Vulnerability Analysis

Makin – Reveal Anti-Debugging Tricks

makin is to make initial malware assessment little bit easier, It helps to reveal a debugger detection techniques used by a sample.

Supports x64 and x86

How does it work?
makin opens a sample as a debuggee and injects asho.dll, asho.dll hooks several functions at ntdll.dll library and after parameters checkings, it sends the corresponding message to the debugger (makin.exe).
For hooking, it uses Capstone engine, which makes hooking much stealthier.
At this moment, makin can reveal following techniques:

Note: Use The “Ultimate” Anti-Debugging Reference as a reference

  • NtClose: ref: The “Ultimate” Anti-Debugging Reference: 7.B.ii
  • NtOpenProcess: ref: The “Ultimate” Anti-Debugging Reference: 7.B.i
  • NtCreateFile: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open itself)
  • NtCreateFile: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open a driver)
  • LdrLoadDll– ref: The “Ultimate” Anti-Debugging Reference: 7.B.iv
  • NtSetDebugFilterState – ref: The “Ultimate” Anti-Debugging Reference: 7.D.vi
  • NtQueryInformationProcess – ref: The “Ultimate” Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c
  • NtQuerySystemInformation – ref: The “Ultimate” Anti-Debugging Reference: 7.E.iii
  • NtSetInformationThread – ref: The “Ultimate” Anti-Debugging Reference 7.F.iii
  • NtCreateUserProcess – ref: The “Ultimate” Anti-Debugging Reference 7.G.i
  • NtCreateThreadEx – ref: ntuery blog post
  • NtSystemDebugControl – ref: @waleedassar – pastebin
  • NtYieldExecution – ref: The “Ultimate” Anti-Debugging Reference 7.D.xiii
  • NtSetLdtEntries – ref: ANTI-UNPACKER TRICKS: PART ONE – 2.1.2

About the author

Icarus

Add Comment

Click here to post a comment

Leave a Reply

Advertisement

%d bloggers like this:
000webhost logo