Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) The rdtsc instruction is a popular time-checking mechanism among malware authors. In addition to rdtsc, the Windows APIs QueryPerformanceCounter() and GetTickCount() are also heavily used for the same purpose.
(U) Checking the Number of Kernel DebugObjects
(U) When an application is being debugged, a DebugObject is created in the kernel. The number
and type of Objects created can be retrieved via the NtQueryObject() API, which returns an
OBJECT_ALL_INFORMATION structure. The OBJECT_ALL_INFORMATION structure is
searched for the string, “DebugObject” and is checked for a non-zero value, indicating the
presence of a debugger.
(U) Checking for a Debugger Window
(U) Most debuggers create windows, which can be detected. For example, Windbg creates
WinDbgFrameClass and Ollydbg creates OLLYDBG. The Windows APIs FindWindow() and
FindWindowEx() can be used to search for the debugger windows, indicating the presence of a
debugger.
(U) Providing an Invalid ASCII String to OutputDebugStringA
(U) Calling OutputDebugStringA() with an invalid ASCII string will normally return a value of
1. If the process is being run under the control of a debugger, the return value when providing an
invalid ASCII string to OutputDebugStringA() is the address of the string passed in as a
parameter, indicating the presence of a debugger.
(U) Using the Stack Segment Register and Checking the Trap Flag
(U) This is an anti-tracing technique. If a debugger is tracing over a sequence of instructions that includes pop ss and pushf, the debugger is unable to clear the trap flag in the value that pushf places on the stack. The protection inspects that pushed value; if the trap flag is set, a debugger is present. For example:
Raytheon Blackbird Technologies, Inc.
13
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
    push ss               ; save SS on the stack
    pop ss                ; reloading SS suppresses traps for the next instruction
    pushf                 ; EFLAGS is pushed before the debugger can clear TF
    pop eax               ; retrieve the pushed EFLAGS value
    test eax, 0x100       ; TF is bit 8; set means a single-step debugger is present
    jnz debugger_detected ; label name is illustrative, not from the report
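The techniques above leave static fingerprints in a binary: the rdtsc opcode (0F 31), the push ss / pop ss / pushf byte sequence (16 17 9C), and imported API names or debugger window-class strings. The following Python triage scanner, added here and not part of the report, counts those indicators in a raw file image; the category names, the constructed sample bytes and the scoring are this example's own assumptions.

```python
"""Static triage for the anti-debugging indicators described above.

Scans a raw byte blob (e.g. a PE file read from disk) for opcode
sequences and strings tied to each technique. Byte-pattern matches can
also occur in data, so a hit is a lead for disassembly, not proof."""
import re
from collections import Counter

# x86 opcode patterns: rdtsc = 0F 31; push ss / pop ss / pushf = 16 17 9C
OPCODE_SIGNATURES = {
    "rdtsc-timing": re.compile(rb"\x0f\x31"),
    "pop-ss-pushf-trapflag": re.compile(rb"\x16\x17\x9c"),
}

# ASCII import names and debugger window classes named in the report
STRING_SIGNATURES = {
    "timing-api": (b"QueryPerformanceCounter", b"GetTickCount"),
    "kernel-debugobject": (b"NtQueryObject", b"DebugObject"),
    "debugger-window": (b"FindWindow", b"WinDbgFrameClass", b"OLLYDBG"),
    "outputdebugstring": (b"OutputDebugStringA",),
}


def scan(blob: bytes) -> dict:
    """Return {technique family: hit count} for families with at least one hit."""
    hits = Counter()
    for name, pattern in OPCODE_SIGNATURES.items():
        hits[name] += len(pattern.findall(blob))
    for name, needles in STRING_SIGNATURES.items():
        for needle in needles:
            hits[name] += blob.count(needle)
    return {name: count for name, count in hits.items() if count}


def anti_debug_score(blob: bytes) -> int:
    """Number of distinct technique families present (assumed triage metric)."""
    return len(scan(blob))


# Constructed sample, not a real binary: two rdtsc reads, the trap-flag
# sequence followed by pop eax, and a few tell-tale strings.
SAMPLE = (b"MZ" + b"\x00" * 16
          + b"\x0f\x31\x8b\xc8" + b"\x0f\x31"
          + b"\x16\x17\x9c\x58"
          + b"\x00OLLYDBG\x00FindWindowA\x00OutputDebugStringA\x00")

if __name__ == "__main__":
    for family, count in sorted(scan(SAMPLE).items()):
        print(f"{family}: {count}")
```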
