Dissecting ZeroAccess: Int 2d Anti-Debugging Technique

Source: fumalwareanalysis.blogspot.com

Learning Goals:

  • Understand the general interrupt handling mechanism on x86 platform;
  • Understand the byte scission anti-debugging technique; and,
  • Know how to use a binary debugger to patch an executable program

The general anti-debugging techniques are as follows:
(1) to detect the existence of a debugger, and behave differently when a debugger is attached to the current process; and,
(2) to disrupt or crash a debugger.

The instruction we are trying to analyze is the “INT 2D” instruction located at 0x00413BD5 (as shown in Figure 1). By single-stepping the malware, you might notice that the program’s entry point is 0x00413BC8. After the execution of the first 8 instructions, right before the “INT 2D” instruction, the value of EAX is 0x1. This is an important fact you should remember in the later analysis.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: