Automatically Detect and Support Against Anti-Debug with IDA/Ghidra to Streamline Debugging Process
DAY 1
10:00-
10:40
Malware authors often employ anti-debugging techniques to obstruct analysis. When executed on a debugger, the malware detects the debugger and either stops its subsequent actions or behaves differently than usual, making analysis difficult. The number of anti-debugging implementations varies with each malware.
Notably, malware spread through mass-mailing campaigns that affect many organizations, and popular ransomware has been confirmed to possess multiple anti-debugging techniques. For example, anti-debugging techniques include VM detection, which checks for a debugging environment, detection of Breakpoints (which temporarily pause program execution during debugging), and time difference detection, which utilizes the difference in execution time when analyzing malware with a debugger.
“AntiDebugSeeker” is an open-source plugin for the binary analysis tools IDA and Ghidra, which are frequently utilized by analysts. It streamlines the malware analysis process by automatically identifying the anti-debugging techniques embedded within Windows malware. Code with anti-debug capabilities often overlaps with techniques used for anti-analysis, as well as with the preparatory steps for process injection, which are frequently employed by malware. Therefore, by flexibly customizing the detection rules, it is possible not only to identify anti-debugging features but also to understand the functionalities of the malware. Furthermore, the tool also provides functionalities to explain these anti-debugging measures and approaches to the corresponding functions. This enhances the analyst’s ability to understand and counteract the malware’s evasion techniques effectively, offering a more comprehensive understanding and response strategy against such threats.
In this presentation, we will demonstrate malware analysis and explain how to use the tool’s features, providing a practical understanding of how these features can be applied in actual threat scenarios.
-
Location :
-
Track 3(Room 2)
-
-
Category :
-
Bluebox
-
-
Share :
Speakers
-
Takahiro Takeda
武田 貴寛
Takahiro Takeda is a member of the Cyber Emergency Center at LAC in Tokyo, Japan, specializing in malware analysis and cyber threat intelligence.
He has dedicated himself to analyzing malware involved in security incidents.
Additionally, he is committed to spreading his knowledge through writing books and participating in educational activities.
His experience includes analyzing IDS and IPS logs through MSS at the Japan Security Operation Center (JSOC) and serving as a cyber threat investigator during his secondment to the Japan Cyber Crime Control Center (JC3).
Furthermore, he has presented his research findings at various conferences, including PACSEC, AVAR, and HITCON.