
Thread: Malware that tampers with debugger?

  1. #1
    nxa
    Guest

    Question Malware that tampers with debugger?

    Hi,

    Is anybody aware of malware that, when it detects it is being debugged, tampers with the debugger (makes it function incorrectly) or even kills it?

    Thanks,
    N
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    How about you first attempt to help yourself? Perhaps something obvious, such as putting:

    Malware that tampers with debugger

    and/or

    Malware tampers with debugger

    in your favorite search engine and reading what you find. If you have actually attempted to find the answer to your own question, as the FAQ requires, how would we know?

    Regards,
    JMI

  3. #3
    nxa
    Guest
    hi JMI,

    Yes, I did a lot of searching before looking for help here. All the searches return useless information that is not related to what I am looking for.

    Actually I am aware of some malware exploiting bugs (format strings, for example) in specific debuggers to crash them. But I am looking for malware that directly attacks the debugger once it detects it, without needing any exploit.

    Sorry if the question was not clear initially.

    Thanks,
    N
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Outside of debugger and tracer.
    Code:
    ; MASM32 listing, 32-bit flat model. These directives are order-dependent
    ; (.686 must precede .model).
    	.686
    	.model flat, stdcall
    	option casemap :none
    	
    	include \masm32\include\ntdll.inc	; presumably supplies TEB/PEB/CONTEXT layouts and the Zw* prototypes used below
    .code
    ; OS_VERSION_ID_* are the indices into the per-version service-number
    ; tables that SystemCall reads (word index into the three packed dwords,
    ; byte index into the NtContinue list). They must stay consecutive from
    ; 0 because QueryVersion produces them by incrementing ecx.
    OS_VERSION_ID_2000	equ 0
    OS_VERSION_ID_XP	equ 1
    OS_VERSION_ID_2003	equ 2
    OS_VERSION_ID_VISTA	equ 3
    OS_VERSION_ID_7	equ 4
    
    ; +
    ; QueryVersion -- classify the running NT version from the PEB.
    ; In:    nothing; reads fs:[TEB.Peb]->NtMajorVersion / NtMinorVersion
    ;        directly instead of calling a version API.
    ; Out:   ecx = OS_VERSION_ID_* on success, 0 on an unrecognised version
    ;        ZF  = 1 on success, 0 on failure (callers use .if Zero? / jnz)
    ; Keeps: eax, edx (pushed/popped). Clobbers ecx and flags.
    ; Recognises only 5.0 / 5.1 / 5.2 and 6.0 / 6.1; anything else takes
    ; the error path.
    QueryVersion proc C
    	push eax
    	push edx
    	assume fs:nothing
    	mov ecx,fs:[TEB.Peb]	; ecx = PEB
    	assume ecx:PPEB
    	mov eax,[ecx].NtMajorVersion
    	mov edx,[ecx].NtMinorVersion
    	cmp eax,5
    	je v_5_x_
    	cmp eax,6
    	jne err_ver_	; taken with ZF=0, which the error path relies on
    ; 6.X
    	test edx,edx
    	mov ecx,OS_VERSION_ID_VISTA	; mov does not disturb the ZF from test
    	jz end_ver_	; 6.0
    	inc ecx		; OS_VERSION_ID_7
    	dec edx
    	jz end_ver_	; 6.1
    	jmp err_ver_	; arrives with ZF=0 (the jz above fell through)
    v_5_x_:
    	xor ecx,ecx	; OS_VERSION_ID_2000
    	test edx,edx
    	jz end_ver_	; 5.0
    	inc ecx		; OS_VERSION_ID_XP
    	dec edx
    	jz end_ver_	; 5.1
    	inc ecx		; OS_VERSION_ID_2003
    	dec edx
    	jz end_ver_	; 5.2; falls through with ZF=0
    err_ver_:
    	mov ecx,0	; deliberately mov, not xor: every path into here has ZF=0
    			; and the caller reads ZF as the success indicator
    end_ver_:
    	pop edx
    	pop eax
    	ret
    QueryVersion endp
    
    ; +
    ; SystemCall -- invoke a native service by number through int 2Eh, from
    ; a register context installed with NtContinue, without touching the
    ; ntdll stub. The caller pushes the parameters (right to left), then
    ; NumberParameters, then three dwords holding five 16-bit service
    ; numbers indexed by OS_VERSION_ID_* (see $SYSCALL / OutsideOfDebugger).
    ; Out:   eax = NTSTATUS of the service; esp is left just past the last
    ;        parameter; control returns to Return1 + 1, so the caller must
    ;        place a one-byte instruction (nop in this listing) directly
    ;        after "Call SystemCall". Clobbers ecx, edx, flags.
    ; Side effect: the thread's Dr7 is set to 0 and TF is cleared by the
    ; NtContinue below (CONTEXT_DEBUG_REGISTERS is included in ContextFlags).
    ; Analyst note: hooks on the ntdll Nt*/Zw* stubs never see these calls,
    ; since the number is hard-coded and the stub is not used.
    SystemCall proc C
    ; [Esp]:   (offsets from the saved-eax slot that ServiceExit pushes;
    ;           on entry esp points at Return1)
    ; + 00 Eax
    ; + 04 Return1 <- Esp
    ; + 08 ServiceList1
    ; + 0C ServiceList2
    ; + 10 ServiceList3
    ; + 14 NumberParameters
    ; + 18 Return2
    ; + 1C Parameter1
    ; + 20 ParameterN <- Return
    ; + XX ...
    ; NOTE(review): the Return2 row does not match the push sequence in
    ; OutsideOfDebugger, which places Parameter1 at +18 with no slot in
    ; between; the offsets used below (lea edx,[esp+14H] and the ServiceExit
    ; arithmetic) agree with the OutsideOfDebugger layout, not with this row.
    	Call QueryVersion	; ecx = OS_VERSION_ID_*, ZF = version recognised
    	.if Zero?
    	lea edx,[esp + 14H]	; edx -> Parameter1 (int 2Eh takes the argument pointer in edx)
    	movzx eax,word ptr [esp + ecx*2 + 4]	; eax = 16-bit service number for this version
    	.else
    	mov eax,esp	; unknown version: eax is not a valid service number on this path
    	.endif
    	mov ecx,esp	; ecx = entry esp, becomes the CONTEXT's Esp
    	sub esp,300H	; sizeof(CONTEXT)	-- the CONTEXT is built in place at [esp]
    	assume ecx:PCONTEXT
    	mov CONTEXT.ContextFlags[esp],CONTEXT_CONTROL or CONTEXT_INTEGER or CONTEXT_DEBUG_REGISTERS
    	mov CONTEXT.regEsp[esp],ecx
    	mov CONTEXT.regEFlags[esp],EFLAGS_IF or 2	; IF only: the trap flag (single-step) is not set
    	mov word ptr CONTEXT.regSegSs[esp],ss
    	mov word ptr CONTEXT.regSegCs[esp],cs
    	mov CONTEXT.regDr7[esp],0	; with CONTEXT_DEBUG_REGISTERS: hardware breakpoints are disabled on continue
    	mov CONTEXT.regEbp[esp],ebp
    	mov CONTEXT.regEax[esp],Eax	; service number (eax) and argument pointer (edx) survive the continue
    	mov CONTEXT.regEdx[esp],Edx
    	mov CONTEXT.regEbx[esp],Ebx
    	mov CONTEXT.regEsi[esp],esi
    	mov CONTEXT.regEdi[esp],edi
    	Call GetGraphEntry	; ecx = address of CallService (see GetGraphReturn)
    	mov CONTEXT.regEip[esp],ecx	; execution resumes at CallService
    	push FALSE	; NtContinue(Context, TestAlert = FALSE)
    	push esp	; patched below so it points at the CONTEXT
    	push dword ptr 3CH	; Aligned.	-- also read as the 5th NtContinue number (index 4) by the movzx below
    	add dword ptr [esp + 4],4	; fix up the pushed esp (it was taken after "push FALSE")
    	push 3722201CH	; NtContinue numbers, one byte per OS_VERSION_ID_* (indices 0..3)
    	Call QueryVersion
    	jnz @f
    	lea edx,[esp + 8]	; edx -> (Context, FALSE)
    	movzx eax,byte ptr [esp + ecx]	; byte index by version; ecx = 4 lands on the 3CH dword above
    	Int 2EH	; NtContinue via the interrupt gate; does not return on success
    	DB 0CCH	; Int3	-- reached only if NtContinue failed
    @@:	
    	add esp,308H	; NOTE(review): 310H was consumed (300H + 4 pushes); esp ends 8 below entry on this path -- confirm
    	jmp CallService
    GetGraphEntry:
    	Call GetGraphReturn	; pushes the address of CallService
    CallService:
    	Int 2EH	; the actual service: eax = number, edx -> parameters
    ServiceExit:
    	push eax	; save NTSTATUS; stack now matches the [Esp] table above
    	mov eax,dword ptr [esp + 14H]	; eax = NumberParameters
    	push dword ptr [esp + 4]	; push Return1
    	lea eax,[eax*4 + esp + 18H]	; eax -> the last parameter slot
    	pop dword ptr [eax]	; copy Return1 into that slot
    	mov dword ptr [esp + 4],eax	; Return1 slot now holds the new esp
    	pop eax	; eax = NTSTATUS again
    	pop esp	; esp -> last parameter (holding Return1)
    	inc dword ptr [esp]	; return to Return1 + 1, skipping the caller's one-byte instruction
    	ret	; also leaves esp just past the last parameter
    GetGraphReturn:
    	pop ecx	; ecx = return address pushed by "Call GetGraphReturn" (= CallService)
    	ret	; back to the instruction after "Call GetGraphEntry"
    SystemCall endp
    
    ; $SYSCALL -- build a SystemCall frame: up to ten parameters pushed right
    ; to left (absent ones skipped), then NumberParameters, then the three
    ; packed service-number dwords VT3, VT2, VT1, and call SystemCall.
    ; The instruction after the macro must be one byte long (a nop), because
    ; SystemCall returns to the address after the call plus one.
    ; Not used in this listing: OutsideOfDebugger pushes the same frame by hand.
    $SYSCALL macro VT1:REQ, VT2:REQ, VT3:REQ, NumberParameters:REQ, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10
    	FOR Arg, <p10,p9,p8,p7,p6,p5,p4,p3,p2,p1>
    	IFNB <Arg>	; skip blank (absent) parameters
    	push Arg
    	ENDIF
    	ENDM
    	push NumberParameters
    	push VT3
    	push VT2
    	push VT1
    	Call SystemCall
    endm
    
    ProcessDebugObjectHandle	equ 30	; PROCESSINFOCLASS 0x1E, queried by OutsideOfDebugger
    
    STATUS_PORT_NOT_SET	equ 0C0000353H	; not referenced anywhere in this listing
    
    ; OutsideOfDebugger -- if a debug object is attached to this process,
    ; detach it. Sequence: NtQueryInformationProcess(ProcessDebugObjectHandle);
    ; on STATUS_SUCCESS the returned handle is passed to NtRemoveProcessDebug
    ; and then NtClose. Every call goes through SystemCall with three packed
    ; per-version service-number dwords (word index = OS_VERSION_ID_*).
    ; Out:   eax = status of the query when it failed, otherwise the status
    ;        of NtRemoveProcessDebug. Clobbers ecx, edx, flags.
    ; Returns to the caller's return address + 1 (the nop after "invoke").
    ; Analyst note: the observable symptom is a debugger that is detached
    ; without having asked for it; no user-mode API hook sees these calls.
    OutsideOfDebugger proc C
    	push esp	; reserve the HANDLE output slot (the pushed value is irrelevant)
    	mov eax,esp	; eax -> that slot
    	push NULL	; ReturnLength
    	push sizeof(HANDLE)	; ProcessInformationLength
    	push eax	; ProcessInformation
    	push ProcessDebugObjectHandle		; 0x1E	ProcessInformationClass
    	push NtCurrentProcess	; ProcessHandle
    	push 5	; NumberParameters
    	push 000000EAH	; ServiceList3
    	push 00E400A1H	; ServiceList2
    	push 009A0086H	; ServiceList1
    	Call SystemCall	; NtQueryInformationProcess(ProcessDebugObjectHandle)
    	nop	; skipped: SystemCall returns to the address after the call + 1
    	test eax,eax	; eax == 0 (STATUS_SUCCESS): presumably a debug object handle came back
    	jnz @f
    	push dword ptr [esp]	; DebugObjectHandle (esp -> the slot reserved above)
    	push NtCurrentProcess
    	push 2	; NumberParameters
    	push 00000121H
    	push 010A00C7H
    	push 00BFFFFFH
    	Call SystemCall	; NtRemoveProcessDebug
    	nop	; skipped (see above)
    	push eax	; keep NtRemoveProcessDebug's status across NtClose
    	push dword ptr [esp + 4]	; DebugObjectHandle
    	push 1	; NumberParameters
    	push 00000032H
    	push 0030001BH
    	push 00190018H
    	Call SystemCall	; NtClose
    	nop	; skipped (see above)
    	pop eax	; eax = NtRemoveProcessDebug status
    @@:
    	add esp,sizeof(HANDLE)	; drop the handle slot; esp -> return address
    	   inc dword ptr [esp]	; test.	-- same return+1 trick as SystemCall: the caller's nop is skipped
    	ret
    OutsideOfDebugger endp
    
    ; Entry -- program entry point: detach any attached debugger, then raise
    ; a hard error with STATUS_SUCCESS and the Ok/Cancel option.
    ; NOTE(review): presumably this shows the hard-error dialog as the
    ; program's only visible output; Response receives the chosen option.
    Entry proc
    Local Response:ULONG
    	invoke OutsideOfDebugger
    	nop	; skipped: OutsideOfDebugger increments its return address before ret
    	invoke ZwRaiseHardError, STATUS_SUCCESS, 1, 0, 0, OptionOkCancel, addr Response
    	ret
    Entry endp
    end Entry
