makin
is to make initial malware assessment little bit easier, It helps to reveal a debugger detection techniques used by a sample.Supports x64 and x86
How does it work?
makin
opens a sample as a debuggee and injects asho.dll
, asho.dll
hooks several functions at ntdll.dll
library and after parameters checkings, it sends the corresponding message to the debugger (makin.exe
).For hooking, it uses Capstone engine, which makes hooking much stealthier.
At this moment,
makin
can reveal following techniques:Note
: Use The “Ultimate”
Anti-Debugging Reference
as a referenceNtClose
: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iiNtOpenProcess
: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iNtCreateFile
: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open itself)NtCreateFile
: ref: The "Ultimate" Anti-Debugging Reference: 7.B.iii (Open a driver)LdrLoadDll
- ref: The "Ultimate" Anti-Debugging Reference: 7.B.ivNtSetDebugFilterState
- ref: The "Ultimate" Anti-Debugging Reference: 7.D.viNtQueryInformationProcess
- ref: The "Ultimate" Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.cNtQuerySystemInformation
- ref: The "Ultimate" Anti-Debugging Reference: 7.E.iiiNtSetInformationThread
- ref: The "Ultimate" Anti-Debugging Reference 7.F.iiiNtCreateUserProcess
- ref: The "Ultimate" Anti-Debugging Reference 7.G.iNtCreateThreadEx
- ref: ntuery blog postNtSystemDebugControl
- ref: @waleedassar - pastebinNtYieldExecution
- ref: The "Ultimate" Anti-Debugging Reference 7.D.xiiiNtSetLdtEntries
- ref: ANTI-UNPACKER TRICKS: PART ONE - 2.1.2