Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) An assembly language example of manually checking the value of NtGlobalFlag in a 32-bit process is:

mov eax, large fs:30h           ; load the PEB pointer from the TEB into EAX
cmp dword ptr ds:[eax+68h], 70h ; NtGlobalFlag (PEB+68h) == FLG_HEAP_ENABLE_TAIL_CHECK |
                                ; FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS ?
jz DebuggerDetected             ; DebuggerDetected routine defined elsewhere

(U) The three heap flags (0x70 combined) are set by the loader when the process is created by a debugger. In a 64-bit process the PEB pointer is read from gs:60h and NtGlobalFlag sits at offset 0BCh rather than 68h. Comparing for equality with 70h misses a process in which further flags are set alongside the heap flags; testing only those bits (test dword ptr [eax+68h], 70h) is more robust.
(U) Identifying Debugger Behavior
(U) Because some debugging activities by necessity modify the debuggee's code at runtime, those alterations of the code can be detected. Debugger-generated modifications include the insertion of INT instructions (not only INT 3), and the code can be scanned for these opcodes. Malware can also keep checksums of its own code to determine whether the running code has been altered in any way, presumably by a debugger. Lastly, malware can perform timing checks, because a process runs slower when it is being debugged, and far slower still while it is single-stepped or while a breakpoint inside the timed region is serviced.
(U) Checking to See if SeDebugPrivilege is Set
(U) By default, a process has SeDebugPrivilege disabled. When the process is started by a debugger, it inherits the debugger's token, in which SeDebugPrivilege is enabled. Malware checks whether SeDebugPrivilege is enabled by trying to open the CSRSS.EXE process, which a token without that privilege enabled cannot open; if the open succeeds, the process is running under a debugger.
(U) Scanning for INT
Raytheon Blackbird Technologies, Inc.
11
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
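The checks described above (the NtGlobalFlag heap-flag test, scanning a code region for INT opcodes, a code checksum, a timing check, and the SeDebugPrivilege test via CSRSS.EXE) gathered into one added example in C. This is not code from the Pique report; the function names, the FNV-1a checksum, the timing threshold and the sample code bytes are assumptions for illustration. The portable detection logic runs on the constructed bytes on any platform; the csrss.exe open compiles only on Windows, and on Windows 8.1 and later csrss.exe runs as a protected process, so OpenProcess with PROCESS_ALL_ACCESS is refused there even with SeDebugPrivilege enabled and that check reports no debugger.

```c
/* Added example, not code from the Pique report: user-mode versions of the
 * checks described above. The detection logic is portable and runs here on
 * constructed bytes; the OpenProcess check on csrss.exe is Windows-only. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#endif

/* FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
 * FLG_HEAP_VALIDATE_PARAMETERS: set in PEB.NtGlobalFlag when a debugger creates the process. */
#define DEBUG_HEAP_FLAGS 0x70u

/* Test the bits rather than compare for equality with 0x70, so the check
 * still fires when further flags (e.g. set with gflags) are present. */
int ntglobalflag_indicates_debugger(uint32_t nt_global_flag)
{
    return (nt_global_flag & DEBUG_HEAP_FLAGS) == DEBUG_HEAP_FLAGS;
}

/* Count software-breakpoint opcodes in a code region: INT 3 (0xCC) and the
 * two-byte INT imm8 form (0xCD xx). A byte scan ignores instruction
 * boundaries, so compare against the count taken from known-clean code. */
size_t scan_for_int(const uint8_t *code, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC || (code[i] == 0xCD && i + 1 < len))
            hits++;
    return hits;
}

/* 32-bit FNV-1a over a code region; the reference value is computed before
 * a debugger could have patched the bytes (at build time or at startup). */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Timing check; max_ticks is environment-specific (assumption: the caller
 * passes a generous bound). A breakpoint or single-step inside the loop
 * inflates the elapsed time by orders of magnitude. */
int timing_indicates_debugger(clock_t max_ticks)
{
    volatile uint32_t sink = 0;
    clock_t start = clock();
    for (uint32_t i = 0; i < 1000; i++)
        sink += i;
    return (clock() - start) > max_ticks;
}

#ifdef _WIN32
/* Opening csrss.exe with full access needs SeDebugPrivilege enabled, which a
 * debuggee inherits from its debugger's token. */
int sedebugprivilege_indicates_debugger(void)
{
    DWORD pid = 0;
    PROCESSENTRY32 pe;
    HANDLE h, snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    pe.dwSize = sizeof pe;
    for (BOOL ok = Process32First(snap, &pe); ok; ok = Process32Next(snap, &pe))
        if (_tcsicmp(pe.szExeFile, _T("csrss.exe")) == 0) {
            pid = pe.th32ProcessID;
            break;
        }
    CloseHandle(snap);
    if (pid == 0 || (h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) == NULL)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed sample bytes (not from the report): a tiny x86 function in
 * memory, then the same bytes after a debugger planted INT 3 on the first
 * instruction and INT 2Dh over the epilogue. */
static const uint8_t CLEAN_CODE[]   = { 0x55, 0x89, 0xE5, 0xB8, 0x70, 0, 0, 0, 0x5D, 0xC3 };
static const uint8_t PATCHED_CODE[] = { 0xCC, 0x89, 0xE5, 0xB8, 0x70, 0, 0, 0, 0xCD, 0x2D };

int main(void)
{
    uint32_t ref = code_checksum(CLEAN_CODE, sizeof CLEAN_CODE);
    printf("INT opcodes clean/patched: %zu/%zu, patched fails checksum: %d, timing: %d\n",
           scan_for_int(CLEAN_CODE, sizeof CLEAN_CODE),
           scan_for_int(PATCHED_CODE, sizeof PATCHED_CODE),
           code_checksum(PATCHED_CODE, sizeof PATCHED_CODE) != ref,
           timing_indicates_debugger(CLOCKS_PER_SEC / 10));
#ifdef _WIN32
    printf("csrss.exe opened (SeDebugPrivilege): %d\n", sedebugprivilege_indicates_debugger());
#endif
    return 0;
}
```

In a real sample the region passed to scan_for_int and code_checksum is the malware's own .text section and the reference checksum is computed from the image on disk; the INT count is compared against the clean count rather than treated as proof on its own, since 0xCC and 0xCD bytes legitimately occur inside immediates and displacements.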
