Anti-Reverse Engineering

Anti-Debugging

To avoid being analysed, malware can detect whether a debugger is installed or whether it is itself being executed under a debugger. To do so, it can use various techniques:

SuspendThread

When malware has detected that it is running in a debugger context, it can call the Windows API SuspendThread to block its own process and avoid being executed any further, which is a problem when we do dynamic analysis. We can easily bypass that: we patch the call out of the program with the NOP assembly instruction, opcode value 90. For instance:
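The patching step above, as an added example that is not part of the original note: a small Python helper that overwrites an x86 call instruction (the one that would reach SuspendThread) with NOPs, after checking that the bytes at the given offset really look like a call so a wrong offset raises instead of silently corrupting the file. The sample bytes, offset and file path are constructed for the example.

```python
NOP = 0x90  # single-byte x86 NOP opcode, the "90" the note refers to

# Constructed sample: push ebp / mov ebp,esp, then an indirect call through
# the import table (FF 15 <imm32>), which is how a compiled binary usually
# calls an API such as SuspendThread, followed by pop ebp / ret.
SAMPLE = bytes.fromhex("5589e5" "ff1510200040" "5dc3")
CALL_OFFSET = 3  # where the FF 15 ... call starts inside SAMPLE


def call_length(data: bytes, offset: int) -> int:
    """Return the encoded length of the x86 call at `offset`, or raise.

    Only the two common forms are recognised: E8 rel32 (5 bytes, direct
    call) and FF 15 [addr] (6 bytes, indirect call through an import slot).
    """
    if offset < 0 or offset >= len(data):
        raise ValueError("offset outside the file")
    if data[offset] == 0xE8 and offset + 5 <= len(data):
        return 5
    if data[offset:offset + 2] == b"\xff\x15" and offset + 6 <= len(data):
        return 6
    raise ValueError(f"bytes at {offset:#x} are not a call: {data[offset:offset + 6].hex()}")


def nop_patch(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with the call at `offset` replaced by NOPs.

    The file length is unchanged, so nothing after the call shifts. If the
    call's argument was pushed on the stack (stdcall), the push may need to
    be NOPed as well to keep the stack balanced; that is left to the analyst.
    """
    length = call_length(data, offset)
    patched = bytearray(data)
    patched[offset:offset + length] = bytes([NOP]) * length
    return bytes(patched)


def patch_file(path: str, offset: int) -> str:
    """Write <path>.patched with the call at `offset` NOPed out; returns the new path."""
    with open(path, "rb") as f:
        data = f.read()
    out = path + ".patched"
    with open(out, "wb") as f:
        f.write(nop_patch(data, offset))
    return out
```

Once patched, the program continues past the point where it would have suspended itself, so the analyst can keep stepping through it.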

VM Detection

When we analyse malware, we do it in a VM. But some malware tries to detect whether it is itself being executed in a VM. To do that, the malware can employ various techniques:

  • Checking running processes -> VMware runs the process vmtools and VirtualBox runs the process vboxservice. Malware can try to detect these processes with the EnumProcesses Windows API.
  • Checking installed software -> It can list all installed software; these are listed in the registry under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • Network fingerprint -> Malware can detect that it is executed in a VM from the MAC address, whose OUI indicates the vendor
  • Checking machine resources -> It can check the amount of RAM or the number of CPUs, because a VM has less RAM than a physical machine
  • Checking for domain membership -> It can detect whether the machine is part of a Windows domain with the Windows API LogonServer and ComputerName
  • Timing-based attacks -> It can measure the time it takes to execute some instructions. A physical machine takes less time to execute these instructions than a VM
  • The malware can check the temperature. A VM has no temperature, so if the malware cannot read a temperature with the Win32_TemperatureProbe Windows API, it is in a VM; if it can, that means it is on a physical machine.

If the malware detects that it is executed in a VM, it can do nothing, try to hide its code, destroy itself, or encrypt files.