# makin

makin is meant to make initial malware assessment a little bit easier: it helps to reveal the debugger detection techniques used by a sample.

Supports x64 and x86.
## How does it work?

makin opens a sample as a debuggee and injects `asho.dll`. `asho.dll` hooks several functions in the `ntdll.dll` library and, after checking their parameters, sends the corresponding message to the debugger (`makin.exe`).

For hooking, it uses the Capstone engine, which makes the hooks much stealthier.
At this moment, makin can reveal the following techniques:
**Note**: use The “Ultimate” Anti-Debugging Reference as a reference for the section numbers below.

- `NtClose`: ref: The “Ultimate” Anti-Debugging Reference: 7.B.ii
- `NtOpenProcess`: ref: The “Ultimate” Anti-Debugging Reference: 7.B.i
- `NtCreateFile`: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open itself)
- `NtCreateFile`: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open a driver)
- `LdrLoadDll`: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iv
- `NtSetDebugFilterState`: ref: The “Ultimate” Anti-Debugging Reference: 7.D.vi
- `NtQueryInformationProcess`: ref: The “Ultimate” Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c
- `NtQuerySystemInformation`: ref: The “Ultimate” Anti-Debugging Reference: 7.E.iii
- `NtSetInformationThread`: ref: The “Ultimate” Anti-Debugging Reference: 7.F.iii
- `NtCreateUserProcess`: ref: The “Ultimate” Anti-Debugging Reference: 7.G.i
- `NtCreateThreadEx`: ref: ntquery blog post
- `NtSystemDebugControl`: ref: @waleedassar (pastebin)
- `NtYieldExecution`: ref: The “Ultimate” Anti-Debugging Reference: 7.D.xiii
- `NtSetLdtEntries`: ref: ANTI-UNPACKER TRICKS: PART ONE, 2.1.2
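The README says `asho.dll` hooks the functions above, checks their parameters and then sends a message to `makin.exe`, but it does not show what those parameter checks look like. The following is an added example written for this page (it is not makin's or asho.dll's code): a model of that decision step, run over a constructed trace of hooked calls, for a subset of the listed functions. The information-class and flag constants are the public documented NT values (they are not on the page), the per-call checks are this editor's reading of the cited techniques, the `\??\` device-name heuristic and the "known open handles" context are modelling assumptions, and the reference strings are the ones listed above.

```python
"""Model of the parameter checks behind makin's hook reports.

Added example, not makin's or asho.dll's code. Reproduces the decision
"does this hooked ntdll call look like an anti-debugging technique, and
which message should the debugger receive" over constructed call records.
"""
from dataclasses import dataclass, field
from typing import Optional

# Public NT information-class / flag values (not given on the page).
PROCESS_DEBUG_PORT = 7
PROCESS_DEBUG_OBJECT_HANDLE = 30
PROCESS_DEBUG_FLAGS = 31
SYSTEM_KERNEL_DEBUGGER_INFORMATION = 35
THREAD_HIDE_FROM_DEBUGGER = 17
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

REF = 'The "Ultimate" Anti-Debugging Reference'

# Functions where the call itself is the technique: no parameter check needed.
ALWAYS_REPORT = {
    "NtSetDebugFilterState": ("call to NtSetDebugFilterState", f"{REF}: 7.D.vi"),
    "NtSystemDebugControl": ("call to NtSystemDebugControl", "@waleedassar (pastebin)"),
    "NtYieldExecution": ("call to NtYieldExecution", f"{REF}: 7.D.xiii"),
    "NtSetLdtEntries": ("call to NtSetLdtEntries", "ANTI-UNPACKER TRICKS: PART ONE, 2.1.2"),
}


@dataclass
class HookedCall:
    """One intercepted ntdll call as the hook sees it: name plus arguments."""
    func: str
    args: dict = field(default_factory=dict)


@dataclass
class Detection:
    """The message the hook would send to the debugger."""
    func: str
    technique: str
    reference: str


def classify(call: HookedCall, ctx: dict) -> Optional[Detection]:
    """Apply the parameter check for one call. ctx models what the hook knows
    about the debuggee: its image path, the csrss.exe pid, handles it opened."""
    f, a = call.func, call.args
    if f in ALWAYS_REPORT:
        technique, ref = ALWAYS_REPORT[f]
        return Detection(f, technique, ref)
    if f == "NtQueryInformationProcess":
        names = {PROCESS_DEBUG_PORT: "ProcessDebugPort",
                 PROCESS_DEBUG_OBJECT_HANDLE: "ProcessDebugObjectHandle",
                 PROCESS_DEBUG_FLAGS: "ProcessDebugFlags"}
        cls = a.get("ProcessInformationClass")
        if cls in names:
            return Detection(f, names[cls], f"{REF}: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c")
    elif f == "NtQuerySystemInformation":
        if a.get("SystemInformationClass") == SYSTEM_KERNEL_DEBUGGER_INFORMATION:
            return Detection(f, "SystemKernelDebuggerInformation", f"{REF}: 7.E.iii")
    elif f == "NtSetInformationThread":
        if a.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            return Detection(f, "ThreadHideFromDebugger", f"{REF}: 7.F.iii")
    elif f == "NtCreateThreadEx":
        if a.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            return Detection(f, "THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER", "ntquery blog post")
    elif f == "NtOpenProcess":
        if a.get("ClientId") == ctx["csrss_pid"]:
            return Detection(f, "open csrss.exe", f"{REF}: 7.B.i")
    elif f == "NtClose":
        # Modelling assumption: the hook tracks handles the debuggee opened.
        if a.get("Handle") not in ctx["open_handles"]:
            return Detection(f, "close invalid handle", f"{REF}: 7.B.ii")
    elif f == "NtCreateFile":
        name = a.get("ObjectName", "")
        if name.lower() == ctx["sample_path"].lower():
            return Detection(f, "open own image", f"{REF}: 7.B.iii (Open itself)")
        # Heuristic: a \??\ name without a drive letter is a device object (a driver).
        if name.startswith("\\??\\") and ":" not in name:
            return Detection(f, "open device object", f"{REF}: 7.B.iii (Open a driver)")
    return None


def scan(calls, ctx) -> list:
    """Run every hooked call through classify and keep the reports, in order."""
    return [d for d in (classify(c, ctx) for c in calls) if d is not None]


# Constructed trace of hooked calls from a hypothetical debuggee (not real data).
SAMPLE_CTX = {"sample_path": r"\??\C:\samples\sample.exe",
              "csrss_pid": 604, "open_handles": {0x40, 0x44}}
SAMPLE_TRACE = [
    HookedCall("NtQueryInformationProcess", {"ProcessInformationClass": PROCESS_DEBUG_PORT}),
    HookedCall("NtQueryInformationProcess", {"ProcessInformationClass": 0}),  # benign query
    HookedCall("NtClose", {"Handle": 0x40}),    # handle the debuggee opened: benign
    HookedCall("NtClose", {"Handle": 0x1234}),  # never opened: the 7.B.ii trick
    HookedCall("NtCreateFile", {"ObjectName": r"\??\C:\samples\sample.exe"}),
    HookedCall("NtCreateFile", {"ObjectName": r"\??\PLACEHOLDER_DEBUGGER_DEVICE"}),
    HookedCall("NtSetInformationThread", {"ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}),
    HookedCall("NtCreateThreadEx", {"CreateFlags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER}),
    HookedCall("NtOpenProcess", {"ClientId": 604}),
    HookedCall("NtSetDebugFilterState", {}),
]

if __name__ == "__main__":
    for d in scan(SAMPLE_TRACE, SAMPLE_CTX):
        print(f"[report] {d.func}: {d.technique} ({d.reference})")
```

Running the module prints one report line per detected technique; of the ten constructed calls, the benign `ProcessBasicInformation` query and the close of a known handle produce nothing, the other eight are reported with the reference the README lists for that function.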