| ID | B0012 |
| Objective(s) | Anti-Static Analysis |
| Related ATT&CK Techniques | None |
| Anti-Analysis Type | Evasion |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 22 August 2024 |
Anti-disassembly techniques take advantage of weaknesses in either flow-oriented (also referred to as recursive) or linear disassembler algorithms, resulting in inaccurate or incomplete disassembly or the disassembly process halting with an error. Reportedly, the most common anti-disassembly technique is one that employs two consecutive conditional jump instructions (jz followed by jnz) that point to the same target address [1].
| Name | ID | Description |
|---|---|---|
| Argument Obfuscation | B0012.001 | Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult. |
| Conditional Misdirection | B0012.002 | Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; may be identified by instructions jmp/jcc to a label+# (e.g., JNE loc_401345fe+2). |
| Desynchronizing Opaque Predicates | B0012.006 | Opaque predicates inject superfluous branches into the disassembly, resulting in disassembly desynchronization, as well as code bloat. The junk bytes introduced damage the disassembly process when the bytes are treated as code. [6] This method is related to Unprotect technique U0201. |
| Fake Function | B0012.007 | A fake function call is used to call an address which confuses a disassembler and results in incorrect disassembly. Manually undefining the function call can enable the disassembler to produce the true code. |
| VBA Stomping | B0012.005 | Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See [4] for an analysis of a VBA-Stomped malicious VBA Office document. See [5] for information on Evil Clippy, a tool that creates malicious MS Office documents. |
| Value Dependent Jumps | B0012.003 | Explicit use of computed values for control flow, often in the same basic block or function. |
| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | B0012.001 | BlackEnergy contains obfuscated stack strings. [2] [7] |
| Hupigon | 2013 | B0012.001 | Hupigon contains obfuscated stack strings. [7] |
| Rombertik | 2015 | B0012.001 | Rombertik contains obfuscated stack strings. [7] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| contain anti-disasm techniques | Disassembler Evasion (B0012) | -- |
[1] M. Sikorski and A. Honig, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, No Starch Press, 2012.
[2] https://web.archive.org/web/20220814013655/http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf
[3] https://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf
[4] https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870
[5] https://boingboing.net/2019/05/05/p-code-r-us.html
[6] https://www.ndss-symposium.org/wp-content/uploads/2020/04/bar2020-23004-paper.pdf
[7] capa v4.0, analyzed at MITRE on 10/12/2022