ANTI

Automated Integration of Anti-Reversing methods in PE executables

Only x86 is supported.

ANTI currently uses the following techniques:

Unhooking:

  • Disables user-mode function hooks by manually loading ntdll.dll from disk and checking the loaded ntdll for modifications.
  • If modifications exist, it overwrites the hooked code with the clean ntdll and calls the ntdll-based anti-debug functions through that copy.
  • Todo: unhooking for every loaded DLL.

Anti-debugging:

  • IsDebuggerPresent()
  • PEB.BeingDebugged flag using speculative execution
  • PEB.NtGlobalFlag
  • Heap Flags
  • Self-Debugging
  • Anti-Step-Over
  • NtSetInformationThread()
  • Dynamic TlsCallbacks
  • NtQueryInformationProcess()
  • RDTSC
  • RtlQueryProcessDebugInformation()
  • Selectors
  • Uses NtTerminateProcess() or SwitchDesktop() or NtShutdownSystem() to terminate/crash the debugging/VM session

Anti-VM:

  • CPUID (Hypervisor presence)
  • CPUID (Hypervisor vendor)
  • Number of Processors
  • Device Drivers
  • NtGetTickCount

Process Injection:

  • When ANTI detects a debugger, it automatically migrates into a remote process using the NtCreateThreadEx technique.
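
As an added defender-side example (not code from the ANTI project), the Python triage helper below scans a raw x86 PE image or section for byte-level traces of the checks listed above (PEB.BeingDebugged, PEB.NtGlobalFlag, RDTSC, CPUID) and for the API names the README mentions. The opcode encodings and the constructed SAMPLE bytes are my assumptions; the script matches raw bytes rather than parsing the PE, so single hits are weak signals and are paired before a technique is reported.

```python
import re
# Added triage helper, not ANTI project code: scan raw x86 bytes for traces of the checks listed
# in the README. Opcode encodings are assumptions from the Intel manual; no PE parsing is done.
def _disp8_modrm():
    # ModRM bytes with mod=01 (reg + disp8), excluding rm=100, which would need a SIB byte
    return b"[" + b"".join(re.escape(bytes([b])) for b in range(0x40, 0x80) if b & 7 != 4) + b"]"

_FS_LOAD = rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])"  # mov r32, fs:[disp32]
OPCODE_PATTERNS = {
    "peb_via_fs30": _FS_LOAD + rb"\x30\x00\x00\x00",                # mov r32, fs:[0x30]  (PEB)
    "peb_beingdebugged": rb"\x0f\xb6" + _disp8_modrm() + rb"\x02",  # movzx r32, byte [r32+2]
    "peb_ntglobalflag": rb"\x8b" + _disp8_modrm() + rb"\x68",       # mov r32, [r32+0x68]
    "rdtsc": rb"\x0f\x31",
    "cpuid": rb"\x0f\xa2",
}
# API names from the README, as they appear in an import name table or a string pool
API_NAMES = [b"IsDebuggerPresent", b"NtSetInformationThread", b"NtQueryInformationProcess",
             b"RtlQueryProcessDebugInformation", b"NtCreateThreadEx", b"SwitchDesktop",
             b"NtShutdownSystem", b"NtTerminateProcess"]

def scan(data):
    """Count every opcode pattern and API name in a raw PE image or section."""
    hits = {name: len(re.findall(pat, data)) for name, pat in OPCODE_PATTERNS.items()}
    hits.update({n.decode(): data.count(n) for n in API_NAMES})
    return hits

def triage(data):
    """Map raw hits to named techniques; lone opcodes are common in any code, so pair them."""
    h, findings = scan(data), []
    if h["peb_via_fs30"] and h["peb_beingdebugged"]:
        findings.append("PEB.BeingDebugged check")
    if h["peb_via_fs30"] and h["peb_ntglobalflag"]:
        findings.append("PEB.NtGlobalFlag check")
    if h["rdtsc"] >= 2:  # a timing check needs two reads to compare
        findings.append("RDTSC timing check")
    if h["cpuid"]:
        findings.append("CPUID hypervisor probe")
    findings += ["imports " + n.decode() for n in API_NAMES if h[n.decode()]]
    return findings

# Constructed sample: a hand-assembled x86 stub plus two API names, not a real binary
SAMPLE = (
    b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[0x30]
    b"\x0f\xb6\x40\x02"          # movzx eax, byte [eax+2]   (BeingDebugged)
    b"\x8b\x48\x68"              # mov ecx, [eax+0x68]       (NtGlobalFlag)
    b"\x0f\x31\x90\x90\x0f\x31"  # rdtsc ; nop ; nop ; rdtsc
    b"\x0f\xa2"                  # cpuid
    b"IsDebuggerPresent\x00NtCreateThreadEx\x00"
)
print(triage(SAMPLE))
```

Run it over the section ANTI writes into a target (the `<section name>` argument) rather than the whole file to keep false positives from ordinary `[reg+disp8]` loads low.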

An overview of how ANTI works is given in the project's Overview diagram.

ANTI bypasses the following debuggers and debugger-hiding tools:

  • IDA Pro, Version 7, 5
  • Immunity Debugger, Version 1.85
  • OllyDbg v1.10, v2
  • CheatEngine
  • x64dbg, Build April 5 2018
  • WinDbg 10
  • Obsidian debugger, Version 0.11
  • Microsoft Visual Studio Debugger, Version 15.4.0
  • PhantOm v1.85
  • StrongOD v0.4.8.892
  • OllyAdvanced v1.27
  • SharpOD v0.6
  • aadp v0.2
  • HideDebugger v1.2.4
  • IDA Stealth
  • OllyExt
  • makin
  • ScyllaHide
  • Apate
  • ApiMonitor v2

Usage:

  • anti.exe <target file> <section name> <pid>

POC: Bypassing ScyllaHide on x32dbg

License

ANTI is licensed under the MIT License.

Credits to Peter Ferrie for his “Ultimate” Anti-Debugging Reference.