Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   anti-analysis-tricks (https://forum.exetools.com/showthread.php?t=17735)

sh3dow 07-05-2016 19:14

anti-analysis-tricks
 
anti-analysis-tricks

Bunch of techniques potentially used by malware to detect analysis environments
Content

After some years, I decided to release these codes for the community. This material was prepared for training courses given in several security conferences. Namely, NoConName 2011, RootedCON 2013, and Hack in Paris 2013.

Preparation

There is a toy GUI (baseProject) used to test each of the tricks individually. Each trick is implemented as an ASM macro. At the beginning, this macro is invoked and the value of detection is set to a variable which is later tested. You need to comment/uncomment the include of the trick you wish to test, and then compile the executable each time. Some tricks may need further modifications, you will find required instructions in each file.

The main purpose of this project is to test how each anti-analysis trick can be overridden. A brief description of the technique is written in the first lines of each file.

Dependencies

You will need to install RadASM IDE (https://fbedit.svn.sourceforge.net/svnroot/fbedit/RadASM30/Release/RadASM.zip + MASM dependencies) and MASM32 SDK compiler (http://www.masm32.com/download.htm)

PHP Code:

https://github.com/ricardojrdez/anti-analysis-tricks 


Evilcry 07-06-2016 00:00

Here is another interesting collection of:

Quote:

Anti-debugging attacks
Anti-Dumping
Timing Attacks
Human Interaction
Anti-VM
Link:

Code:

https://github.com/LordNoteworthy/al-khaser
Best Regards,
Evilcry

sh3dow 07-06-2016 04:46

Collection Of Anti-Debugging Tricks
PHP Code:

https://github.com/waleedassar/antidebug 

Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
PHP Code:

https://github.com/a0rtega/pafish 

antivm.cpp from hackedteam
PHP Code:

https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/antivm.cpp 

A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
PHP Code:

https://github.com/ThomasThelen/AntiDebugging 


mr.exodia 07-07-2016 07:31

ProReversing (originally by eschweiler):

Code:

https://github.com/mrexodia/ProReversing
DebugDetector by zer0fl4g:

Code:

https://github.com/zer0fl4g/DebugDetector

sh3dow 07-09-2016 06:15

not Source Code but great papers about anti-analysis-tricks Everyone Should Read
Peter Ferrie's Ultimate Anti-Debugging Reference (http://pferrie.host22.com/papers/antidebug.pdf) PDF 147 pages
Walied Assar's blog (http://waleedassar.blogspot.com/) he do great researches, which are focused on finding new anti-debugs tricks
Daniel Plohmann's AntiRE (https://bitbucket.org/fkie_cd_dare/simplifire.antire)
Mark Vincent Yason's Art Of Unpacking (http://www.blackhat.com/presentation...7-yason-WP.pdf)
Rodrigo Branco's Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-
VM Technologies
(http://research.dissect.pe/docs/blackhat2012-paper.pdf)
OpenRCE's Anti Reverse Engineering Techniques Database (http://www.openrce.org/reference_library/anti_reversing)
Nicolas Falli¨¨re's Windows Anti-Debug reference (http://www.symantec.com/connect/arti...ebug-reference)

===
http://reverseengineering.stackexchange.com tag related to anti-analysis-tricks
http://reverseengineering.stackexcha...anti-debugging
http://reverseengineering.stackexcha...d/anti-dumping
http://reverseengineering.stackexcha...ed/obfuscation
http://reverseengineering.stackexcha.../deobfuscation
http://reverseengineering.stackexcha...ged/protection

mr.exodia 07-09-2016 10:15

Also the ScyllaHide document has most of them in a very brief manner: https://bitbucket.org/NtQuery/scylla...ScyllaHide.pdf.

doingtest 11-28-2016 02:37

awesome sharing, thank you guys, now I have something to play with and test those network pcs.

Gladiyator 12-26-2016 03:14

I think all of this tricks can bypassed with ScyllaHide
[ I love you mr.exodia ]

mr.exodia 12-26-2016 05:30

Just for the record I did not create ScyllaHide, I only contributed some very minor fixes.

n00b 08-19-2017 02:25

Anyone else have something really nasty, but hardly ever seen in use?


All times are GMT +8. The time now is 15:07.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX