Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) INT 3 is a software interrupt that debuggers insert into running code, replacing an existing instruction, which calls the debug exception handler, i.e. sets a breakpoint. The opcode for INT 3 is 0xcc. In addition to inserting an INT 3 opcode into running code, debuggers also insert INT <immediate value> in some cases. The opcode for INT <immediate value> is 0xcd. A common method malware uses to detect if it's running under the control of a debugger is to scan for these opcodes. A rough assembly language routine to scan for INT 3 is:

    mov ecx, 400h        ; loop counter: number of bytes to scan (EDI must already point at the code region)
    mov eax, 0cch        ; INT 3 (0cch) search value (SCASB compares each byte against AL)
    repne scasb          ; string search command (look for INT 3 (0cch)); ZF is set if a match was found
    jz DebuggerDetected  ; DebuggerDetected function is defined elsewhere

(U) Code Checksums
(U) Some malware samples calculate checksums of specific sections of their code, either CRC or MD5, to detect debugger modification of the code to implement breakpoints. This technique is less common than INT scanning, but just as effective.

(U) Timing Checks
(U) Because processes run substantially slower under a debugger (think single-stepping through code), timing checks are a very effective and popular way malware authors check for the presence of a debugger. There are a few methods for conducting timing checks for the presence of a debugger:

- Take a timestamp, perform some specific operations and take another timestamp, calculate the time difference and make a judgment about whether or not the time difference is outside the bounds of normal time to conduct the operations.
- Take a timestamp before and after causing an exception, calculate the time difference and make a judgment about whether the time to respond to the exception is well outside the normal time required to handle an exception.

Raytheon Blackbird Technologies, Inc.
12
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
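As an added example, not taken from the report, the following C program implements the INT 3 scan and the code-checksum check described above over a constructed byte buffer standing in for a code region, and shows how writing a breakpoint byte (0xcc) trips both checks; the sample bytes and all function names are constructed for this illustration, and the comments note why a bare 0xcc scan is only a heuristic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a code region: mov eax,1 ; ret ; nop padding. */
static const uint8_t clean_code[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1 */
    0xC3,                           /* ret */
    0x90, 0x90, 0x90, 0x90          /* nop padding */
};

/* INT 3 scan, the C equivalent of the report's repne scasb loop: offset of
 * the first 0xCC byte, or -1. Caveat: 0xCC can also occur inside a legitimate
 * instruction (an immediate or displacement), so a hit is only a heuristic. */
long scan_for_int3(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return (long)i;
    return -1;
}

/* Code checksum: CRC-32 (reflected poly 0xEDB88320); the baseline is normally
 * a build-time constant, and any patched byte in the region changes it. */
uint32_t crc32_region(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Run both checks over a copy of the region with a software breakpoint written
 * at bp_offset (SIZE_MAX = no breakpoint). Returns 1 if either check fires. */
int debugger_check(size_t bp_offset)
{
    uint8_t region[sizeof clean_code];
    memcpy(region, clean_code, sizeof region);
    if (bp_offset < sizeof region)
        region[bp_offset] = 0xCC;            /* what setting a breakpoint does */
    uint32_t baseline = crc32_region(clean_code, sizeof clean_code);
    int int3_hit = scan_for_int3(region, sizeof region) >= 0;
    int crc_mismatch = crc32_region(region, sizeof region) != baseline;
    return int3_hit || crc_mismatch;
}

int main(void) {                              /* stand-alone demo of both checks */
    printf("clean=%d breakpoint_at_ret=%d\n", debugger_check(SIZE_MAX), debugger_check(5));
    return 0;
}
```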
