Reverse Engineering and More (@re_and_more)'s Twitter Profile
Reverse Engineering and More

@re_and_more

RE and More by Alexey Kleymenov (https://t.co/s1pWjL46AW). Private classes and group workshops in malware analysis and reverse engineering. #infosec #malware

ID:1273897211424911360

Link: https://re-and-more.com
Joined: 19-06-2020 08:36:57

621 Tweets

11.7K Followers

553 Following

RE tip of the day: Malware can call the NtSetInformationThread WinAPI with the ThreadHideFromDebugger (0x11) argument to hide its thread from the debugger, preventing exceptions (including breakpoints) from being intercepted by it.

RE tip of the day: When the debugger is attached, it creates at least one thread as part of the malware process. Malware can call SuspendThread/NtSuspendThread APIs to affect this auxiliary thread and incapacitate the debugger.

RE tip of the day: Another way malware can disconnect the researcher from the debugger is by calling the SwitchDesktop API and this way start sending the mouse and keyboard events to another desktop.

RE tip of the day: Malware can call the BlockInput WinAPI to block mouse and keyboard events, making the attached debugger unusable for the researcher.

RE tip of the day: Another way the researcher can suddenly lose control during dynamic analysis is when malware performs process injection and continues execution in another process's virtual address space.

RE tip of the day: Malware can set up a custom SEH callback and intentionally raise an exception by executing a wrong instruction (performing division by zero, violating memory protection flags, etc.) to complicate the debugging.

RE tip of the day: If as part of your Responsible Eating efforts you want to try a vegetarian diet:
a) learn about umami or meat craving is guaranteed!
b) find alternatives to your comfort/social food
c) get enough elements like B12, iron and proteins
d) enjoy the new tastes!

RE tip of the day: Pay attention to Windows event callbacks, as they can execute code in a way you don't notice. The callback functions can be registered using either the RegisterClass/RegisterClassEx or the SetWindowLong WinAPIs.

RE tip of the day: Always pay attention to TLS callbacks, as they may execute code without you noticing it. Make sure the debugger is set up to stop at them (by default it may stop only at the entry point or a system breakpoint).

RE tip of the day: If malware accidentally exits or crashes during the debugging, track what leads to this logic. It may be either anti-RE techniques or just a setup the sample did not expect, like missing command line arguments.

RE tip of the day: Many debugger plugins may help researchers bypass anti-RE tricks: Olly Advanced, HideOD, StrongOD, ScyllaHide, etc. Be careful when using them if you want to notice malware using anti-RE techniques and document their logic.

RE tip of the day: Just like in user mode, malicious drivers can detect the kernel debugger. For example, the NtQuerySystemInformation API with the SystemKernelDebuggerInformation (0x23) argument can be used to reveal it.

RE tip of the day: In the past, malware samples were checking error codes after OutputDebugString calls to detect attached debuggers. This behaviour changed in Windows Vista, and it can no longer be used for this purpose.

RE tip of the day: APIs like DebugActiveProcess, DbgUiDebugActiveProcess or NtDebugActiveProcess can be used by malware to attach to its own process. If a debugger is already attached, they will fail, revealing its presence.

RE tip of the day: As the DbgUiRemoteBreakin and DbgBreakPoint APIs are called when the debugger is attaching, hooking them can be used to kill the debugger the moment it attaches to the already running malware (or to a victim of process injection).

RE tip of the day: To detect the debugger by measuring execution time, malware can use the dedicated rdtsc instruction or WinAPIs like GetTickCount, QueryPerformanceCounter, GetSystemTime, timeGetTime and many others.

RE tip of the day: As executing instructions in the debugger during dynamic analysis may take significantly longer than normal execution, malware can measure execution time and detect the debugger this way.

RE tip of the day: A more robust way to detect a running debugger is by searching for its window name using APIs like FindWindow[Ex] / EnumWindows / EnumThreadWindows. The name can be found by its hash, not only by a substring.

RE tip of the day: A running debugger can be discovered by malware simply by its file name using the CreateToolhelp32Snapshot with Process32First / Process32Next or NtQueryInformationProcess (SystemProcessInformation arg) WinAPIs.

RE tip of the day: Another way malware can find its parent process's ID is with the NtQueryInformationProcess API: the ProcessBasicInformation and SystemProcessInformation args populate structures containing the InheritedFromUniqueProcessId field.

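As an added example (not code from @re_and_more or re-and-more.com), here is a small static triage script that pulls the anti-debugging API names the tips above mention out of a binary's printable strings and groups them by the technique each tip describes, so an analyst knows which anti-RE tricks to expect before stepping into the sample. The catalog contains only APIs named in the tips; the A/W import-suffix handling and the sample byte blob are my assumptions and are constructed, not taken from a real file.

```python
import re
from collections import defaultdict
# Technique family -> API names, both taken from the tips on this page.
FAMILIES = {
    "hide thread (ThreadHideFromDebugger)": ["NtSetInformationThread"],
    "suspend debugger thread": ["SuspendThread", "NtSuspendThread"],
    "steal input from researcher": ["SwitchDesktop", "BlockInput"],
    "kernel debugger / process listing": ["NtQuerySystemInformation"],
    "legacy check (broken since Vista)": ["OutputDebugString"],
    "self-attach check": ["DebugActiveProcess", "DbgUiDebugActiveProcess",
                          "NtDebugActiveProcess"],
    "attach-time hook": ["DbgUiRemoteBreakin", "DbgBreakPoint"],
    "timing check": ["GetTickCount", "QueryPerformanceCounter",
                     "GetSystemTime", "timeGetTime"],
    "debugger window search": ["FindWindow", "FindWindowEx", "EnumWindows",
                               "EnumThreadWindows"],
    "debugger process search": ["CreateToolhelp32Snapshot", "Process32First",
                                "Process32Next"],
    "parent PID / debugger lookup": ["NtQueryInformationProcess"],
}
ANTI_DEBUG_APIS = {api: fam for fam, apis in FAMILIES.items() for api in apis}

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def normalise(name: str) -> str:
    """Map ANSI/Unicode import variants (FindWindowA, OutputDebugStringW) to the base name."""
    if name not in ANTI_DEBUG_APIS and name[-1:] in "AW" and name[:-1] in ANTI_DEBUG_APIS:
        return name[:-1]
    return name

def triage(data: bytes) -> dict[str, list[str]]:
    """Group every anti-debug API found in the blob by technique family."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        api = normalise(s)
        if api in ANTI_DEBUG_APIS:
            hits[ANTI_DEBUG_APIS[api]].add(api)
    return {fam: sorted(apis) for fam, apis in sorted(hits.items())}

# Constructed stand-in for a PE import name table; not a real sample.
SAMPLE = (b"\x00\x00KERNEL32.dll\x00IsDebuggerPresent\x00FindWindowA\x00"
          b"GetTickCount\x00OutputDebugStringA\x00\x90\x90ntdll.dll\x00"
          b"NtSetInformationThread\x00CreateFileW\x00")

if __name__ == "__main__":
    for fam, apis in triage(SAMPLE).items():
        print(f"{fam}: {', '.join(apis)}")
```

Run it against the raw bytes of a file instead of SAMPLE to get the same grouped report; packed or string-hashed samples will of course hide these names, which is itself a hint worth noting.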