Welcome to Malware Analysis For Hedgehogs. Today is another anti-debugging video, but this time I want to show you a way you can teach yourself anti-debugging tricks. Because if you just jump into analyzing samples and they use some anti-debugging tricks that you don't know, it's pretty hard to find out yourself what's going on. Unless you have a person you can ask to help you out, you will probably not know how to search for the information that you need. So I actually recommend that you teach yourself anti-debugging tricks and how they work beforehand. So let's check this out.

There's a pretty cool reference for anti-reversing tricks by Peter Ferrie, the Ultimate Anti-Debugging Reference; I'm already at the right page. It's a few years old, but still valid, and we will check out a very simple anti-debugging check, the IsDebuggerPresent function. That's in kernel32.dll, it exists since Windows 95, and it returns a non-zero value if a debugger is present, of course. So you can call this function and check if it returns zero or not. But most malware authors won't, or might not want to, call the function directly, because then it shows up in the imports and you will know what's wrong immediately. So there's another way to do this, and that's by checking the BeingDebugged flag yourself. That's the second code snippet right here. The BeingDebugged flag is part of the Process Environment Block, a structure in memory with information about the process. That might not be so obvious, so I will explain it right here.
There's another structure, the Thread Information Block. It's a data structure that's sometimes also called the Thread Environment Block, so TEB or TIB. You can access this structure using a segment register called FS: fs:[0] is the beginning of the Thread Information Block, and at fs:[30h] there is the address of the Process Environment Block. That's exactly what we need. So that's what they are doing here: they put the address of the Process Environment Block into eax. The Process Environment Block is only partially documented, but this flag is the second byte of the structure, and for that reason we add two, so we get to the BeingDebugged flag. We compare this BeingDebugged flag to zero, and if it's not equal to zero, it means jump to being_debugged, the part of the code that is executed if the process is being debugged. So that's what this snippet does.

Now it's pretty important that you can experiment with the code yourself. That's why I recommend that you get an assembler like FASM, the flat assembler; I will put a link below, also for the reference here. Just write your own code and compile it for testing. That really makes pretty sure that you get this into your brain: if you coded it yourself, it's more likely to stick, otherwise it might be gone two days after you tried to understand this snippet.

This frame looks like a lot of code, but it's actually not that much. This part here is just the imports that you need to exit the process and to show a message box. So we have a message box for the good boy, which means if the process is not being debugged we show the good boy message, and that says "Everything's fine, have a good day." The bad boy message is here, and it will say "I got you, stop debugging me." So that's our snippet of three lines from the Ultimate Anti-Reversing Reference; these three lines here are the same here. That's actually everything you mostly need to exchange for testing the snippets that you find in here. Once you have the frame (I will paste the link so you can use the code for flat assembler yourself), you just have to change this part of the code to compile your own anti-debugging binary.

That's what we will do now. We compile this code, it says everything went fine, and here we have the "is it being debugged" binary. Of course it's not being debugged, so it says "Everything's fine." It runs normally. If we open this sample in Olly, it's a different story. Please disable your plugins: a lot of the plugins, like OllyAdvanced, automatically have anti-anti-debugging stuff in there, so disable them if you want to learn. So let's check out what it's doing. It says "I got you, stop debugging me," so the check shows that the process is being debugged, and you can step through the code and see what's happening. For instance, now we got the address of the Process Environment Block here, so let's just look at it. Here it is, and that's our flag. That's the Process Environment Block area, and here's the flag, which shows one, which means it's being debugged. So you could probably change it right here: edit, fill with zero. Yeah, and if we step again it says "Everything's fine." So we changed the value in the structure and everything's fine; that was the value that shows that the process is being debugged.

All right, another way to do this, or to monitor this structure, is using Process Hacker. Process Hacker is similar to Process Explorer, with similar capabilities. You can right-click on the process, click on Properties, and in the General tab you see the address of the Process Environment Block. Okay, so we know it's there, and you have the Memory tab where you can check what's in memory, and also in the Process Environment Block, which is here. So again we see the one in here that shows that it's being debugged. And we open the one where it says "Everything's fine" and check it out as well, and here you see the difference: here the flag is zero, so it's not being debugged, and here it's one and it's being debugged.

So that's, I believe, a good way to experiment yourself with the anti-debugging tricks and how you can defeat them, either by editing the memory or by editing the assembler code. You can as well just change the jump in the code right here: we could say please jump always, so we don't say jump if equal, we'd say jump short. Okay, and of course now I changed it to jump short, and if we step it says "Everything's fine." And you can also experiment with how the plugins change the behavior. Now here we have the OllyAdvanced plugin, and that has an IsDebuggerPresent anti-anti-debugging function. If you turn this on (I'm not sure if you have to restart Olly for that to work), it says "Everything's fine." So that's the plugin; I think it changes the structure of the Process Environment Block, so it does this automatically for you and you don't have to do it.

And that's it for today. That's a good way to learn: experiment yourself and then you will really make it stick in your head, so you know it next time when you see it in an actual sample. Thanks for watching, I hope to see you next time.
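The "frame" the video describes, written out as an added FASM example. This is not the code shown on screen in the video (that code is not reproduced in this transcript); the string contents, the label names and the assumed `win32a.inc` macro include that ships with flat assembler are my choices. The three-line PEB check in the middle is the one from the reference (fs:[30h] -> PEB, PEB+2 = BeingDebugged); the rest is the import table and the two message boxes, and the only imports that appear in the binary are ExitProcess and MessageBoxA, not IsDebuggerPresent.

```asm
; antidebug.asm - added example, not the video's own file.
; Assemble with:  fasm antidebug.asm antidebug.exe
; Assumes the INCLUDE environment variable points at fasm's include
; directory so that 'win32a.inc' (invoke/library/import macros, MB_OK)
; is found.
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable
    caption db 'Anti-debug demo', 0
    goodboy db 'Everything is fine. Have a good day.', 0
    badboy  db 'I got you. Stop debugging me!', 0

section '.code' code readable executable
start:
    ; --- the snippet under test: manual BeingDebugged check ---
    ; fs:[0]   = start of the TEB/TIB
    ; fs:[30h] = pointer to the PEB
    mov  eax, [fs:30h]
    ; PEB+2 is the BeingDebugged byte; a debugger-created process has it set to 1.
    cmp  byte [eax+2], 0
    jne  being_debugged
    ; ------------------------------------------------------------
    ; To defeat the check in a debugger: zero the byte at [eax+2] before
    ; the cmp, or patch the conditional jump so the good-boy path is always
    ; taken. OllyAdvanced-style plugins clear the PEB byte for you.

good_boy:
    invoke MessageBox, 0, goodboy, caption, MB_OK
    jmp  short done

being_debugged:
    invoke MessageBox, 0, badboy, caption, MB_OK

done:
    invoke ExitProcess, 0

section '.idata' import data readable writeable
    library kernel32, 'KERNEL32.DLL', \
            user32,   'USER32.DLL'

    import kernel32, \
           ExitProcess, 'ExitProcess'

    import user32, \
           MessageBox, 'MessageBoxA'
```

Run the resulting .exe directly and you get the good-boy box; start it under OllyDbg (plugins disabled) and the kernel has already set the PEB byte, so the bad-boy box appears. To swap in another trick from the reference, replace only the lines between the two marker comments and keep the frame.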