৽஛Ѩംఱఱٯ޲ ޻ఔ terrynini38514 terrynini

ANTI ANALYZE

ANTI ANALYZE "OUJ"OBMZ[F ▸ ሣ߅෼ੳతํ๏༗ڐଟɼแؚᯩଶٴಈଶɼجຊ্बੋཁ⃧Ճٯ޲෼ੳ੒ຊ ▸ ֤ݸٕ޼Մೳ؃ࣅ؆ᄸɼୠ૊߹ࡏҰىඇৗ่௵ ▸ ૬᮫ٕ޼ඇৗڼ↳࡞ۀܥ౷ɼෆಉ࡞ۀܥ౷Լ။༗ෆಉతํ๏ɼᙛવ໵ੋ༗௨༻త ▸ ഝཫҎ8JOEPXTҝྫɼҼҝ8JOEPXTൺֱ噁৺  3

ANTI ANALYZE 5 5ISFBE&OWJSPONFOU#MPDL ▸ 5༻ိอଘᙛલࣥߦॹ૬᮫తࢿਜ ▸ ՄҎಁաଖதత5*#Ҏٴ1௚઀֫ಘ๭ࠣࢿਜࣕෆधཁ࢖༻"1* ▸ ࡏCJUܥ౷্ՄҎಁաfsଘऔ ▸ ࡏCJUܥ౷্ՄҎಁաgsଘऔ  4

ANTI ANALYZE 5  5 NT_TIB NtTib ... PPEB PEB ... TEB ... PEB

ANTI ANALYZE 5*# 5ISFBE*OGPNBUJPO#MPDL  6 NT_TIB NtTib ... PPEB PEB ... TEB ... PEB ExceptionList ... PNT_TIB Self 1SPDFTT&OWJSPONFOU#MPDLଠ௕ɼNFNCFS໊ॖሜ

ANTI ANALYZE )PX5P(FU5 Ntdll.NtCurrentTeb()  7

ANTI ANALYZE )PX5P(FU5  8 NT_TIB NtTib ... PPEB PEB ... TEB FS Segment Descriptor Table ҰݸFOUSZCJU

ANTI ANALYZE 5*# 5ISFBE*OGPNBUJPO#MPDL  9 ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB FS:[0x18] ... PEB 0x18 0x30 0x0 dereference "Self" in TEB

ANTI ANALYZE 5*# 5ISFBE*OGPNBUJPO#MPDL  10 ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB FS:[0x30] ... PEB 0x18 0x30 0x0 dereference "PEB" in TEB

ANTI ANALYZE 5*# 5ISFBE*OGPNBUJPO#MPDL  11 ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB FS:[0] ... PEB 0x18 0x30 0x0 dereference "ExceptionList" in TEB

ANTI ANALYZE 5  12 FS:[0] FS:[0x18] FS:[0x30] GS:[0] GS:[0x30] GS:[0x60] Exceptionlist TIB Self PEB 32bit 64bit

ANTI ANALYZE 4&)  13 Next Handler HANDLER HANDLER HANDLER Next Handler Next Handler

ANTI ANALYZE 1 1SPDFTT&OWJSPONFOU#MPDL CJU  14 ExceptionList ... PNT_TIB Self ... PPEB PEB ... TEB ... BeingDebugged ... ImageBaseAddress Ldr ... Processheap ... NtGlobalFlag ... PEB 0x18 0x30 0x0 0x02 0x08 0x0c 0x18 0x68

ANTI ANALYZE 1 1SPDFTT&OWJSPONFOU#MPDL CJU  15 ... BeingDebugged ... ImageBaseAddress Ldr ... Processheap ... NtGlobalFlag ... PEB 0x02 0x08 0x0c 0x18 0x68 ... InLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList ... _PEB_LDR_DATA LIST_ENTRY LIST_ENTRY LIST_ENTRY 0x0c 0x14 0x1c

ANTI ANALYZE 1 1SPDFTT&OWJSPONFOU#MPDL CJU  16 ... BeingDebugged ... ImageBaseAddress Ldr ... Processheap ... NtGlobalFlag ... PEB 0x02 0x08 0x0c 0x18 0x68 ... InLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList ... _PEB_LDR_DATA 0x0c 0x14 0x1c LDR_DATA_TABLE_ENTRY PVOID Reserved1[2] LIST_ENTRY InMemoryOrderLinks PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; ...

ANTI ANALYZE 1 1SPDFTT&OWJSPONFOU#MPDL CJU  17 ... InMemoryOrderModuleList Flink Blink ... _PEB_LDR_DATA LDR_DATA_TABLE_ENTRY PVOID Reserved1[2] Flink Blink PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; ... LDR_DATA_TABLE_ENTRY PVOID Reserved1[2] Flink Blink PVOID Reserved2[2]; PVOID DllBase; PVOID EntryPoint; PVOID Reserved3; UNICODE_STRING FullDllName; ... 0x14 0x8 0x8

ANTI ANALYZE "OUJ"OBMZ[F  18 ▸ େՈ౎ཧղྃ 
 ॴҎݱࡏେՈ౎࿃ಔ ▸ ࿃ಔෆੋෆ޷ɼ 
 ୠզ၇ՄҎਫ਼ਐҰԼ

DIY

ANTI ANALYZE "OUJ"OBMZ[F  20 ▸ garbage code ▸ code alignment ▸ encryption\decryption ▸ reflactive binary ▸ api redirection ▸ polymorphic code ▸ debug blocker(self debugging, nanomite)

ANTI ANALYZE "OUJ"OBMZ[F  21

ANTI ANALYZE %FCVHHFS%FUFDUJPO  22 ▸ 1 #FJOH%FCVHHFE /U(MPCBM'MBH

ANTI ANALYZE %FCVHHFS%FUFDUJPO  23 ▸ NtQueryInformationProcess() ▸ CheckRemoteDebuggerPresent() ▸ NtQueryInformationProcess() ▸ NtQuerySystemInformation() ▸ NtSetInformationThread() ▸ NtQueryObject()

ANTI ANALYZE %FCVHHFS%FUFDUJPO  24 ▸ FindWindow() ▸ Parent Process Check() ▸ GetComputerName() ▸ GetCommandLine()

END

REFERENCE 3FGFSFODF ▸ https://ithelp.ithome.com.tw/articles/10219105  26