Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Windows Debugger Detection
Дальше: Interfering with Debugger Functionality
. shows a real malware sample using the rdtsc technique..Example 16-8. GetTickCount timing technique
a = GetTickCount(); MaliciousActivityFunction(); b = GetTickCount(); delta = b-a; if ((delta) > 0x1A) { //Debugger Detected } else { //Debugger Not Found }
All of the timing attacks we’ve discussed can be found during debugging or static analysis by identifying two successive calls to these functions followed by a comparison. These checks should catch a debugger only if you are single-stepping or setting breakpoints between the two calls used to capture the time delta. Therefore, the easiest way to avoid detection by timing is to run through these checks and set a breakpoint just after them, and then start your single-stepping again. If that is not an option, simply modify the result of the comparison to force the jump that you want to be taken.
rdtsc technique..
Example 16-8. GetTickCount timing technique
a =GetTickCount(); MaliciousActivityFunction(); b =GetTickCount(); delta = b-a; if ((delta) > 0x1A) { //Debugger Detected } else { //Debugger Not Found }
All of the timing attacks we’ve discussed can be found during debugging or static analysis by identifying two successive calls to these functions followed by a comparison. These checks should catch a debugger only if you are single-stepping or setting breakpoints between the two calls used to capture the time delta. Therefore, the easiest way to avoid detection by timing is to run through these checks and set a breakpoint just after them, and then start your single-stepping again. If that is not an option, simply modify the result of the comparison to force the jump that you want to be taken.
Войти в систему
Войти с помощью соц. сетей:
