Anti-Analysis Techniques
Evasion
Malware authors use anti-analysis techniques to detect debuggers and virtual machines and then abort or change behavior (the samples below simply call exit(1)). Recognizing these checks lets an analyst neutralize them — patch the branch, hide the debugger, remove VM artifacts — instead of mistaking the evasive code path for the real payload.
Anti-Debugging
c
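// Common anti-debugging techniques (Windows; needs <windows.h>, <stdlib.h>, <string.h>).
// Each check terminates the process on detection, as the original sample does;
// the analyst's bypass is to flip the branch or neutralize the data source.

// 1. IsDebuggerPresent: reads PEB->BeingDebugged through the documented API.
//    Trivially bypassed by patching the API or clearing the PEB flag.
if (IsDebuggerPresent()) {
    exit(1);
}

// 2. CheckRemoteDebuggerPresent: asks the kernel (NtQueryInformationProcess /
//    ProcessDebugPort) instead of reading the PEB, so clearing BeingDebugged
//    alone does not hide the debugger. The original listing never acted on the
//    result and ignored the call's return value, making the check a no-op.
BOOL debugged = FALSE;
if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &debugged) && debugged) {
    exit(1);
}

// 3. PEB.BeingDebugged read directly (no API call for a hook to intercept).
//    The PEB pointer lives in the TEB: fs:[0x30] on 32-bit, gs:[0x60] on x64;
//    BeingDebugged is at PEB+0x2 on both. Intrinsics are used because MSVC has
//    no inline asm on x64; the 32-bit asm equivalent is
//        mov eax, fs:[0x30] / movzx eax, byte ptr [eax+2] / test eax, eax / jnz debugger_detected
{
#ifdef _WIN64
    const unsigned char *peb = (const unsigned char *)__readgsqword(0x60);
#else
    const unsigned char *peb = (const unsigned char *)__readfsdword(0x30);
#endif
    if (peb[0x2] != 0) {
        exit(1);
    }
}

// 4. Timing check: single-stepping or a breakpoint between the two reads
//    inflates the elapsed time. GetTickCount has roughly 10-16 ms granularity,
//    and a fixed 1000 ms threshold also fires on slow sandboxes or loaded VMs,
//    so this is a heuristic, not proof. Unsigned DWORD subtraction handles the
//    tick-count wraparound correctly.
DWORD start = GetTickCount();
// ... some code ...
DWORD end = GetTickCount();
if ((end - start) > 1000) {
    exit(1);
}

// 5. Hardware breakpoint detection: DR0-DR3 hold the addresses of hardware
//    breakpoints a debugger has set. CONTEXT is zeroed first so stale stack
//    contents cannot produce a false positive if the call fails, and the return
//    value is checked. MS documents GetThreadContext on a *running* thread as
//    unreliable; hardened implementations query from a second thread or read
//    the CONTEXT handed to an exception handler instead.
{
    CONTEXT ctx;
    memset(&ctx, 0, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (GetThreadContext(GetCurrentThread(), &ctx) &&
        (ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3)) {
        exit(1);
    }
}

// Bypass: patch IsDebuggerPresent to return 0 / clear PEB.BeingDebugged,
// invert or NOP the conditional jumps, or hook NtQueryInformationProcess.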
// Or use ScyllaHide/TitanHide plugins, which hide the debugger from these checks in bulk
VM Detection
c
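// VM detection techniques (Windows; __cpuid needs <intrin.h>, memcmp/memcpy <string.h>).
// No single indicator is conclusive: sandboxes strip artifacts and hypervisors
// can hide themselves, so malware usually combines several of these.

// 1. VM-specific registry keys (left behind by guest-tools installs):
//    HKLM\SOFTWARE\VMware, Inc.\VMware Tools
//    HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
// 2. MAC address OUI prefixes (list is not exhaustive; a VM's MAC can be changed):
//    VMware: 00:0C:29, 00:50:56
//    VirtualBox: 08:00:27
// 3. Guest-tools processes:
//    vmtoolsd.exe, vmwaretray.exe, VBoxService.exe

// 4. CPUID hypervisor-present bit: leaf 1, ECX bit 31.
//    Caveat: this bit is also set on bare-metal Windows whenever Hyper-V is
//    active (VBS / Credential Guard / WSL2 / Hyper-V role), because the host OS
//    itself then runs as a Hyper-V partition. Treat it as "some hypervisor is
//    present", not "this is an analysis VM", and refine with the vendor leaf.
//    The mask is written as 1u << 31: shifting a signed int into the sign bit
//    overflows and is undefined behavior in C.
int cpuInfo[4];
__cpuid(cpuInfo, 1);
if ((unsigned)cpuInfo[2] & (1u << 31)) {
    // Hypervisor present: identify it. Leaf 0x40000000 returns a 12-byte
    // vendor signature in EBX:ECX:EDX, e.g. "VMwareVMware", "VBoxVBoxVBox",
    // "Microsoft Hv". Absence of a VMware/VBox string is not proof of bare
    // metal (hypervisors can return an arbitrary or empty signature).
    char vendor[13];
    __cpuid(cpuInfo, 0x40000000);
    memcpy(vendor + 0, &cpuInfo[1], 4);
    memcpy(vendor + 4, &cpuInfo[2], 4);
    memcpy(vendor + 8, &cpuInfo[3], 4);
    vendor[12] = '\0';
    if (memcmp(vendor, "VMwareVMware", 12) == 0 ||
        memcmp(vendor, "VBoxVBoxVBox", 12) == 0) {
        // Known analysis-VM hypervisor
    }
}

// 5. VM-specific driver files:
//    C:\Windows\System32\drivers\vmmouse.sys
//    C:\Windows\System32\drivers\vmhgfs.sys

// Bypass: analyze on bare metal, or patch the checks (force the CPUID branch
// not-taken, rename or remove guest-tools artifacts, change the MAC OUI).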