Hiding Debuggers from Malware using Apate

Members

Overview

Malware analysis uses debuggers to understand and manipulate the behaviors of stripped binaries. To circumvent analysis, malware applies a variety of anti-debugging techniques, such as self-modifying, checking for or removing breakpoints, hijacking keyboard and mouse events, escaping the debugger, etc. Most state-of-the-art debuggers are vulnerable to these anti-debugging techniques.

We first systematically analyze the spectrum of possible anti-debugging techniques and compile a list of 79 attack vectors. We then propose a framework, called Apate, which detects and defeats each of these attack vectors, by performing: (1) just-in-time disassembling based on single-stepping, (2) careful monitoring of the debuggee's execution and, when needed, modification of the debugee's states to hide the debugger's presence.

Anti-debugging Techniques We Handle

Overall Design of Apate

Stage 1
- Preprocess the debuggee by parsing its portable executable header.
Stage 2
- Analyze the instruction that is about to execute.
Stage 3
- Execute this instruction

Software & Code

Publications

Hao Shi and Jelena Mirkovic. Hiding Debuggers from Malware with Apate. In Proceedings of ACM Symposium on Applied Computing. SAC 2017, April 03 - 07, 2017, Marrakech, Morocco.

Acknowledgments

This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number HSHQDC-16-C-00024. The views and conclusions contained herein are those of the authors only.