Saturday, January 13, 2018

BlockInput Windows api In malware

In this hybrid analysis sample


https://www.hybrid-analysis.com/sample/775823294439f2c459d1b13dde03091ba79221d2cd9956039b47dfe51832924a?environmentId=120


It lists the ability to block user input:


Anti-Reverse Engineering

This is a Windows API call, so we search MSDN to learn more:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms646290(v=vs.85).aspx



It says "keyboard and mouse input events are blocked".

So if you are a malware analyst and you let the malware run that line of code, then suddenly your VM's keyboard and mouse literally won't respond.

The good thing is it also says:

The system will unblock input in the following cases:
  • The user presses CTRL+ALT+DEL
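One way to catch this before the sample ever runs is to check the import table for user32!BlockInput. The following is an added example, not code from the original post or from the sample: a small pure-Python PE import walker plus a triage check, run against a hand-built PE32+ fixture (constructed here, not a real binary) that imports BlockInput and MessageBoxW.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed PE32+ fixture importing BlockInput and MessageBoxW from user32.dll (not a real binary)."""
    img = bytearray(0x300)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew -> NT headers
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)   # COFF: x64, one section
    struct.pack_into("<H", img, 0x58, 0x20B)                                  # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 120, 0x1000, 0x28)                    # DataDirectory[1] = imports
    struct.pack_into("<8sIIII", img, 0x58 + 240, b".idata", 0x100, 0x1000, 0x100, 0x200)  # section header
    struct.pack_into("<IIIII", img, 0x200, 0x1060, 0, 0, 0x1028, 0x1080)      # descriptor at RVA 0x1000
    img[0x228:0x233] = b"user32.dll\0"
    img[0x240:0x24D], img[0x250:0x25E] = b"\0\0BlockInput\0", b"\0\0MessageBoxW\0"  # hint + name
    struct.pack_into("<QQQQQQQ", img, 0x260, 0x1040, 0x1050, 0, 0, 0x1040, 0x1050, 0)  # ILT @0x1060, IAT @0x1080
    return bytes(img)

def imported_functions(img: bytes) -> dict:
    """Walk the import directory; returns {dll: [function or 'ord#N', ...]}."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", img, nt + 6)
    opt, is64 = nt + 24, struct.unpack_from("<H", img, nt + 24)[0] == 0x20B
    import_rva = struct.unpack_from("<I", img, opt + (120 if is64 else 104))[0]
    def to_offset(rva):  # RVA -> file offset through the section table
        for i in range(nsec):
            va, raw_size, raw_ptr = struct.unpack_from("<III", img, opt + opt_size + i * 40 + 12)
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} lies outside every section")
    def cstr(off):
        return img[off:img.index(b"\0", off)].decode("ascii", "replace")
    width, fmt, ord_flag = (8, "<Q", 1 << 63) if is64 else (4, "<I", 1 << 31)
    result, desc = {}, to_offset(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                                      # null descriptor ends the table
            break
        funcs, thunk = [], to_offset(oft or ft)                # prefer the ILT, else the IAT
        while (entry := struct.unpack_from(fmt, img, thunk)[0]) != 0:
            funcs.append(f"ord#{entry & 0xFFFF}" if entry & ord_flag
                         else cstr(to_offset(entry & 0x7FFFFFFF) + 2))  # +2 skips the hint
            thunk += width
        result[cstr(to_offset(name_rva))], desc = funcs, desc + 20
    return result

def input_blocking_imports(img: bytes) -> list:  # triage check for the API the post discusses
    imports = imported_functions(img)
    return [f"{d}!{f}" for d, fs in imports.items() if d.lower() == "user32.dll" for f in fs if f == "BlockInput"]
```

A packed or obfuscated sample may resolve BlockInput at run time instead of importing it, so an empty result is not proof of absence.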


