Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) Brief code explanation:
(U) NOTE: there are several Ollydbg plug-in modules that change the BeingDebugged flag in
order to ‘trick’ malware into believing it is not being debugged. The Ollydbg plug-ins that alter
the BeingDebugged flag are: Hide Debugger, Hidedebug, and PhantOm.
(U) Checking the PEB ProcessHeap Flag
(U) Within the PEB is a data structure called ProcessHeap located at offset 0x18 in the PEB as
shown in Figure 3. The first heap (at ef0000 in this example) contains a header with fields used
to tell the kernel whether the heap was created within a debugger. The flags we are interested in
are ForceFlags and Flags, which can be seen in Figure 4. The ForceFlags flag is a more reliable
flag to check because Flags is usually either set to the value of ForceFlag or XORed with 2, as it
is in our example as can be seen in Figure 4.
(U) The ForceFlags offset in the heap header differs by OS version and bitness, as shown in
Table 1; Flags is the 32-bit field immediately before ForceFlags (offset 0x0C, 0x40 and 0x70
respectively).

Table 1. ForceFlags Offset by Windows OS Version

  OS Version            ForceFlags Offset
  Windows XP 32-bit     0x10
  Windows 7 32-bit      0x44
  Windows 7 64-bit      0x74
  Windows 8 32-bit      0x44
  Windows 8 64-bit      0x74
  Windows 10 32-bit     0x44
  Windows 10 64-bit     0x74
Raytheon Blackbird Technologies, Inc.
7
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
mov eax, large fs:30h     ; move PEB structure (fs:30h) into EAX
cmp byte ptr [eax+2], 1   ; check to see if the BeingDebugged flag is 1
jz short loc_4010E1       ; if byte ptr [eax+2] = 1 it is being debugged and jmp to loc_4010E1
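The BeingDebugged check in the assembly above, combined with the ProcessHeap Flags/ForceFlags check described before Table 1, as an added example in C. This is not code from the Raytheon report: the flag-decoding logic is portable and is exercised on constructed heap-header images, while the live read of the PEB (fs:[30h] on x86, gs:[60h] on x64, with ProcessHeap at PEB+0x18 / PEB+0x30) compiles only on Windows. The heap flag constants and the typical values 0x50000062 / 0x40000060 for a debugger-created process are assumed from the public NT heap definitions, not taken from the report.

```c
/*
 * Added example (not from the Raytheon PoC report): decode the PEB
 * BeingDebugged byte and the default heap's Flags/ForceFlags fields.
 * Portable decoding logic runs on constructed header images; the live
 * PEB read compiles only under _WIN32.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NT heap flag bits (assumed from the public winnt/ntdll definitions). */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define HEAP_DEBUG_BITS (HEAP_TAIL_CHECKING_ENABLED | \
                         HEAP_FREE_CHECKING_ENABLED | \
                         HEAP_VALIDATE_PARAMETERS_ENABLED)

/* _HEAP header layouts from Table 1 of the report. */
enum heap_layout { HEAP_XP32 = 0, HEAP_WIN7PLUS_32 = 1, HEAP_WIN7PLUS_64 = 2 };

size_t force_flags_offset(enum heap_layout layout)
{
    switch (layout) {
    case HEAP_XP32:        return 0x10;
    case HEAP_WIN7PLUS_32: return 0x44;
    default:               return 0x74;
    }
}

/* Flags is the 32-bit field immediately preceding ForceFlags in every layout. */
size_t flags_offset(enum heap_layout layout)
{
    return force_flags_offset(layout) - 4;
}

/*
 * Decision rule from the report: ForceFlags is 0 in a process that was not
 * created by a debugger, so any non-zero value is the reliable signal.
 * Flags is tested only for the debug bits, because HEAP_GROWABLE (2) is
 * set on the default heap whether or not a debugger is present.
 */
int heap_flags_indicate_debugger(uint32_t flags, uint32_t force_flags)
{
    if (force_flags != 0)
        return 1;
    if (flags & HEAP_DEBUG_BITS)
        return 1;
    return 0;
}

/* Read both fields out of a raw _HEAP header and apply the rule. */
int heap_header_indicates_debugger(const uint8_t *heap, enum heap_layout layout)
{
    uint32_t flags, force_flags;
    memcpy(&flags, heap + flags_offset(layout), sizeof flags);
    memcpy(&force_flags, heap + force_flags_offset(layout), sizeof force_flags);
    return heap_flags_indicate_debugger(flags, force_flags);
}

/* Construct a header image with the given field values (not captured from a real process). */
int check_constructed(enum heap_layout layout, uint32_t flags, uint32_t force_flags)
{
    uint8_t header[0x80];
    memset(header, 0, sizeof header);
    memcpy(header + flags_offset(layout), &flags, sizeof flags);
    memcpy(header + force_flags_offset(layout), &force_flags, sizeof force_flags);
    return heap_header_indicates_debugger(header, layout);
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
/* Live check: the report's BeingDebugged test (PEB+0x02) plus the heap flags. */
int process_being_debugged(void)
{
#ifdef _WIN64
    uint8_t *peb = (uint8_t *)__readgsqword(0x60);
    const uint8_t *heap = *(uint8_t **)(peb + 0x30);   /* ProcessHeap, 64-bit PEB */
    enum heap_layout layout = HEAP_WIN7PLUS_64;
#else
    uint8_t *peb = (uint8_t *)__readfsdword(0x30);
    const uint8_t *heap = *(uint8_t **)(peb + 0x18);   /* ProcessHeap, 32-bit PEB */
    enum heap_layout layout = HEAP_WIN7PLUS_32;        /* use HEAP_XP32 on Windows XP */
#endif
    if (peb[2] == 1)                                   /* BeingDebugged */
        return 1;
    return heap_header_indicates_debugger(heap, layout);
}
#endif

int main(void)
{
    /* Typical values: clean process vs. process created under a debugger. */
    printf("clean:    %d\n", check_constructed(HEAP_WIN7PLUS_64, 0x00000002u, 0x00000000u));
    printf("debugged: %d\n", check_constructed(HEAP_WIN7PLUS_64, 0x50000062u, 0x40000060u));
#ifdef _WIN32
    printf("this process: %d\n", process_being_debugged());
#endif
    return 0;
}
```

A plugin such as the OllyDbg hiders named earlier clears only the BeingDebugged byte, so the second branch of process_being_debugged still fires on the heap fields unless the plugin also patches Flags and ForceFlags; conversely, a debugger attached after process start leaves the heap fields clean and is caught only by the BeingDebugged byte.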