Time Table

Malware authors often employ anti-debugging techniques to obstruct analysis. When executed on a debugger, the malware detects the debugger and either stops its subsequent actions or behaves differently than usual, making analysis difficult. The number of anti-debugging implementations varies with each malware.

Notably, malware spread through mass-mailing campaigns that affect many organizations, and popular ransomware has been confirmed to possess multiple anti-debugging techniques. For example, anti-debugging techniques include VM detection, which checks for a debugging environment, detection of Breakpoints (which temporarily pause program execution during debugging), and time difference detection, which utilizes the difference in execution time when analyzing malware with a debugger.

“AntiDebugSeeker” is an open-source plugin for the binary analysis tools IDA and Ghidra, which are frequently utilized by analysts. It streamlines the malware analysis process by automatically identifying the anti-debugging techniques embedded within Windows malware. Code with anti-debug capabilities often overlaps with techniques used for anti-analysis, as well as with the preparatory steps for process injection, which are frequently employed by malware. Therefore, by flexibly customizing the detection rules, it is possible not only to identify anti-debugging features but also to understand the functionalities of the malware. Furthermore, the tool also provides functionalities to explain these anti-debugging measures and approaches to the corresponding functions. This enhances the analyst’s ability to understand and counteract the malware’s evasion techniques effectively, offering a more comprehensive understanding and response strategy against such threats.

In this presentation, we will demonstrate malware analysis and explain how to use the tool’s features, providing a practical understanding of how these features can be applied in actual threat scenarios.