Anti Reversing Techniques

1---2name: anti-reversing-techniques3description: Understand anti-reversing, obfuscation, and protection techniques encountered during software analysis. Use this skill when analyzing malware evasion techniques, when implementing anti-debugging protections for CTF challenges, when reverse engineering packed binaries, or when building security research tools that need to detect virtualized environments.4---5 6> **AUTHORIZED USE ONLY**: This skill contains dual-use security techniques. Before proceeding with any bypass or analysis:7>8> 1. **Verify authorization**: Confirm you have explicit written permission from the software owner, or are operating within a legitimate security context (CTF, authorized pentest, malware analysis, security research)9> 2. **Document scope**: Ensure your activities fall within the defined scope of your authorization10> 3. **Legal compliance**: Understand that unauthorized bypassing of software protection may violate laws (CFAA, DMCA anti-circumvention, etc.)11>12> **Legitimate use cases**: Malware analysis, authorized penetration testing, CTF competitions, academic security research, analyzing software you own/have rights to13 14# Anti-Reversing Techniques15 16Understanding protection mechanisms encountered during authorized software analysis, security research, and malware analysis. This knowledge helps analysts bypass protections to complete legitimate analysis tasks.17 18For advanced techniques, see [references/advanced-techniques.md](references/advanced-techniques.md)19 20---21 22## Input / Output23 24**What you provide:**25 26- **Binary path or sample**: the executable, DLL, or firmware image under analysis27- **Platform**: Windows x86/x64, Linux, macOS, ARM — affects which checks apply28- **Goal**: bypass for dynamic analysis, identify protection type, build detection code, implement for CTF29 30**What this skill produces:**31 32- **Protection identification**: named technique (e.g., RDTSC timing check, PEB BeingDebugged) with location in binary33- **Bypass strategy**: specific patch addresses, hook points, or tool commands to neutralize each check34- **Analysis report**: structured findings listing each protection layer, severity, and recommended bypass35- **Code artifacts**: Python/IDAPython scripts, GDB command sequences, or C stubs for bypassing or implementing checks36 37---38 39## Anti-Debugging Techniques40 41### Windows Anti-Debugging42 43#### API-Based Detection44 45```c46// IsDebuggerPresent47if (IsDebuggerPresent()) {48    exit(1);49}50 51// CheckRemoteDebuggerPresent52BOOL debugged = FALSE;53CheckRemoteDebuggerPresent(GetCurrentProcess(), &debugged);54if (debugged) exit(1);55 56// NtQueryInformationProcess57typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(58    HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);59 60DWORD debugPort = 0;61NtQueryInformationProcess(62    GetCurrentProcess(),63    ProcessDebugPort,        // 764    &debugPort,65    sizeof(debugPort),66    NULL67);68if (debugPort != 0) exit(1);69 70// Debug flags71DWORD debugFlags = 0;72NtQueryInformationProcess(73    GetCurrentProcess(),74    ProcessDebugFlags,       // 0x1F75    &debugFlags,76    sizeof(debugFlags),77    NULL78);79if (debugFlags == 0) exit(1);  // 0 means being debugged80```81 82**Bypass:** Use ScyllaHide plugin in x64dbg (patches all common checks automatically). Manually: force `IsDebuggerPresent` return to 0, patch `PEB.BeingDebugged` to 0, hook `NtQueryInformationProcess`. In IDA: `ida_bytes.patch_byte(check_addr, 0x90)`.83 84#### PEB-Based Detection85 86```c87// Direct PEB access88#ifdef _WIN6489    PPEB peb = (PPEB)__readgsqword(0x60);90#else91    PPEB peb = (PPEB)__readfsdword(0x30);92#endif93 94// BeingDebugged flag95if (peb->BeingDebugged) exit(1);96 97// NtGlobalFlag98// Debugged: 0x70 (FLG_HEAP_ENABLE_TAIL_CHECK |99//                 FLG_HEAP_ENABLE_FREE_CHECK |100//                 FLG_HEAP_VALIDATE_PARAMETERS)101if (peb->NtGlobalFlag & 0x70) exit(1);102 103// Heap flags104PDWORD heapFlags = (PDWORD)((PBYTE)peb->ProcessHeap + 0x70);105if (*heapFlags & 0x50000062) exit(1);106```107 108**Bypass:** In x64dbg, follow `gs:[60]` (x64) or `fs:[30]` (x86) in dump. Set `BeingDebugged` (offset +2) to 0; clear `NtGlobalFlag` (offset +0xBC on x64).109 110#### Timing-Based Detection111 112```c113// RDTSC timing114uint64_t start = __rdtsc();115// ... some code ...116uint64_t end = __rdtsc();117if ((end - start) > THRESHOLD) exit(1);118 119// QueryPerformanceCounter120LARGE_INTEGER start, end, freq;121QueryPerformanceFrequency(&freq);122QueryPerformanceCounter(&start);123// ... code ...124QueryPerformanceCounter(&end);125double elapsed = (double)(end.QuadPart - start.QuadPart) / freq.QuadPart;126if (elapsed > 0.1) exit(1);  // Too slow = debugger127 128// GetTickCount129DWORD start = GetTickCount();130// ... code ...131if (GetTickCount() - start > 1000) exit(1);132```133 134**Python script — timing-based anti-debug detection scanner:**135 136```python137#!/usr/bin/env python3138"""Scan a binary for common timing-based anti-debug patterns."""139import re140import sys141 142PATTERNS = {143    "RDTSC":              rb"\x0f\x31",                    # RDTSC opcode144    "RDTSCP":             rb"\x0f\x01\xf9",                # RDTSCP opcode145    "GetTickCount":       rb"GetTickCount\x00",146    "QueryPerfCounter":   rb"QueryPerformanceCounter\x00",147    "NtQuerySysInfo":     rb"NtQuerySystemInformation\x00",148}149 150def scan(path: str) -> None:151    data = open(path, "rb").read()152    print(f"Scanning: {path} ({len(data)} bytes)\n")153    for name, pattern in PATTERNS.items():154        hits = [m.start() for m in re.finditer(re.escape(pattern), data)]155        if hits:156            offsets = ", ".join(hex(h) for h in hits[:5])157            print(f"  [{name}] found at: {offsets}")158    print("\nDone. Cross-reference offsets in IDA/Ghidra to find check logic.")159 160if __name__ == "__main__":161    scan(sys.argv[1])162```163 164**Bypass:** Use hardware breakpoints (no INT3 overhead), NOP the comparison + conditional jump, freeze RDTSC via hypervisor, or hook timing APIs to return consistent values.165 166#### Exception-Based Detection167 168```c169// SEH: if debugger is attached it consumes the INT3 exception170// and execution falls through to exit(1) instead of the __except handler171__try { __asm { int 3 } }172__except(EXCEPTION_EXECUTE_HANDLER) { return; }  // Clean: exception handled here173exit(1);  // Dirty: debugger swallowed the exception174 175// VEH: register handler that self-handles INT3 (increments RIP past INT3)176// Debugger intercepts first, handler never runs → detected177LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ep) {178    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) {179        ep->ContextRecord->Rip++;180        return EXCEPTION_CONTINUE_EXECUTION;181    }182    return EXCEPTION_CONTINUE_SEARCH;183}184```185 186**Bypass**: In x64dbg, set "Pass exception to program" for EXCEPTION_BREAKPOINT (Options → Exceptions → add 0x80000003).187 188### Linux Anti-Debugging189 190```c191// ptrace self-trace192if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {193    // Already being traced194    exit(1);195}196 197// /proc/self/status198FILE *f = fopen("/proc/self/status", "r");199char line[256];200while (fgets(line, sizeof(line), f)) {201    if (strncmp(line, "TracerPid:", 10) == 0) {202        int tracer_pid = atoi(line + 10);203        if (tracer_pid != 0) exit(1);204    }205}206 207// Parent process check208if (getppid() != 1 && strcmp(get_process_name(getppid()), "bash") != 0) {209    // Unusual parent (might be debugger)210}211```212 213**Bypass (LD_PRELOAD hook):**214 215```bash216# hook.c: long ptrace(int request, ...) { return 0; }217# gcc -shared -fPIC -o hook.so hook.c218LD_PRELOAD=./hook.so ./target219```220 221**GDB bypass command sequence:**222 223```gdb224# 1. Make ptrace(PTRACE_TRACEME) always return 0 (success)225catch syscall ptrace226commands227  silent228  set $rax = 0229  continue230end231 232# 2. Bypass check after ptrace call: find "cmp rax, 0xffffffff; je <exit>"233#    Clear ZF so the conditional jump is not taken:234#    set $eflags = $eflags & ~0x40235 236# 3. Bypass /proc/self/status TracerPid check at the open() level237catch syscall openat238commands239  silent240  # If arg contains "status", patch the fd result to /dev/null equivalent241  continue242end243 244# 4. Bypass parent process name check245set follow-fork-mode child246set detach-on-fork off247```248 249---250 251## Anti-VM Detection252 253### Hardware Fingerprinting254 255```c256// CPUID-based detection257int cpuid_info[4];258__cpuid(cpuid_info, 1);259// Check hypervisor bit (bit 31 of ECX)260if (cpuid_info[2] & (1 << 31)) {261    // Running in hypervisor262}263 264// CPUID brand string265__cpuid(cpuid_info, 0x40000000);266char vendor[13] = {0};267memcpy(vendor, &cpuid_info[1], 12);268// "VMwareVMware", "Microsoft Hv", "KVMKVMKVM", "VBoxVBoxVBox"269 270// MAC address prefix271// VMware: 00:0C:29, 00:50:56272// VirtualBox: 08:00:27273// Hyper-V: 00:15:5D274```275 276### Registry/File Detection277 278```c279// Windows registry keys280// HKLM\SOFTWARE\VMware, Inc.\VMware Tools281// HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions282// HKLM\HARDWARE\ACPI\DSDT\VBOX__283 284// Files285// C:\Windows\System32\drivers\vmmouse.sys286// C:\Windows\System32\drivers\vmhgfs.sys287// C:\Windows\System32\drivers\VBoxMouse.sys288 289// Processes290// vmtoolsd.exe, vmwaretray.exe291// VBoxService.exe, VBoxTray.exe292```293 294### Timing-Based VM Detection295 296```c297// VM exits cause timing anomalies298uint64_t start = __rdtsc();299__cpuid(cpuid_info, 0);  // Causes VM exit300uint64_t end = __rdtsc();301if ((end - start) > 500) {302    // Likely in VM (CPUID takes longer)303}304```305 306**Bypass:** Use bare-metal environment, harden VM (remove guest tools, randomize MAC, delete artifact files), patch detection branches in the binary, or use FLARE-VM/REMnux with hardened settings.307 308For advanced VM detection (RDTSC delta calibration, VMware backdoor port, hypervisor leaf enumeration, guest driver artifact checks), see [references/advanced-techniques.md](references/advanced-techniques.md).309 310---311 312## Code Obfuscation313 314### Control Flow Obfuscation315 316#### Control Flow Flattening317 318```c319// Original320if (cond) {321    func_a();322} else {323    func_b();324}325func_c();326 327// Flattened328int state = 0;329while (1) {330    switch (state) {331        case 0:332            state = cond ? 1 : 2;333            break;334        case 1:335            func_a();336            state = 3;337            break;338        case 2:339            func_b();340            state = 3;341            break;342        case 3:343            func_c();344            return;345    }346}347```348 349**Analysis Approach:**350 351- Identify state variable352- Map state transitions353- Reconstruct original flow354- Tools: D-810 (IDA), SATURN355 356#### Opaque Predicates357 358```c359int x = rand();360if ((x * x) >= 0) { real_code(); }   // Always true  → junk_code() is dead361if ((x*(x+1)) % 2 == 1) { junk(); }  // Always false → consecutive product is even362```363 364**Analysis Approach:** Identify invariant expressions via symbolic execution (angr, Triton), or pattern-match known opaque forms and prune them.365 366### Data Obfuscation367 368#### String Encryption369 370```c371// XOR encryption372char decrypt_string(char *enc, int len, char key) {373    char *dec = malloc(len + 1);374    for (int i = 0; i < len; i++) {375        dec[i] = enc[i] ^ key;376    }377    dec[len] = 0;378    return dec;379}380 381// Stack strings382char url[20];383url[0] = 'h'; url[1] = 't'; url[2] = 't'; url[3] = 'p';384url[4] = ':'; url[5] = '/'; url[6] = '/';385// ...386```387 388**Analysis Approach:**389 390```python391# FLOSS for automatic string deobfuscation392floss malware.exe393 394# IDAPython string decryption395def decrypt_xor(ea, length, key):396    result = ""397    for i in range(length):398        byte = ida_bytes.get_byte(ea + i)399        result += chr(byte ^ key)400    return result401```402 403#### API Obfuscation404 405```c406// Dynamic API resolution407typedef HANDLE (WINAPI *pCreateFileW)(LPCWSTR, DWORD, DWORD,408    LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);409 410HMODULE kernel32 = LoadLibraryA("kernel32.dll");411pCreateFileW myCreateFile = (pCreateFileW)GetProcAddress(412    kernel32, "CreateFileW");413 414// API hashing415DWORD hash_api(char *name) {416    DWORD hash = 0;417    while (*name) {418        hash = ((hash >> 13) | (hash << 19)) + *name++;419    }420    return hash;421}422// Resolve by hash comparison instead of string423```424 425**Analysis Approach:** Identify the hash algorithm, build a database of known API name hashes, use HashDB plugin for IDA, or run under a debugger to let the binary resolve calls at runtime.426 427### Instruction-Level Obfuscation428 429```asm430; Dead code insertion — semantically inert but pollutes disassembly431push ebx / mov eax, 1 / pop ebx / xor ecx, ecx / add ecx, ecx432 433; Instruction substitution — same semantics, different encoding434xor eax, eax  →  sub eax, eax  |  mov eax, 0  |  and eax, 0435mov eax, 1    →  xor eax, eax; inc eax  |  push 1; pop eax436```437 438For advanced anti-disassembly tricks (overlapping instructions, junk byte insertion, self-modifying code, ROP as obfuscation), see [references/advanced-techniques.md](references/advanced-techniques.md).439 440---441 442## Bypass Strategies Summary443 444### General Principles445 4461. **Understand the protection**: Identify what technique is used4472. **Find the check**: Locate protection code in binary4483. **Patch or hook**: Modify check to always pass4494. **Use appropriate tools**: ScyllaHide, x64dbg plugins4505. **Document findings**: Keep notes on bypassed protections451 452### Tool Recommendations453 454```455Anti-debug bypass:    ScyllaHide, TitanHide456Unpacking:           x64dbg + Scylla, OllyDumpEx457Deobfuscation:       D-810, SATURN, miasm458VM analysis:         VMAttack, NoVmp, manual tracing459String decryption:   FLOSS, custom scripts460Symbolic execution:  angr, Triton461```462 463### Ethical Considerations464 465This knowledge should only be used for:466 467- Authorized security research468- Malware analysis (defensive)469- CTF competitions470- Understanding protections for legitimate purposes471- Educational purposes472 473Never use to bypass protections for: software piracy, unauthorized access, or malicious purposes.474 475---476 477## Troubleshooting478 479**Detection technique works on x86 but not ARM**480 481RDTSC and CPUID are x86-only. On ARM, use `MRS x0, PMCCNTR_EL0` (requires kernel PMU access) or `clock_gettime(CLOCK_MONOTONIC)`. PEB/TEB do not exist on ARM — replace with `/proc/self/status` (Linux) or `task_info` (macOS). Rebuild detection logic with platform-specific APIs.482 483**False positive on legitimate debugger or analysis tool**484 485Timing checks fire when Process Monitor or AV hooks inflate syscall latency. Calibrate the threshold at startup: measure the guarded path 3 times and use `mean + 3*stddev`. For ptrace checks, verify the TracerPid comm name via `/proc/<pid>/comm` before exiting — it may be an unrelated monitoring tool, not a debugger.486 487**Bypass patch causes crash instead of continuing execution**488 489Before NOPing a conditional jump, trace the "detected" branch fully. If it initializes or frees heap state needed later, patching the jump skips that setup and corrupts state. Instead, patch the comparison operand to the expected "clean" value, or use x64dbg's "Set condition to always false" on the breakpoint rather than modifying bytes.490 491---492 493## Related Skills494 495- `binary-analysis-patterns` — static and dynamic analysis workflows for ELF/PE/Mach-O496- `memory-forensics` — process memory acquisition, artifact extraction, and live analysis497- `protocol-reverse-engineering` — decoding custom binary protocols and encrypted network traffic