Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) Executive Summary
(U) This report is an overview of techniques for detecting debuggers and emulation
environments. It represents the PoC delivery for July.
(U) Anti-Debugging
(U) There are a number of techniques to determine if a debugger is attached, including the use of
Windows APIs, manually checking memory for debugger artifacts, and searching the system for
forensics evidence of a debugger.
(U) Using Windows APIs
(U) The following Windows APIs can be used to determine if the application is being debugged:
IsDebuggerPresent()
CheckRemoteDebuggerPresent()
NtQueryInformationProcess()
OutputDebugString()
(U) These function calls are easy to implement in code. However, like many APIs, they are
also easily hooked to return a false answer about whether the application is being debugged;
for that reason many malware authors prefer to check memory structures manually for the
presence of a debugger, which is why we don’t spend time on the APIs in this report.
(U) Manually Checking Memory Structures
(U) Because Windows APIs can be hooked to return false information about whether or not the
application is being debugged, it is sometimes preferable to manually check structures such as
the PEB to determine if a debugger is present.
(U) Checking the PEB BeingDebugged Flag
(U) Windows maintains a Process Execution Block (PEB) structure for each running process.
The PEB holds the user-mode parameters of the running process, including a flag indicating
whether the process is being debugged (BeingDebugged). Figure 1 shows the Windows 10
x64 Enterprise PEB structure with the Notepad++ application being debugged using Ollydbg.
The BeingDebugged flag can be checked programmatically by malware.
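(U) From the analyst's side, the two kinds of check described above (API-based and a manual read of PEB.BeingDebugged) can be flagged in a raw code or memory image. The Python scanner below is an added example, not part of this report; the instruction encodings it looks for are assumed common compiler output rather than a complete signature set, and the sample image is constructed for the example.

```python
# Instruction encodings that load the PEB pointer from the TEB (assumed
# common compiler output; real samples may use other registers).
PEB_LOAD_PATTERNS = {
    "x86: mov eax, fs:[30h]": b"\x64\xa1\x30\x00\x00\x00",
    "x64: mov rax, gs:[60h]": b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00",
}
# Follow-on accesses to the BeingDebugged byte at PEB offset 2.
BEING_DEBUGGED_ACCESS = {
    "movzx eax, byte [eax|rax+2]": b"\x0f\xb6\x40\x02",
    "cmp byte [eax|rax+2], 0": b"\x80\x78\x02\x00",
}
# Import names of the API-based checks listed in the report
# (OutputDebugString matches the A/W variants by prefix).
API_NAMES = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
             b"NtQueryInformationProcess", b"OutputDebugString"]


def find_all(image: bytes, needle: bytes) -> list:
    """All offsets at which needle occurs in image (overlaps allowed)."""
    offsets, pos = [], image.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(needle, pos + 1)
    return offsets


def scan(image: bytes, window: int = 16) -> dict:
    """Report API-name references and manual PEB.BeingDebugged reads."""
    findings = {"api_refs": [n.decode() for n in API_NAMES if n in image],
                "peb_reads": []}
    for label, load in PEB_LOAD_PATTERNS.items():
        for off in find_all(image, load):
            # Look a few bytes past the PEB load for an access to offset 2.
            tail = image[off + len(load): off + len(load) + window]
            access = [a for a, pat in BEING_DEBUGGED_ACCESS.items() if pat in tail]
            findings["peb_reads"].append({"offset": off, "load": label, "access": access})
    return findings


def is_suspicious(findings: dict) -> bool:
    """True if an API reference or a PEB load followed by a BeingDebugged access was seen."""
    return bool(findings["api_refs"]) or any(r["access"] for r in findings["peb_reads"])


# Constructed sample image: an import-name string, an x86 stub, padding, an x64 stub.
SAMPLE_IMAGE = (b"\x00IsDebuggerPresent\x00"
                + b"\x64\xa1\x30\x00\x00\x00" + b"\x0f\xb6\x40\x02" + b"\x85\xc0\x75\x05"
                + b"\x90" * 8
                + b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00" + b"\x80\x78\x02\x00" + b"\x74\x05")

if __name__ == "__main__":
    print(scan(SAMPLE_IMAGE), is_suspicious(scan(SAMPLE_IMAGE)))
```

Run against a dumped code section rather than the whole file to keep false positives from data regions low.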
Raytheon Blackbird Technologies, Inc.
4
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
