{"id":13611449,"url":"https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker","last_synced_at":"2025-04-13T04:34:40.870Z","repository":{"id":196420668,"uuid":"689837979","full_name":"LAC-Japan/IDA_Plugin_AntiDebugSeeker","owner":"LAC-Japan","description":"Automatically identify and extract potential anti-debugging techniques used by malware.","archived":false,"fork":false,"pushed_at":"2024-11-22T03:45:20.000Z","size":13142,"stargazers_count":133,"open_issues_count":0,"forks_count":13,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-22T04:24:50.640Z","etag":null,"topics":["anti-debugging","ida","ida-plugin","idapython-plugin","malware-analysis","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LAC-Japan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-11T02:29:26.000Z","updated_at":"2024-11-22T03:45:24.000Z","dependencies_parsed_at":"2023-09-29T07:23:26.930Z","dependency_job_id":"52f959ce-f6a3-4b00-aeec-dad1b0192136","html_url":"https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker","commit_stats":null,"previous_names":["lac-japan/ida_plugin_antidebugseeker"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LAC-Japan%2FIDA_Plugin_AntiDebugSeeker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LAC-Japan%2FIDA_Plugin_AntiDebugSeeker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/LAC-Japan%2FIDA_Plugin_AntiDebugSeeker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LAC-Japan%2FIDA_Plugin_AntiDebugSeeker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LAC-Japan","download_url":"https://codeload.github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248665157,"owners_count":21142118,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-debugging","ida","ida-plugin","idapython-plugin","malware-analysis","reverse-engineering"],"created_at":"2024-08-01T19:01:55.492Z","updated_at":"2025-04-13T04:34:40.847Z","avatar_url":"https://github.com/LAC-Japan.png","language":"Python","readme":"# IDA_Plugin_AntiDebugSeeker\n\n[Ghidra version](https://github.com/LAC-Japan/Ghidra_AntiDebugSeeker)  \n\n## Introduction\n\nThis tool automatically extracts potential anti-debugging methods used by malware, making it easier for analysts to take appropriate action.  \n\nThe main functionalities of this plugin are as follows:\n\n- Extraction of Windows APIs that are potentially being used for anti-debugging by the malware  \n  (\"API\" below always means the Windows API)  \n- Extraction of anti-debugging techniques based on key phrases that serve as triggers, since some anti-debugging methods (inline PEB field checks, timing and interrupt tricks, and the like) cannot be identified from API calls alone.\n\nAdditionally, the file that defines the detection rules is designed so that keywords you want to detect can be added easily.  
\nThis lets analysts add new detection rules or change existing ones without touching the plugin code.  \n  \nFor packed malware, run this plugin after unpacking and repairing the Import Address Table; the API-based detection matches imported API names, so it has little to work with until the imports are restored.  \n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"picture/IDA_AntiDebugSeeker.gif\" alt=\"AntiDebugSeeker\" width=\"600\"/\u003e\n\u003c/p\u003e\n\n## Requirements\n\nFrom Ver1.1, PyQt5 is required. Install it into the Python interpreter that IDA's IDAPython uses:\n```\npip install PyQt5\n```\n\n## Installation\n\nPlace the following three files in the plugins directory of IDA:\n\n1. **anti_debug.config** (A file containing rules for detecting anti-debugging techniques)  \n2. **anti_debug_techniques_descriptions.json** (A file containing descriptions of the detected rules)  \n3. **AntiDebugSeeker.py** (The anti-debugging detection program)\n\n## Usage\n\n**Ctrl + Shift + D (Launch the plugin)**    \nA window named “Anti Debug Detection Results” appears after the analysis completes.\n\nAnti Debug Detection Results\n\n- Category Name:  \nThe API category name, as defined in the Anti_Debug_API section of anti_debug.config.  \n\n- Possible Anti-Debug API:  \nThe detected API.  \n\n- Address:  \nThe address where the detected API is used.  \n\n- Possible Anti-Debug Technique:  \nThe rule name from the Anti_Debug_Technique section of anti_debug.config whose keywords were matched.  \n\n- Address:  \nThe address of the first matched keyword.  \n\n(Jumping to an address)  \nDouble-click a result line to jump to its address in the disassembly.  \n\n![Anti-Debug-Detection-Results-Display](picture/Anti-Debug-Detection-Results-Display.png)\n\n**Ctrl + Shift + E (Edit the config file)**  \nOpens anti_debug.config for viewing and editing.  \n\nAfter making changes,  \nclick the 'Save' button to write them back.  
\n\n![Edit-antidebug.config](picture/EditConfig.png)\n\n## Support Functions\n\nAfter running the plugin, detected APIs and keywords are highlighted in different colors.  \nAdditionally, when an API listed in Anti_Debug_API is detected, its category name is added as a comment at that address. Likewise, when an Anti_Debug_Technique rule matches, that rule's description is added as a comment at the first matched keyword.\n\n![AntiDebugAPI_Technique_Detect](picture/AntiDebugAPI_Technique_Detect.png)\n\n## anti_debug.config and anti_debug_techniques_descriptions.json\n\nanti_debug.config contains the detection rules used by AntiDebugSeeker.py.  \nIt has two sections, Anti_Debug_API and Anti_Debug_Technique.  \n\n**Anti_Debug_API**  \n\n**(exact match)** You can freely create categories and, under each, list the API names you wish to detect. A name must match the API exactly.\n\n\u003cimg src=\"picture/HowToWriteAnti_Debug_API_Section.png\" alt=\"HowToWriteAnti_Debug_API_Section\" width=\"380\"/\u003e\n\n**Anti_Debug_Technique**  \n\n**(partial match)** Each rule has one to three keywords, matched as substrings of the disassembly text. \n\nThe basic flow of the search is as follows:  \n1. Search for the first keyword.\n2. If it is found, search the following bytes (default: 80) for the second keyword.  \n3. If a third keyword is set, repeat the same process for it.  \n\n\u003cimg src=\"picture/HowToWriteAnti_Debug_Technique_Section.png\" alt=\"HowToWriteAnti_Debug_Technique_Section\" width=\"430\"/\u003e\n\nTo use a **custom search range** for a rule instead of the default, append 'search_range=value' after that rule's keywords.  \nThis lets you set the search range per rule.\n\n\u003cimg src=\"picture/Custom_SearchRange.png\" alt=\"AntiDebugTechnique_Search_Range\" width=\"380\"/\u003e  \n\nanti_debug_techniques_descriptions.json contains the descriptions of the rules defined in the Anti_Debug_Technique section.  
\nThe descriptions defined in this file are shown as comments in the disassembly view, so you can read what a rule detects at the place where it fired.  \n\n\u003cimg src=\"picture/anti_debug_techniques_descriptions.png\" alt=\"anti_debug_techniques_descriptions\" width=\"600\"/\u003e  \n\n## List of detectable anti-debugging techniques (Ver1.0)  \n\nThe following is a list of rule names defined in the Anti_Debug_Technique section of anti_debug.config.  \n\n```\nHeapTailMarker  \nKernelDebuggerMarker  \nDbgBreakPoint_RET  \nDbgUiRemoteBreakin_Debugger_Terminate  \nPMCCheck_RDPMC  \nTimingCheck_RDTSC  \nSkipPrefixes_INT1  \nINT2D_interrupt_check  \nINT3_interrupt_check  \nEXCEPTION_BREAKPOINT  \nICE_interrupt_check  \nDBG_PRINTEXCEPTION_C  \nTrapFlag_SingleStepException  \nBeingDebugged_check  \nNtGlobalFlag_check  \nNtGlobalFlag_check_2  \nHeapFlags  \nHeapForceFlags  \nCombination_of_HEAP_Flags  \nCombination_of_HEAP_Flags_2  \nReadHeapFlags  \nReadHeapFlags_2  \nDebugPrivileges_Check  \nOpened_Exclusively_Check  \nEXCEPTION_INVALID_HANDLE_1  \nEXCEPTION_INVALID_HANDLE_2  \nMemory_EXECUTE_READWRITE_1  \nMemory_EXECUTE_READWRITE_2  \nMemory_Region_Tracking  \nCheck_BreakPoint_Memory_1  \nCheck_BreakPoint_Memory_2  \nSoftware_Breakpoints_Check  \nHardware_Breakpoints_Check  \nEnumerate_Running_Processes  \nThreadHideFromDebugger  \nNtQueryInformationProcess_PDPort  \nNtQueryInformationProcess_PDFlags  \nNtQueryInformationProcess_PDObjectHandle  \nNtQuerySystemInformation_KD_Check  \n```\n\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLAC-Japan%2FIDA_Plugin_AntiDebugSeeker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FLAC-Japan%2FIDA_Plugin_AntiDebugSeeker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLAC-Japan%2FIDA_Plugin_AntiDebugSeeker/lists"}
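The README embedded above describes two matchers in anti_debug.config: Anti_Debug_API (exact match on API names) and Anti_Debug_Technique (one to three substring keywords, each later keyword searched within a byte range after the previous one, 80 bytes by default or a per-rule `search_range=value`). The following is an added, stand-alone model of both matchers run over a constructed x86 listing, written for this page; it is not the plugin's code and runs outside IDA. The `Insn` record (address plus disassembly text), the rule encodings, the keyword strings, the listing, and the reading that the range is measured from the previous hit are all this example's own assumptions, not taken from the project.

```python
"""Added example, not the AntiDebugSeeker plugin's code: a stand-alone model of the README's
two matchers (Anti_Debug_API exact match, Anti_Debug_Technique keyword proximity match) over a
constructed x86 listing. Insn, the rule encodings, keywords and listing are this example's own."""
from collections import namedtuple

DEFAULT_SEARCH_RANGE = 80  # bytes, the README's default

Insn = namedtuple("Insn", "addr text")  # stands in for one IDA disassembly line
TechniqueRule = namedtuple("TechniqueRule", "name keywords search_range")  # keywords: 1..3 substrings

def make_rule(name, *fields):
    """Keywords in order; a trailing 'search_range=N' field sets a per-rule range."""
    parts = list(fields)
    search_range = DEFAULT_SEARCH_RANGE
    if parts and parts[-1].startswith("search_range="):
        search_range = int(parts.pop().split("=", 1)[1])
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"{name}: rules take one to three keywords, got {len(parts)}")
    return TechniqueRule(name, tuple(parts), search_range)

def _norm(text):
    # collapse whitespace and lowercase, so 'int     2Dh' matches the keyword 'int 2dh'
    return " ".join(text.split()).lower()

def _find_within(listing, start, keyword, search_range):
    """Index of the next line after listing[start] containing keyword, or None once the address
    distance from listing[start] exceeds search_range (range measured from the previous hit)."""
    base, key = listing[start].addr, _norm(keyword)
    for j in range(start + 1, len(listing)):
        if listing[j].addr - base > search_range:
            return None
        if key in _norm(listing[j].text):
            return j
    return None

def find_technique(rule, listing):
    """README steps 1-3: address of the first keyword for every complete match of rule."""
    hits, first = [], _norm(rule.keywords[0])
    for i, insn in enumerate(listing):
        if first not in _norm(insn.text):
            continue
        cursor = i
        for kw in rule.keywords[1:]:
            cursor = _find_within(listing, cursor, kw, rule.search_range)
            if cursor is None:
                break
        if cursor is not None:
            hits.append(insn.addr)
    return hits

def find_apis(api_rules, listing):
    """(category, api, addr) for each 'call' whose target name equals a listed API exactly."""
    results = []
    for insn in listing:
        parts = insn.text.split(None, 1)
        if len(parts) != 2 or parts[0] != "call":
            continue
        target = parts[1].strip().removeprefix("ds:")  # IDA shows import calls as 'call ds:Name'
        for category, names in api_rules.items():
            if target in names:
                results.append((category, target, insn.addr))
    return results

# Illustrative rules: the first three names are in the README's rule list, the keywords
# are this example's own, and the two Far_INT3 rules exist only to show the range limit.
API_RULES = {
    "Debugger_Check": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"],
    "Timing_Check": ["GetTickCount", "QueryPerformanceCounter"],
}
TECHNIQUE_RULES = [
    make_rule("BeingDebugged_check", "fs:30h", "[eax+2]"),
    make_rule("TimingCheck_RDTSC", "rdtsc", "rdtsc", "sub"),
    make_rule("INT2D_interrupt_check", "int 2dh"),
    make_rule("Far_INT3_default_range", "fs:30h", "int 3"),
    make_rule("Far_INT3_custom_range", "fs:30h", "int 3", "search_range=200"),
]

# Constructed listing in IDA's text style; the INT 3 sits 157 bytes after the PEB read.
LISTING = [
    Insn(0x401003, "mov     eax, large fs:30h"),
    Insn(0x401009, "movzx   eax, byte ptr [eax+2]"),
    Insn(0x401011, "call    ds:GetTickCount"),
    Insn(0x401019, "rdtsc"),
    Insn(0x40101B, "mov     edi, eax"),
    Insn(0x40101D, "rdtsc"),
    Insn(0x40101F, "sub     eax, edi"),
    Insn(0x401028, "call    ds:IsDebuggerPresent"),
    Insn(0x40102F, "int     2Dh"),
    Insn(0x4010A0, "int     3"),
]

def scan(listing=LISTING, api_rules=API_RULES, technique_rules=TECHNIQUE_RULES):
    """What the plugin's result window would list, keyed by config section."""
    return {"apis": find_apis(api_rules, listing),
            "techniques": {r.name: find_technique(r, listing) for r in technique_rules}}

if __name__ == "__main__":
    report = scan()
    print("APIs:", report["apis"])
    print("Techniques:", {k: [hex(a) for a in v] for k, v in report["techniques"].items()})
```

Two points the listing is built to show: `TimingCheck_RDTSC` fires once, at the first `rdtsc`, because the second `rdtsc` has no further `rdtsc` within 80 bytes after it; and `Far_INT3_default_range` finds nothing while `Far_INT3_custom_range` does, since the `int 3` lies 157 bytes past the `fs:30h` read, which only a `search_range=200` covers. A keyword that is too generic (`sub`, `int 3`) will match far more than intended in a real binary, so per-rule ranges are the main lever for keeping false positives down.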