Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) This technique is more an obnoxious annoyance than anything. Some malware samples have been observed inserting INT 3 instructions into code to cause the debugger to break, or in some cases to stop altogether.
(U) Inserting an INT 1 will invoke single-step mode inside the debugger.
(U) Some malware specimens insert INT 2D instructions to cause the kernel debugger to break, similar to the insertion of INT 3 into application code.
(U) Following is an assembly language example of malware inserting an INT 3 instruction to check for the presence of a debugger. This example sets EAX to 0xffffffff inside the exception handler to signify that the exception handler has been called. If EAX is not 0xffffffff after the INT 3 call, then a debugger is present.
(U) Inserting In-Circuit Emulator (ICE) Breakpoints
(U) Inserting an ICE breakpoint, ICEBP (opcode 0xF1), generates a single-step exception; the debugger will treat it as a normal exception and not execute the established exception handler. Malware can take advantage of this fact by using the exception handler for its normal execution flow, which would be interrupted if a debugger is attached, thereby hiding the malicious code from examination.
Raytheon Blackbird Technologies, Inc.
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
;set exception handler: push the handler address and the previous SEH record,
;then make this new record the head of the chain at fs:[0]
push .exception_handler
push dword [fs:0]
mov [fs:0], esp
;reset flag (EAX) and invoke int3; without a debugger the handler runs and sets EAX
xor eax,eax
int3
;restore the previous exception handler and discard the handler address
pop dword [fs:0]
add esp,4
;check to see if the flag has been set; EAX still zero means a debugger consumed the INT 3
test eax,eax
je .debugger_found
.exception_handler:
;handler body: sets EAX to 0xffffffff in the saved context and resumes execution
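As an added analyst-side example (not code from the report), the following C scanner looks for the idiom shown above in a dumped 32-bit code section: the SEH-install pair `push dword [fs:0]` / `mov [fs:0], esp` followed within a few bytes by INT 3, ICEBP, INT 1 or INT 2D. The opcode encodings are standard x86; the sample buffer is constructed from the report's snippet with a dummy handler address.

```c
/* Heuristic locator for the SEH-install + trap-instruction anti-debug idiom.
 * Encodings (32-bit x86): push dword [fs:0] = 64 FF 35 00 00 00 00,
 * mov [fs:0],esp = 64 89 25 00 00 00 00, int3 = CC, icebp = F1,
 * int 1 = CD 01, int 2d = CD 2D.  Added example; sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint8_t SEH_PUSH[] = {0x64,0xFF,0x35,0,0,0,0}; /* push dword [fs:0] */
static const uint8_t SEH_MOV[]  = {0x64,0x89,0x25,0,0,0,0}; /* mov [fs:0], esp   */

/* Return the mnemonic of a trap instruction starting at p, or NULL. */
static const char *trap_at(const uint8_t *p, size_t left) {
    if (left >= 1 && p[0] == 0xCC) return "int3";
    if (left >= 1 && p[0] == 0xF1) return "icebp";
    if (left >= 2 && p[0] == 0xCD && p[1] == 0x01) return "int 1";
    if (left >= 2 && p[0] == 0xCD && p[1] == 0x2D) return "int 2d";
    return NULL;
}

/* Scan buf for the SEH-install pair followed (within 16 bytes) by a trap.
 * Returns the offset of the trap opcode, or -1 if the idiom is absent;
 * *kind (if non-NULL) receives the trap mnemonic. */
long find_seh_trap(const uint8_t *buf, size_t len, const char **kind) {
    size_t need = sizeof SEH_PUSH + sizeof SEH_MOV;
    for (size_t i = 0; i + need <= len; i++) {
        if (memcmp(buf + i, SEH_PUSH, sizeof SEH_PUSH) != 0) continue;
        if (memcmp(buf + i + sizeof SEH_PUSH, SEH_MOV, sizeof SEH_MOV) != 0) continue;
        size_t start = i + need, end = (start + 16 < len) ? start + 16 : len;
        for (size_t j = start; j < end; j++) {
            const char *k = trap_at(buf + j, len - j);
            if (k) { if (kind) *kind = k; return (long)j; }
        }
    }
    return -1;
}

/* Constructed sample: the report's snippet assembled, handler address is a dummy. */
static const uint8_t SAMPLE[] = {
    0x68,0x78,0x56,0x34,0x12,                        /* push .exception_handler */
    0x64,0xFF,0x35,0,0,0,0, 0x64,0x89,0x25,0,0,0,0,  /* push [fs:0]; mov [fs:0],esp */
    0x31,0xC0, 0xCC,                                 /* xor eax,eax ; int3 */
    0x64,0x8F,0x05,0,0,0,0, 0x83,0xC4,0x04,          /* pop [fs:0] ; add esp,4 */
    0x85,0xC0, 0x74,0x00 };                          /* test eax,eax ; je */

int main(void) {
    const char *kind = NULL;
    long off = find_seh_trap(SAMPLE, sizeof SAMPLE, &kind);
    if (off >= 0) printf("SEH anti-debug idiom: %s at offset %ld\n", kind, off);
    return 0;
}
```

The 0xCC byte is common as padding, so the heuristic only reports it when it directly follows the SEH install; that is what keeps the false-positive rate manageable on real binaries.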
