• TODO

• API Calls:
  • kernel32→IsDebuggerPresent()
  • ntdll→NtQueryInformationProcess with ProcessInformationClass argument of 7 (7 == ProcessDebugPort)
• Timing checks. Some functions or instructions can be used to infer the presence of a debugger
  • rdtsc instruction
  • GetTickCount()
  • QueryPerformanceCounter()
• Virtual Machine Detection
  • Thwarting VM Detection under VMWare
• TEB or PEB access

  • xor eax, eax
    mov eax, fs:[eax+0x0] -> _TEB
     
    xor eax, eax
    mov eax,  fs:[eax+0x30] -> _TEB.Peb
     
    mov eax, fs:[30]
    mov eax, [eax+2]  -> PEB.IsDebugged flag
    test eax, eax 
    jnz debugger_detected

  • SEH manipulation
• The following IDC script checks for basic stuff mentioned above

  • antidebug_highlight.idc

    #include <idc.idc>
     
    static main() {
        auto start, end, addr, mnem, count, opnd, opnd1, opnd2;
        start = SegStart( ScreenEA() );
        end = SegEnd( ScreenEA() );
        addr = start;
        count = 0;
        while( addr < end ) {
            mnem = GetMnem( addr );
            // Common VM detect instructions
            if( mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw" || mnem == "str" ) {
                Message( "%08x: Found %s\n", addr, mnem );
                SetColor( addr, CIC_ITEM, 0x0088ff ); // orange
            }
            // Read Time Stamp Counter
            if( mnem == "rdtsc" ) {
                Message( "%08x: Found %s\n", addr, mnem );
                SetColor( addr, CIC_ITEM, 0xff8800 ); // blue
            }
            // Exception Handling or other PEB/TEB access
            opnd = "";
            opnd1 = GetOpnd( addr, 0 );
            opnd2 = GetOpnd( addr, 1 );
            if( strstr( opnd1, "fs:" ) > -1 ) {
                opnd = opnd1;
            }
            else {
                if( strstr( opnd2, "fs:" ) > -1 ) opnd = opnd2;
            }
            if( opnd != "" ) {
                Message( "%08x: Found %s\n", addr, opnd );
                SetColor( addr, CIC_ITEM, 0xff8888 ); // purple
            }
            addr = NextHead( addr, BADADDR );
            count = count + 1;
        }
        Message( "Processed %d instructions from %08x to %08x\n", count, start, end );
    }

• More details and other techniques here

• .NET Decompiler ILSpy
• .NET code analyzer .NET Reflector and plugin for assembly editing ReflexIL

• LLVM bytecode can be converted to ELF with llvmc

• CFF Explorer supports packing identification

TODO

• Steps for APK binary decompilation

• FindCrypt: IDA plugin that detects standard crypto/hash algorithms
• Excellent gdbinit script for facilitating debugging in gdb
• RE framework - https://github.com/radare/radare2