Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Mastering Reverse Engineering

You're reading from  Mastering Reverse Engineering

Product type Book
Published in Oct 2018
Publisher Packt
ISBN-13 9781788838849
Pages 436 pages
Edition 1st Edition
Languages
Concepts
Author (1):
Reginald Wong Reginald Wong
Profile icon Reginald Wong
LinkedIn
Reginald Wong has been in the software security industry for more than 15 years.Currently, Reggie is a lead anti-malware researcher at Vipre Security, a J2 Global company, covering various security technologies focused on attacks and malware. He previously worked for Trend Micro as the lead for the Heuristics team, dealing with forward-looking malware detection. Aside from his core work, he has also conducted in-house anti-malware training for fresh graduates. He is currently affiliated with CSPCert.ph, Philippines' CERT, and is a reporter for Wildlist.org. He has also been invited to speak at local security events, including Rootcon.
See other products by Reginald Wong

Table of Contents (20) Chapters

Title Page
Copyright and Credits
Packt Upsell
Contributors
Preface
1. Preparing to Reverse 2. Identification and Extraction of Hidden Components 3. The Low-Level Language 4. Static and Dynamic Reversing 5. Tools of the Trade 6. RE in Linux Platforms 7. RE for Windows Platforms 8. Sandboxing - Virtualization as a Component for RE 9. Binary Obfuscation Techniques 10. Packing and Encryption 11. Anti-analysis Tricks 12. Practical Reverse Engineering of a Windows Executable 13. Reversing Various File Types 1. Other Books You May Enjoy Index

Chapter 11. Anti-analysis Tricks

Anti-debugging, anti-virtual-machine (VM), anti-emulation, and anti-dumping are all tricks that attempt to analysis put a halt to an analysis. In this chapter, we will try to show the concepts of these anti-analysis methods. To help us identify these codes, we will explain the concept and show the actual disassembly codes that makes it work. Being able to identify these tricks will help us to avoid them. With initial static analysis, we would be able to skip these codes.

In this chapter, we will achieve the following learning outcomes:

  • Identifying anti-analysis tricks
  • Learning how to overcome anti-analysis tricks

Anti-debugging tricks

Anti-debugging tricks are meantto ensure that the codes are not working under the influence of a debugger. Say we have a program with an anti-debugging code in it. The behavior of the program is just as if it were running without an anti-debugging code. The story becomes different, however, when the program is being debugged. While debugging, we encounter code that goes straight to exiting the program or jumps into code that doesn't make sense. This process is illustrated in the following diagram:

Developing anti-debugging code requires understanding the traits of the program and the system, both when normally running and when being debugged. For example, the Process Environment Block (PEB) contains a flag that is set when a program is being run under a debugger. Another popular trick is to use a Structured Exception Handler (SEH) to continue code that forces an error exception while debugging. To better understand how these work, let's discuss these tricks in a little...

Anti-VM tricks

This trick's aim is to exit the program when it identifies that it is running in a virtualized environment. The most typical way to identify being in a VM is to check for specific virtualization software artifacts installed in the machine. These artifacts may be located in the registry or a running service. We have listed a few specific artifacts that can be used to identify being run inside a VM. 

VM running process names

The easiest way for a program to determine whether it is in a VM is by identifying known file names of running processes. Here's a list for each of the most popular pieces of VM software:

Virtualbox

VMWare

QEMU

Parallels

VirtualPC

vboxtray.exevboxservice.exevboxcontrol.exe

vmtoolsd.exevmwaretray.exevmwareuserVGAuthService.exevmacthlp.exe

qemu-ga.exe

prl_cc.exeprl_tools.exe

vmsrvc.exevmusrvc.exe

Existence of VM files and directories

Identifying the existence of at least one of the VM software's files can tell if the program is running in a virtual machine. The following...

Anti-emulation tricks

Anti-emulation or anti-automated analysis are methods employed by a program to prevent moving further in its code if it identifies that it is being analyzed. The behavior of a program can be logged and analyzed using automated analysis tools such as Cuckoo Sandbox, Hybrid Analysis, and ThreatAnalyzer. The concept of these tricks is in being able to determine that the system in which a program is running is controlled and was set up by a user.

Here are some things that distinguish a user-controlled environment and an automated analysis controlled system from each other:

  • A user-controlled system has mouse movement.
  • User controlled systems can include a dialog box that waits for a user to scroll down and then click on a button.
  • The setup of an automated analysis system has the following attributes:
    • A low amount of physical memory
    • A low disk size
    • The free space on the disk may be nearly depleted
    • The number of CPUs is only one
    • The screen size is too small

Simply setting up a task...

Anti-dumping tricks

This method does not stop dumping memory to a file. This trick instead prevents the reverser from easily understanding the dumped data. Here are some examples of how this could be applied:

  • Portions of the PE header have been modified, so that the process dump gives the wrong properties.

  • Portions of PEB, such as SizeOfImage, have been modified, so that the process dumping tool dumps wrong.

  • Dumping is very useful for seeing decrypted data. Anti-dumping tricks would re-encrypt the decrypted code or data after use.

To overcome this trick, we can either identify or skip the code that modifies data. For re-encryption, we can also skip the code that re-encrypts, to leave it in a decrypted state.

Summary

Malware have been evolving by adding new techniques to evade anti-virus and reverse engineering.  These techniques include process hollowing, process injection, process doppelganging, code anti-debugging, and anti-analysis.  Process hollowing and process doppelganging techniques basically overwrites the image of a legit process with a malicious image.  This masks the malicious program with a legit process.  Process injection, on the other hand, inserts and runs code in a remote process space.

Anti-debugging, anti-analysis, and the other tricks discussed in this chapter are obstacles for reverse engineering. But knowing the concept for these tricks enables us to overcome them. Doing static analysis with deadlisting, we can identify and then skip the tricky code, or in the case of SEH, place a breakpoint at the handler.

We discussed anti-debugging tricks and their technique of using errors to cause exceptions and hold the rest of its code at the handler. We also discussed other tricks...

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 20
Next Chapter arrow right
You have been reading a chapter from
Mastering Reverse Engineering
Published in: Oct 2018 Publisher: Packt ISBN-13: 9781788838849
© 2018 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (1)

Profile icon Reginald Wong
LinkedIn
Reginald Wong has been in the software security industry for more than 15 years.Currently, Reggie is a lead anti-malware researcher at Vipre Security, a J2 Global company, covering various security technologies focused on attacks and malware. He previously worked for Trend Micro as the lead for the Heuristics team, dealing with forward-looking malware detection. Aside from his core work, he has also conducted in-house anti-malware training for fresh graduates. He is currently affiliated with CSPCert.ph, Philippines' CERT, and is a reporter for Wildlist.org. He has also been invited to speak at local security events, including Rootcon.
Read more
See other products by Reginald Wong

Other recommended products

Related to this chapter
Left arrow icon
Mastering Assembly Programming
Mastering Assembly Programming
The Assembly language is the lowest level human readable programming language on any platform. Knowing the way things are on the Assembly level will help developers design their code in a much more elegant and efficient way. This book will take readers on a journey to mastering the Assembly language.
Sep 2017 9 hours 40 minutes
Antivirus Bypass Techniques
Antivirus Bypass Techniques
Antivirus Bypass Techniques follows a unique approach that will help you explore the security landscape, understand the fundamentals of antivirus software, and put antivirus bypass techniques to use. This book will enable you to bypass antivirus software solutions in order to develop efficient antivirus software.
Jul 2021 8 hours 4 minutes
Learning Malware Analysis
Learning Malware Analysis
Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. This book teaches you the concepts, tools, and techniques to determine the behavior and characteristics of malware using malware analysis and memory forensics.
Jun 2018 17 hours 0 minutes
Penetration Testing with Shellcode
Penetration Testing with Shellcode
Security has always been a major concern for your application, your system, or your environment. This book's main goal is to build your skills for low-level security exploits, finding vulnerabilities and covering loopholes with shellcode, assembly, and Metasploit.
Feb 2018 11 hours 32 minutes
Mastering Malware Analysis
Mastering Malware Analysis
Malware analysis is a powerful investigation technique widely used in various security areas including digital forensics and incident response processes. Working through practical examples, you'll be able to analyze any type of malware you may encounter within the modern world.
Jun 2019 18 hours 44 minutes
Malware Analysis Techniques
Malware Analysis Techniques
Comprehensive threat analysis is important for incident responders as it helps them to ensure that a threat has been entirely eliminated. This book shows you how to quickly triage, identify, attribute, and remediate threats with proper analysis techniques, and guides you in implementing your knowledge to prevent further incidents.
Jun 2021 9 hours 24 minutes
Binary Analysis Cookbook
Binary Analysis Cookbook
Binary Analysis is a complex and constantly evolving topic, crossing into several realms of IT and information security. The recipes in this book will serve as a good reference for you to get a better understanding of various aspects related to analyzing malware, identifying vulnerabilities in code, exploit writing and reverse engineering.
Sep 2019 13 hours 12 minutes
Preventing Ransomware
Preventing Ransomware
Ransomware is the most critical threat and its intensity has grown exponentially in recent times. This book provides comprehensive, up-to-the-minute details about different kinds of ransomware attack as well some notable ones from the past. It also talks about different aspects of cyber security that can help you prevent ransomware attacks.
Mar 2018 8 hours 52 minutes
Ghidra Software Reverse Engineering for Beginners
Ghidra Software Reverse Engineering for Beginners
Ghidra is the NSA’s state-of-the-art reverse engineering framework. It is open source, allowing the community to extend it with impressive range of features. This book offers a comprehensive introduction to anyone new to the Ghidra reverse engineering framework and malware reverse engineering.
Jan 2021 10 hours 44 minutes
Modern Computer Architecture and Organization
Modern Computer Architecture and Organization
A no-nonsense, practical guide to help you learn the current and future processor and computer architectures that will enable you to design computer systems and develop better software applications across a variety of domains.
Apr 2020 18 hours 40 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.
Aug 2023 11 hours 16 minutes
Automotive Cybersecurity Engineering Handbook
Automotive Cybersecurity Engineering Handbook
This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.
Oct 2023 13 hours 4 minutes
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.
Aug 2023 16 hours 32 minutes
Cloud Penetration Testing for Red Teamers
Cloud Penetration Testing for Red Teamers
The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.
Nov 2023 9 hours 56 minutes
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.
Sep 2023 10 hours 32 minutes
Burp Suite Cookbook
Burp Suite Cookbook
Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.
Oct 2023 15 hours 0 minutes
Building and Automating Penetration Testing Labs in the Cloud
Building and Automating Penetration Testing Labs in the Cloud
This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.
Oct 2023 18 hours 44 minutes
Ethical Hacking Workshop
Ethical Hacking Workshop
As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.
Oct 2023 7 hours 20 minutes
Windows Forensics Analyst Field Guide
Windows Forensics Analyst Field Guide
This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.
Oct 2023 10 hours 36 minutes
Implementing DevSecOps Practices
Implementing DevSecOps Practices
This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.
Dec 2023 8 hours 36 minutes
Right arrow icon