Anti-debugging exercises
PEB tricks, and more
The binary we will be analyzing is from the Practical Malware Analysis book and is available at http://ccom.uprrp.edu/~rarce/ccom4995/misc/Lab16-01.exe. It will not modify or harm your Windows VM. This lab is an adaptation of Lab16-1 from the book.
-
In the class presentation we saw that one of the techniques that malware uses to detect if its being run by the debugger is by reading the Process Environment Block (PEB) at
fs:[30h]
. Offset +2 is the first that is checked by the Lab16-01.exe binary. What PEB field is at that offset? -
Under what conditions is the first call to
sub_4010000
(at address0x0040356E
) made? -
The code block that begins at address
0x403573
, also accesses the PEB. What field of the PEB is read this time? -
Under what condition is the second call to
sub_4010000
(at address0x0040358F
) made? -
The code block that begins at address
0x403594
, also reads the PEB. What field of the PEB. is read this time? -
Under what condition is the THIRD call to
sub_4010000
(at address0x004035B0
) made? is executed if: -
Lab16-01.exe
is just a toy malware, but just in case something goes wrong with its contents, create a copy of the fileLab16-01.exe
before the next step. -
Lets find out what
sub_4010000
does, using dynamic analysis. OpenLab16-01.exe
in OllyDbg (in your Windows 2008 VM). Put a breakpoint in the first CALL tosub_4010000
, then click the run button on OllyDbg. Did the execution hit the first CALL sub_4010000? -
Use your breakpoint/step into/ step abilities to execute the program until just before the call to
ShellExecuteA
(in thesub_4010000
) . Inspect the parameters that are being sent toShellExecuteA
. Explain what is the intention of that call. (Hint: https://stackoverflow.com/questions/515309/what-does-cmd-c-mean) -
How could you make OllyDbg avoid the traps set by the malware? You could change the control flow of the program by patching the jumps. Alternately you could manually modify the values of the fields that the program is checking within the PEB. Since verifying the PEB is a common anti-debugging technique, some kind programmers have created plugins that allow OllyDbg to "fool" the anti-debugging malware. The PhantOm plugin is one of them.
-
Install the PhantOm plugin from https://tuts4you.com/e107_plugins/download/download.php?view.1276. Unzip the downloaded file and copy the DLL into the same directory as OllyDbg executable. Rerun OllyDbg and activate the plugin by going to: Plugins -> PhantOm -> Options -> Hide from PEB. Put breakpoints in the CALLS to
sub_4010000
. PhantOm was designed to work in Windows XP. Some of the locations for PEB fields have changed, so in Windows 2008 PhantOm may protect against only some PEB anti-debugging tricks. Which of the following was PhantOm capable of avoiding? -
Patch the conditional jump(s) that are leading the program to CALL
sub_4010000
during the first three checks on the PEB. Also put a breakpoint on ther first instruction ofsub_4010000
to monitor when it is called. Once you have activated PhanOm and patched the conditional jump(s), restart and run the program through the debugger (you may need to enter the Patch window to re-patch the conditional jumps). You will find out that you are not able to avoid calling thesub_4010000
by managing those three initial PEB reads. Explain why. -
Besides verifying the PEB fields, describe at least one other situation that leads this program to call
sub_4010000
?
A little TLS to ruin your RE day
The binary for this part is also from the Practical Malware Analysis book and is available at http://ccom.uprrp.edu/~rarce/ccom4995/misc/Lab16-02.exe. It will not harm or modify your Windows VM.
-
Make sure that you are not currently running any OllyDbg windows. Run
Lab16-2.exe
from the command line. What message is displayed? -
Now open
Lab16-02.exe
in OllyDbg. Notice that it immediately displays Terminated in red font at lower right corner, without giving you a chance to even run the program. This is due in part to the malware setting a TLS callback. Can you find the callback function? (hint: use the [M] button in OllyDbg or find the TLSCallback_0 function in IDA). What is the address the TLSCallback_0 function? -
Explain what happens in the
TLSCallback_0
function which explains why the program immediately terminates in OllyDbg. -
How would you patch the program so that the
TLSCallback_0
function does not callexit
? In order to perform the patch you need to at least be able to open theLab16-02.exe
without trying to go through theTLSCallback_0
function. To do this: Options - Debugging options - Events: set Make first pause = System breakpoint. -
Perform the patch and put a breakpoint in the main function to validate that now your program at least arrives at the main function.
-
Statically analize the main function and deduce its pseudocode.
-
The main function decides wether to print a success or failure message based on a comparison with a string at
byte_408030
? Where is this string assigned its value? -
Use OllyDbg (with properly placed breakpoints) to execute the binary to determine what is the parameter that will make the program output "You entered the correct password!". (use Debug - > arguments to pass command line arguments to the debugged program in OllyDbg). Briefly explain how you found the password.