Anti Reverse Engineering | How Hackers Make Malware Undetectable & Difficult to Analyze | TryHackMe
In this post, we covered the methods and techniques hackers use to make their malware difficult for reverse engineers and malware analysts to analyze. These techniques encompass anti-debugging, VM detection and evasion, packing and code obfuscation, and are grouped under the term Anti Reverse Engineering. We used lab material from the TryHackMe room Anti Reverse Engineering and also covered the answers to the tasks’ questions.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Definition of Reverse Engineering
Reverse engineering is an advanced method of analyzing binaries, including malware samples. It requires knowledge of the CPU’s language, that is, assembly. In reverse engineering, we disassemble the binary back into assembly to reveal every instruction it sends to the CPU.
Anti Reverse Engineering
Anti reverse engineering is the process of designing malware code that evades detection and makes it difficult for analysts to analyze it and understand its behaviour.
Anti Debugging
Malware authors use anti-debugging measures to make it difficult for analysts to use debugging tools to analyze the malware’s behaviour.
VM Detection
When malware identifies that it is running on a VM, it may decide to respond differently; for example, it may change its behaviour by:
- Executing only a minimal subset of its functionality
- Self-destructing by deleting itself or overwriting parts of its code
- Causing damage to the system by deleting or encrypting files; or
- Not running at all
Obfuscation & Packing
The most common obfuscation techniques used by malware authors include:
- Using encoding techniques — This involves encoding data (i.e. command line strings, domain names, etc.) using popular encoding techniques like XOR or Base64. You may have seen Base64-encoded strings that look like this: VGhpcyBpcyBhbiBCQVNFNjQgZW5jb2RlZCBzdHJpbmcu==.
- Using encryption techniques — This involves encrypting data such as communications to a command and control server, file formats, and network traffic. The most common types used are symmetric key and public key encryption.
- Code obfuscation — This involves various techniques such as manipulating the code to alter its syntax and structure, renaming functions, or splitting code across multiple files or code segments.
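As an added example (not from the room or this post), here is a small analyst-side decoder in Python for the XOR/Base64 string encoding described above: it decodes Base64 tolerantly (stray or missing padding, as in the quoted string, does not abort it), then brute-forces a single-byte XOR key by scoring how text-like each candidate plaintext is. The hostname sample and the key 0x5A are constructed for the example; ROOM_BLOB is the string quoted in the text.

```python
import base64
import string

# Bytes we expect in decoded config strings: letters, digits, space and
# the punctuation common in paths, URLs and hostnames.
TEXT_BYTES = set((string.ascii_letters + string.digits + " .:/-_").encode())

def normalise_b64(blob: str) -> bytes:
    """Decode Base64 tolerantly: drop any '=' present, then re-pad to a
    multiple of four, so stray or missing padding does not abort analysis."""
    body = blob.strip().rstrip("=")
    return base64.b64decode(body + "=" * (-len(body) % 4))

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> float:
    """Fraction of bytes that look like readable configuration text."""
    return sum(b in TEXT_BYTES for b in data) / len(data) if data else 0.0

def recover_string(blob: str, threshold: float = 0.9):
    """Undo Base64 and an optional single-byte XOR layer.

    Tries all 256 keys and keeps the one whose plaintext scores highest;
    key 0 means the blob was plain Base64. Returns (key, text), or None
    when no key produces text above the threshold (e.g. binary data or a
    multi-byte key, which this brute force does not cover)."""
    raw = normalise_b64(blob)
    best_key, best_score = 0, -1.0
    for key in range(256):
        score = text_score(xor_bytes(raw, key))
        if score > best_score:
            best_key, best_score = key, score
    if best_score < threshold:
        return None
    return best_key, xor_bytes(raw, best_key).decode("ascii", errors="replace")

# Constructed samples: a hostname XOR-encoded with key 0x5A and then Base64
# encoded (the pattern the text describes), the Base64 string quoted in
# the text, and binary noise that the scorer should reject.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(xor_bytes(b"c2.example.invalid", SAMPLE_KEY)).decode()
ROOM_BLOB = "VGhpcyBpcyBhbiBCQVNFNjQgZW5jb2RlZCBzdHJpbmcu=="
NOISE_BLOB = base64.b64encode(bytes(range(0, 256, 8))).decode()
```

Run `recover_string(ROOM_BLOB)` to see the quoted string decode with key 0, and `recover_string(SAMPLE_BLOB)` to see the XOR layer peeled off with key 0x5A.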
Room Answers | TryHackMe Anti-Reverse Engineering
Room answers can be found here.