Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) Table of Contents

(U) Executive Summary ............................................................ 3
(U) Anti-Debugging ............................................................... 3
    (U) Using Windows APIs ....................................................... 3
    (U) Manually Checking Memory Structures ...................................... 3
        (U) Checking the PEB BeingDebugged Flag .................................. 3
        (U) Checking the PEB ProcessHeap Flag .................................... 3
        (U) Checking the PEB NTGlobalFlag Value .................................. 3
    (U) Identifying Debugger Behavior ............................................ 4
        (U) Checking to See if SeDebugPrivilege is Set ........................... 4
        (U) Scanning for INT ..................................................... 4
        (U) Code Checksums ....................................................... 4
        (U) Timing Checks ........................................................ 4
        (U) Checking the Number of Kernel DebugObjects ........................... 4
        (U) Checking for a Debugger Window ....................................... 4
        (U) Providing an Invalid ASCII String to OutputDebugStringA .............. 4
        (U) Using the Stack Segment Register and Checking Trapflag ............... 4
    (U) Trolling the Debugger .................................................... 4
        (U) Modifying the SEH Chain .............................................. 4
        (U) Inserting INT Commands ............................................... 4
        (U) Inserting In-Circuit Emulator (ICE) Breakpoints ...................... 5
(U) Anti-Emulation ............................................................... 5
    (U) Detecting VMWare Artifacts ............................................... 5
        (U) Using net start | findstr VMWare ..................................... 5
        (U) Searching the File System ............................................ 5
        (U) Search the Registry for ‘VMWare’ ..................................... 5
        (U) Checking the MAC for Leading 00:0C:29 ................................ 5
    (U) Using Sensitive Instructions to Detect VMWare ............................ 5
        (U) The Red Pill Anti-VM Technique ....................................... 5
        (U) The No Pill Anti-VM Technique ........................................ 5
        (U) Checking the I/O Communications Port ................................. 5
    Timing-based VM Detection .................................................... 5
(U) Resources .................................................................... 5
Raytheon Blackbird Technologies, Inc.
2
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED