KR20210057239A - Apparatus and method for disabling anti-debugging - Google Patents

Abstract

The present invention provides an anti-debugging disabling apparatus to reduce time required for analyzing virus and a method thereof. According to one embodiment of the present invention, an anti-debugging disabling method using an anti-debugging disabling apparatus comprises the following steps: (a) determining whether an anti-debugging disabling target program is a program to which process environment block (PEB) structure- or application program interface (API)-based anti-debugging is applied; and (b) modifying field data or parameter data used for anti-debugging in the program to have a result value not detected by the debugger to disable anti-debugging.

Description

Anti-debugging disabling device and its method {APPARATUS AND METHOD FOR DISABLING ANTI-DEBUGGING}

An apparatus and method for disabling anti-debugging according to the present invention relates to an apparatus and method for disabling anti-debugging in order to perform debugging on a program to which anti-debugging is applied.

Prior to describing the method of disabling anti-debugging according to the present invention, a brief description will be given of the related background technology.

1. Portable Executable (PE) file format

The PE file is a file format that changes the COFF (Common Object File Format) format. Executing a PE file creates an independent process, which means a program that can be executed in the case of a Win32-based system regardless of the platform. Currently, many malicious codes are generated based on the PE file format and are distributed through the network. There are four types of PE files: execution, driver, library, and object. EXE and SCR files are included in the execution series, SYS and VXD files are in the driver series, and DLL and DRV files are in the library series. Lastly, there is an OBJ file as an object series, and FIG. 1A lists types of PE files. Since the operating system needs to know the information of the executable file to execute the PE file, the operating system reads the PE header structure that exists at the beginning to get the necessary information. PE file is composed of IMAGE_DOS_HEADER structure starting with'MZ(0x4D5A)' and Dos Stub containing code for compatibility with DOS. In Fig. 1(b), the overall structure of the PE pile can be seen.

2. Debug

Debug refers to the act of finding and correcting or analyzing malicious codes that may occur during the programming process or analyzing binary files, such as logical errors, abnormal operations, and bugs.This process is called debugging, and can be debugged. The tools/programs that exist are called debuggers. Debugging is used to fix and analyze logical errors, bugs, etc., by executing binary files and tracking code, memory status, registers, etc. However, if debugging is abused, it is a problem because it is easy for hackers to extract passwords or specific keywords or change normal programs without permission, or to change program flow or data in real time. .

3. Anti-Debugging

In order to prevent the debugging behavior of hackers and malicious users, a technology called anti-debugging has emerged. Anti-debugging refers to a method of generating an error or bypassing the program flow in order to protect intellectual property rights, core modules, passwords, or specific keywords when the target software is being debugged. Although this technology allows developers to protect intellectual property rights, core modules, passwords, or certain keywords for their programs. Hackers developing viruses can also use anti-debugging to protect their viruses and increase the lifespan of viruses by delaying analysts' virus analysis time. Therefore, it is necessary to disable anti-debugging for malware analysts at this point.

4. Limitations of anti-debugging technology and conventional anti-debugging technology

In the conventional anti-debugging technique, it was not possible to know whether the target software used the anti-debugging API. Most of the research on anti-debugging is on the way to protect software, but the research on disabling anti-debugging for malicious code analysts has been insignificant. As a representative study on disabling anti-debugging, there is an anti-debugging bypass technology, but since this technology modifies the target software itself, it may affect the program flow, and there is a problem that it cannot cope with anti-debugging using the HEAP structure.

Recently, malicious programs such as viruses and key loggers access the system in various ways and steal personal or financial information, causing fatal damage. In addition, viruses such as Ransomware cause financial damage to victims by encrypting the victim's files and requesting a ransom for the files. The damage caused by viruses is increasing day by day, and according to Symantec's Internet Security Threat Report 2019, for example, the number of financial Trojan horses increased by 16%. In addition, according to Trend Micro's'Unseen Threats, Imminent Losses' report, a vulnerability was found in the SCADA (Supervisory Control And Data Acquisition) system, one of the industrial control systems, and due to this vulnerability, hackers collect sensitive information in the SCADA system. It is said that there is a risk that you can control. Security experts are trying to reduce the damage caused by viruses in various ways, and analysts use debuggers to analyze viruses such as ransomware, keyloggers, and Trojan horses. However, in response to this, hackers who create viruses are using technologies such as anti-debugging to protect their viruses and increase their lifespan. Therefore, there is a need for a way to disable anti-debugging for analysts analyzing viruses.

The present invention proposes a method of disabling the anti-debugging technology loaded in the virus, and specifically relates to a PEB-based anti-debugging disabling method and an API-based anti-debugging disabling method, thereby reducing the analysis time of the virus. do.

In the anti-debugging disabling method using an anti-debugging disabling device according to an embodiment of the present invention, (a) the anti-debugging disabling application target program is a PEB (Process Environment Block) structure or an API (Application Program Interface). ) Determining whether a program based anti-debugging is applied; And (b) disabling anti-debugging by modifying field data or parameter data used for anti-debugging in a program to have a result value that is not detected by a debugger. .

In this embodiment, it is possible to provide a method of disabling anti-debugging, including the step of debugging a program to which anti-debugging has been applied, after steps (c) and (b).

In the present embodiment, step (b) is, when the program is a PEB structure-based anti-debugging program, BeingDebugged field data and NtGlobalFlag field data in the PEB structure, and Flag field data located in the HEAP structure in the PEB structure. It is possible to provide an anti-debugging disabling method including the step of disabling anti-debugging by modifying the data of the and ForceFlag field to have a result value not detected by the debugger.

In this embodiment, the anti-debugging method is disabled by modifying the BeingDebugged field data value to 0x0, the NtGlobalFlag field data value to 0x0, the Flag field data value to 0x2, and the ForceFlag field data value to 0x0. Can provide.

In this embodiment, in step (b), if the program is a program to which API-based anti-debugging is applied, if the API includes an IsDebuggerPresent() function that returns the data of the BeingDebugged field in the PEB structure, IsDebuggerPresent() It is possible to provide a method of disabling anti-debugging, including setting the function return value to be 0x0.

In this embodiment, in step (b), if the program is a program to which API-based anti-debugging is applied, if the API includes a CheeckRemoteDebuggerPresent() function that performs anti-debugging by calling the NtQueryInformationProcoess() function, NtQueryInformationProcoess( ) Before the function is called, the return value of the CheeckRemoteDebuggerPresent() function is set to 0x0 or the NtQueryInformationProcoess() function is bypassed.

In this embodiment, step (b) is, if the program is a program to which API-based anti-debugging is applied, and the API includes the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function, the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function Checking whether the data of the ProcessInformationClass parameter included in the syntax (Syntax) of ProcessDebugPort (0x7); And setting the return value of the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function to be 0x0, if the data of the ProcessInformationClass parameter by the inspection is ProcessDebugPort(0x7).It can provide an anti-debugging disabling method.

In the present embodiment, step (b) is, if the program is a program to which API-based anti-debugging is applied, and if the API includes a FindWindowW() function or a FindWindowA() function, the data of the IpWindowName parameter is modified, and the FindWindowW It is possible to provide a method of disabling anti-debugging, including setting the return value of the () function or the FindWindowA() function to be 0x0.

An anti-debugging disabling device according to an embodiment of the present invention, comprising: a memory storing an anti-debugging disabling program; And a processor that executes a program stored in the memory, wherein the processor determines whether the target program to which anti-debugging is applied is a PEB (Process Environment Block) structure or an API (Application Program Interface)-based anti-debugging program according to the execution of the program. Discriminates and modifies field data or parameter data used for anti-debugging in a program to have a result value that is not detected by a debugger to provide a method of disabling anti-debugging, including the step of disabling anti-debugging.

The anti-debugging disabling methods according to an embodiment of the present invention enable analysis of a file that was impossible to analyze, and a packing technology such as Yoda`s Protector proposed among packing techniques applied to PE files can also be unpacked. There is.

In addition, it is essential to disable anti-debugging in order to collect information that can be obtained through basic analysis of a program, and according to the method of disabling anti-debugging according to an embodiment of the present invention, analysis time of a virus may be reduced.

1 is a diagram for explaining the type and structure of a PE file.
2 is a diagram showing fields used in anti-debugging in a PEB structure-based program.
3 is a flowchart showing a method of disabling API-based anti-debugging.
4 is a diagram showing the configuration of an anti-debugging disabling device according to an embodiment of the present invention.
5 is a diagram showing field information for disabling PEB-based anti-debugging.
6 is a diagram showing the original code and the modified code of the API including the IsDebuggerPresent() function.
7 is a diagram showing the original code and the modified code of the API including the CheckRemoteDebuggerPresent() function.
8 is a diagram showing syntax of an API including a ZwQueryInformationProcess() function.
9 is a view showing the original code and the modified code of the API including the ZwQueryInformationProcess() function.
10 is a diagram showing a code of an API including a FindWindowA() function or a FindWindowW() function.
11 is a diagram showing the original code of the FindWindowW() function.
12 is a diagram showing a modification code of the FindWindowW() function.
13 is a diagram showing codes of respective PEB structures and APIs set to test whether or not the anti-debugging disablement method is operated.
14 is a diagram showing a result of an anti-debugging disablement experiment according to a comparative example and an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art may easily implement the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In addition, in the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are assigned to similar parts throughout the specification.

Throughout the specification, when a part is said to be "connected" with another part, this includes not only "directly connected" but also "electrically connected" with another element interposed therebetween. . In addition, when a part "includes" a certain component, it means that other components may be further included rather than excluding other components unless specifically stated to the contrary.

Hereinafter, an anti-debugging technique according to the present invention and a malicious binary file analysis technique for neutralizing the anti-debugging technique will be described.

2 is a diagram showing fields used in anti-debugging in a PEB structure-based program.

Referring to FIG. 2, anti-debugging typically includes anti-debugging based on a process environment block (PEB) structure and anti-debugging based on API. The TEB (Thread Environment Block) structure has a pointer field pointing to the PEB structure, and the PEB structure can be found by referring to the field. Among the fields of the PEB structure, the BeingDebugged field, the NtGlobalFlag field, and the pointer of the HEAP structure existing in the PEB structure are used to perform anti-debugging.

There are many functions such as IsDebuggerPresent(), CheckRemoteDebugge- rPresent(), BlockInput(), GetCurrentProcessId(), and Nt(Zw)QueryInformationProcess() as the types of functions used for API-based anti-debugging. Because of this variety of functions, it is difficult to find out which anti-debugging technology the virus is loaded with, so all possible anti-debugging should be bypassed.

3 is a flowchart showing a method of disabling API-based anti-debugging.

Referring to FIG. 3, in order to analyze a malicious binary file, loading the target software in the debugger program should be preceded. After that, you must obtain the fields of the PEB structure and HEAP structure used for anti-debugging, and the address of the anti-debugging API. The PEB structure and the HEAP structure are structures that are essentially created when a binary file is loaded into the memory (RAM), so an address can be obtained, and a PEB structure by modifying the data of a specific field of the PEB or HEAP structure using the obtained address. It can bypass the anti-debugging technology based.

However, the anti-debugging API depends on the DLL file provided by the Windows operating system. If the target software does not use a specific DLL file, there may be cases where the address of the API dependent on the DLL file cannot be obtained. . Therefore, if the address of the API cannot be obtained, it can be overlooked because the target software does not use the anti-debugging API. However, when the address of the API is obtained, anti-debugging can be disabled by patching the original code of the corresponding API with new code without interfering with the flow of the program.

Hereinafter, an anti-debugging disabling device 100 according to an embodiment of the present invention will be described.

4 is a diagram showing the configuration of an anti-debugging disabling device 100 according to an embodiment of the present invention.

The anti-debugging disabling device 100 according to an embodiment of the present invention may include a communication module 110, a memory 120, a processor 130, and a database (DB: 140).

The communication module 110 provides a communication interface to the anti-debugging disabling device 100 by interworking with a communication network, and may perform a role of transmitting and receiving data with other electronic devices. Here, the communication module 110 may be a device including hardware and software necessary for transmitting and receiving a signal such as a control signal or a data signal through a wired or wireless connection with another network device.

In the memory 120, a program that disables anti-debugging may be recorded. In addition, the memory 120 may perform a function of temporarily or permanently storing data processed by the processor 130. Here, the memory 120 may include a volatile storage medium or a non-volatile storage medium, but the scope of the present invention is not limited thereto.

The processor 130 may control an entire process performed by a program that disables anti-debugging in the anti-debugging disabling devices 100 and 100. Each step of the process performed by the processor 130 will be described later with reference to FIGS. 5 to 13.

Here, the processor 130 may include all types of devices capable of processing data, such as a processor. Here, the'processor' may refer to a data processing device embedded in hardware having a circuit physically structured to perform a function represented by, for example, a code included in a program or an instruction. As an example of a data processing device built into the hardware as described above, a microprocessor, a central processing unit (CPU), a processor core, a multiprocessor, and an application-specific integrated (ASIC) circuit), a field programmable gate array (FPGA), and the like, but the scope of the present invention is not limited thereto.

The database 140 may store various packer information, PEB structure information, API information, and the like, which are basic information for performing the anti-debugging disabling method to the user.

Hereinafter, a method of disabling anti-debugging by the apparatus 100 for disabling anti-debugging according to an embodiment of the present invention will be described.

First, using an anti-debugging disabling device, a step of determining whether the anti-debugging disabling application target program is a PEB (Process Environment Block) structure or an API (Application Program Interface) based anti-debugging program may be performed. have.

Next, a step of disabling anti-debugging may be performed by modifying field data or parameter data used for anti-debugging in the program to have a result value that is not detected by a debugger.

Next, a step of debugging a program to which anti-debugging has been applied may be performed.

5 is a diagram showing field information for disabling PEB-based anti-debugging.

Referring to FIG. 5, in the anti-debugging step, when the program is a PEB structure-based anti-debugging program, BeingDebugged field data and NtGlobalFlag field data in the PEB structure, and Flag field data located in the HEAP structure in the PEB structure. It is possible to disable anti-debugging by modifying the data of the and ForceFlag fields to have a result value that the debugger does not detect.

Specifically, to disable PEB-based anti-debugging, each PEB structure and HEAP structure are accessed using the Immunity Debugger. The data to be modified are the BeingDebugged field of the PEB structure, the NtGlobalFlag field, the Flags field of the HEAP structure, and the ForceFlags field that each process has, and by modifying these, PEB-based anti-debugging can be disabled.

Referring to FIG. 5, four fields used in PEB-based anti-debugging may be modified to be the same as the field values of Not Debugging and bypassed. Specifically, anti-debugging may be disabled by modifying the BeingDebugged field data value to 0x0, the NtGlobalFlag field data value to 0x0, the Flag field data value to 0x2, and the ForceFlag field data value to 0x0.

6 is a diagram showing the original code and the modified code of the API including the IsDebuggerPresent() function.

Referring to FIG. 6, in the anti-debugging step, when the program is an API-based anti-debugging program, the API may include an IsDebuggerPresent() function that returns data of the BeingDebugged field in the PEB structure.

In this case, anti-debugging can be disabled by setting the return value of the IsDebuggerPresent() function to be 0x0.

Specifically, IsDebuggerPresent() API is a representative API used for anti-debugging, and is a function that returns the data of the BeingDebugged field in the PEB structure. This API returns True (0x1) if a debugger is detected, and False (0x0) if a debugger is not detected. In order to neutralize this, it must be induced to finally return 0x0. Therefore, the original code of the API on the left side of FIG. 6 was modified to the code on the right side, which induces the EAX register to always store and return 0x0 using the SUB instruction, thereby neutralizing anti-debugging.

7 is a diagram showing the original code and the modified code of the API including the CheckRemoteDebuggerPresent() function.

Referring to FIG. 7, in the anti-debugging step, when the program is an API-based anti-debugging program, the API may include a CheeckRemoteDebuggerPresent() function for performing anti-debugging by calling the NtQueryInformationProcoess() function.

In this case, before the NtQueryInformationProcoess() function is called in the process, the return value of the CheeckRemoteDebuggerPresent() function is set to be 0x0, or the NtQueryInformationProcoess() function can be bypassed to disable anti-debugging.

Specifically, the CheeckRemoteDebuggerPresent() API is an API that checks whether a specific process is being debugged. This function returns True (0x1) when debugging is in progress, and False (0x0) when not. In order to determine whether to debug, the NtQueryInformationPrcoess() API is called again inside the API. The code on the left of FIG. 7 is an internal code of a function that is partially omitted, and in order to disable it, 0x0 must be stored in the EAX register before the NtQueryInformationProcess() function is called as in the right code, and then the function must be returned to neutralize it. In this embodiment, as shown in the code on the right side of FIG. 7, 0x0 is stored on the stack with a PUSH instruction, and 0x0 is stored in the EAX register with a POP instruction, and the function is terminated with a RETN instruction to neutralize it. At this time, it is important to terminate the function after storing the return address stored in the stack in the EBP register with the POP instruction.

8 is a diagram showing syntax of an API including a ZwQueryInformationProcess() function. 9 is a view showing the original code and the modified code of the API including the ZwQueryInformationProcess() function.

8 and 9, in the anti-debugging disabling step, when the program is a program to which API-based anti-debugging is applied, the API may include a NtZwQueryInformationProcess() function or a ZwQueryInformationProcess() function.

In this case, a step of checking whether the data of the ProcessInformationClass parameter included in the syntax of the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function is ProcessDebugPort (0x7) may be performed.

Next, if the data of the ProcessInformationClass parameter is ProcessDebugPort(0x7) by the above inspection, the steps of setting the return value of the NtZwQueryInformationProcess() function or ZwQueryInformationProcess() function to be 0x0 are performed sequentially to disable anti-debugging. can do.

Specifically, since the Nt(Zw)QueryInformationProcess() API is an API that allows you to check information about processes other than anti-debugging, it must be neutralized without interfering with the program flow. Referring to FIG. 8 to understand how to disable these APIs, this shows the syntax of the Nt(Zw)QueryInformationProcess() API. When calling this function, ProcessDebugPort(0x7) is in the ProcessInformationClass parameter. If used, you can see that anti-debugging is done.

Therefore, in order to disable this function, it is necessary to check whether the data of the ProcessInformationClass parameter is ProcessDebugPort(0x7) in the original code on the left of FIG. 9 as in the code on the right. If ProcessDebugPort is correct, 0x0 is written to the stack using the PUSH command. Save and return by storing 0x0 in the EAX register by using the POP instruction again. If it is not PorcessDebugPort(0x7), you can induce it not to interfere with the program flow by executing the original code on the left.

10 is a diagram showing a code of an API including a FindWindowA() function or a FindWindowW() function. 11 is a diagram showing the original code of the FindWindowW() function. 12 is a diagram showing a modification code of the FindWindowW() function.

Referring to FIGS. 10 to 12, in the step of disabling anti-debugging, when the program is a program to which API-based anti-debugging is applied, the API may include a FindWindowW() function or a FindWindowA() function.

In this case, it is possible to disable anti-debugging by modifying the data of the IpWindowName parameter and setting the return value of the FindWindowW() function or the FindWindowA() function to 0x0.

Specifically, the two functions FindWindowW() and FindWindowA() are not functions that determine whether debugging is detected or not. These functions obtain the window handle of another program, and anti-debugging can be performed by checking whether there is a debugger program in the same operating system. Referring to FIG. 10, parameters of the FindWindowA() and FindWindowW() functions can be viewed, and it can be seen that the function is called by passing a specific class name for lpClassName and a specific window name for lpWindowName. If the window is found, the window handle is returned. If not, 0x0 is returned.

When calling these functions, anti-debugging is possible by entering the window name of a specific debugger in the lpWindowName parameter. To bypass this function, it is possible to return 0x0. The code in FIG. 11 is the original machine code of FindWindowW(), and the code in FIG. 12 is a modified function code. In this embodiment, in order to return 0x0, a virtual address (0x00520000) was allocated and a new code was written to disable anti-debugging. After executing the existing CALL instruction in the following order, you can bypass anti-debugging by storing 0x0 in the register using the XOR instruction, storing the return address in the EBP register using the POP instruction, and calling the function. .

Hereinafter, a method of experimenting by dividing whether or not the anti-debugging disablement method described above operates in two ways, and a result thereof will be described.

13 is a diagram showing codes of respective PEB structures and APIs set to test whether the anti-debugging disablement method is operated.

First, in the first experiment, a simple example program including an anti-debugging method was implemented, and in order to accurately verify whether anti-debugging was disabled, it was checked whether the value returned by the API including the PEB structure and the anti-debugging function is output. In the second experiment, an experiment was performed to confirm the result of the anti-debugging disablement function proposed in the present embodiment using a file packed for the unpacking system.

The example program to be used in the first experiment was implemented in the same way as the code of FIG. 13. Specifically, it was implemented using functions related to the PEB structure used in the anti-debugging method, and the output contents were configured differently depending on whether or not the debugger was detected. The data for the second experiment were packed with the Windows 7 calculator program (calc.exe) with 5 types of packers. The common feature of the packers used at this time is that the software is protected by applying anti-debugging functions.

14 is a diagram showing results of an anti-debugging disablement experiment according to a comparative example and an embodiment of the present invention.

As a result of analysis in the user-level debugger without using the method proposed in the first experiment, it can be confirmed that the anti-debugging methods used in the experimental program as shown in FIG. 14A detect the debugger. Next, as a result of re-analysis using the proposed anti-debugging disabling method, it was verified that the proposed anti-debugging disabling method was properly operated because all of the anti-debugging techniques used in the example program were not detected as shown in FIG. 14B.

The packers used in the second experiment were'Yoda's Protector','Themida','ACprotect','Armadilo', and'PECompact'. Each packer has one or more anti-debugging APIs, and among the techniques in Table 1, you can check the anti-debugging techniques each packer has. Tables 2 and 3 show the Yoda's Protector packer, and Tables 4 and 5 show the anti-debugging technique used in the ACprotect packer and the new code to which the anti-debugging disabling method was applied.

[Table 1]

[Table 2]

[Table 3]

[Table 4]

[Table 5]

As described above, the anti-debugging disabling methods according to an embodiment of the present invention enable analysis of files that could not be analyzed, and unpacking techniques such as Yoda`s Protector suggested among packing techniques applied to PE files are also unpacked. In addition, it is essential to disable anti-debugging in order to collect information that can be obtained through basic analysis of a program, and analysis time of virus according to the method of disabling anti-debugging according to an embodiment of the present invention. Can be reduced.

Meanwhile, the anti-debugging disabling method according to an embodiment of the present invention may be implemented in the form of a recording medium including instructions executable by a computer, such as a program module executed by a computer. Computer-readable media can be any available media that can be accessed by a computer, and includes both volatile and nonvolatile media, removable and non-removable media. Further, the computer-readable medium may include a computer storage medium. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Although the methods and systems of the present invention have been described in connection with specific embodiments, some or all of their components or operations may be implemented using a computer system having a general-purpose hardware architecture.

The above description is merely illustrative of the technical idea of the present invention, and those of ordinary skill in the art to which the present invention pertains will be able to make various modifications and variations without departing from the essential characteristics of the present invention. Accordingly, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain the technical idea, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

100: anti-debugging disabled device
110: communication module
120: memory
130: processor
140: database

Claims (10)

In the anti-debugging disabling method using an anti-debugging disabling device,
(a) determining whether the anti-debugging neutralization application target program is a PEB (Process Environment Block) structure or an API (Application Program Interface) based anti-debugging program; And
(b) disabling anti-debugging by modifying field data or parameter data used for anti-debugging in the program to have a result value that is not detected by a debugger. The method of claim 1,
(c) after the step (b), including the step of debugging the program to which the anti-debugging has been applied. The method of claim 1,
The step (b),
When the program is a PEB structure-based anti-debugging program, the BeingDebugged field data and NtGlobalFlag field data in the PEB structure, and the Flag field data and ForceFlag field data located in the HEAP structure in the PEB structure are not detected by the debugger. A method of disabling anti-debugging, comprising the step of disabling anti-debugging by modifying to have a result that is not a result. The method of claim 3,
A method of disabling anti-debugging by modifying the BeingDebugged field data value to 0x0, the NtGlobalFlag field data value to 0x0, the Flag field data value to 0x2, and the ForceFlag field data value to 0x0. The method of claim 1,
The step (b),
When the program is a program to which the API-based anti-debugging is applied, if the API includes the IsDebuggerPresent() function that returns the data of the BeingDebugged field in the PEB structure, the return value of the IsDebuggerPresent() function is set to be 0x0. A method of disabling anti-debugging comprising the step of. The method of claim 1,
The step (b),
If the program is a program to which API-based anti-debugging is applied, and the API includes a CheeckRemoteDebuggerPresent() function that performs anti-debugging by calling the NtQueryInformationProcoess() function, before the NtQueryInformationProcoess() function is called, CheeckRemoteDebuggerPresent() A method of disabling anti-debugging, comprising setting the return value of the function to be 0x0 or bypassing the NtQueryInformationProcoess() function. The method of claim 1,
The step (b),
When the program is a program to which API-based anti-debugging is applied, if the API includes the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function, the processInformationClass included in the syntax of the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function Checking whether the parameter data is ProcessDebugPort (0x7); And
If the data of the ProcessInformationClass parameter by the check is ProcessDebugPort(0x7), then setting the return value of the NtZwQueryInformationProcess() function or the ZwQueryInformationProcess() function to be 0x0. The method of claim 1,
The step (b),
If the program is a program to which API-based anti-debugging has been applied, and the API includes the FindWindowW() function or the FindWindowA() function, the data of the IpWindowName parameter is modified and the FindWindowW() function or the FindWindowA() function is returned. A method of disabling anti-debugging comprising setting the value to be 0x0. In the anti-debugging disabling device,
Memory in which the anti-debugging disable program is stored; And
A processor that executes a program stored in the memory,
According to the execution of the program, the processor,
Determining whether the target program to which anti-debugging is applied is a PEB (Process Environment Block) structure or API (Application Program Interface)-based anti-debugging program, and debug field data or parameter data used for anti-debugging in the program A method of disabling anti-debugging comprising the step of disabling anti-debugging by modifying to have a result value that is not detected. A computer-readable recording medium on which a program for implementing the method of claim 1 is recorded.

Images