
Thread: AntiUnpacking Tricks of Malware

  1. #1
    Kayaker

    AntiUnpacking Tricks of Malware

    AntiRE en Masse
    Investigating Ferrie’s Documented AntiUnpacking Tricks in the World’s Worst Mal‐Families

    http://www.virusbtn.com/pdf/conference_slides/2009/Baumgartner-VB2009.pdf

    You remember Peter Ferrie’s AntiUnpacking Tricks 7-part series don't you? (actually, I see there's a part 8 now, hopefully made public soon)

    http://pferrie.tripod.com/

  2. #2
    Peter's articles are a must read for anyone involved in unpacking. Absolutely love them.

  3. #3
    • Int 0x2e calls with invalid eax/edx parameters
    Simple old ways. In addition, the author fails to understand the mechanisms that are described.
    The most effective way of anti-debugging was recently discussed:
    Code:
    ; +
    ; Save context.
    ; o Eax: ID of NtUserEnumDisplayMonitors.
    ; o Esi: return address.
    ; o Edi: reference to the stack.
    ;
    TsSave proc C
    	xor ecx,ecx
    	push esp	; Parameter for the callback - a reference to the stack so it can be restored.
    	Call @f	; Reference to the callback (its return address is the callback entry).
    ; Callback.
    ; typedef BOOL (CALLBACK* MONITORENUMPROC)(HMONITOR, HDC, LPRECT, LPARAM);
    	mov esp,dword ptr [esp + 4*4]	; Restore the stack; the reference used for the restore was passed as a parameter.
    	xor eax,eax
    	retn
    @@:
    	push ecx
    	push ecx
    	mov edx,esp
    ; BOOL
    ; NtUserEnumDisplayMonitors(
    ;     IN HDC             hdc,
    ;     IN LPCRECT         lprcClip,
    ;     IN MONITORENUMPROC lpfnEnum,
    ;     IN LPARAM          dwData)
    	Int 2EH	; NtUserEnumDisplayMonitors
    ; When the context is restored, a non-zero value is returned.
    	.if !Eax	; The callback was not invoked because the call/nesting limit (0x2C) was exhausted.
    	add esp,4*4	; Remove the service parameters.
    	retn
    	.else
    	mov esp,edi
    	add eax,3*4	; Reference to the stack as it was when TsLoad was called (for passing parameters).
    	jmp esi
    	.endif
    TsSave endp
    
    ; +
    ; Restore context.
    ;
    TsLoad proc C	; stdcall
    	xor eax,eax
    	mov edx,3*4
    	push eax
    	push eax
    	push esp
    	mov ecx,esp
    	Int 2BH
    	add esp,3*4
    	retn		; On error, returns STATUS_NO_CALLBACK_ACTIVE.
    TsLoad endp
    http://wasm.ru/forum/viewtopic.php?id=37300
    http://indy-vx.narod.ru/Temp/kicb.zip
    It is not possible to debug this without a kernel debugger.
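    The trick above relies on raw `int 2Eh` / `int 2Bh` instructions instead of ntdll stubs, which is exactly the kind of thing a scanner can flag in a sample's code bytes. The following is an added example (not code from this thread or from the linked kicb.zip): a small heuristic that finds direct interrupt-based syscalls in a byte blob and raises confidence when an argument-pointer setup (`mov edx,esp` / `mov ecx,esp`) sits just before them. The sample bytes are hand-assembled by me from the posted TsLoad/TsSave fragments and are constructed input, not taken from any real binary.

```python
# Heuristic scanner for direct NT syscall instructions in x86 code bytes.
# Added example; encodings below are my own hand-assembled constructions.

SYSCALL_VECTORS = {
    0x2E: "int 2Eh (direct NT system service call)",
    0x2B: "int 2Bh (KiCallbackReturn, return from user-mode callback)",
}

# Register setup that typically precedes int 2Eh/2Bh (edx/ecx = pointer to args).
ARG_PTR_SETUP = {
    b"\x8b\xd4": "mov edx,esp",
    b"\x89\xe2": "mov edx,esp",
    b"\x8b\xcc": "mov ecx,esp",
    b"\x89\xe1": "mov ecx,esp",
}

# Constructed input: TsLoad (hand-assembled), the int 2Eh tail of TsSave,
# and a stray CD 2E inside zero padding with no register setup (likely data).
SAMPLE = (
    bytes.fromhex("33C0BA0C000000505054"  # xor eax,eax; mov edx,0Ch; push eax x2; push esp
                  "8BCCCD2B83C40CC3")     # mov ecx,esp; int 2Bh; add esp,0Ch; retn
    + bytes.fromhex("51518BD4CD2E")       # push ecx; push ecx; mov edx,esp; int 2Eh
    + bytes.fromhex("00" * 8 + "CD2E")    # CD 2E with no setup in reach: low confidence
)


def find_direct_syscalls(blob: bytes, window: int = 8) -> list[dict]:
    """Return one record per CD 2E / CD 2B pair found in blob.

    Only the `window` bytes before the interrupt are inspected for an
    argument-pointer setup; byte-pattern matching is not instruction-aligned,
    so treat 'high' as a lead to verify in a disassembler, not as proof.
    """
    hits = []
    for i in range(len(blob) - 1):
        if blob[i] != 0xCD or blob[i + 1] not in SYSCALL_VECTORS:
            continue
        ctx = blob[max(0, i - window):i]
        setup = sorted({name for seq, name in ARG_PTR_SETUP.items() if seq in ctx})
        hits.append({
            "offset": i,
            "vector": blob[i + 1],
            "what": SYSCALL_VECTORS[blob[i + 1]],
            "arg_setup": setup,
            "confidence": "high" if setup else "low",
        })
    return hits


if __name__ == "__main__":
    for h in find_direct_syscalls(SAMPLE):
        print(f"+0x{h['offset']:04x}: {h['what']} [{h['confidence']}] {h['arg_setup']}")
```

    On a real PE you would restrict the scan to executable sections to keep false positives from CD 2E/CD 2B bytes in data down.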

  4. #4
    evaluator
    Some fun... after assembling the given code, NOD quarantined it: " - a variant of Win32/Kryptik.APB trojan"

    PS. on what Win version it works?

  5. #5
    PS. on what Win version it works?
    Should work across the range of x86 NT.

  6. #6
    Kayaker
    Quote Originally Posted by Kayaker
    You remember Peter Ferrie’s AntiUnpacking Tricks 7-part series don't you? (actually, I see there's a part 8 now, hopefully made public soon)
    ANTI-UNPACKER TRICKS – PART EIGHT
    http://pferrie2.tripod.com/papers/unpackers31.pdf
