts. There are many anti-debugging techniques—perhaps hundreds of them -  I will discuss only the most popular ones that we have encountered in the real world cover as much I can and also show some sophisticated one also and also how to defeat the while debugging session I will use python scripting with immunity debugger to defeat the tricks if you don’t about python scripting with immunity debugger the visit  this might help you ;) . But first lets start with the most simplest and  basic one with uses Windows API -

IsDebuggerPresent() :

By far the most common anti-debugging technique is to use the IsDebugger- Present function exported from kernel32.dll. This function call takes no parameters and returns 1 if there is a debugger attached to the current process or 0 if there isn’t. If we disassemble this function, we see the following assembly:

7C813093 >/$ 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]

7C813099 |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]

7C81309C |. 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]

7C8130A0 \. C3 RETN

This code is loading the address of the Thread Information Block (TIB), which is always located at offset 0x18 from the FS register. From there it loads the Process Environment Block (PEB), which is always located at

offset 0x30 in the TIB. The third instruction is setting EAX to the value of the BeingDebugged member in the PEB, which is at offset 0x2 in the PEB. If there is a debugger attached to the process, this byte will be set to 0x1. A simple bypass for this was posted by Damian Gomez of Immunity, and this is one line of Python that can be contained in a PyCommand or executed from the Python shell in Immunity Debugger:

imm.writeMemory( imm.getPEBaddress() + 0x2, "\x00" )

This code simply zeros out the BeingDebugged flag in the PEB, and now any malware that uses this check will be tricked into thinking there isn’t a debugger attached .

Breaking Single Character XOR Cipher

Of course this been topic cryptography I wouldn’t bug you up with whole lot of complicated mathematic. Single character XOR cipher been the most simplest and effective encoding technique used by malware author for exfiltration of data and it is used very often. For those who are not familiar with this term, exfiltration data files contains stolen data from victims computer and it resides on victims computer and the malware will export it to Command and Control center eventually. Another reason using such simple technique instead of algorithms such as Blowfish or AES-256, is it might trigger IDS or IPS single character XOR inspite of been simple it does gives sufficient level of obfuscation.

Now talking about Single Character XOR cipher, the data to encode is XOR with one byte key this will yield cipher text. For ex

To encode the data :

DATA  ⊕ Key = Cipher text
  5Fh    ⊕ 54h = 0Bh

To decode the data :

 Cipher text ⊕ Key = DATA
  0B    ⊕ 54h = 5Fh

But our goal is to break Ciphertext and to recover the   key which help us to recover the original data. The tool we will be using are :

1.   A hex editor   

2.   Python 2.7

Now talking about the algorithm we will use :

We will simply assume a key the XOR the data to recover the plain text now we will search for occurrence of most frequently occurring English words some method for "scoring" a piece of English plaintext. (Character frequency is a good metric.) Evaluate each output and choose the one with the best score. if we get the word then bingo we got the key. If not try other key since the range of key is from 0 to 255(FFh) i.e one byte it is abe piece of cake for a computers of this era.

This is the encoded data which we will crack:

 After XOR with X (0x58) we will get :

Taking the top 100 most commonly used English word we can do this attack first we will put the XOR logic in a loop which iterate the key from 0(0x0) to 255(0xFF) on each iteration we will compare the decoded data to our list of 100 frequently occurring English if we have the occurrence  we will print it .

The script is as follows :

import binascii,sys

keywords=['the', 'be', 'to', 'of', 'and', 'a', 'in', 'that', 'have', 'I', 'it', 'for', 'not', 'on', 'with', 'he', 'as', 'you', 'do', 'at', 'this', 'but', 'his', 'by', 'from', 'they', 'we', 'say', 'her', 'she', 'or', 'an', 'will', 'my', 'one', 'all', 'would', 'there', 'their', 'what', 'so', 'up', 'out', 'if', 'about', 'who', 'get', 'which', 'go', 'me', 'when', 'make', 'can', 'like', 'time', 'no', 'just', 'him', 'know', 'take', 'people', 'into', 'year', 'your', 'good', 'some', 'could', 'them', 'see', 'other', 'than', 'then', 'now', 'look', 'only', 'come', 'its', 'over', 'think', 'also', 'back', 'after', 'use', 'two', 'how', 'our', 'work', 'first', 'well', 'way', 'even', 'new', 'want', 'because', 'any', 'these', 'give', 'day', 'most', 'us']

def inc_key(key):

    int_key=int(key,16)

    int_key=int_key+1

    hex_key=hex(int_key)[2:]

    return hex_key

def decrypt(data,key):

    xor=lambda x ,y :int(x,16)^int(y,16)

    ans=""

    for temp in [data[a:a+2] for a in range(0,len(data)-2,2)]:

        ans=ans+chr(xor(temp,key))

       

       

    return ans

       

def body(data):

   

    key="00"

    for a in range(0,255):

        ans=decrypt(data,key)

        for word in keywords:

            word=" "+word+" "

            if word in ans or word+" " in ans or " "+word in ans or " "+word+" " in ans:

                print "[*]Encrypted data : "+data

                print "[*]Decrypted data : "+ans

                print "[*]key : 0x"+(key)

                break

        key=inc_key(key)

if(len(sys.argv)==1):

        print "\tuseage :\n\t"+sys.argv[0]+" <file name>"

if(len(sys.argv)==2):

          print "[+]Starting Decrpytion ..."

          for data in open(sys.argv[1]):

                   body(data)

          print "[+] Done

It should also be noted that this technique is useful in extracting malware from antivirus quarantines. Frequently, intrusion analysts are only called in after a first responder already tried to fix the problem. The “fix” may include installing an antivirus program that captures and encrypts valuable evidence. If the only copy of malware that you need to analyze is located in a quarantine container, then consider what methodologies may have been used to lock them inside. For example, simply unzipping McAfee quarantine files with 7-zip and reversing the files with the XOR key j (hex 0x6A) will yield the original malware.

XOR encryption is used frequently, for both legitimate and illegal purposes; it is important for analysts to know that this encryption can be broken with minimal effort and the result may be very valuable to the investigation.