ANTI-UNPACKER TRICKS – PART TWO
Peter Ferrie
Microsoft, USA
In the first part of this series last month we looked at a number of anti-unpacking tricks that have come to light recently. New anti-unpacking tricks continue to be developed because the older ones are constantly being defeated. In this article and the ones that follow, we will describe [...]
ANTI-UNPACKER TRICKS – PART ONE
Peter Ferrie
Microsoft, USA
Unpackers have been around for as long as packers themselves, but anti-unpacking tricks are a more recent development. Anti-unpacking tricks have grown quickly both in number and, in some cases, complexity. This paper is an addendum to a paper presented at the CARO workshop in May this year [1], [...]
Далее хотел бы предложить идею реализации мини ВМ, для защиты кода в программе.
Под мини ВМ подразумевается ВМ, с поддержкой ограниченного числа регистров и инструкций, по принципу чтения и исполнения байт кода/псевдокода.
Плагин для скрытия OllyDbg (вместе с драйвером). Помогает от следующих методов обнаружения:
драйвер — extremehide.sys
[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.
плагин — PhantOm.dll
[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[+] OutputDebugString
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput
Код, позволяет обнаружить, запускается ли программа в виртуальной среде VMWare.
This code presents pretty effective and nasty debugger «on attach»
detection. When debugger (every which uses debug apis) attach to the
target process NtContinue function is executed, this acts BEFORE
debugger stops on DebugBreak, so we have the ability to do some
nasty things while debugger is still loading the process, i think
you know what possibilities it gives.
Антиотладочный трюк через trapflag
