My last topic was how to get started writing your own malwar3, now let's talk about how Malwar3 authors have always looked for new techniques to stay invisible. This includes, of course, being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis. make the post-detection analysis more difficult, threat actors use various anti-analysis techniques, one of the more common ones is Anti-Debugging. Threat actors have proven to be more innovative not only in the malwar3 they are creating, but also the techniques they are employing in order to evade detection and analysis by malwar3 analysts and products. Anti-debugging, therefore, poses a hindrance for malwar3 analysts as it can prolong the process of being able to reverse engineer the code and thus make it more difficult to decipher how it works. Once the malwar3 realizes that it is running under a debugger, it can adjust its usual code execution path or modify the code to provoke a crash, which then hinders the analysts’ attempts to decipher it, all the while adding time and additional overhead to their efforts.
There are many methods to prevent Debugging. In this post I will show some neat and simple method.

Basic Logic of this process; If there is a Tracing operation with Ptrace, it is to detect it using ptrace.

Considering that there is a control like this:

//EvilSec
#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
printf("Debugging noticed, Screw You!\n" ) ;
return 1;
}
printf("Normal Execution\n" ) ;
return 0;
}

Here we see that the ptrace system call checks if the argument named PTRACE_TRACEME is a child process for Debugging.

If the Process is traced;
printf("Debugging noticed, Screw You!\n" ) ;

If not We get the message:
printf("Normal Execution\n" ) ;

How Can We bypass The Control Made In This Situation?
The solution I found for this is using LD_PRELOAD; Hijacking the ptrace () Function. First of all ptrace (); We’re creating a fake library to replace it as follows:
> long ptrace(int request, int pid, int addr, int data)
> {
> return 0;
> }

After compilation, we assign the resulting library location to the LD_PRELOAD environment variable. and then when we run it with gdb
printf (“Normal Execution\n” ) ;

We get This message. So we successfully bypassed Control.

Neat and simple, but not effective to some serious reversers. Nice post more of this. As I could remember anti debugging technique was brought to life by virus coders who hates to see their work being stopped like this trickbot disturbing the peace of the internet.

Bahat:
Neat and simple, but not effective to some serious reversers. Nice post more of this. As I could remember anti debugging technique was brought to life by virus coders who hates to see their work being stopped like this trickbot disturbing the peace of the internet.

That's true, some reversers will have no problem finding a workaround. But of cause you can harden it too xD
TrickBot is pretty insane, my tracker saw it targeting the States recently (both via malspam and Emotet drops). Seems TrickBot is a multinational crime enterprise not some skid screaming copy and paste code at things.

Can you help me with iPhone spoofing? Want to change my iPhone location

charlesazeh:
Can you help me with iPhone spoofing? Want to change my iPhone location

Uh! Just use a VPN?? Or go the long route and jailbreak your iPhone to use locationfaker or go another longer route and grab an hardware spoofer like Gfaker

EvilSec:
My last topic was how to get started writing your own malwar3, now let's talk about how Malwar3 authors have always looked for new techniques to stay invisible. This includes, of course, being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis. make the post-detection analysis more difficult, threat actors use various anti-analysis techniques, one of the more common ones is Anti-Debugging. Threat actors have proven to be more innovative not only in the malwar3 they are creating, but also the techniques they are employing in order to evade detection and analysis by malwar3 analysts and products. Anti-debugging, therefore, poses a hindrance for malwar3 analysts as it can prolong the process of being able to reverse engineer the code and thus make it more difficult to decipher how it works. Once the malwar3 realizes that it is running under a debugger, it can adjust its usual code execution path or modify the code to provoke a crash, which then hinders the analysts’ attempts to decipher it, all the while adding time and additional overhead to their efforts.
There are many methods to prevent Debugging. In this post I will show some neat and simple method.

Basic Logic of this process; If there is a Tracing operation with Ptrace, it is to detect it using ptrace.

Considering that there is a control like this:

//EvilSec
#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
printf("Debugging noticed, Screw You!\n" ) ;
return 1;
}
printf("Normal Execution\n" ) ;
return 0;
}

Here we see that the ptrace system call checks if the argument named PTRACE_TRACEME is a child process for Debugging.

If the Process is traced;
printf("Debugging noticed, Screw You!\n" ) ;

If not We get the message:
printf("Normal Execution\n" ) ;

How Can We bypass The Control Made In This Situation?
The solution I found for this is using LD_PRELOAD; Hijacking the ptrace () Function. First of all ptrace (); We’re creating a fake library to replace it as follows:
> long ptrace(int request, int pid, int addr, int data)
> {
> return 0;
> }

After compilation, we assign the resulting library location to the LD_PRELOAD environment variable. and then when we run it with gdb
printf (“Normal Execution\n” ) ;

We get This message. So we successfully bypassed Control.

Please How do I contact you
Can I get your WhatsApp number...

Akanimoh113:


Please How do I contact you
Can I get your WhatsApp number...

You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.

EvilSec:

You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.

I wanted you to help me out, I really need a smartphone Lumia640 LTE is ancient history and a total headache for me.

Forgive Me If My Questions May Sound Stupid

First Question
So... I came up with an Idea, can you created a software that's able to predict the outcome of matches at mostly 99.9%. So that people could earn profit from betting.


Second Question
Can you find a Loop hole for Zoom Soccer on Bet9ja where you can know which games to pick that is a Guaranteed Win


Third Question
In the photo below, is it possible to reveal the hidden features on the ticket that is covered with '400 Shares' and '200 Likes' .

EvilSec:

You've been tailing me for quite a while. Ask me what you want here, if your request is not irrational, then maybe we'll take the chat to somewhere else.

Hello

Akanimoh113:


I wanted you to help me out, I really need a smartphone Lumia640 LTE is ancient history and a total headache for me.

Forgive Me If My Questions May Sound Stupid

First Question
So... I came up with an Idea, can you created a software that's able to predict the outcome of matches at mostly 99.9%. So that people could earn profit from betting.


Second Question
Can you find a Loop hole for Zoom Soccer on Bet9ja where you can know which games to pick that is a Guaranteed Win


Third Question
In the photo below, is it possible to reveal the hidden features on the ticket that is covered with '400 Shares' and '200 Likes' .

Well this looks interesting...

Bahat:


Well this looks interesting...

Ya

Akanimoh113:

Ya

You want to give it a trial, you have those soft copies of said software?

If yes, you will fund the project. Am talking about option 2

For the first option there must be an algorithm for that which I don’t know except you want a bad rating(feedback) for the software . 99.9% couldn’t be earned except you owned the platform and this is a worldwide game doing the prediction will be like next to impossible. Bust based on their previous games and ratings you should get a 50/50 chance.

Question 3, will also need the soft copy of the product.
These are works of reversers not just Devs and am not sure we have such pple around that’s because I haven’t met with one. I confirm we have such pple when I clearly meet and work side by side with one of them.

My conclusion is before you can do anything about this there must be serious reversers on ground. Who has the toolset to make it possible after discussing on it.

Cc EvilSec what you say about those points i outlined?

Wow this is very informative. I recently started following this YouTuber named John Hammond. I think there's another one I'm also following named LiveOverflow.

Once again this post is quite informative for me (as I'm a noob in the sector). One thing I just want to ask is this. Some time ago, while going through one of the rooms in a KOTH match in TryHackMe, I stumbled upon this binary called "lucky_shell". It turns out that there's like a 1 in 25 chance of you escalating to root of you run it but the catch is this, there is an even higher chance that your shell session gets terminated if you run the same binary. So it's kinda like a high risk, right reward operation. I did some research and got to find out that one can actually compile a custom ld.preload.so binary which would basically overwrite the functions with a corresponding name in the binary running with the environment variable, "LD_PRELOAD" set to the path of the custom ld.preload.so.

TL;DR
If the person debugging the binary runs it using a custom "LD_PRELOAD" environment variable, say it is set to the path of a custom ld.preload.so binary, and the "ptrace" function is overridden in the ld.preload.so binary to always return 1 won't the malwar3 run without realizing that it's being debugged?

Bahat:


You want to give it a trial, you have those soft copies of said software?

If yes, you will fund the project. Am talking about option 2

For the first option there must be an algorithm for that which I don’t know except you want a bad rating(feedback) for the software . 99.9% couldn’t be earned except you owned the platform and this is a worldwide game doing the prediction will be like next to impossible. Bust based on their previous games and ratings you should get a 50/50 chance.

Question 3, will also need the soft copy of the product.
These are works of reversers not just Devs and am not sure we have such pple around that’s because I haven’t met with one. I confirm we have such pple when I clearly meet and work side by side with one of them.

My conclusion is before you can do anything about this there must be serious reversers on ground. Who has the toolset to make it possible after discussing on it.

Cc EvilSec what you say about those points i outlined?

Yes, you're right.

EvilSec:

Yes, you're right.

Yes sir. How have you been doing? Great I guess

Bahat:


Yes sir. How have you been doing? Great I guess

Yeah I'm good. Looking to finally publish a writeup on an app I hacked so bad it's going to start advertising as shitapp on steroid.
How are you?

EvilSec:

Yeah I'm good. Looking to finally publish a writeup on an app I hacked so bad it's going to start advertising as shitapp on steroid.
How are you?

Doing great. Glad to hear from you, been up and doing.