#1
anti-analysis-tricks
Bunch of techniques potentially used by malware to detect analysis environments

Content

After some years, I decided to release this code for the community. This material was prepared for training courses given at several security conferences, namely NoConName 2011, RootedCON 2013, and Hack in Paris 2013.

Preparation

There is a toy GUI (baseProject) used to test each of the tricks individually. Each trick is implemented as an ASM macro. At the beginning, this macro is invoked and the detection result is stored in a variable which is tested later. You need to comment/uncomment the include of the trick you wish to test, and then compile the executable each time. Some tricks may need further modifications; you will find the required instructions in each file. The main purpose of this project is to test how each anti-analysis trick can be overridden. A brief description of the technique is written in the first lines of each file.

Dependencies

You will need to install the RadASM IDE (https://fbedit.svn.sourceforge.net/svnroot/fbedit/RadASM30/Release/RadASM.zip + MASM dependencies) and the MASM32 SDK compiler (http://www.masm32.com/download.htm).
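The repo's pattern (each trick stores its verdict in a variable that the program examines afterwards, so the reverser can flip the variable or the branch instead of defeating the check itself) can be reproduced in portable C. The following is an added example written for this thread; it is not code from the anti-analysis-tricks repo or any other project mentioned here. The Windows branch reads PEB.BeingDebugged (the byte IsDebuggerPresent() returns); the Linux branch parses TracerPid from /proc/self/status, which is non-zero while a ptrace-based debugger is attached, and also flags an LD_PRELOAD hook library. The status text used in the parser comments is constructed, and the trick table, the names, and the helper functions are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
#endif

/* Return the TracerPid value from a /proc/<pid>/status buffer.
 * 0 = not traced, >0 = pid of the tracer, -1 = field absent.
 * Constructed input "Name:\tbash\nTracerPid:\t4242\n" yields 4242. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = status_text;
    while ((p = strstr(p, key)) != NULL) {
        /* Accept the key only at the start of a line, so a field such as
         * "NotTracerPid:" in a hostile buffer is not mistaken for it. */
        if (p == status_text || p[-1] == '\n')
            return strtol(p + strlen(key), NULL, 10);
        p += strlen(key);
    }
    return -1;
}

/* Trick 1: is a debugger attached to this process? */
int check_debugger_attached(void)
{
#ifdef _WIN32
#ifdef _WIN64
    unsigned char *peb = (unsigned char *)__readgsqword(0x60);
#else
    unsigned char *peb = (unsigned char *)__readfsdword(0x30);
#endif
    return peb[2] != 0;                 /* PEB.BeingDebugged */
#else
    FILE *f = fopen("/proc/self/status", "r");
    char buf[4096];
    size_t n;
    if (f == NULL)
        return 0;                       /* no procfs: cannot tell, report clean */
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
#endif
}

/* Trick 2: has a hook library been injected through the loader?
 * (Linux analogue of looking for an anti-anti-debug DLL in the process.) */
int check_preload_hook(void)
{
#ifdef _WIN32
    return 0;
#else
    return getenv("LD_PRELOAD") != NULL;
#endif
}

typedef struct {
    const char *name;
    int (*run)(void);
} trick;

/* Each trick writes into this variable; the decision is taken later from it.
 * Patching 'detected' (or the branch on it) in a debugger defeats every trick
 * at once, which is exactly what the repo lets you practise. */
static int detected;

int evaluate_tricks(const trick *tricks, size_t count)
{
    size_t i;
    detected = 0;
    for (i = 0; i < count; i++) {
        int hit = tricks[i].run();
        printf("%-20s %s\n", tricks[i].name, hit ? "DETECTED" : "clean");
        detected |= hit;
    }
    return detected;
}

int main(void)
{
    const trick tricks[] = {
        { "debugger attached", check_debugger_attached },
        { "preload hook",      check_preload_hook },
    };
    if (evaluate_tricks(tricks, sizeof tricks / sizeof tricks[0]))
        puts("analysis environment suspected");
    else
        puts("no analysis environment detected");
    return 0;
}
```

Run it once normally and once under gdb (or with LD_PRELOAD set) to see the verdict change; then break on evaluate_tricks and zero `detected` before the final branch to see why a single shared flag is the weak point of this design.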
#2
Here is another interesting collection of anti-analysis tricks:
https://github.com/LordNoteworthy/al-khaser

Evilcry
#3
Collection Of Anti-Debugging Tricks
#4
ProReversing (originally by eschweiler):
https://github.com/mrexodia/ProReversing
https://github.com/zer0fl4g/DebugDetector
#5
Not source code, but great papers about anti-analysis tricks everyone should read:

Peter Ferrie's Ultimate Anti-Debugging Reference (http://pferrie.host22.com/papers/antidebug.pdf), PDF, 147 pages
Walied Assar's blog (http://waleedassar.blogspot.com/): he does great research focused on finding new anti-debug tricks
Daniel Plohmann's AntiRE (https://bitbucket.org/fkie_cd_dare/simplifire.antire)
Mark Vincent Yason's Art Of Unpacking (http://www.blackhat.com/presentation...7-yason-WP.pdf)
Rodrigo Branco's Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies (http://research.dissect.pe/docs/blackhat2012-paper.pdf)
OpenRCE's Anti Reverse Engineering Techniques Database (http://www.openrce.org/reference_library/anti_reversing)
Nicolas Fallière's Windows Anti-Debug Reference (http://www.symantec.com/connect/arti...ebug-reference)

Tags on http://reverseengineering.stackexchange.com related to anti-analysis tricks:
http://reverseengineering.stackexcha...anti-debugging
http://reverseengineering.stackexcha...d/anti-dumping
http://reverseengineering.stackexcha...ed/obfuscation
http://reverseengineering.stackexcha.../deobfuscation
http://reverseengineering.stackexcha...ged/protection

Last edited by sh3dow; 07-09-2016 at 06:21.
#6
Also the ScyllaHide document has most of them in a very brief manner: https://bitbucket.org/NtQuery/scylla...ScyllaHide.pdf.
#7
awesome sharing, thank you guys, now I have something to play with and test those network pcs.
#8
I think all of these tricks can be bypassed with ScyllaHide.
[ I love you mr.exodia ]
#9
Just for the record I did not create ScyllaHide, I only contributed some very minor fixes.
#10
Anyone else have something really nasty, but hardly ever seen in use?