In this post, we covered the methods and techniques hackers use to make their malware difficult to analyze for reverse engineers and malware analysts: anti-debugging, VM detection and evasion, packing and code obfuscation. Together these methods go under the term anti reverse engineering. We used lab material from the TryHackMe room Anti Reverse Engineering and also covered the answers to the room's questions.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Definition of Reverse Engineering

Reverse engineering is an advanced method of analyzing binaries, including malware samples. It requires knowledge of the CPU's language, Assembly. In reverse engineering, we translate the binary back into its assembly form to reveal every instruction it sends to the CPU.

Anti Reverse Engineering

Anti reverse engineering is the process of designing malware code that evades detection and makes it difficult for analysts to analyze it and understand its behaviour.

Anti Debugging

Malware authors use anti-debugging measures to make it difficult for analysts to use debugging tools to analyze the malware’s behaviour.

VM Detection

When malware identifies that it is running on a VM, it may decide to respond differently; for example, it may change its behaviour by:

  • Executing only a minimal subset of its functionality
  • Self-destructing by deleting itself or overwriting parts of its code
  • Causing damage to the system by deleting or encrypting files; or
  • Not running at all

Obfuscation & Packing

The most common obfuscation techniques used by malware authors include:

  • Using encoding techniques – This involves encoding data (e.g. command-line strings, domain names) using popular encodings like XOR or Base64. You may have seen Base64-encoded strings that look like this: VGhpcyBpcyBhbiBCQVNFNjQgZW5jb2RlZCBzdHJpbmcu==.
  • Using encryption techniques – This involves encrypting data such as communications to a command and control server, file formats, and network traffic. The most common types used are symmetric key and public key encryption.
  • Code obfuscation – This involves various techniques such as manipulating the code to alter its syntax and structure, renaming functions, or splitting code across multiple files or code segments.
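The indicators covered above (anti-debugging imports such as IsDebuggerPresent and EnumWindows, the VirtualBox and Amazon EC2 process names, the VMware OUI 00:50:56, Base64-encoded strings and section entropy as reported by pestudio) can be checked from the analyst's side with a small triage script. The following is an added example, not part of the room or of this post; its indicator lists, the 16-character Base64 threshold and the SAMPLE bytes are assumptions constructed for illustration.

```python
import base64
import math
import re
from collections import Counter

# Indicator lists assumed for this example, built from the room's techniques above.
ANTI_DEBUG_APIS = ["IsDebuggerPresent", "EnumWindows"]
VM_ARTIFACTS = ["vboxservice", "amazon-ssm-agent"]
PACKER_SECTIONS = ["UPX0", "UPX1", "UPX2"]
VMWARE_OUI = "00:50:56"
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # Base64-alphabet runs worth decoding

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero-filled sections, close to 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def decode_base64_candidates(data: bytes) -> list[str]:
    """Decode Base64-looking runs that yield printable ASCII (e.g. hidden strings)."""
    found = []
    for m in BASE64_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # wrong length or padding: not real Base64
            continue
        if decoded and all(0x20 <= c < 0x7F for c in decoded):
            found.append(decoded.decode("ascii"))
    return found

def is_vmware_mac(mac: str) -> bool:
    """True when the MAC carries the VMware OUI (accepts ':' or '-' separators)."""
    return mac.strip().replace("-", ":").lower().startswith(VMWARE_OUI)

def triage(blob: bytes) -> dict:
    """Summarise the anti-analysis indicators present in a binary image."""
    low = blob.lower()
    return {
        "anti_debug": [s for s in ANTI_DEBUG_APIS if s.lower().encode() in low],
        "vm_artifacts": [s for s in VM_ARTIFACTS if s.lower().encode() in low],
        "packer_sections": [s for s in PACKER_SECTIONS if s.encode() in blob],
        "entropy": round(shannon_entropy(blob), 3),
        "decoded_base64": decode_base64_candidates(blob),
    }

# Constructed stand-in for strings pulled from a sample; not a real binary.
SAMPLE = (b"KERNEL32.dll\x00IsDebuggerPresent\x00USER32.dll\x00EnumWindows\x00"
          b"VBoxService.exe\x00VGhpcyBpcyBhIEJBU0U2NCBlbmNvZGVkIHN0cmluZy4=\x00UPX2\x00")
```

Run `triage(open("sample.bin", "rb").read())` on a real file, or `shannon_entropy` on one section's bytes to reproduce the per-section figure a tool like pestudio reports.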

Room Answers | TryHackMe Anti-Reverse Engineering

What is the name of the Windows API function used in a common anti-debugging technique that detects if a debugger is running?
IsDebuggerPresent

What is the Windows API function that enumerates windows on the screen so the malware can check the window name?
EnumWindows

What is the hex value of a nop instruction?
90

What is the instruction found at memory location 004011CB?
add esp,8

What is the name of the identifiable process used by malware to check if the machine is running inside VirtualBox?
vboxservice

What is the OUI automatically assigned specifically to VMware?
00:50:56

Using Task Manager, what process indicates that the machine for this room is an Amazon EC2 Virtual Machine?
amazon-ssm-agent.exe

In the C code snippet, what is the full WQL query used to get the temperature from the Win32_TemperatureProbe class?
SELECT * FROM MSAcpi_ThermalZoneTemperature

What register holds the memory address that tells the debugger what instruction to execute next?
EIP

Before uReturn is compared to zero, what is the memory location pointed to by [ebp-4]?
0019FF1C

What is the decoded string of the base64 encoded string “VGhpcyBpcyBhIEJBU0U2NCBlbmNvZGVkIHN0cmluZy4=”?
This is a BASE64 encoded string.

According to DetectItEasy, what is the version of the Microsoft Linker used for linking packed.exe?
14.16

According to pestudio, what is the entropy of the UPX2 section of packed.exe?
2.006

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.