Reverse Engineering and More
@re_and_more
RE and More by Alexey Kleymenov (https://t.co/s1pWjL46AW). Private classes and group workshops in malware analysis and reverse engineering. #infosec #malware
ID:1273897211424911360
https://re-and-more.com 19-06-2020 08:36:57
623 Tweets
11,7K Followers
553 Following
RE tip of the day: Malware can call NtSetInformationThread WinAPI with ThreadHideFromDebugger (0x11) argument to hide its thread from the debugger, preventing exceptions (including breakpoints) from being intercepted by it.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: When the debugger is attached, it creates at least one thread as part of the malware process. Malware can call SuspendThread/NtSuspendThread APIs to affect this auxiliary thread and incapacitate the debugger.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Another way malware can disconnect the researcher from the debugger is by calling the SwitchDesktop API and in this way start sending the mouse and keyboard events to another desktop.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Malware can call the BlockInput WinAPI to block mouse and keyboard events, making the attached debugger unusable for the researcher.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Another way the researcher can suddenly lose control during the dynamic analysis is when malware performs a process injection and continues execution as part of another process's virtual address space.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Malware can set up a custom SEH callback and intentionally raise an exception by calling a wrong instruction (performing division by zero, violating memory protection flags, etc.) to complicate the debugging.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Pay attention to Windows event callbacks as they can execute code in a way you don't notice. The callback functions can be registered using either RegisterClass/RegisterClassEx or SetWindowLong WinAPIs.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Always pay attention to TLS callbacks as they may execute code without you noticing it. Make sure the debugger is set up to stop at them (by default it may stop only at the entry point or a system breakpoint).
#infosec #cybersecurity #malware #reverseengineering
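One way to know where those TLS callbacks are before the first instruction runs is to read them out of the PE headers statically and set breakpoints on the resulting RVAs. The script below is an added example (not code from the tweets above) that walks the PE32/PE32+ headers with only the standard library: DOS header, PE signature, optional header, the TLS data directory entry, the section table for RVA-to-offset translation, and finally the NULL-terminated AddressOfCallBacks array. `build_sample_pe()` constructs a synthetic, minimal binary purely as test input; the image base, section layout and callback RVAs in it are invented values.

```python
"""Enumerate the TLS callbacks a PE declares, so they can be breakpointed before
the entry point is reached. Added example: minimal PE32/PE32+ parsing with only
the standard library; build_sample_pe() constructs a synthetic test binary."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_TLS = 9


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(data):
    """Return the RVAs of all TLS callbacks listed in the PE image `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    psize, fmt = (8, "<Q") if pe32plus else (4, "<I")
    image_base = struct.unpack_from(fmt, data, opt + (24 if pe32plus else 28))[0]
    dd = opt + (112 if pe32plus else 96)          # first data directory entry
    tls_rva = struct.unpack_from("<I", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    if tls_rva == 0:
        return []                                 # no TLS directory at all
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    tls_off = _rva_to_offset(tls_rva, sections)
    # IMAGE_TLS_DIRECTORY: AddressOfCallBacks is the 4th pointer-sized field (a VA)
    cb_va = struct.unpack_from(fmt, data, tls_off + 3 * psize)[0]
    if cb_va == 0:
        return []
    off = _rva_to_offset(cb_va - image_base, sections)
    callbacks = []
    while True:                                   # NULL-terminated array of VAs
        ptr = struct.unpack_from(fmt, data, off)[0]
        if ptr == 0 or len(callbacks) > 256:
            break
        callbacks.append(ptr - image_base)
        off += psize
    return callbacks


def build_sample_pe(callback_rvas, pe32plus=True):
    """Constructed test input (not a real binary): one .rdata section holding a
    TLS directory whose callback array lists `callback_rvas`."""
    image_base = 0x140000000 if pe32plus else 0x400000
    psize, fmt = (8, "<Q") if pe32plus else (4, "<I")
    opt_size = 240 if pe32plus else 224
    dd_off = 112 if pe32plus else 96
    e_lfanew, sec_rva, sec_raw = 0x40, 0x1000, 0x400
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into(fmt, opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<I", opt, dd_off - 4, 16)   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS, sec_rva, 6 * psize)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x1000, sec_rva, 0x200, sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = bytearray(sec_raw)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, e_lfanew)
    pe = b"PE\0\0" + coff + opt + section
    headers[e_lfanew:e_lfanew + len(pe)] = pe
    body = bytearray(0x200)                       # the .rdata section contents
    struct.pack_into(fmt, body, 3 * psize, image_base + sec_rva + 0x40)  # AddressOfCallBacks
    for i, rva in enumerate(callback_rvas):
        struct.pack_into(fmt, body, 0x40 + i * psize, image_base + rva)
    return bytes(headers + body)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe([0x1500, 0x1600])
    for rva in tls_callbacks(data):
        print(f"TLS callback at RVA {rva:#x}")
```

Run it with a sample path to list the callback RVAs; each one is a place to put a breakpoint (image base plus RVA once the module is loaded) in addition to the entry point. The parser deliberately uses the larger of VirtualSize and SizeOfRawData when mapping RVAs, since packed samples often declare one of them smaller than the other.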
RE tip of the day: If malware accidentally exits or crashes during the debugging, track what leads to this logic. It may be either anti-RE techniques or just a setup the sample did not expect, like missing command line arguments.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Many debugger plugins may help researchers bypass anti-RE tricks: Olly Advanced, HideOD, StrongOD, ScyllaHide, etc. Be careful when using them if you want to notice malware using anti-RE and document its logic.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Just like in the user mode, malicious drivers can detect the kernel debugger. For example, NtQuerySystemInformation API with SystemKernelDebuggerInformation (0x23) argument can be used to reveal it.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: In the past, malware samples were checking error codes after the OutputDebugString calls to detect attached debuggers. This behaviour changed in Windows Vista, so it can no longer be used for this purpose.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: APIs like DebugActiveProcess, DbgUiDebugActiveProcess or NtDebugActiveProcess can be used by malware to attach to its own process. If the debugger is attached, they will fail, this way revealing its presence.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: To detect the debugger by measuring execution time, malware can use a dedicated rdtsc instruction or WinAPIs like GetTickCount, QueryPerformanceCounter, GetSystemTime, timeGetTime and many others.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: As executing instructions in the debugger during dynamic analysis may take significantly longer than normal execution, malware can measure execution time and detect the debugger this way.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: A more robust way to detect a running debugger is by searching for its window name using APIs like FindWindow[Ex] / EnumWindows / EnumThreadWindows. The name can be found by its hash, not only by a substring.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: A running debugger can be discovered by malware simply by its file name using CreateToolhelp32Snapshot with Process32First / Process32Next or NtQueryInformationProcess (SystemProcessInformation arg) WinAPIs.
#infosec #cybersecurity #malware #reverseengineering
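The two tips above (window names and process file names) and the earlier ones that name specific APIs share one triage angle: the names themselves, or constants derived from them, usually end up inside the binary. The script below is an added example, not code from the tweets, that scans raw sample bytes for debugger window/process names and anti-debug API names as ASCII, as UTF-16LE, and as 32-bit hash constants. The name lists are assembled for this example and are not exhaustive, and the ROR13 additive hash is an assumed, illustrative choice; real samples use many hash variants, so the function is meant to be swapped for whichever routine is seen in the code. The sample blob is constructed inline.

```python
"""Triage helper: look for debugger process/window names and anti-debug API
names inside a sample, as plain ASCII, as UTF-16LE, and as 4-byte ROR13 hashes
of the names. Added example with constructed input, not code from the tweets."""
import re
import struct

# Names an analyst can expect anti-debug code to look for. The lists are
# assembled for this example and are deliberately short, not exhaustive.
DEBUGGER_NAMES = ["x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe",
                  "ida64.exe", "OLLYDBG", "WinDbgFrameClass"]
ANTI_DEBUG_APIS = ["NtSetInformationThread", "NtQuerySystemInformation",
                   "SuspendThread", "SwitchDesktop", "BlockInput",
                   "DebugActiveProcess", "GetTickCount", "QueryPerformanceCounter",
                   "FindWindow", "EnumWindows", "CreateToolhelp32Snapshot",
                   "Process32First"]


def ror13_hash(name):
    """ROR13 additive hash, assumed here as the illustrative hash; real samples
    use many variants, so replace this with the routine seen in the code."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def scan(sample):
    """Return (name, form) pairs for every indicator found in `sample` bytes."""
    hits = []
    for name in DEBUGGER_NAMES + ANTI_DEBUG_APIS:
        for form, needle in (("ascii", name.encode("ascii")),
                             ("utf16", name.encode("utf-16-le"))):
            # case-insensitive: window titles and file names are compared that way
            if re.search(re.escape(needle), sample, re.IGNORECASE):
                hits.append((name, form))
        # hashed comparison: the constant is embedded as a 32-bit immediate
        if struct.pack("<I", ror13_hash(name)) in sample:
            hits.append((name, "ror13"))
    return hits


# Constructed sample: a UTF-16 window class, a hashed process name behind a
# "mov eax, imm32" opcode byte, and two API names, padded with filler bytes.
SAMPLE = (b"\x00" * 16
          + "OLLYDBG".encode("utf-16-le") + b"\x00" * 4
          + b"\xb8" + struct.pack("<I", ror13_hash("x64dbg.exe")) + b"\x90" * 8
          + b"NtSetInformationThread\x00GetTickCount\x00")

if __name__ == "__main__":
    for name, form in scan(SAMPLE):
        print(f"{form:6} {name}")
```

Plain-string hits point at where to set breakpoints or which imports to watch; a 4-byte hash hit is weaker evidence on its own (any four bytes can collide), so treat it as a lead to confirm by locating the comparison in the disassembly. Extending the table to other hash functions is just a matter of adding them next to `ror13_hash`.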