1. Home
  2. Techniques
  3. Enterprise
  4. 调试器规避

调试器规避

调试器规避是攻击者检测并规避调试分析环境的关键对抗技术,涉及对系统调试接口、运行时环境和时序特征的深度利用。传统防御依赖于监控敏感API调用(如IsDebuggerPresent)和分析异常进程行为(如频繁环境检查),通过行为沙箱或动态污点分析捕获反调试企图。现代终端检测与响应(EDR)系统可结合机器学习模型识别可疑的调试器交互模式。

ID: T1622
Sub-techniques:  No sub-techniques
Tactics: 防御规避, 环境测绘
Platforms: Linux, Windows, macOS
Contributors: TruKno
Version: 1.0
Created: 01 April 2022
Last Modified: 16 April 2022

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过代码混淆和日志伪装技术,将反调试操作隐藏在合法功能模块中。例如将环境检测代码嵌入软件许可证校验流程,或使调试日志噪声模拟合法应用的错误输出模式。这种手法使得反调试行为在静态分析和动态监控中均呈现正常功能特征,实现恶意代码的"表面合法化"。

行为透明

时间差检测技术通过物理时序特征的异常识别调试环境,其检测过程不依赖可见的系统交互行为。攻击者利用处理器指令级的时间差作为判定依据,使得反调试操作在行为监控层面不可见,形成"无痕检测"的隐蔽对抗能力。

数据遮蔽

调试日志噪声污染技术通过向调试通道注入海量无效数据,掩盖真实恶意行为的日志记录。加密通信和编码变异进一步隐藏关键操作数据,使得防御方难以从日志中提取有效攻击信息,形成数据维度的遮蔽效应。

Procedure Examples

ID Name Description
S1087 AsyncRAT

AsyncRAT can use the CheckRemoteDebuggerPresent function to detect the presence of a debugger.[1]
S1070 Black Basta

The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[2]
S1039 Bumblebee

Bumblebee can search for tools used in static analysis.[3]
S1111 DarkGate

DarkGate checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.[4]
S1066 DarkTortilla

DarkTortilla can detect debuggers by using functions such as DebuggerIsAttached and DebuggerIsLogging. DarkTortilla can also detect profilers by verifying the COR_ENABLE_PROFILING environment variable is present and active.[5]
S0694 DRATzarus

DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.[6]
S1160 Latrodectus

Latrodectus has the ability to check for the presence of debuggers.[7]
S1060 Mafalda

Mafalda can search for debugging tools on a compromised host.[8]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.[6]
S1145 Pikabot

Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[9][10][11]
S1130 Raspberry Robin

Raspberry Robin leverages anti-debugging mechanisms through the use of ThreadHideFromDebugger.[12]
S0240 ROKRAT

ROKRAT can check for debugging tools.[13][14][15]
S1018 Saint Bot

Saint Bot has used is_debugger_present as part of its environmental checks.[16]
S0595 ThiefQuest

ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.[17]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor debugger logs for signs of abnormal and potentially malicious activity.
DS0017 Command Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.
DS0009 Process OS API Execution

Monitor for API calls (such as IsDebuggerPresent()) that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.
Process Creation

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

References

  1. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  2. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  3. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  4. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  5. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  6. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  7. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  8. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  9. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  1. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  2. Swachchhanda Shrawan Poudel. (2024, February). Pikabot: 
 A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
  3. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  4. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  5. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  6. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  7. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  8. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.