debug malware

=Yazdığım kiçik dokumentasiya. Öz hazırladıqım malware-da istifadə etdiyim anti-dbg texnikalarından biridir.=
Windows NT data structure TIB ==> PEB (opaque type)
PEB addr can be accessed as an offset of segment register FS locate == > the addr at TIB (Thread environment block data structure) in import table offset 0x30 (30h) linear address of PEB

img diagram: http://1.bp.blogspot.com/-qu8V9tv1p2I/T9Hby63yfAI/AAAAAAAAACA/wlwHTQMkgmU/s1600/finding_kernel32.png

Receiving PEB (pointer) addr from TIB
INSTRUCTION (1)

http://en.wikipedia.org/wiki/Win32_Thread_Information_Block#Contents_of_the_TIB_.2832-bit_Windows.29

Position    Length  Windows Versions    Description
FS:[0x30]   4   NT          Linear address of Process Environment Block (PEB)


The address of PEB movement with mov instruction
INSTRUCTION(2)
    In the PEB settled BeingDebugged field = offset 0x0002

Ref:
blog.rewolf.pl/blog/wp-content/uploads/2013/03/PEB_Evolution.pdf

x86 offset  Field Name          x64 offset
offset:bit(len)                 offset:bit(len)
0x0002      unsigned char,BeingDebugged     0x0002


======================================================================================================
used extra segment register : FS +==> FS are commonly used by OS kernels to access thread-specific memory.In windows, the FS register is used to manage thread-specific memory.

asm (intel) syntax

mov EAX, FS:[0x30] #1
mov EAX,[EAX+2] #2

C my malware source :)

#include<stdio.h>
void *antideb()
{
    void *pTib;
//AT&T syntax
    __asm__("movl %%fs:0x30, %%eax" : : : );
    __asm__("movl 2(%%eax), %%eax" : "=r" (pTib) : : );
    return pTib;
}

void main(){

    printf("%x\n",antideb());
    //validation pointer and kayfa davam :)
}

debug screen :?

http://f-picture.net/lfp/s004.radikal.ru/i205/1411/88/20ffac09e12d.png/htm


#eminghuliev,@st1ll_di3