Hello and welcome to Malware Analysis for Hedgehogs. Today we have another ransomware sample, yay, but we will not talk about ransomware today. It's actually about an anti-debugging trick that this sample just happens to use, so it's more about this trick, how it works and how you can manually defeat it. So let's check out the sample with Olly. Okay, there it is.

Now there is another video by Xylitol about the very same sample where he unpacks it. I will not show you the unpacking. If you want to see that, I will link the video below. Check it out. But I will show you an anti-debugging trick. Xylitol uses the PhantOm plugin, which can defeat this trick. So if you use this plugin, disable it if you want to do the same as I'm doing now. It's generally a good idea to turn off the plugins from time to time. If you want to learn more about why anti-debugging tricks work and how you can solve this without plugins, it helps to build up your skills. There's not a plugin for everything.

Okay, we will search for all intermodular calls. And I already set the breakpoint here. That's GetProcAddress. And that, together with LoadLibrary, is often used to resolve the imports of the packed file. So it retrieves the addresses for functions that the packed file needs. And that's why we set a breakpoint here. And we will just go and run. And here you can see which functions were gathered here. And now we are at the SetUnhandledExceptionFilter function. And if you press run, F9, again, the sample will just terminate. So that's the anti-debugging trick. It terminates if it detects that you debug it.

Okay, let's do this again, to the same point, SetUnhandledExceptionFilter. Now what does this actually do? This function will, and that's the documentation of it, I really recommend that you read up on the MSDN documentation if you learn about it. So if an exception occurs in a process that is not being debugged, that's very important here,
and the exception makes it to the unhandled exception filter, that means the exception is not handled otherwise, that filter will call the exception filter function specified by the top-level exception filter. So that's the parameter you give to SetUnhandledExceptionFilter. And the parameter is a pointer to a function, well, with your own code. And this function is only called if the process is not being debugged. So you can basically put everything important in here, and it will only be executed if the process is not being debugged. Oh, great.

So who checks if the process is being debugged? That's this UnhandledExceptionFilter function, without the "Set". So in this function, there's a check about the current process and whether it's being debugged or not, and whether to go to this function or not. And also, usually if you do not set this, Windows will display a message, but if you set this, it will call this function instead if the process is not being debugged. All right. That's the function. Good.

Now, that means since the check is in UnhandledExceptionFilter, we will go there. You press Ctrl+G, you enter UnhandledExceptionFilter, and okay, and you get to the start of this function. Set a breakpoint, run there, and remove the breakpoint again. It might make some trouble if you don't. And we step a bit to this GetCurrentProcess call. GetCurrentProcess returns a handle, a pseudo handle, and here it is: retrieves a pseudo handle for the current process. And the pseudo handle is a special constant, which is currently minus one. So they say currently; it might change in the future. And it's interpreted as the current process handle. But for compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this minus one yourself. So that's the actual, yeah, the only value of that function is to return minus one. Okay. Yeah, pseudo handle means that's not an actual address.
So it's just a constant that means something. So we expect EAX to turn to minus one. And that's what happens here. If you're confused right now, that's the two's complement. I will put a link below to explain the two's complement. In two's complement, this means minus one in this context.

Okay, we zero it out. Why? Here's a call to QueryInformationProcess that retrieves the process information of the current process. It uses, here's the push EAX, it pushes the current handle. And so that means it will, I'll show you the function here. Here it is. Well, that's not the same as the Nt one, but okay. But it uses a process handle to return information about the current process. And one piece of that information is whether the process is being debugged or not. That means if you set this to zero instead of minus one, it will check the process zero, and that's not being debugged. So in that case, the function will decide that there's no debugger attached.

Okay, let's try this. We will now just press run. And indeed, at this point, the last time, the program terminated, and it didn't do that this time. So now we can actually get to the point where we unpack the file. I told you I won't show you that, but here's the RtlDecompressBuffer function that's very often used by packed files. And yeah, I recommend, if you want to unpack it, to look into the video by Xylitol. And that's already it for today. Thank you for watching. See you next time.
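The following is an added example that is not part of the video or the sample; it is a small Python model of the mechanism described above, written to make the control flow explicit. The constructed `FakeKernel` stands in for Windows (`GetCurrentProcess` handing back the 0xFFFFFFFF pseudo handle, and a process-information query that reports a debug port only for the calling process), and `Sample` stands in for the protected program: it registers a top-level filter with `SetUnhandledExceptionFilter`, triggers an unhandled exception, and lets the modelled `UnhandledExceptionFilter` decide between terminating and running the registered code. The `handle_override` parameter models the manual patch from the video, zeroing EAX after `GetCurrentProcess` so the debugger check is made against a handle that is not the debugged process. All names here are assumptions of the model, not Windows API signatures.

```python
import ctypes

# What GetCurrentProcess leaves in EAX on 32-bit Windows: the pseudo handle.
CURRENT_PROCESS_PSEUDO_HANDLE = 0xFFFFFFFF

# Outcomes of the modelled UnhandledExceptionFilter.
TERMINATED = "terminated"
RAN_TOP_LEVEL_FILTER = "ran top-level filter"


def as_signed32(value):
    """Interpret a 32-bit register value in two's complement (0xFFFFFFFF -> -1)."""
    return ctypes.c_int32(value).value


class FakeKernel:
    """Constructed stand-in for the pieces of Windows the trick relies on."""

    def __init__(self, debugger_attached):
        self.debugger_attached = debugger_attached

    def get_current_process(self):
        # Real API: returns the pseudo handle, documented as "currently -1".
        return CURRENT_PROCESS_PSEUDO_HANDLE

    def query_process_debug_port(self, handle):
        # Only the -1 pseudo handle refers to the calling process, so only that
        # handle can reveal the attached debugger (non-zero debug port).
        if as_signed32(handle) == -1:
            return 1 if self.debugger_attached else 0
        # Any other handle (e.g. the zeroed EAX) is not the debugged process:
        # modelled as "no debugger", matching the behaviour seen in the video.
        return 0


class Sample:
    """Constructed stand-in for the protected program."""

    def __init__(self, kernel):
        self.kernel = kernel
        self.top_level_filter = None

    def set_unhandled_exception_filter(self, fn):
        # The parameter is a pointer to the program's own code.
        self.top_level_filter = fn

    def unhandled_exception_filter(self, handle_override=None):
        # Model of the system's UnhandledExceptionFilter: the debugger check
        # lives here, not in the Set... function.
        handle = self.kernel.get_current_process()
        if handle_override is not None:
            handle = handle_override  # the analyst patched EAX after the call
        if self.kernel.query_process_debug_port(handle) != 0:
            return TERMINATED  # debugged: the sample exits
        return self.top_level_filter()  # not debugged: registered code runs

    def important_code(self):
        # Everything the author wants hidden from a debugger goes here.
        return RAN_TOP_LEVEL_FILTER

    def run(self, handle_override=None):
        self.set_unhandled_exception_filter(self.important_code)
        # An exception nobody else handles reaches UnhandledExceptionFilter.
        return self.unhandled_exception_filter(handle_override)


def outcome(debugger_attached, patch_handle_to_zero=False):
    """Run the model under one scenario and report what happened."""
    sample = Sample(FakeKernel(debugger_attached))
    return sample.run(handle_override=0 if patch_handle_to_zero else None)


if __name__ == "__main__":
    print("no debugger:            ", outcome(False))
    print("debugger attached:      ", outcome(True))
    print("debugger, EAX zeroed:   ", outcome(True, patch_handle_to_zero=True))
```

The three scenarios correspond to the three runs in the video: without a debugger the registered code runs; with a debugger attached the sample terminates at the filter; and with the handle zeroed after `GetCurrentProcess`, the query no longer concerns the debugged process, so the check reports no debugger and the registered code runs under the debugger. The `as_signed32` helper is the two's complement reading of EAX that the video refers to.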