Anti-Unpacking techniques Peter Ferrie Senior Anti-virus Researcher 1 May, 2008 1


Anti-Unpacking techniques

Peter Ferrie
Senior Anti-virus Researcher

1 May, 2008


Classes of unpackers

Memory dumper
Debugger
Emulator
Code-buffer
W-X interceptor

Peter Ferrie, Microsoft Corporation


Anti-dumping

SizeOfImage
  Field in PEB
  When altered, prevents debugger from attaching
  Causes incorrect number of pages to be dumped

Erasing the header
  Removes section information
  Not obvious how many pages should be dumped
  Used by Yoda's Crypter

Nanomites
  Introduced in Armadillo
  Replace branches with int 3 and encoded pointers


Anti-dumping (cont.)

Stolen bytes
  Introduced in ASProtect
  Copy bytes elsewhere and execute from there
  Optionally destroy original bytes

Guard pages
  Allows on-demand decryption or decompression
  Used by Armadillo (decryption)
  Used by Shrinker (decompression)

Imports
  Table is often removed, encrypted or compressed
  Sometimes erased after first use
  Functions can be redirected to another location


Anti-dumping (cont.)

Virtual machines
  Uses p-code instead of native code
  P-code can be polymorphic (Themida)
  P-code can contain anti-debugging (HyperUnpackMe2)
  Interpreter can be obfuscated (Virtual CPU)


Anti-debugging

NtGlobalFlag
  Field in PEB
  Debugger typically causes certain flags to be set
  Very common method
  Very commonly incorrect (cmp instead of test)
  Very unreliable (several ways to set/clear flags)
  Used by ExeCryptor

Heap flags
  Pointer is field in PEB
  Two sets of flags
  Debugger typically causes certain flags to be set
  Also very unreliable (flags controllable like NtGlobalFlag)


Anti-debugging (cont.)

Heap
  Tail markers appear if certain flag is set
  Debugger typically causes flag to be set
  Marker is constant and easy to find
  Used by Themida

IsDebuggerPresent()
  Introduced in Windows 95
  Reads field in PEB
  One of the most common methods
  Returns true if a debugger is present
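Worked example, added here and not part of Ferrie's slides: the NtGlobalFlag, heap-flags and heap tail-marker checks of the two previous slides, modelled on constructed values rather than a live PEB so it builds anywhere. The FLG_* and HEAP_* constants are the documented Windows values; the sample Flags/ForceFlags pair (0x50000062 / 0x40000060) and the sample heap block are constructed test data. It shows why the "cmp instead of test" form misses a debugger as soon as gflags sets one extra bit, and why an unpacking environment that presents clean flag values silences both forms.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag bits a debugger-created process normally has set (documented gflags values). */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define FLG_HEAP_VALIDATE_ALL        0x80u   /* one of the other bits gflags can add */
#define DEBUGGER_NTGLOBALFLAG_BITS \
    (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Process-heap Flags/ForceFlags bits that the same settings turn on. */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_SKIP_VALIDATION_CHECKS      0x10000000u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u

/* The "cmp instead of test" form: cmp [peb+NtGlobalFlag], 70h.
 * Equality fails as soon as any other gflags bit is present, so a debugger is missed. */
int ntglobalflag_check_cmp(uint32_t ntglobalflag) {
    return ntglobalflag == DEBUGGER_NTGLOBALFLAG_BITS;
}

/* The form that says what was meant: are the three heap-debug bits all set? */
int ntglobalflag_check_test(uint32_t ntglobalflag) {
    return (ntglobalflag & DEBUGGER_NTGLOBALFLAG_BITS) == DEBUGGER_NTGLOBALFLAG_BITS;
}

/* Heap-flags check as commonly written: anything beyond HEAP_GROWABLE in Flags,
 * or a non-zero ForceFlags, is taken as a debugger tell. */
int heap_flags_check(uint32_t flags, uint32_t force_flags) {
    return (flags & ~HEAP_GROWABLE) != 0 || force_flags != 0;
}

/* The slides' point that the flags are "controllable": an unpacking environment can
 * present the values a non-debugged process would have, and both checks above stay
 * quiet. ForceFlags simply becomes 0. */
uint32_t sanitize_ntglobalflag(uint32_t ntglobalflag) {
    return ntglobalflag & ~DEBUGGER_NTGLOBALFLAG_BITS;
}
uint32_t sanitize_heap_flags(uint32_t flags) {
    return flags & ~(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED |
                     HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED);
}

/* Heap tail checking writes 0xAB bytes directly after the user part of a block:
 * the "constant and easy to find" marker of the Heap slide. Returns 1 if present. */
int has_heap_tail_marker(const uint8_t *block, size_t user_size, size_t block_size) {
    if (block_size < user_size + 8) return 0;
    for (size_t i = 0; i < 8; i++)
        if (block[user_size + i] != 0xAB) return 0;
    return 1;
}

/* Constructed sample: a 16-byte allocation followed by its 8 tail bytes. */
const uint8_t sample_block[24] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB
};

int main(void) {
    /* 0x70 is the bare debugger setting; 0xF0 adds FLG_HEAP_VALIDATE_ALL. */
    printf("cmp  form: 0x70 -> %d, 0xF0 -> %d\n",
           ntglobalflag_check_cmp(0x70u), ntglobalflag_check_cmp(0xF0u));
    printf("test form: 0x70 -> %d, 0xF0 -> %d\n",
           ntglobalflag_check_test(0x70u), ntglobalflag_check_test(0xF0u));
    /* Constructed Flags/ForceFlags as seen in a debugged process on Windows XP. */
    uint32_t flags = 0x50000062u, force = 0x40000060u;
    printf("heap flags: raw -> %d, sanitised -> %d\n",
           heap_flags_check(flags, force), heap_flags_check(sanitize_heap_flags(flags), 0));
    printf("tail marker after 16 bytes: %d\n", has_heap_tail_marker(sample_block, 16, 24));
    return 0;
}
```

The cmp variant is not wrong because 0x70 is wrong; it is wrong because it asserts that nothing else is set, which no packer author controls on a user's machine.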


Anti-debugging (cont.)

CheckRemoteDebuggerPresent()
  Introduced in Windows XP SP1
  Wrapper around NtQueryInformationProcess (ProcessDebugPort)
  Returns true if a debugger is present

NtQueryInformationProcess()
  Can be called with ProcessDebugPort class
  Returns EPROCESS->DebugPort value
  Non-zero if a debugger is present
  Used by MSLRH


Anti-debugging (cont.)

Debug objects
  Another use for NtQueryInformationProcess()
  Introduced in Windows XP
  Can be called with ProcessDebugObjectHandle class
  Returns non-zero if a debugger is present
  Used by HyperUnpackMe2

More debug objects
  Yet another use for NtQueryInformationProcess()
  Also introduced in Windows XP
  Can be called with ProcessDebugFlags class
  Returns inverse of EPROCESS->NoDebugInherit bit
  Returns zero if a debugger is present
  Used by HyperUnpackMe2


Anti-debugging (cont.)

Kernel debugger
  Final use for NtQueryInformationProcess()
  Can be called with SystemKernelDebuggerInformation class
  Not supported by any version of Windows(?)
  Returns non-zero in AH register if a debugger is present
  Used by SafeDisc

NtQueryObject()
  Supported since Windows NT
  Extended in Windows XP to include debug object
  Request all objects
  Search for "DebugObject"
  Check associated handle count
  Non-zero if a debugger is present


Anti-debugging (cont.)

Thread hiding
  NtSetInformationThread() method
  Introduced in Windows 2000
  Can be called with HideThreadFromDebugger class
  Debugger receives no further events for that thread
  Used by HyperUnpackMe2

OpenProcess()
  Csrss.exe process can be opened
  If debug privilege is obtained first
  Even though it's a system process
  Process can be opened with full access rights
  Allows thread injection and system-wide DoS


Anti-debugging (cont.)

CloseHandle()
  Different behaviour if debugger is present
  Kernel raises EXCEPTION_INVALID_HANDLE
  For invalid handle if debugger is present
  Exception can be intercepted by debugged process

OutputDebugString()
  Different behaviour if debugger is present
  Kernel clears thread error code
  If debugger is present

ReadFile()
  Indirect breakpoint removal
  Read data from file over location of breakpoint


Anti-debugging (cont.)

WriteProcessMemory()
  Alternative breakpoint removal
  Write data from memory over location of breakpoint
  Used by NsAnti

UnhandledExceptionFilter()
  Called as last resort if no other handlers succeed
  Not called if a debugger is present
  Exception is passed to debugger instead

BlockInput()
  Blocks mouse and keyboard events
  Used by Yoda's Protector


Anti-debugging (cont.)

SuspendThread()
  Can be used on remote processes
  Such as debuggers
  Used by Yoda's Protector

Guard pages
  Certain debuggers might not support them properly
  Access should cause EXCEPTION_GUARD_PAGE
  OllyDbg uses guard pages for memory breakpoints
  Consumes breakpoint and allows execution
  Used by PC Guard


Anti-debugging (cont.)

Alternative desktop
  Sessions support multiple desktops
  A new desktop can be created and made active
  No obvious way to switch back
  Used by HyperUnpackMe2

Prefetch queue
  Queue is not flushed when rep instruction is used
  Allows for some old self-overwriting tricks
  Two known variations of the trick
  One is used by Invius
  The other is used by Obsidium


Anti-debugging (cont.)

Hardware breakpoints
  Exception handler receives context structure
  Structure contains all CPU debug registers
  Non-zero values suggest presence of debugger
  Handler can also remove breakpoints and resume

Instruction counting
  Handler can insert own hardware breakpoints
  Then count number of exceptions that occur
  Debugger might skip some breakpoints

Execution timing
  Single-stepping through code takes a long time
  Delay can be detected
  Several time sources available
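Worked example, added here and not part of Ferrie's slides: the debug-register view that the "Hardware breakpoints" and "Instruction counting" bullets rely on. A debugger, or an emulator that wants to model one faithfully, has to encode a breakpoint into DR0..DR3 and DR7 exactly as the CPU defines it, and a handler that inspects the context decodes the same fields. The `debug_regs` struct is a constructed stand-in for the Dr0..Dr7 members of a Windows CONTEXT so the code builds on any platform; the DR7 bit layout (local/global enable bits 2i and 2i+1, R/W and LEN nibbles at bit 16+4i) is the Intel-documented one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Dr0..Dr7 members of a Windows CONTEXT.
 * DR6 is the status register; only DR7 is decoded here. */
typedef struct { uint32_t dr0, dr1, dr2, dr3, dr6, dr7; } debug_regs;

/* One decoded slot. rw: 0 = execute, 1 = write, 3 = read/write (2 = I/O, unused here). */
typedef struct { int enabled; int rw; int len; uint32_t addr; } hw_bp;

static uint32_t *slot_ptr(debug_regs *r, int i) {
    uint32_t *slots[4] = { &r->dr0, &r->dr1, &r->dr2, &r->dr3 };
    return slots[i];
}

/* Encode a breakpoint into slot i: address in DRi, R/W and LEN nibble at DR7
 * bits 16+4i, local-enable at bit 2i. Returns 0 on success, -1 on a bad argument. */
int set_hw_bp(debug_regs *r, int i, uint32_t addr, int rw, int len) {
    static const uint32_t len_enc[9] = { 0, 0, 1, 0, 3, 0, 0, 0, 2 }; /* bytes -> LEN bits */
    if (i < 0 || i > 3 || rw < 0 || rw > 3) return -1;
    if (len != 1 && len != 2 && len != 4 && len != 8) return -1;
    if (rw == 0 && len != 1) return -1;   /* execute breakpoints must use LEN = 00 */
    *slot_ptr(r, i) = addr;
    r->dr7 &= ~(0xFu << (16 + 4 * i));
    r->dr7 |= ((uint32_t)rw | (len_enc[len] << 2)) << (16 + 4 * i);
    r->dr7 |= 1u << (2 * i);
    return 0;
}

/* Decode slot i from the context, as a handler inspecting CONTEXT.Dr* would. */
hw_bp decode_hw_bp(const debug_regs *r, int i) {
    static const int len_dec[4] = { 1, 2, 8, 4 };
    const uint32_t addrs[4] = { r->dr0, r->dr1, r->dr2, r->dr3 };
    hw_bp b;
    b.enabled = ((r->dr7 >> (2 * i)) & 3u) != 0;   /* local or global enable */
    b.rw      = (int)((r->dr7 >> (16 + 4 * i)) & 3u);
    b.len     = len_dec[(r->dr7 >> (18 + 4 * i)) & 3u];
    b.addr    = addrs[i];
    return b;
}

/* Number of enabled slots: what the "instruction counting" variant has to know
 * when it counts the exceptions its own breakpoints are expected to raise. */
int hw_breakpoints_enabled(const debug_regs *r) {
    int n = 0;
    for (int i = 0; i < 4; i++) n += decode_hw_bp(r, i).enabled;
    return n;
}

/* The slide's heuristic: a non-zero address slot or an enabled breakpoint in the
 * context suggests that a debugger set them. */
int debug_regs_suggest_debugger(const debug_regs *r) {
    return (r->dr0 | r->dr1 | r->dr2 | r->dr3) != 0 || hw_breakpoints_enabled(r) != 0;
}

int main(void) {
    debug_regs ctx = { 0, 0, 0, 0, 0, 0 };
    printf("clean context suggests debugger: %d\n", debug_regs_suggest_debugger(&ctx));
    set_hw_bp(&ctx, 1, 0x00401000u, 1, 4);   /* constructed: 4-byte write watch in slot 1 */
    hw_bp b = decode_hw_bp(&ctx, 1);
    printf("DR7=%#010x slot1: enabled=%d rw=%d len=%d addr=%#x\n",
           (unsigned)ctx.dr7, b.enabled, b.rw, b.len, (unsigned)b.addr);
    printf("enabled slots: %d, suggests debugger: %d\n",
           hw_breakpoints_enabled(&ctx), debug_regs_suggest_debugger(&ctx));
    return 0;
}
```

An emulator that gets the LEN encoding wrong (the 8-byte code is 10b, not 11b) or ignores the global-enable bits is exactly the kind that "might skip some breakpoints" and so fails the instruction-counting check.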


Anti-debugging (cont.)

Exceptions
  Obfuscated method to move EIP around
  Infinite variety of possible implementations

Header entrypoint
  Some debuggers don't use VirtualProtectEx()
  So header remains write-protected
  Cannot set initial breakpoint
  Code runs freely

Parent process
  Should be shell process if launched by clicking
  Usually Explorer.exe, unless debugger is involved
  Used by Yoda's Protector


Anti-debugging (cont.)

Self-execution
  Simple method to escape from debugger
  Synchronisation object prevents infinite executions
  Used by MSLRH

Process name
  Process names can be enumerated
  Names can be compared to "watch list"
  List commonly includes anti-malware software


Anti-debugging (cont.)

Threads
  Multiple threads are hard to trace
  Some anti-malware emulators don't support them
  One thread is often devoted to debugger detection
  Can also be used to detect code changes
  Used by PE-Crypt32

Self-debugging
  Effective anti-debugging method
  Only one debugger can attach to a process
  Defeated by zeroing EPROCESS->DebugPort
  Or by calling DebugActiveProcessStop() on Windows XP
  Used by Armadillo


Anti-debugging (cont.)

Disassembly
  Can be used to steal instructions
  Safer method to detect breakpoints
  Can also be used to detect detours
  Problematic if routine is hot-patched
  Since that will be a detour

TLS callback
  Relatively little-known method to execute code
  Code executes before main entrypoint
  Also executes before inserted breakpoint
  Debuggers typically don't handle it
  Used by ExeCryptor


Anti-debugging (cont.)

Device names
  A way to communicate with drivers
  Also a way to detect presence of drivers
  List of names often targets SoftICE, RegMon and FileMon

SoftICE-specific
  Driver names can be enumerated
  Version information can be queried
  Product and copyright strings can be compared to "watch list"
  Harder to change than renaming the driver
  List of strings is usually SoftICE-related


Anti-debugging (cont.)

SoftICE-specific (cont.)
  Interrupt 1 is normally not invokable from ring 3
  SoftICE hooks interrupt 1 and allows ring 3 access
  So the wrong exception occurs when SoftICE is running
  Used by SafeDisc

OllyDbg-specific
  Cannot handle unusual NumberOfRvaAndSizes value
  Some unchecked fields allow memory allocation DoS
  Initial ESI register value is -1 on Windows XP
  Looks like a detection method
  It's just a coincidence


Anti-debugging (cont.)

OllyDbg-specific (cont.)
  Passes user-defined data directly to _vsprintf()
  Leads to DoS condition
  Debugger window can be found by calling FindWindow("OLLYDBG")

HideDebugger-specific
  Plug-in for OllyDbg
  Detectable by far jump at OpenProcess()+6

ImmunityDebugger-specific
  Based on OllyDbg
  Shares many of the same vulnerabilities

WinDbg-specific
  Debugger window can be found by calling FindWindow("WinDbgFrameClass")


Anti-emulating

Interrupt 3
  Size of instruction is not checked
  Using "cd 03" instead of "cc" instruction -> EIP points to "03"
  Prefixed "cc" instruction works, too
  Except perhaps in some emulators
  Used by TryGames

Time-locks
  Effective anti-emulation technique
  Causes all iterations to be consumed before anything happens
  Some loops can be skipped arbitrarily
  Some loops cannot (results might be used for decryption keys)
  Used by Tibs
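Worked example, added here and not part of Ferrie's slides: the instruction-length point behind the "Interrupt 3" bullets, written from the emulator author's side. On real hardware the EIP pushed for a #BP trap is the address of the next instruction, so `cc` yields pc+1, `cd 03` yields pc+2, and a prefixed `cc` yields the address after the prefix and the `cc`. An emulator that assumes every breakpoint trap came from a one-byte `cc` (modelled here as `naive_trap_eip`, an assumption of this example) resumes inside the `03` byte and diverges from hardware. The three code fragments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 legacy prefixes that may legally precede a one-byte opcode. */
static int is_legacy_prefix(uint8_t b) {
    switch (b) {
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
        return 1;
    default:
        return 0;
    }
}

/* Length of the breakpoint instruction starting at code[0], or 0 if there is none.
 * Handles: CC; CD 03; either of those behind any run of legacy prefixes. */
size_t int3_instruction_length(const uint8_t *code, size_t len) {
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i])) i++;
    if (i < len && code[i] == 0xCC) return i + 1;
    if (i + 1 < len && code[i] == 0xCD && code[i + 1] == 0x03) return i + 2;
    return 0;
}

/* EIP the CPU reports for the #BP trap: the address of the following instruction.
 * Returns pc unchanged when the bytes are not a breakpoint at all. */
uint32_t correct_trap_eip(uint32_t pc, const uint8_t *code, size_t len) {
    size_t n = int3_instruction_length(code, len);
    return n ? pc + (uint32_t)n : pc;
}

/* The shortcut the slide describes: "int 3 is always CC, so EIP = pc + 1". */
uint32_t naive_trap_eip(uint32_t pc) { return pc + 1; }

/* Non-zero when the naive emulator resumes somewhere other than real hardware,
 * i.e. when the sample's exception handler would observe a different EIP. */
int emulator_would_diverge(uint32_t pc, const uint8_t *code, size_t len) {
    return int3_instruction_length(code, len) != 0 &&
           naive_trap_eip(pc) != correct_trap_eip(pc, code, len);
}

/* Constructed code fragments: a breakpoint spelled three ways, each followed by a nop. */
const uint8_t code_cc[]   = { 0xCC, 0x90 };         /* int3 ; nop   */
const uint8_t code_cd03[] = { 0xCD, 0x03, 0x90 };   /* int 3 ; nop  */
const uint8_t code_66cc[] = { 0x66, 0xCC, 0x90 };   /* 66 int3 ; nop */

static void report(const char *name, const uint8_t *code, size_t len) {
    const uint32_t pc = 0x00401000u;   /* constructed address of the breakpoint */
    printf("%-6s length=%zu hardware EIP=%#x naive EIP=%#x diverge=%d\n", name,
           int3_instruction_length(code, len), (unsigned)correct_trap_eip(pc, code, len),
           (unsigned)naive_trap_eip(pc), emulator_would_diverge(pc, code, len));
}

int main(void) {
    report("cc",   code_cc,   sizeof code_cc);
    report("cd03", code_cd03, sizeof code_cd03);
    report("66cc", code_66cc, sizeof code_66cc);
    return 0;
}
```

The fix for an emulator is not special-casing these three spellings but decoding the faulting instruction with the same length decoder it uses for everything else, which is what `int3_instruction_length` stands in for here.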


Anti-emulating (cont.)

Invalid API parameters
  Some emulators do not support invalid parameters in APIs
  An expected error code can be used for decryption keys
  No error code means no decryption
  Used by Tibs

GetProcAddress
  There are too many possible APIs for emulators to handle
  So some emulators always return a value for GetProcAddress()
  Sometimes GetProcAddress() should return 0
  A non-zero value reveals the emulator
  Used by NsAnti


Anti-emulating (cont.)

"Modern" CPU instructions Some emulators do not handle modern CPU instructions Some malware use FPU and MMX as do-nothing instructions Emulators might give up early as a result Used by NsAnti

Undocumented instructions Some emulators do not handle undocumented CPU instructions Some instructions more undocumented than others Example: multi-byte NOP Example: fully allocated PREFETCH


Anti-emulating (cont.)

Selector verification
  Some emulators pretend to be Windows NT-based
  While using Windows 9x-based selector values
  A CS selector value larger than 0xff reveals this
  Used by MSLRH

Memory layout
  Certain in-memory structures are at predictable memory locations
  Example: RTL_USER_PROCESS_PARAMETERS at 0x20000
  If they are missing, the program might not run
  Used by TryGames


Anti-emulating (cont.)

File-format tricks
  Non-aligned SizeOfImage
    Windows will silently round up the value
  Overlapping structures
    Tools such as IDA have a problem with this
  Non-standard NumberOfRvaAndSizes
    SoftICE and OllyDbg have a problem with this
  Non-aligned SizeOfRawData
    Windows will silently round up the value
  Non-aligned PointerToRawData
    Windows will silently round down the value
  No section table
    Allowed when SectionAlignment is less than 4kb
    Header becomes writable and executable
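Worked example, added here and not part of Ferrie's slides: a header sanity pass of the kind a dumper or scanner can run before trusting the PE fields, applying the rounding rules the "File-format tricks" slide lists (SizeOfImage and SizeOfRawData rounded up, PointerToRawData rounded down) and flagging the cases a tool may mishandle: a non-standard NumberOfRvaAndSizes, a missing section table with SectionAlignment below 4 KB, and, from the "TLS callback" slide, a TLS directory that runs code before the entrypoint. The field offsets are those of the documented PE32 layout. The three images it inspects are constructed in memory by `build_sample`, which is this example's own helper, not anything from the slides; the anomaly flag names and the `pe_report` type are likewise this example's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    PE_UNALIGNED_SIZE_OF_IMAGE = 1 << 0,  /* Windows rounds up to SectionAlignment */
    PE_NONSTANDARD_DIR_COUNT   = 1 << 1,  /* NumberOfRvaAndSizes != 16 */
    PE_UNALIGNED_RAW_SIZE      = 1 << 2,  /* Windows rounds SizeOfRawData up */
    PE_UNALIGNED_RAW_PTR       = 1 << 3,  /* Windows rounds PointerToRawData down */
    PE_NO_SECTION_TABLE        = 1 << 4,
    PE_SMALL_SECTION_ALIGN     = 1 << 5,  /* < 4 KB: header becomes writable and executable */
    PE_HAS_TLS_CALLBACKS       = 1 << 6,  /* TLS directory present: code before entrypoint */
    PE_MALFORMED               = 1 << 7   /* not a PE32 image this pass can read */
};

typedef struct {
    unsigned flags;
    uint32_t effective_size_of_image;                 /* after the loader's round-up */
    uint32_t effective_raw_ptr, effective_raw_size;   /* first section, after rounding */
} pe_report;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint32_t round_up(uint32_t v, uint32_t a)   { return a ? ((v + a - 1) / a) * a : v; }
static uint32_t round_down(uint32_t v, uint32_t a) { return a ? (v / a) * a : v; }

pe_report pe_inspect(const uint8_t *img, size_t len) {
    pe_report r = { 0, 0, 0, 0 };
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) { r.flags = PE_MALFORMED; return r; }
    uint32_t nt = rd32(img + 0x3C);                       /* e_lfanew */
    if (nt + 24 + 96 > len || memcmp(img + nt, "PE\0\0", 4) != 0) { r.flags = PE_MALFORMED; return r; }
    const uint8_t *fh = img + nt + 4, *opt = img + nt + 24;
    uint16_t nsec = rd16(fh + 2), optsize = rd16(fh + 16);
    if (rd16(opt) != 0x10B) { r.flags = PE_MALFORMED; return r; }   /* PE32 only */
    uint32_t sect_align = rd32(opt + 32), file_align = rd32(opt + 36);
    uint32_t size_of_image = rd32(opt + 56), ndirs = rd32(opt + 92);

    r.effective_size_of_image = round_up(size_of_image, sect_align);
    if (r.effective_size_of_image != size_of_image) r.flags |= PE_UNALIGNED_SIZE_OF_IMAGE;
    if (ndirs != 16) r.flags |= PE_NONSTANDARD_DIR_COUNT;
    if (sect_align < 0x1000) r.flags |= PE_SMALL_SECTION_ALIGN;
    /* The loader never reads more than 16 directories whatever the count claims. */
    uint32_t usable = ndirs < 16 ? ndirs : 16;
    if (usable > 9 && nt + 24 + 96 + 10 * 8 <= len && rd32(opt + 96 + 9 * 8) != 0)
        r.flags |= PE_HAS_TLS_CALLBACKS;                  /* directory 9 = TLS */
    if (nsec == 0) { r.flags |= PE_NO_SECTION_TABLE; return r; }
    const uint8_t *sec = opt + optsize;
    if ((size_t)(sec - img) + 40 > len) { r.flags |= PE_MALFORMED; return r; }
    uint32_t raw_size = rd32(sec + 16), raw_ptr = rd32(sec + 20);
    r.effective_raw_size = round_up(raw_size, file_align);
    r.effective_raw_ptr  = round_down(raw_ptr, file_align);
    if (r.effective_raw_size != raw_size) r.flags |= PE_UNALIGNED_RAW_SIZE;
    if (r.effective_raw_ptr != raw_ptr)   r.flags |= PE_UNALIGNED_RAW_PTR;
    return r;
}

/* Constructed sample images (this example's helper). variant 0: well-formed;
 * 1: small SectionAlignment, odd SizeOfImage, 20 directories, a TLS directory and
 * no sections; 2: one section with mis-aligned raw offset and size. */
static uint8_t g_img[0x400];
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
size_t sample_len(void) { return sizeof g_img; }

const uint8_t *build_sample(int variant) {
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, "MZ", 2); wr32(g_img + 0x3C, 0x40);
    uint8_t *nt = g_img + 0x40; memcpy(nt, "PE\0\0", 4);
    uint8_t *fh = nt + 4, *opt = nt + 24;
    wr16(fh, 0x14C); wr16(fh + 2, variant == 1 ? 0 : 1); wr16(fh + 16, 224);
    wr16(opt, 0x10B);
    wr32(opt + 32, variant == 1 ? 0x200 : 0x1000);    /* SectionAlignment */
    wr32(opt + 36, 0x200);                            /* FileAlignment */
    wr32(opt + 56, variant == 1 ? 0x1234 : 0x2000);   /* SizeOfImage */
    wr32(opt + 60, 0x200);                            /* SizeOfHeaders */
    wr32(opt + 92, variant == 1 ? 20 : 16);           /* NumberOfRvaAndSizes */
    if (variant == 1) { wr32(opt + 96 + 9 * 8, 0x1100); wr32(opt + 96 + 9 * 8 + 4, 24); }
    uint8_t *sec = opt + 224;
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x1000);    /* VirtualSize, VirtualAddress */
    wr32(sec + 16, variant == 2 ? 0x1FF : 0x200);     /* SizeOfRawData */
    wr32(sec + 20, variant == 2 ? 0x3FF : 0x200);     /* PointerToRawData */
    return g_img;
}

int main(void) {
    for (int v = 0; v < 3; v++) {
        pe_report r = pe_inspect(build_sample(v), sample_len());
        printf("variant %d: flags=%#04x SizeOfImage->%#x raw ptr->%#x raw size->%#x\n", v,
               r.flags, (unsigned)r.effective_size_of_image,
               (unsigned)r.effective_raw_ptr, (unsigned)r.effective_raw_size);
    }
    return 0;
}
```

A dumper that copies `effective_size_of_image` bytes, and a parser that reads raw data from `effective_raw_ptr`, agree with what the loader actually mapped; one that takes the header fields at face value is the one the tricks are aimed at.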


Anti-intercepting

Write->Exec
  Some interceptors watch for write-then-exec
  Executing dummy just-written instruction can fool them
  Used by ASPack, but probably for multi-processor support

Write^Exec
  Some interceptors prevent write and exec on the same page
  Change can be detected indirectly
  Kernel functions return error when writing to read-only pages
  VirtualQuery() and VirtualProtect() return old page attributes


Thank you

More techniques in the paper
http://pferrie.tripod.com
Questions?
