Contents

Dump String Data 339

Inspect File Headers 340

Disassembly and Decompilation 341

8.2 Subverting Static Analysis 343

Data Transformation: Armoring 344

Armoring: Cryptors 344

Key Management 352

Armoring: Packers 353

Armoring: Metamorphic Code 355

The Need for Custom Tools 359

The Argument Against Armoring 360

Data Fabrication 360

False-Flag Attacks 363

Data Source Elimination: Multistage Loaders 364

Defense In-Depth 365

8.3 Runtime Analysis 366

The Working Environment 366

Manual Versus Automated Runtime Analysis 369

Manual Analysis: Basic Outline 370

Manual Analysis: Tracing 371

Manual Analysis: Memory Dumping 373

Manual Analysis: Capturing Network Activity 375

Automated Analysis 376

Composition Analysis at Runtime 377

8.4 Subverting Runtime Analysis 378

Tracing Countermeasures 379

API Tracing: Evading Detour Patches 380

API Tracing: Multistage Loaders 386

Instruction-Level Tracing: Attacking the Debugger 386

Break Points 386

Detecting a User-Mode Debugger 387

Detecting a Kernel-Mode Debugger 390

Detecting a User-Mode or a Kernel-Mode Debugger 391

Detecting Debuggers via Code Checksums 392

The Argument Against Anti-Debugger Techniques 392

Instruction-Level Tracing: Obfuscation 393

Obfuscating Application Data 394