{ enessakircolak }

IsBeingDebugged

Aug 15, 2023

Anti-Analysis_101

What if the attacker takes precautions against you?
In this series we will examine such cases. Depending on the attacker's knowledge, it can be anti-debug, anti-VM or anti-disassembler. To me it looks like a cat-and-mouse chase: the attacker (the mouse) tries to hide from the cat, which is us.
Maybe the mouse just wants to have a little fun, who knows.

Somehow the attacker detects the analyst and changes the flow of the program, or complicates it. The main purpose is to make sure the victim does not notice anything. If you don't understand what is going on, there is nothing left to do :)).
So we need to be careful about anti-analysis methods.

Let’s Begin

It is easy to find out what a Windows API does: open a browser, type the API name plus "MSDN", press enter, and you will learn what it is for.

IsDebuggerPresent()


Let's look at an easy example using the IsDebuggerPresent() API, which is the most common anti-analysis method.

[image: isdebuggerApi.png]

As you can see, the “Hello World!” message is not printed. The reason is that I ran the program under a debugger.
It seems tooooo easy to understand why.


[image: idaDebugger.png]

Now we look at the disassembled code, and the call to the IsDebuggerPresent() API can still be seen easily. After the call, the return value is checked and the program decides which branch to take.
The first option is to change the flag so it jumps to the other label. But maybe we can look inside IsDebuggerPresent() instead.


Inside of IsDebuggerPresent()


[image: teb.png]

fs:[18h] gives you the TEB address. Let's check it.


[image: tebArea.png]

7EFDB00 -> 7EFDDFFF belongs to the TEB, and we will use it to reach the PEB.


[image: Peb.png]

After the second step of this function, EAX points to the PEB. You can check the address against the previous image.


[image: isbeing.png]

This is the last part, and it is the return value. So: TRUE.


[image: msdnPeb.png]

This is the Process Environment Block (PEB) structure. As you can see, the first and second bytes are reserved. When we reach the third byte, we get the information about whether the process is being debugged or not. Of course, you can change it manually or with a plugin.

Attacker side

The whole process is not just about understanding why. Now we can use it for obfuscation :)).
Of course, this is only to understand how it works and to see the attacker's perspective.

    ASSUME FS:NOTHING           ; let MASM reference the FS segment register
    MOV EAX, FS:[030H]          ; EAX = TEB.ProcessEnvironmentBlock (the PEB pointer)
    ASSUME FS:ERROR             ; restore the default: FS references are an error again
    mov ah, [eax+2]             ; AH = PEB.BeingDebugged (offset 2, the "third byte")
    xor edx,edx                 ; EDX = 0
    mov dh,ah                   ; DH = BeingDebugged, so EDX is non-zero when debugged
    xor eax,eax                 ; EAX = 0
    mov eax,edx                 ; return value in EAX: 0 when not debugged, non-zero when debugged

    ret

This is MASM syntax for using assembly inside C++. With this small piece of code we check whether a debugger exists, and nobody sees any API call in the program. So the analyst has to be aware of this, or needs to know where to look.


[image: cff.png]

This belongs to the assembly-code version. As you can see, during static analysis there is no IsDebuggerPresent API, because we didn't use it :))


[image: cff2.png]

Anndd this is the program compiled with the IsDebuggerPresent API call.
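As an added example (not the post's own code, and not from the GitHub project linked below), here is a small Python checker for the two things discussed above: the TEB-to-PEB walk that IsDebuggerPresent() performs (the PEB pointer at fs:[30h], then PEB.BeingDebugged at offset 2), and the fact that the inline-assembly version leaves no IsDebuggerPresent import behind for static analysis. It scans raw x86 code bytes for `mov r32, fs:[30h]` (and, going one step beyond the post, the x64 `mov rax, gs:[60h]` form) followed by a byte read at [reg+2], and separately checks whether the import name is present at all. The byte samples are hand-assembled here and are constructed, and the `names_debugger_api` substring check is a deliberate simplification of walking the PE import directory with a real parser.

```python
# Added example (not the post's own code): a static check for the signs an
# analyst can look for when a sample reads PEB.BeingDebugged by hand instead
# of calling IsDebuggerPresent(). All sample bytes below are constructed.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Well-known TEB offsets: fs:[18h] is the TEB's own address (NtTib.Self) and
# fs:[30h] is the PEB pointer on 32-bit Windows; on 64-bit Windows the PEB
# pointer is read from gs:[60h].
FS_OFFSETS_X86 = {0x18: "TEB self pointer", 0x30: "PEB pointer"}
PEB_OFFSET_X64 = 0x60
BEING_DEBUGGED = 0x02   # PEB.BeingDebugged, the "third byte" of the PEB


def find_teb_loads(code: bytes) -> list:
    """Return (offset, register, description) for each fs:[18h]/fs:[30h]/gs:[60h] load."""
    hits = []
    n = len(code)
    for i in range(n):
        # 64 A1 disp32          -> mov eax, fs:[disp32]   (short form, EAX only)
        if code[i] == 0x64 and i + 6 <= n and code[i + 1] == 0xA1:
            disp = int.from_bytes(code[i + 2:i + 6], "little")
            if disp in FS_OFFSETS_X86:
                hits.append((i, "eax", f"mov eax, fs:[{disp:X}h] ({FS_OFFSETS_X86[disp]})"))
        # 64 8B modrm disp32    -> mov r32, fs:[disp32]   (mod=00, rm=101 means disp32)
        elif code[i] == 0x64 and i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
            disp = int.from_bytes(code[i + 3:i + 7], "little")
            if disp in FS_OFFSETS_X86:
                reg = REG32[(code[i + 2] >> 3) & 7]
                hits.append((i, reg, f"mov {reg}, fs:[{disp:X}h] ({FS_OFFSETS_X86[disp]})"))
        # 65 48 8B 04 25 disp32 -> mov rax, gs:[disp32]   (x64 equivalent)
        elif code[i] == 0x65 and i + 9 <= n and code[i + 1:i + 5] == b"\x48\x8b\x04\x25":
            disp = int.from_bytes(code[i + 5:i + 9], "little")
            if disp == PEB_OFFSET_X64:
                hits.append((i, "rax", "mov rax, gs:[60h] (PEB pointer)"))
    return hits


def find_being_debugged_reads(code: bytes, window: int = 16) -> list:
    """Pair each PEB-pointer load with a byte read at [reg+2] within `window` bytes after it."""
    findings = []
    for off, reg, desc in find_teb_loads(code):
        if "PEB pointer" not in desc:
            continue                                   # fs:[18h] alone is not a BeingDebugged read
        reg_idx = 0 if reg == "rax" else REG32.index(reg)
        want_modrm = 0x40 | reg_idx                    # mod=01 (disp8), rm=<that register>
        seg = code[off:off + window]
        for j in range(len(seg) - 2):
            # 8A modrm 02    -> mov r8, [reg+2]
            if seg[j] == 0x8A and (seg[j + 1] & 0xC7) == want_modrm and seg[j + 2] == BEING_DEBUGGED:
                findings.append((off + j, f"mov r8, [{reg}+2]  = PEB.BeingDebugged"))
                break
            # 0F B6 modrm 02 -> movzx r32, byte ptr [reg+2]
            if (seg[j] == 0x0F and j + 3 < len(seg) and seg[j + 1] == 0xB6
                    and (seg[j + 2] & 0xC7) == want_modrm and seg[j + 3] == BEING_DEBUGGED):
                findings.append((off + j, f"movzx r32, byte ptr [{reg}+2]  = PEB.BeingDebugged"))
                break
    return findings


def names_debugger_api(raw: bytes) -> bool:
    """Crude stand-in for walking the import directory: is the import name present at all?"""
    return b"IsDebuggerPresent\x00" in raw


# Constructed sample 1: the inline-assembly routine from the post, hand-assembled
# (one valid encoding of it), preceded by two NOPs as filler.
INLINE_ASM_SAMPLE = bytes.fromhex(
    "9090"             # nop; nop
    "64A130000000"     # mov eax, fs:[30h]
    "8A6002"           # mov ah, [eax+2]
    "31D2"             # xor edx, edx
    "88E6"             # mov dh, ah
    "31C0"             # xor eax, eax
    "89D0"             # mov eax, edx
    "C3"               # ret
)

# Constructed sample 2: an indirect call through the import table plus an
# import-name entry, the shape of the version compiled with IsDebuggerPresent().
API_CALL_SAMPLE = bytes.fromhex("FF1500000000" "85C0" "7402" "C3") + b"\x00IsDebuggerPresent\x00"

if __name__ == "__main__":
    for name, blob in (("inline asm", INLINE_ASM_SAMPLE), ("API call", API_CALL_SAMPLE)):
        print(name, "names IsDebuggerPresent:", names_debugger_api(blob))
        for off, reg, desc in find_teb_loads(blob):
            print(f"  {off:#06x}: {desc}")
        for off, desc in find_being_debugged_reads(blob):
            print(f"  {off:#06x}: {desc}")
```

The first sample triggers both the `fs:[30h]` load and the `[eax+2]` read but never names the API; the second names the API but contains no TEB access at all, which is exactly the difference the two CFF Explorer screenshots show. On a real binary the byte scan is the part worth keeping (it is the same idea as a YARA rule for `64 A1 30 00 00 00`), while the import check should be done with a proper PE parser rather than a substring search.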

👇 You can find the code at the link below.
Github_BeingDebugged

⬅️ If you think something is wrong or want to talk about it, please contact me via the links on the left.
Good luck with your work 💻

~Practice makes improvement…