Reverse engineering is the attempt to understand how a system works without any prior insight into how its tasks are accomplished. Anti-reverse engineering is an art in itself. Unfortunately, malware authors also use these techniques to evade detection and analysis. Let us consider the main factors in detail:
Timing checks: executing a section of code normally takes a predictable amount of time, and a small section takes far less time than a large one; code that is being single-stepped in a debugger takes noticeably longer than expected.
Some of the principal Windows internals used for debugger detection are:
1. Process Debug Flags:
This information class is passed to a query function that returns the inverse of EPROCESS->NoDebugInherit; when a debugger is attached to the process, the function returns FALSE.
2. Debug Object Handle:
When a process is being debugged, the system always creates a debug object for it.
3. Thread hiding:
Also known as HideThreadFromDebugger, this thread information class prevents debuggers from receiving events from the thread.
4. Output Debug String:
This checks for an error condition that is set only when no debugger is active.
5. Block Input:
This simply blocks mouse and keyboard input messages from reaching the application.
Some of the process-based techniques are:
- Open Process: This uses process privileges to detect a debugger in the system.
- Parent process: The process ID of the parent process is extracted and compared with that of Explorer.exe, the expected parent of a normally launched application.
- Unhandled Exception Filter: This filter is invoked only when no other exception handler is present. If a debugger is found, the process exits instead of resuming its operation.
- NtQueryObject: This returns detailed information about the host system and the running process, which can reveal the presence of a debugger.
Process dumping can be prevented by the methods listed below:
- Nanomites: Nanomites replace branch instructions such as JCC with INT 3 breakpoints, while storing the jump destination, the CPU flags, and the size of the jump in an encrypted table.
- Size Of Image: The SizeOfImage field in the PEB is increased at runtime. Reversing tools defeat this by enumerating all pages with the MEM_IMAGE flag, starting at the application's ImageBase page.
- Stolen Bytes (Stolen Code): Here, bytes of code from the original program are removed and stored encrypted at random places in the packer's code.
- Virtual machines: This technique creates a unique virtual machine for every executable, thereby preventing generic attacks.
IA-32 Instruction Exploits
Some of these techniques are:
- Interrupt 2D feature: INT 2D is a general-purpose debugger interrupt; no exception occurs if a debugger is present in the system.
- Stack segment feature: This manipulates the stack segment register with the push ss and pop ss instructions.
- Instruction Prefixes: The debugger skips the instruction prefix and handles the INT 1 that follows it.
As seen above, anti-reverse engineering techniques are useful for limiting attackers' access to an application. Attackers learn the tricks of the trade far quicker than most companies can work out how to react, so a robust and proactive approach to cyber security is more crucial than a passive one.
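As an added example (not code from the article), the following Python triage scanner flags, in a binary blob, the Windows API names behind the internals and process lists above and the IA-32 opcode sequences from this list; the indicator table, the technique labels and the constructed sample bytes are my own assumptions.

```python
import re
import sys
# Hypothetical triage scanner: maps API names and IA-32 opcode sequences to the
# anti-debugging technique they suggest. It is a static heuristic: byte patterns
# also occur in data, so each hit is a lead for an analyst, not proof.
API_INDICATORS = {
    b"IsDebuggerPresent": "PEB BeingDebugged check",
    b"CheckRemoteDebuggerPresent": "Process Debug Flags (debug port query)",
    b"NtQueryInformationProcess": "Process Debug Flags / Debug Object Handle",
    b"NtSetInformationThread": "Thread hiding (HideThreadFromDebugger)",
    b"OutputDebugStringA": "Output Debug String last-error check",
    b"BlockInput": "Block Input",
    b"SetUnhandledExceptionFilter": "Unhandled Exception Filter",
    b"NtQueryObject": "NtQueryObject debug-object query",
}
OPCODE_INDICATORS = {
    re.compile(rb"\xcd\x2d"): "Interrupt 2D (int 2Dh)",
    re.compile(rb"\x16\x1f"): "Stack segment trick (push ss / pop ss)",
    re.compile(rb"[\xf2\xf3]\xf1"): "Prefixed INT 1 (rep prefix before icebp)",
    re.compile(rb"\x0f\x31"): "Timing check (rdtsc)",
}

def scan_for_anti_debug(blob: bytes) -> dict:
    """Return {technique: [offsets]} for every indicator found in blob."""
    hits = {}
    for name, technique in API_INDICATORS.items():
        for m in re.finditer(re.escape(name), blob):
            hits.setdefault(technique, []).append(m.start())
    for pattern, technique in OPCODE_INDICATORS.items():
        for m in pattern.finditer(blob):
            hits.setdefault(technique, []).append(m.start())
    return hits

# Constructed sample (not a real binary): a fake header, two imported API
# names and a code stub containing three of the instruction tricks above.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00BlockInput\x00"
    + b"\x55\x8b\xec"        # push ebp / mov ebp, esp
    + b"\x0f\x31"            # rdtsc
    + b"\x16\x1f\x9c"        # push ss / pop ss / pushfd
    + b"\xcd\x2d"            # int 2Dh
    + b"\xc3"                # ret
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for technique, offsets in sorted(scan_for_anti_debug(data).items()):
        print(f"{technique}: at {[hex(o) for o in offsets]}")
```

Run it with a file path to scan a real sample, or without arguments to scan the constructed bytes; hits in an import table or a code section are the ones worth following up in a disassembler.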