EXETOOLS FORUM  

  #1  
Old 07-05-2016, 19:14
sh3dow
anti-analysis-tricks

Bunch of techniques potentially used by malware to detect analysis environments
Content

After some years, I decided to release these codes for the community. This material was prepared for training courses given in several security conferences. Namely, NoConName 2011, RootedCON 2013, and Hack in Paris 2013.

Preparation

There is a toy GUI (baseProject) used to test each of the tricks individually. Each trick is implemented as an ASM macro. At the beginning, this macro is invoked and the detection value is stored in a variable which is tested later. You need to comment/uncomment the include of the trick you wish to test, and then compile the executable each time. Some tricks may need further modifications; you will find the required instructions in each file.

The main purpose of this project is to test how each anti-analysis trick can be overridden. A brief description of the technique is written in the first lines of each file.

Dependencies

You will need to install the RadASM IDE (https://fbedit.svn.sourceforge.net/svnroot/fbedit/RadASM30/Release/RadASM.zip plus the MASM dependencies) and the MASM32 SDK compiler (http://www.masm32.com/download.htm).

Link: https://github.com/ricardojrdez/anti-analysis-tricks
  #2  
Old 07-06-2016, 00:00
Evilcry
Here is another interesting collection of:

Quote:
Anti-debugging attacks
Anti-Dumping
Timing Attacks
Human Interaction
Anti-VM
Link: https://github.com/LordNoteworthy/al-khaser
Best Regards,
Evilcry
  #3  
Old 07-06-2016, 04:46
sh3dow
Collection Of Anti-Debugging Tricks
https://github.com/waleedassar/antidebug

Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
https://github.com/a0rtega/pafish

antivm.cpp from hackedteam
https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/antivm.cpp

A collection of C++ programs that demonstrate common ways to detect the presence of an attached debugger.
https://github.com/ThomasThelen/AntiDebugging
  #4  
Old 07-07-2016, 07:31
mr.exodia (Super Moderator)
ProReversing (originally by eschweiler):
https://github.com/mrexodia/ProReversing

DebugDetector by zer0fl4g:
https://github.com/zer0fl4g/DebugDetector
  #5  
Old 07-09-2016, 06:15
sh3dow
Not source code, but great papers about anti-analysis tricks everyone should read:
Peter Ferrie's Ultimate Anti-Debugging Reference (http://pferrie.host22.com/papers/antidebug.pdf), PDF, 147 pages
Walied Assar's blog (http://waleedassar.blogspot.com/); he does great research focused on finding new anti-debug tricks
Daniel Plohmann's AntiRE (https://bitbucket.org/fkie_cd_dare/simplifire.antire)
Mark Vincent Yason's Art Of Unpacking (http://www.blackhat.com/presentation...7-yason-WP.pdf)
Rodrigo Branco's Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies (http://research.dissect.pe/docs/blackhat2012-paper.pdf)
OpenRCE's Anti Reverse Engineering Techniques Database (http://www.openrce.org/reference_library/anti_reversing)
Nicolas Falliere's Windows Anti-Debug Reference (http://www.symantec.com/connect/arti...ebug-reference)

===
http://reverseengineering.stackexchange.com tags related to anti-analysis tricks:
http://reverseengineering.stackexcha...anti-debugging
http://reverseengineering.stackexcha...d/anti-dumping
http://reverseengineering.stackexcha...ed/obfuscation
http://reverseengineering.stackexcha.../deobfuscation
http://reverseengineering.stackexcha...ged/protection

  #6  
Old 07-09-2016, 10:15
mr.exodia (Super Moderator)
Also, the ScyllaHide document covers most of them in a very brief manner: https://bitbucket.org/NtQuery/scylla...ScyllaHide.pdf
  #7  
Old 11-28-2016, 02:37
doingtest
awesome sharing, thank you guys, now I have something to play with and test those network pcs.
  #8  
Old 12-26-2016, 03:14
Gladiyator
I think all of these tricks can be bypassed with ScyllaHide.
[ I love you mr.exodia ]
  #9  
Old 12-26-2016, 05:30
mr.exodia (Super Moderator)
Just for the record I did not create ScyllaHide, I only contributed some very minor fixes.