Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Please help me to understand malware sample protection

Herzenstube
Herzenstube
in Malware Reverse Engineering

Featured Replies

Posted

I'm a beginner in reverse engineering. I'm studying and practicing unpacking malware.
I accidentally downloaded a protected sample from Malware Bazaar that is obfuscated and has anti-debugging techniques.

bdda0a3d90cf0ee7423b918b0b268f5f8d9768c64399446014ff73d80d47ed0c
https://bazaar.abuse.ch/sample/bdda0a3d90cf0ee7423b918b0b268f5f8d9768c64399446014ff73d80d47ed0c/

I'm using the excellent book Kyle Cucci — Evasive Malware as a reference.
I've already tried all the anti-debug techniques from the book, namely:

List of techniques

Direct PEB acess (+0x2, +0x18, +0x68)
TrapFlag instruction (pushfd, pop eax, or eax, 0x0100, push eax, popfd)

We were trying hardware and software breakpoints


bp IsDebuggerPresent
bp CheckRemoteDebuggerPresent

bp NtQueryInformationProcess

bp NtQuerySystemInformation

Checking OutputDebugString

bp SetLastError

bp OutputDebugString

Enumerating Windows

bp FindWindow

bp EnumWindows

Enumeration Loaded Modules

bp GetModuleHandle

bp Module32First

bp Module32Next

Searching for debugger process

bp CreateToolHelp32Snapshot

bp Process32Next

bp Process32First

Time Based Check

bp GetTickCount

bp GetLocalTime

bp GetSystemTime

bp NtQuerySystemTime

rdtsc

My friend and I have been trying to find the technique for three days now.

DetectItEasy says the sample uses VMProtect, and the message "Please turn off debugger" also looks like a standard VMProtect MessageBox.
But I've never bypassed this protection before, and I'm very interested in learning how.


Maybe it's not a good sample for study, but I thought that sample from real life would be much better to study than crackme's.

If anyone has free time to look at this sample and give a hint — or if someone has already encountered this technique — I'd appreciate any help.

  • Author

Also, can you explain this to me?
In this sample, right after the Entry Point the program calls NtQueryInformationProcess with ProcessInformationClass = 0x7.
You would think the function should return a non-zero value, because the sample was opened with x64dbg.
But for some reason after the call EAX = 0.
That totally throws me off, since plugins like ScyllaHide were not running.
And also, for some reason at PEB + 0x2 the value is 0 by default, even though the process is being debugged.

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.