These techniques include:
- Obfuscation/hiding of codes & scripts
- Encryption of Source code & data
- Junk code (useless instructions and rountine)
- Detection of analysis tools (virtual system, monitoring tools, debugger)
- Conduct integrity checks (Prevent tampering and patching)
Obfuscation of script, commonly using "unescape" function and various encoding (e.g Base64) to hide malicious javascript (e.g unescape(dz+cz+op+st)+'dw(dz+cz($+st));')}else{$=''};function sc(cnm,v,ed)). Source codes can be obfuscation using packer such as UPX
Packer (Compressed executable) uses proprietary methods of compression and encryption to hinder malware analysis. Configuration data may also be obfuscated or encrypted.
Useless instructions were inserted between real instructions. Jumping into middle of instructions will sometime cause a debugger to halt with error.
Malware can react differently when analysis tools were detected in the system to fool the analyst. Some sample methods shown below.
Malware may contain checksum and protection routine to prevent any tampering to their program.
Detect OllyDbg
The function IsODBGLoaded will return true if debugger is detected
__inline bool IsODBGLoaded() {char *caption="DAEMON";}
_asm {push 0x00normal_:
push caption
mov eax, fs:[30h]
movzx eax, byte ptr[eax+0x2]
or al,al
jz normal_
jmp out_xor eax, eaxout_:
leave
retmov eax, 0x1}
leave
ret
Detect VMWare
It checks the version and see if it is running inside the virtual
/* Check VMware version only */
int VMGetVersion() {/* Check if running inside VMWare */unsigned long version, magic, command;}
command=VMCMD_GET_VERSION;
VMBackDoor(&version, &magic, &command, NULL);
if(magic==VMWARE_MAGIC) return version;
else return 0;
int IsVMWare() {int version=VMGetVersion();}
if(version) return true; else return false;
Detecting Breakpoints
The function IsBPX checks if the given memory address is a breakpoint.
__inline bool IsBPX(void *address) {_asm {}mov esi, addressBPXed:
mov al, [esi]
cmp al, 0xCC
je BPXed
xor eax, eax
jmp NOBPXmov eax, 1NOBPX:
}
