joscandreu/makin

makin - reveal anti-debugging tricks

I create makin to make initial malware assessment little bit easier for me, I think it's useful for others as well, It helps to reveal a debugger detection techniques used by a sample.

Any feedback is greatly appreciated: @_qaz_qaz

Note: Only supports x64 Supports x64 and x86. Works on Windows 10.

How does it work?

makin opens a sample as a debuggee and injects asho.dll(main module renames all dlls before injection), asho.dll hooks several functions at ntdll.dll and kernelbase.dll libraries and after parameters checkings, it sends the corresponding message to the debugger (makin.exe).

For hooking, it uses Capstone engine, which makes hooking much stealthier.

Note: You can use vcpkg to get Capstone.

makin also generates a script for IDA Pro to set breakpoints at detected APIs.

At this moment, makin can reveal following techniques:

ntdll.dll:

• NtClose - ref: The "Ultimate" Anti-Debugging Reference: 7.B.ii
• NtOpenProcess - ref: The "Ultimate" Anti-Debugging Reference: 7.B.i
• NtCreateFile - ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open itself)
• NtCreateFile - ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open a driver)
• LdrLoadDll - ref: The "Ultimate" Anti-Debugging Reference: 7.B.iv
• NtSetDebugFilterState - ref: The "Ultimate" Anti-Debugging Reference: 7.D.vi
• NtQueryInformationProcess - ref: The "Ultimate" Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c
• NtQuerySystemInformation - ref: The "Ultimate" Anti-Debugging Reference: 7.E.iii
• NtSetInformationThread - ref: The "Ultimate" Anti-Debugging Reference 7.F.iii
• NtCreateUserProcess - ref: The "Ultimate" Anti-Debugging Reference 7.G.i
• NtCreateThreadEx - ref: ntuery blog post
• NtSystemDebugControl - ref: @waleedassar - pastebin
• NtYieldExecution - ref: The "Ultimate" Anti-Debugging Reference 7.D.xiii
• NtSetLdtEntries - ref: ANTI-UNPACKER TRICKS: PART ONE - 2.1.2
• NtQueryInformationThread - ref: ntquery - NtQueryInformationThread
• NtCreateDebugObject and NtQueryObject - ref: Anti-Debug NtQueryObject
• RtlAdjustPrivilege - ref: Using RtlAdjustPrivilege to detect debugger by insid3codeteam
• GetWriteWatch - ref: Anti-debug with VirtualAlloc’s write watch

kernelbase.dll:

• IsDebuggerPresent - ref: MSDN
• CheckRemoteDebuggerPresent - ref: MSDN
• SetUnhandledExceptionFilter - ref: The "Ultimate" Anti-Debugging Reference: D.xv

That's all for now, you can add as much as you wish :)

TODO:

• [DONE] Use a disassembler such as capstone to hook little bit deeper and avoid simple hook checks.

• At this moment, makin does not support child processes.

• [DONE] x86 support

• [DONE] ~~~hook kernelbase.dll~~~

• Add anti-vm, anti-emulation tricks detection

• [DONE] ~~~Generate IDA Pro script to set BPs at detected APIs~~~

DEMO: