makin: reveal anti-debug tricks

makin make initial malware assessment little bit easier for me. It helps to reveal a debugger detection techniques used by a sample.

Note: Only supports x64

How does it work?

makin opens a sample as a debuggee and injects asho.dll, asho.dll hooks several functions at ntdll.dll library and after parameters checkings, it sends the corresponding message to the debugger (makin.exe).

For hooking, it uses Capstone engine, which makes hooking much stealthier.

At this moment, makin can reveal following techniques:

Note: Use The “Ultimate” Anti-Debugging Reference as a reference

• NtClose: ref: The “Ultimate” Anti-Debugging Reference: 7.B.ii
• NtOpenProcess: ref: The “Ultimate” Anti-Debugging Reference: 7.B.i
• NtCreateFile: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open itself)
• NtCreateFile: ref: The “Ultimate” Anti-Debugging Reference: 7.B.iii (Open a driver)
• LdrLoadDll– ref: The “Ultimate” Anti-Debugging Reference: 7.B.iv
• NtSetDebugFilterState – ref: The “Ultimate” Anti-Debugging Reference: 7.D.vi
• NtQueryInformationProcess – ref: The “Ultimate” Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c
• NtQuerySystemInformation – ref: The “Ultimate” Anti-Debugging Reference: 7.E.iii
• NtSetInformationThread – ref: The “Ultimate” Anti-Debugging Reference 7.F.iii
• NtCreateUserProcess – ref: The “Ultimate” Anti-Debugging Reference 7.G.i
• NtCreateThreadEx ref: ntuery blog post

Download

git clone https://github.com/secrary/makin.git

DEMO: NtCreateThreadEx:

Copyright (c) 2017 Lasha Khasaia

Source: https://github.com/secrary/