NtSetDebugFilterState

Created the Saturday 23 March 2019. Updated 1 year, 11 months ago.

The NtSetDebugFilterState and DbgSetDebugFilterState functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.

When a kernel mode debugger is present, the debug filter will be triggered, and the malware can then take actions to evade detection and continue to operate. This technique is commonly used by malware to avoid analysis by security researchers and avoid being detected by security software. By using these functions, the malware can operate stealthily and evade detection, making it difficult for analysts to reverse engineer the malware and understand its capabilities and behaviors.

Technique Identifier

U0103

Technique Tags

NtSetDebugFilterState DbgSetDebugFilterState Kernel mode debugger detection Debug filter

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

GetProcAddress

Code Snippets

program NtSetDebugFilterState;

{$APPTYPE CONSOLE}

uses
  WinAPI.Windows, System.SysUtils;

var
  NtSetDebugFilterState : function(AComponentId : ULONG; ALevel : ULONG; AState : Boolean) : NTSTATUS; stdcall;

  hNTDLL  : THandle;
  AStatus : NTSTATUS;

begin
  try
    hNTDLL := LoadLibrary('ntdll.dll');
    if (hNTDLL = 0) then
      Exit();
    try
      @NtSetDebugFilterState := GetProcAddress(hNTDLL, 'NtSetDebugFilterState');

      if NOT Assigned(NtSetDebugFilterState) then
        Exit();

      AStatus := NtSetDebugFilterState(0, 0, True);

      writeln(AStatus);

      if (AStatus <> 0) then
        WriteLn('Not Debugged.')
      else
        WriteLn('Debugged.');
    finally
      FreeLibrary(hNTDLL);
    end;
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.

About Author Open Snippet

Author: Jean-Pierre LESUEUR (DarkCoderSc) / Target Platform: Windows

Detection Rules

rule Detect_SetDebugFilterState: AntiDebug {
    meta: 
        description = "Detect SetDebugFilterState as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "NtSetDebugFilterState" fullword ascii
        $2 = "DbgSetDebugFilterState" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them 
}

Additional Resources

Attachments

By downloading or using the attached resources, you are agreeing to be bound by the terms and conditions outlined by the provider of the resources. It is important to review and understand these terms before proceeding with the download or use of the files. If you do not agree to the terms, or are unable to agree to them, please do not download or use the attached resources.

Additionally, it's important to be aware of the potential risks that come with downloading resources from unknown sources, as they may contain malware or other malicious content. It's highly recommended to scan the resources with an up-to-date antivirus software before opening or using them.

Please note that even if you take the necessary precautions to check the resources, it is not possible to guarantee that they are completely safe and risk-free. Use of the attached resources is at your own risk.

NtSetDebugFilterState.pdf (NtSetDebugFilterState as Anti-Debug) - 437.7 kB

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
al-khaser.exe	24	2024-11-13	3 days, 23 hours ago

View All