Defeating Anti-Debugging Routines in Malware
Current malware variants are becoming more and more devious in their methods of infection, propagation, and their ability to defend themselves from analysis. Aside from common code-obfuscation techniques, such as using packers or encryption techniques, malware will commonly employ anti-debugging routines in an attempt to prevent a malware analyst from using a debugger to understand its behavior. Using Immunity Debugger and some Python, we are able to create some simple scripts to help bypass some of these anti-debugging routines to assist an analyst when observing a malware sample. Let's look at some of the more prevalent anti-debugging routines and write some corresponding code to bypass them.
IsDebuggerPresent ...
Get Gray Hat Python now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.