Anti-Analysis & Anti-VM/Debug Techniques: GuLoader in March 2020

In this blog, we'll see the improvements that have been made to the code over time. Although some of the tricks are old, they still get the job done.

Figure 1: Email with Attachment (courtesy of

The infection vector hasn't changed yet, but we at K7 Labs still keep track of GuLoader because of the efforts its authors put into improving the code that detects a virtual or debug environment.

It uses the RDTSC instruction to get the elapsed time in EAX:EDX, performs an OR between EAX and EDX, and saves the result in ESI; this RDTSC and CPUID instruction combination is depicted in Figure 2. While all of these are documented tricks, two in particular were quite interesting to us:

- Checking for qemu-ga.exe and qga.exe under Program Files.
- Enumerating the active windows using the EnumWindows() API.
- ZwQueryVirtualMemory(), used to detect execution within a virtual machine.

In addition to the techniques above, some more tricks were found in the binary received after the end of June:

- Patching user-mode hooks: overwriting the first 5 bytes of the unconditional jump (0xe9 ?) set by some AVs and sandboxes.
- Patching ntdll.DbgBreakPoint() and ntdll.DbgUiRemoteBreakin().
- Debugger anti-attach technique using ntdll.ZwSetInformationThread() with parameter 0x11.
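As an added defender-side example (not code from the K7 Labs post or from GuLoader), the script below triages a raw binary or memory dump for the indicators described above: RDTSC/CPUID pairs, the qemu-ga.exe/qga.exe guest-agent names, and the anti-debug API names. It assumes 32-bit code without instruction prefixes and scans bytes rather than disassembling, so the opcode counts are a heuristic; the sample bytes are constructed.

```python
import re

# Opcodes of the two instructions in the timing check (assumption: 32-bit code,
# no prefixes, so each is a plain two-byte opcode). Raw byte scan, not disassembly.
RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
# Guest-agent process names and API names tied to the tricks described above.
PROCESS_NAMES = ["qemu-ga.exe", "qga.exe"]
API_NAMES = ["EnumWindows", "ZwQueryVirtualMemory", "ZwSetInformationThread",
             "DbgBreakPoint", "DbgUiRemoteBreakin"]

def count_string(blob: bytes, s: str) -> int:
    """Count ASCII and UTF-16LE occurrences of s (Windows binaries use both)."""
    return blob.count(s.encode("ascii")) + blob.count(s.encode("utf-16-le"))

def rdtsc_cpuid_pairs(blob: bytes, window: int = 32) -> int:
    """Count RDTSC opcodes with a CPUID within `window` bytes on either side."""
    hits = 0
    for m in re.finditer(re.escape(RDTSC), blob):
        lo, hi = max(0, m.start() - window), m.end() + window
        if CPUID in blob[lo:hi]:
            hits += 1
    return hits

def triage(blob: bytes) -> list:
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    pairs = rdtsc_cpuid_pairs(blob)
    if pairs:
        findings.append(f"timing check: {pairs} RDTSC/CPUID pair(s)")
    for name in PROCESS_NAMES:
        if count_string(blob, name):
            findings.append(f"VM guest-agent lookup: {name}")
    for name in API_NAMES:
        if count_string(blob, name):
            findings.append(f"anti-debug/anti-VM API reference: {name}")
    return findings

# Constructed sample: cpuid; rdtsc; or eax, edx; mov esi, eax; padding; then
# ASCII and UTF-16LE strings of the kind an unpacked memory dump would expose.
SAMPLE = (
    CPUID + RDTSC + b"\x0b\xc2" + b"\x8b\xf0" + b"\x90" * 8
    + b"EnumWindows\x00ZwQueryVirtualMemory\x00"
    + "qemu-ga.exe".encode("utf-16-le") + b"\x00\x00"
    + b"DbgBreakPoint\x00ZwSetInformationThread\x00"
)

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Because GuLoader is packed, run this over a memory dump taken after unpacking rather than the file on disk, and expect some opcode noise on large inputs since any 0F 31 byte pair is counted.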