PEB-Process-Environment-Block/NtGlobalFlag

From aldeid

Description

The PEB has a field called NtGlobalFlag (offset 0x68) which a program can query to identify whether it is being debugged. Normally, when a process is not being debugged, the NtGlobalFlag field contains the value 0x0. When the process is being debugged, the field will usually contain the value 0x70, which indicates that the following flags are set:

Flag                          Value
FLG_HEAP_ENABLE_TAIL_CHECK    0x10
FLG_HEAP_ENABLE_FREE_CHECK    0x20
FLG_HEAP_VALIDATE_PARAMETERS  0x40
Total                         0x70

Here is an example of such detection:

Overcome the NtGlobalFlag detection

Here are some ways to thwart the detection:

  • Manually change the value of the flags (FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, FLG_HEAP_VALIDATE_PARAMETERS)
  • In OllyDbg, use a hide-debug plugin
  • In WinDbg, start the program with the debug heap disabled (windbg -hd program.exe)

Below is an example that depicts how to overcome this check manually. Given the following code:

.text:00403594     64 A1 30 00 00 00          mov     eax, large fs:30h   ; PEB struct loaded into EAX
.text:0040359A                                db      3Eh                 ; IDA Pro display error (the byte is actually used in the next instruction)
.text:0040359A     3E 8B 40 68                mov     eax, [eax+68h]      ; NtGlobalFlag (offset 0x68 relative to PEB) saved to EAX
.text:0040359E     83 E8 70                   sub     eax, 70h            ; Value 0x70 corresponds to all flags on (FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, FLG_HEAP_VALIDATE_PARAMETERS)
.text:004035A1     89 85 D8 E7 FF FF          mov     [ebp+var_1828], eax
.text:004035A7     83 BD D8 E7 FF FF 00       cmp     [ebp+var_1828], 0   ; Check whether the 3 debug flags were on (result of the subtraction is 0 if debugged)
.text:004035AE     75 05                      jnz     short loc_4035B5    ; No debugger, program continues...
.text:004035B0     E8 4B DA FF FF             call    s_selfDelete        ; ...else, the malware deletes itself

In OllyDbg, set a breakpoint at offset 0x40359A and run the malware until it reaches the breakpoint. Then open the CommandLine plugin and dump the contents of NtGlobalFlag with dump fs:[30]+0x68:

Replace the initial value (0x70 means that the process is being debugged) with 0x00 by right clicking on the byte and selecting Binary > Fill with 00's.
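As an added example (not code from the aldeid page), the following Python scanner locates the instruction pattern shown in the listing above in a raw 32-bit code buffer, so an analyst can find the check and the breakpoint address statically before running the sample. The byte patterns, the 32-byte search window and the constructed sample buffer are assumptions built from the listing.

```python
import re
from typing import Dict, List

# Opcode patterns for the 32-bit sequence on this page (assumed encodings):
PEB_ACCESS = re.compile(rb"\x64\xA1\x30\x00\x00\x00")        # mov eax, fs:[30h]
NTGLOBALFLAG_LOAD = re.compile(rb"\x3E?\x8B\x40\x68")        # (ds:) mov eax, [eax+68h]
FLAG_TEST = re.compile(rb"\x83[\xE8\xF8\xE0]\x70"            # sub/cmp/and eax, 70h
                       rb"|\xA9\x70\x00\x00\x00")            # test eax, 70h
WINDOW = 32  # max bytes between the PEB load and the 0x70 comparison (assumption)


def find_ntglobalflag_checks(code: bytes, base: int = 0) -> List[Dict[str, int]]:
    """Return one record per PEB load that is followed, within WINDOW bytes,
    by a read of NtGlobalFlag and a comparison against 0x70."""
    hits = []
    for peb in PEB_ACCESS.finditer(code):
        start = peb.end()
        window = code[start:start + WINDOW]
        load = NTGLOBALFLAG_LOAD.search(window)
        if not load:
            continue  # PEB read for something else (e.g. another field)
        test = FLAG_TEST.search(window, load.end())
        if not test:
            continue
        hits.append({
            "peb_load": base + peb.start(),        # where to break in the debugger
            "flag_load": base + start + load.start(),
            "flag_test": base + start + test.start(),
        })
    return hits


# Constructed sample: 4 nops, then the bytes of the listing at 0x403594.
SAMPLE = bytes.fromhex(
    "90909090"
    "64A130000000"    # mov eax, fs:[30h]
    "3E8B4068"        # mov eax, [eax+68h]
    "83E870"          # sub eax, 70h
    "8985D8E7FFFF"    # mov [ebp+var_1828], eax
    "83BDD8E7FFFF00"  # cmp [ebp+var_1828], 0
    "7505"            # jnz short loc_4035B5
    "E84BDAFFFF"      # call s_selfDelete
)
# Constructed benign buffer: PEB read of a different field, no 0x70 test.
BENIGN = bytes.fromhex("64A130000000" "8B4002" "C3") + b"\x90" * 16

if __name__ == "__main__":
    for hit in find_ntglobalflag_checks(SAMPLE, base=0x403590):
        print({k: hex(v) for k, v in hit.items()})
```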


Keywords: anti-reverse anti-debug