
Anti-disassembly, Anti-debugging and Anti-VM

Introduction

Malware takes advantage of a disassembler’s basic assumptions. It exploits predictable choices made by debuggers and hides when it suspects it is running on a virtual machine. 

This article gives an overview of the defensive tricks malware uses against disassemblers and debuggers, and of how it detects that it is being analyzed inside a virtual machine. 

Anti-disassembly techniques

Malware authors use anti-disassembly techniques to delay, prevent or avoid the reverse engineering of their code. They use hand-crafted code that causes disassembly tools to produce an incorrect program listing. Here are some common anti-disassembly techniques.

API obfuscation

API obfuscation, in its simplest form, changes the names of identifiers (class names, method names, field names) to random names so that the reader of the code cannot tell what it does; this is how the term is used for managed code such as Java or .NET. In native Windows malware the same term usually means hiding which API functions are called: the functions are left out of the import table and resolved at runtime, typically by comparing hashes of export names against constants embedded in the code, so that no API name appears in the binary. 
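The following is an added example, not code from the original article or from any real sample, showing the hash-based form of API obfuscation from both sides. The export names are a constructed stand-in for a module's export table (real malware walks the PE export directory of a loaded DLL instead), and the ROR13 hash is the scheme long used by common Windows shellcode; the binary only has to carry the 32-bit constant, never the string, and the analyst recovers the name by hashing a dictionary of known exports:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROR13 hash over an export name: rotate the running value right by 13
 * bits, then add the next byte. Weak as a hash, but it is what classic
 * shellcode uses, and all it has to do is distinguish export names. */
static uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a DLL's export name table (assumption for
 * this demo). Real malware reads these names from the export directory
 * of a module that is already mapped in its process. */
static const char *const EXPORTS[] = {
    "CloseHandle", "CreateFileA", "LoadLibraryA", "VirtualAlloc", "WriteFile",
};
#define N_EXPORTS (sizeof EXPORTS / sizeof EXPORTS[0])

/* Malware side: hash every export and compare against the constant that
 * was embedded at build time. Returns the export's index, or -1. */
static int resolve_by_hash(uint32_t wanted)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (ror13_hash(EXPORTS[i]) == wanted)
            return (int)i;
    return -1;
}

/* Analyst side: turn a constant seen in the disassembly back into a
 * name by hashing a dictionary of known exports. NULL if not found. */
static const char *recover_name(uint32_t seen)
{
    int i = resolve_by_hash(seen);
    return i < 0 ? NULL : EXPORTS[i];
}

/* Both sides rely on the hash being unique within the table; a
 * collision would make the resolver (and the recovery) pick the wrong
 * export, so check for it before trusting a recovered name. */
static int table_has_no_collisions(void)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        for (size_t j = i + 1; j < N_EXPORTS; j++)
            if (ror13_hash(EXPORTS[i]) == ror13_hash(EXPORTS[j]))
                return 0;
    return 1;
}

int main(void)
{
    /* Build time: compute the constant that will live in the binary. */
    uint32_t h = ror13_hash("VirtualAlloc");
    printf("embedded constant: 0x%08" PRIx32 "\n", h);
    /* Run time: the constant is resolved without the name ever existing
     * in the binary; the analyst's dictionary gives the name back. */
    printf("resolves to export #%d, recovered name %s\n",
           resolve_by_hash(h), recover_name(h));
    printf("table collision free: %d\n", table_has_no_collisions());
    return 0;
}
```

A practical consequence for analysis: the import table of such a sample is nearly empty and the strings output contains no API names, so the constants passed to the resolver are the thing to look for; hashing a dictionary of Windows exports with the sample's hash routine, as recover_name does, gives the names back.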

Opcode/assembly code obfuscation

Opcode/assembly code obfuscation makes disassembly of malware difficult through tactics such as executables whose code sections are stored encrypted and only decrypted in memory at runtime, so that a static disassembly shows nothing meaningful, and code instructions that are hard to read or nonsensical. 

Junk/spaghetti code

Junk code (instructions that have no effect on the program's state, such as pushes that are immediately popped or arithmetic on values that are never used) and spaghetti code (the real logic split into small fragments connected by jumps in no sensible order) are used to confuse the reverse engineer and hide what the current code is trying to accomplish. 

Control flow graph flattening

Control flow graph flattening, or simply CFG flattening, flattens the control flow of each function by first breaking up the nesting of loops and if-statements and then hiding each basic block as a case of one large switch statement wrapped inside the body of a loop. A state variable decides which case runs next, so the function's graph becomes a single dispatcher with an edge to every block, and the original structure has to be recovered by tracing the values the state variable takes.
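As an added example (not code from the original article or from any obfuscator), here is a small function with a loop and an if/else, next to the same function flattened by hand the way an obfuscator would emit it. The function and its arithmetic are constructed for the demo; the state constants are arbitrary values standing in for the random ones a real obfuscator picks, chosen so that their order says nothing about the original layout:

```c
#include <stdio.h>

/* Original function: a for loop with an if/else inside it. */
int original(int n)
{
    int acc = 0;
    for (int i = 0; i < n; i++) {
        if (i % 2 == 0)
            acc += i;
        else
            acc -= 1;
    }
    return acc;
}

/* The same function after control flow flattening. Every basic block of
 * the original becomes one case of the switch; the state variable
 * selects the next block; the loop around the switch is the only loop
 * left. Nothing is nested any more, so the graph shows a dispatcher
 * with an edge to every block instead of the loop and the branch. */
int flattened(int n)
{
    int acc = 0, i = 0;
    /* Arbitrary state constants (a real obfuscator uses random ones). */
    enum { INIT = 0x3A7F, COND = 0x91C2, TEST = 0x0B44,
           THEN = 0x6D18, ELSE = 0xE3A0, STEP = 0x5F7B, EXIT = 0x2C09 };
    int state = INIT;
    for (;;) {
        switch (state) {
        case INIT: i = 0; acc = 0;                    state = COND; break;
        case COND: state = (i < n) ? TEST : EXIT;                   break;
        case TEST: state = (i % 2 == 0) ? THEN : ELSE;              break;
        case THEN: acc += i;                          state = STEP; break;
        case ELSE: acc -= 1;                          state = STEP; break;
        case STEP: i++;                               state = COND; break;
        case EXIT: return acc;
        }
    }
}

/* Check that the two versions agree for every n in [0, limit). */
int agree_up_to(int limit)
{
    for (int n = 0; n < limit; n++)
        if (original(n) != flattened(n))
            return 0;
    return 1;
}

int main(void)
{
    printf("original(10) = %d, flattened(10) = %d\n", original(10), flattened(10));
    printf("agree for n < 100: %d\n", agree_up_to(100));
    return 0;
}
```

To see the effect, compile both functions without optimization and compare their graphs in a disassembler: the original shows a loop body with a two-way branch, the flattened one shows a jump table whose every target leads back to the same comparison on the state variable. Recovering the original means recording, for each case, which state it assigns next and redrawing the edges from that.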

Jump instruction with same target

A jump instruction with the same target is produced using a combination of jz and jnz that both point to the same address. Whatever the zero flag is, one of the two is taken, so together they form an unconditional jump; the disassembler does not recognize this because it decodes one instruction at a time and treats each conditional jump as one that may fall through. It therefore also disassembles the bytes right after the jnz, which never execute, and the malware author places a rogue byte there (for example 0xE8, the first byte of a five-byte call) so that the real instructions at the jump target are swallowed by a bogus instruction and the listing is wrong from that point on.
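The following is an added example, not code from the original article, that makes the effect visible on a constructed byte sequence (not taken from any real sample). A tiny decoder that knows only the handful of opcodes used here first performs a naive linear sweep, then the same sweep with the one fix an analyst applies: once a jz is immediately followed by a jnz to the same target, decoding continues at that target instead of at the rogue byte. The decoder, the byte sequence and its layout are all assumptions of this demo:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 bytes showing the trick:
 *   0: 31 C0              xor eax, eax     ; ZF = 1 afterwards
 *   2: 74 03              jz  7            ; taken when ZF = 1
 *   4: 75 01              jnz 7            ; taken when ZF = 0
 *   6: E8                 rogue byte: first byte of a 5-byte call
 *   7: B8 2A 00 00 00     mov eax, 0x2a    ; the real code, at the target
 *  12: C3                 ret                                           */
static const uint8_t CODE[] = {
    0x31, 0xC0, 0x74, 0x03, 0x75, 0x01, 0xE8,
    0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3,
};

#define MAX_INSNS 32

typedef struct {
    size_t off;       /* byte offset where the instruction starts */
    size_t len;       /* encoded length in bytes */
    long   target;    /* jump target for jz/jnz, else -1 */
    char   text[32];  /* decoded mnemonic and operands */
} insn_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one instruction at buf[off]. Only the opcodes used above are
 * known; anything else is emitted as a one-byte "db". Returns length. */
static size_t decode_one(const uint8_t *buf, size_t n, size_t off, insn_t *out)
{
    uint8_t op = buf[off];
    size_t left = n - off;
    out->off = off;
    out->target = -1;
    if (op == 0x31 && left >= 2 && buf[off + 1] == 0xC0) {
        out->len = 2;
        strcpy(out->text, "xor eax, eax");
    } else if ((op == 0x74 || op == 0x75) && left >= 2) {
        out->len = 2;
        out->target = (long)(off + 2) + (int8_t)buf[off + 1];
        snprintf(out->text, sizeof out->text, "%s 0x%lx", op == 0x74 ? "jz" : "jnz", out->target);
    } else if (op == 0xE8 && left >= 5) {       /* call rel32: eats the mov's bytes */
        out->len = 5;
        snprintf(out->text, sizeof out->text, "call 0x%lx", (long)(off + 5) + (int32_t)rd32(buf + off + 1));
    } else if (op == 0xB8 && left >= 5) {       /* mov eax, imm32 */
        out->len = 5;
        snprintf(out->text, sizeof out->text, "mov eax, 0x%x", (unsigned)rd32(buf + off + 1));
    } else if (op == 0xC3) {
        out->len = 1;
        strcpy(out->text, "ret");
    } else {
        out->len = 1;
        snprintf(out->text, sizeof out->text, "db 0x%02x", op);
    }
    return out->len;
}

/* Linear sweep: decode each instruction where the previous one ended.
 * With fix_pair set, a jz immediately followed by a jnz to the same
 * (forward) target is treated as the unconditional jump it really is,
 * so decoding resumes at the target and the rogue byte is skipped. */
static size_t sweep(const uint8_t *buf, size_t n, insn_t *out, int fix_pair)
{
    size_t count = 0, off = 0;
    while (off < n && count < MAX_INSNS) {
        off += decode_one(buf, n, off, &out[count]);
        count++;
        if (fix_pair && count >= 2) {
            const insn_t *a = &out[count - 2], *b = &out[count - 1];
            if (buf[a->off] == 0x74 && buf[b->off] == 0x75 && a->target >= 0 &&
                a->target == b->target && (size_t)b->target >= off && (size_t)b->target < n)
                off = (size_t)b->target;
        }
    }
    return count;
}

/* Text decoded at a byte offset by a sweep, or NULL when that sweep
 * never started an instruction there. */
static const char *decoded_at(int fix_pair, size_t off)
{
    static insn_t list[MAX_INSNS];
    size_t n = sweep(CODE, sizeof CODE, list, fix_pair);
    for (size_t i = 0; i < n; i++)
        if (list[i].off == off) return list[i].text;
    return NULL;
}

int main(void)
{
    insn_t list[MAX_INSNS];
    for (int fix = 0; fix <= 1; fix++) {
        printf("%s\n", fix ? "jz/jnz pair recognized:" : "naive linear sweep:");
        size_t n = sweep(CODE, sizeof CODE, list, fix);
        for (size_t i = 0; i < n; i++)
            printf("  %2zu: %s\n", list[i].off, list[i].text);
    }
    return 0;
}
```

The naive sweep reports a call at offset 6 that swallows the mov at offset 7 and never lists the real instruction; with the pair recognized, offset 6 is not decoded at all and the listing continues at 7 with mov eax, 0x2a followed by ret. In a real disassembler the equivalent of the fix is marking the rogue byte as data, or patching it to a nop, so the code at the jump target is decoded.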

Detecting debuggers

Anti-debugging is an anti-analysis technique that malware uses to check whether it is being debugged. Malware authors use many techniques to prevent and/or slow the reverse (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Jamal Chahir. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/l6HxVv7VFYw/