- Apply the techniques presented in Tutorials 3 and 4 to analyze the Max++ anti-debugging trick.
- Practice reverse engineering/interpretation of Intel x86 assembly.
- Computer Architecture
- Operating Systems Security
- Software Engineering
Challenge of the Day:
- Write a Python snippet for Immunity Debugger that executes Max++ and generates a log message for each INT 2D instruction executed.
[Lab Configuration: we assume that you are running the VM instance using NON-DEBUG mode. We will use the Immunity Debugger in this tutorial.]
We now revisit Max++ and apply the knowledge obtained in Tutorials 3 and 4. Figure 1 presents the disassembly of the first 20 instructions of Max++. The entry point is 0x00413BC8. Execute the code step by step until you reach 0x00413BD5, the INT 2D instruction. Now you face your first challenge: how do you deal with INT 2D?
There are two choices: (1) Simply press F8 (step over). IMM will SKIP the RETN instruction at 0x00413BD7 and land on the CALL instruction at 0x00413BD8, which takes you into the function at 0x00413A38. (2) Force the RETN instruction to execute by readjusting EIP. In IMM you can set EIP from the Python window (the second button on the toolbar, to the right of the "open file" button) by executing the following Python command: imm.setReg("EIP", 0x00413BD7)
Figure 1. Entry Point of Max++
Which action to take depends on the behavior of IMM: if we press F8, is the outcome the same as running the program without any debugger attached? Following the approach taken in Tutorial 4, we can run the experiment for the case EAX=1 (i.e., calling the debug print service of INT 2D). The conclusion is:
When DEBUG-MODE is NOT enabled at boot, IMM behaves the same as a regular (undebugged) execution for EAX=1: the byte following INT 2D is skipped (Tutorial 4 explored the case EAX=0). Hence we can safely step over with F8, skipping the RETN instruction, in IMM.
2. Diverting Control Flow using INT 2D
As shown in Figure 2, we are now at 0x00413A38. This function has only four instructions: STD, MOV EDI,EDI, CALL 0x00413BB4, and IRETD.
STD sets the direction flag (DF=1), which makes the string instructions walk ESI/EDI backwards: after each element the registers are decremented instead of incremented. ESI/EDI are the source and destination pointers of memory-copy instructions such as REP MOVSB (copy bytes from the address in ESI to the address in EDI) and REP STOSB (fill the memory at EDI with the byte in AL). Later we'll see these instructions used to decode the encrypted malicious code in Max++.
MOV EDI,EDI does nothing (it is a two-byte NOP that changes no register and no flag), and then we call the function at 0x00413BB4.
Note that it looks as if, once we return from 0x00413BB4, the next instruction is simply IRETD. That is not the case. Function 0x00413BB4 retrieves a section of encrypted code, decrypts it, and writes it into place starting at the location of the IRETD. A static analysis tool that draws the control flow graph of Max++ from the file on disk will therefore mislead the analyst. We'll get to the decoding function in the next tutorial.
Figure 2. Function 0x413A38
Press F7 to step into function 0x00413BB4. Now we are getting to the interesting part. Look at the instruction CALL 0x00413BB9 at 0x00413BB4 in Figure 3!
A CALL instruction does two things: (1) it pushes the address of the next instruction onto the stack (so that when the callee returns, execution resumes there); if you look at the stack pane (bottom right in IMM) you will see 0x00413BB9 pushed. (2) It then jumps to the target address, here 0x00413BB9. Since this CALL is five bytes long, its target is exactly the address of the next instruction: the "call" pushes 0x00413BB9 and simply falls through to it. That pushed value is what the trick below relies on.
The next two instructions invoke the INT 2D service. Notice that the input parameter EAX is 3 (the load image service). Using the approach of Tutorial 4, you can design an experiment to determine what happens next. The conclusion: when EAX is 3 and no kernel debugger is enabled, IMM behaves the same as a normal execution, i.e., the one-byte instruction immediately after INT 2D (the RETN) is skipped.
Now, what if the RETN instruction is executed (i.e., the byte is not skipped, say because an automatic analyzer does not handle INT 2D correctly)? Recall that RETN pops the top element of the stack and jumps to that address. The top of the stack is 0x00413BB9, so execution comes back to 0x00413BB9, executes the INT 2D again, and reaches the RETN again. This second RETN pops the next return address, 0x00413A40, which is the IRETD right after CALL 0x00413BB4 in function 0x00413A38 (see Figure 2). The program then returns to the main program and exits, so none of the other malicious activities is performed. Now you can see the purpose of the INT 2D trick: the malware author is trying to evade automatic analysis tools (which may not handle INT 2D well) and certain kernel debuggers such as WinDbg.
Challenge of the day: use WinDbg instead of Immunity Debugger to debug through Max++ (with DEBUG-MODE enabled at booting). What is your observation?
Figure 3. Trick: Infinite Loop of Call
3. Conclusion
We have shown several examples of how Max++ uses INT 2D to detect a debugger and change its behavior to avoid being analyzed. Coping with INT 2D automatically in a debugger is not an easy job. First, there are many scenarios to handle (depending on the type of debugger, the presence of a kernel debugger, and the boot options). Second, don't expect to find all INT 2D instructions when the program is loaded: a program can be self-extracting (modifying its code segment at run time), so an INT 2D may not exist in memory until the code containing it has been decrypted.
4. Challenge of the Day
It is beneficial to write a Python script that drives Immunity Debugger to cope with INT 2D automatically. Some basic ideas:
In IMM there is a global object "imm" through which you drive the debugger: you can inspect and set all register values (including EIP, to change control flow) and examine and modify memory. Your program will be a simple loop that executes instructions one by one (you can also take advantage of the breakpoint functions in the IMM Python API). Before executing an instruction, examine its opcode (using libanalyze.opcode; check the IMM documentation) and take the proper action for INT 2D: skip the next byte according to the value of EAX, to simulate a normal non-debug environment.
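The following is an added example of such a script, written for this edit; it is not code from the tutorial or from Max++. It single-steps the target, logs each INT 2D together with the service number in EAX, and emulates the non-debug outcome described above by moving EIP past the INT 2D and the byte after it. It assumes that the immlib Debugger methods getRegs, readMemory, setReg, stepIn and log behave as in Immunity Debugger 1.x; the command name !int2d, its arguments, the FakeDebugger stand-in and every byte and address in the sample are constructed for the example and are not Max++ bytes. The stand-in also lets you replay the Figure 3 sequence the naive way, with the RETN executed, to confirm the exit path described in Section 2.

```python
# Added example, not code from the tutorial or from Max++: an Immunity Debugger
# PyCommand that single-steps the target, logs every INT 2D it reaches and then
# emulates the non-kernel-debug outcome the tutorial observed (the 2-byte INT 2D
# plus the 1 byte after it are skipped, so EIP becomes EIP+3). Assumption: the
# immlib.Debugger methods used here behave as in Immunity Debugger 1.x.
import struct
try:
    import immlib              # only present inside Immunity Debugger
except ImportError:            # lets the logic below be tested offline
    immlib = None
INT2D = b"\xcd\x2d"            # encoding of INT 2D
SKIPPED_AFTER_INT2D = 1        # bytes swallowed after INT 2D when not debugged
INT2D_SERVICES = {0: "print", 1: "debug print", 3: "load image"}

def emulate_int2d(eip, eax):
    """Return (resume_eip, log_line) for an INT 2D at eip in a non-debug run."""
    resume = eip + len(INT2D) + SKIPPED_AFTER_INT2D
    svc = INT2D_SERVICES.get(eax, "unknown")
    return resume, "INT 2D at 0x%08x, EAX=%d (%s service); resuming at 0x%08x" % (
        eip, eax, svc, resume)

def trace_int2d(dbg, stop_addresses, handle_int2d=True, max_steps=500000):
    """Single-step until EIP is in stop_addresses. With handle_int2d every INT 2D
    is emulated, never executed; without it the driver is as naive as an analyzer
    that ignores INT 2D. Returns the (address, EAX) pairs of the INT 2Ds seen."""
    hits = []
    for _ in range(max_steps):
        regs = dbg.getRegs()
        eip = regs["EIP"]
        if eip in stop_addresses:
            break
        if dbg.readMemory(eip, len(INT2D)) == INT2D:
            hits.append((eip, regs["EAX"]))
            if handle_int2d:
                resume, line = emulate_int2d(eip, regs["EAX"])
                dbg.log(line)
                dbg.setReg("EIP", resume)  # skip INT 2D and the byte after it
                continue
        dbg.stepIn()
    return hits

def main(args):
    """PyCommand entry point: !int2d <stop_address> [more stop addresses]"""
    imm = immlib.Debugger()
    if not args:
        return "Usage: !int2d <stop_address> [...]"
    stops = set(int(a, 16) for a in args)
    hits = trace_int2d(imm, stops)
    return "%d INT 2D instruction(s) handled: %s" % (
        len(hits), ", ".join("0x%08x" % a for a, _ in hits))

class FakeDebugger(object):
    """Constructed stand-in for immlib.Debugger: steps CALL rel32, RETN and
    MOV EAX,imm32, and runs INT 2D as a plain 2-byte no-op, the mistake a naive
    analyzer makes. Real IMM is driven through exactly these five methods."""
    def __init__(self, base, code, caller_return):
        self.base, self.code = base, code
        self.regs = {"EIP": base, "EAX": 0}
        self.stack = [caller_return]   # return address pushed by our caller
        self.logged = []
    def getRegs(self): return dict(self.regs)
    def setReg(self, name, value): self.regs[name] = value
    def log(self, line): self.logged.append(line)
    def readMemory(self, addr, size):
        return self.code[addr - self.base:addr - self.base + size]
    def stepIn(self):
        eip = self.regs["EIP"]
        op = self.readMemory(eip, 1)
        if self.readMemory(eip, 2) == INT2D:       # INT 2D executed as a no-op
            self.regs["EIP"] = eip + 2
        elif op == b"\xe8":                        # CALL rel32: push, then jump
            rel = struct.unpack("<i", self.readMemory(eip + 1, 4))[0]
            self.stack.append(eip + 5)
            self.regs["EIP"] = eip + 5 + rel
        elif op == b"\xc3":                        # RETN: pop into EIP
            self.regs["EIP"] = self.stack.pop()
        elif op == b"\xb8":                        # MOV EAX, imm32
            self.regs["EAX"] = struct.unpack("<I", self.readMemory(eip + 1, 4))[0]
            self.regs["EIP"] = eip + 5
        else:
            raise RuntimeError("unsupported opcode at 0x%08x" % eip)

# Constructed sample shaped like Figure 3 (not the real Max++ bytes): a CALL to
# the very next instruction, MOV EAX,3, INT 2D and the RETN that is skipped when
# the program is not debugged. 0x2000 stands in for the IRETD at 0x413A40.
SAMPLE_BASE, CALLER_RETURN = 0x1000, 0x2000
SAMPLE_CODE = (
    b"\xe8\x00\x00\x00\x00"   # 0x1000  CALL 0x1005  (pushes 0x1005, falls through)
    b"\xb8\x03\x00\x00\x00"   # 0x1005  MOV EAX,3    (load image service)
    b"\xcd\x2d"               # 0x100A  INT 2D
    b"\xc3"                   # 0x100C  RETN         (the byte that gets skipped)
)
DECODER_START = SAMPLE_BASE + len(SAMPLE_CODE)   # 0x100D, where decoding would begin
def demo(handle_int2d):
    """Replay the sample; returns (hits, final EIP, leftover return addresses)."""
    dbg = FakeDebugger(SAMPLE_BASE, SAMPLE_CODE, CALLER_RETURN)
    hits = trace_int2d(dbg, {DECODER_START, CALLER_RETURN}, handle_int2d)
    return hits, dbg.getRegs()["EIP"], list(dbg.stack)
```

Save the file as int2d.py in IMM's PyCommands directory and run it from the command bar as !int2d 413A40 (several stop addresses may be given). Outside the debugger, demo(True) shows the handled path: one INT 2D logged, EIP at the byte after the RETN, and 0x1005 still sitting on the stack, just like 0x413BB9 in the real program; demo(False) shows the naive path: the INT 2D is reached twice and the second RETN lands on the caller's IRETD stand-in with the stack emptied. Single-stepping every instruction is slow, but a breakpoint cannot be placed on an INT 2D that is still encrypted, which is why the script checks the bytes at EIP on every step rather than scanning the image once.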
Dr. Fu,
First off, let me say I am thoroughly enjoying the tutorial. I have a question though. I was wondering if you have run into this at all. Upon stepping to 0x413BD5 and then pressing F8 to step over and going to instruction 0x413A38, I noticed that the "FD" opcode is showing up as "DB FD" instead of "STD". The instructions following it are doing it as well. I don't see anything similar to Figure 2. It seems as if IMM is not recognizing the opcode and instead is treating it like a DB. Thanks for any help.
I think I figured it out. I read ahead a little and in tutorial 10 you pointed out that "If you see a lot of DB instructions, select them and right click -> 'During next analysis treat them as Command'. Exit from IMM and restart it again...". It may be worth mentioning in this tutorial as well. Just a thought. Thanks again for the tutorials.
Hey Brad!
Thanks for the tip! Reversing byte by byte was a real pain! Just to be more accurate:
select (highlight) the opcodes --> right-click --> Analysis --> During next analysis --> Command
And as usual, excellent tutorial Dr. Fu !
Dr. Fu, hi!
I wrote a script to go over INT 2D and to log its addresses. But it is very slow((
Can you please advise if there is any way to improve it?
Source is below:
import immlib

def main(args):
    imm = immlib.Debugger()
    if len(args) < 1:
        imm.log(" Usage : !pi stop_address")
        imm.log(" Example : !pi 0x10073a4")
        return "Usage: !pi stop_address"
    stop_address = int(args[0], 16)   # compare as an integer, not as a hex string
    loop_status = True
    while loop_status:
        imm.stepIn()
        regs = imm.getRegs()
        opcode = imm.disasm(regs['EIP'])
        if opcode.getDisasm() == 'INT 2D':
            imm.log("Found INT 2D at 0x%08x " % regs["EIP"])
            # skip the 2-byte INT 2D and the byte after it
            imm.setReg("EIP", regs["EIP"] + 3)
        if regs["EIP"] == stop_address:
            loop_status = False
    return "Reached address: " + args[0]