In this post, we covered the methods and techniques hackers use to make their malware difficult to analyze by reverse engineers and malware analysts. These methods and techniques encompass anti debugging, VM detection and evasion, packing and code obfuscation. These methods go under the term Anti Reverse Engineering. We used lab material from the room TryHackMe Anti Reverse Engineering and also covered the answers for the tasks’ questions.
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Windows Active Directory Penetration Testing Study Notes
Definition of Reverse Engineering
Reverse engineering is an advanced method to analyze binaries including malware samples. It requires knowledge of the CPU language, that is, Assembly. In reverse engineering, we reverse the binary back to its cpu language to reveal all instructions that it sends to the CPU.
Anti Reverse Engineering
Anti reverse engineering is the process of designing malware code that evades detection and makes it difficult for analysts to analyze it and understand its behaviour.
Anti Debugging
Malware authors use anti-debugging measures to make it difficult for analysts to use debugging tools to analyze the malware’s behaviour.
VM Detection
When malware identifies that it is running on a VM, it may decide to respond differently; for example, it may change its behaviour by:
- Executing only a minimal subset of its functionality
- Self-destructing by deleting itself or overwriting parts of its code
- Cause damage to the system by deleting or encrypting files; or
- Not run at all
Obfuscation & Packing
The most common obfuscation techniques used by malware authors include:
- Using encoding techniques – This involves encoding data (i.e. command line strings, domain names, etc.) using popular encoding techniques like
XORorBase64. You may have seen a Base64 encoded strings that look like thisVGhpcyBpcyBhbiBCQVNFNjQgZW5jb2RlZCBzdHJpbmcu==. - Using encryption techniques – This involves encrypting data such as communications to a command and control server, file formats, and network traffic. The most common types used are symmetric key and public key encryption.
- Code obfuscation – This involves various techniques such as manipulating the code to alter its syntax and structure, renaming functions, or splitting code across multiple files or code segments.
Room Answers | TryHackMe Anti-Reverse Engineering
What is the name of the Windows API function used in a common anti-debugging technique that detects if a debugger is running?
IsDebuggerPresent
What is the Windows API function that enumerates windows on the screen so the malware can check the window name?
EnumWindows
What is the hex value of a nop instruction?
90
What is the instruction found at memory location 004011CB?
add esp,8
What is the name of the identifiable process used by malware to check if the machine is running inside VirtualBox?
vboxservice
What is the OUI automatically assigned specifically to VMware?
00:50:56
Using Task Manager, what process indicates that the machine for this room is an Amazon EC2 Virtual Machine?
amazon-ssm-agent.exe
In the C code snippet, what is the full WQL query used to get the temperature from the Win32_TemperatureProbe class?
SELECT * FROM MSAcpi_ThermalZoneTemperature
What register holds the memory address that tells the debugger what instruction to execute next?
EIP
Before uReturn is compared to zero, what is the memory location pointed to by [ebp-4]
0019FF1C
What is the decoded string of the base64 encoded string “VGhpcyBpcyBhIEJBU0U2NCBlbmNvZGVkIHN0cmluZy4=”?
This is a BASE64 encoded string.
According to DetectItEasy, what is the version of the Microsoft Linker used for linking packed.exe?
14.16
According to pestudio, what is the entropy of the UPX2 section of packed.exe?
2.006
Video Walkthrough
