ABSTRACT
Malware analysis uses debuggers to understand and manipulate the behaviors of stripped binaries. To circumvent analysis, malware applies a variety of anti-debugging techniques, such as self-modifying code, checking for or removing breakpoints, hijacking keyboard and mouse events, and escaping the debugger. Most state-of-the-art debuggers are vulnerable to these anti-debugging techniques.
In this paper, we first systematically analyze the spectrum of possible anti-debugging techniques and compile a list of 79 attack vectors. We then propose a framework, called Apate, which detects and defeats each of these attack vectors by performing: (1) just-in-time disassembling based on single-stepping, and (2) careful monitoring of the debuggee's execution and, when needed, modification of the debuggee's state to hide the debugger's presence. We implement Apate as an extension to WinDbg and extensively evaluate it using five different datasets, with known and new malware samples. Apate outperforms other debugger-hiding technologies by a wide margin, addressing 58+ to 465+ more attack vectors.
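As an added illustration (not code from the Apate paper or its WinDbg extension), the following toy model shows one instance of the "modify the debuggee's state to hide the debugger" idea from the abstract, applied to the breakpoint-checking attack vector: the debugger keeps the original byte under each software breakpoint and answers the debuggee's reads of its own code from that shadow, so a self-checksumming routine observes unmodified code. The code image, checksum and the ShadowedMemory class are constructed here for the example.

```python
INT3 = 0xCC  # x86 software-breakpoint opcode that a debugger patches in


class ShadowedMemory:
    """Code image plus the original byte under each software breakpoint."""

    def __init__(self, image: bytes):
        self.image = bytearray(image)
        self.shadow = {}  # address -> original byte saved when patching

    def set_breakpoint(self, addr: int) -> None:
        if addr not in self.shadow:
            self.shadow[addr] = self.image[addr]
            self.image[addr] = INT3

    def read_raw(self, addr: int, size: int) -> bytes:
        """What the CPU actually fetches: the patched image."""
        return bytes(self.image[addr:addr + size])

    def read_for_debuggee(self, addr: int, size: int) -> bytes:
        """What the debugger lets the debuggee see: every breakpoint
        byte inside the requested range is restored from the shadow."""
        out = bytearray(self.read_raw(addr, size))
        for bp_addr, orig in self.shadow.items():
            if addr <= bp_addr < addr + size:
                out[bp_addr - addr] = orig
        return bytes(out)


def code_checksum(data: bytes) -> int:
    """Rolling checksum of the kind self-checking code computes over itself."""
    h = 0
    for b in data:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


# Constructed sample: a few x86 bytes standing in for a function body.
CODE = bytes.fromhex("5589e583ec10c9c3")


def self_check_survives(bp_addr: int = 3) -> tuple:
    """Returns (checksum matches on a raw read, matches on a shadowed read)."""
    clean = code_checksum(CODE)
    mem = ShadowedMemory(CODE)
    mem.set_breakpoint(bp_addr)
    raw_ok = code_checksum(mem.read_raw(0, len(CODE))) == clean
    hidden_ok = code_checksum(mem.read_for_debuggee(0, len(CODE))) == clean
    return raw_ok, hidden_ok
```

A conventional debugger only applies this shadowing to its own view of memory; the point the abstract makes is that the debuggee's reads must be intercepted too, which in practice requires single-stepping or trapping the read rather than the direct call shown here.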