I create makin to make initial malware assessment little bit easier for me, I think it's useful for others as well, It helps to reveal a debugger detection techniques used by a sample.
Any feedback is greatly appreciated: @_qaz_qaz
makin opens a sample as a debuggee and injects asho.dll, asho.dll hooks several functions at ntdll.dll library and after parameters checkings, it sends the corresponding message to the debugger (makin.exe).
For hooking, it uses Capstone engine, which makes hooking much stealthier.
At this moment, makin can reveal following techniques:
Note: Use The “Ultimate” Anti-Debugging Reference as a reference
NtClose: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iiNtOpenProcess: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iNtCreateFile: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open itself)NtCreateFile: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open a driver)LdrLoadDll- ref: The "Ultimate" Anti-Debugging Reference: 7.B.ivNtSetDebugFilterState- ref: The "Ultimate" Anti-Debugging Reference: 7.D.viNtQueryInformationProcess- ref: The "Ultimate" Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.cNtQuerySystemInformation- ref: The "Ultimate" Anti-Debugging Reference: 7.E.iiiNtSetInformationThread- ref: The "Ultimate" Anti-Debugging Reference 7.F.iiiNtCreateUserProcess- ref: The "Ultimate" Anti-Debugging Reference 7.G.iNtCreateThreadEx- ref: ntuery blog postNtSystemDebugControl- ref: @waleedassar - pastebinNtYieldExecution- ref: The "Ultimate" Anti-Debugging Reference 7.D.xiiiNtSetLdtEntries- ref: ANTI-UNPACKER TRICKS: PART ONE - 2.1.2
That's all for now, you can add as much as you wish :)
-
[DONE]
Use a disassembler such as capstone to hook little bit deeper and avoid simple hook checks. -
At this moment,
makindoes not support child processes. -
Add more tricks.
-
[DONE]
x86 support
