- Introduction
- Possible uses
- Features
- Anti-debugging attacks
- Anti-Dumping
- Timing Attacks
- Human Interaction
- Anti-VM
- Requirements
- License
al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
You can download the latest release here.
- You are making an anti-debug plugin and you want to check its effectiveness.
- You want to ensure that your sandbox solution is hidden enough.
- Or you want to ensure that your malware analysis environment is well hidden.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- Process Environement Block (BeingDebugged)
- Process Environement Block (NtGlobalFlag)
- ProcessHeap (Flags)
- ProcessHeap (ForceFlags)
- NtQueryInformationProcess (ProcessDebugPort)
- NtQueryInformationProcess (ProcessDebugFlags)
- NtQueryInformationProcess (ProcessDebugObject)
- NtSetInformationThread (HideThreadFromDebugger)
- NtQueryObject (ObjectTypeInformation)
- NtQueryObject (ObjectAllTypesInformation)
- CloseHanlde (NtClose) Invalide Handle
- SetHandleInformation (Protected Handle)
- UnhandledExceptionFilter
- OutputDebugString (GetLastError())
- Hardware Breakpoints (SEH / GetThreadContext)
- Software Breakpoints (INT3 / 0xCC)
- Memory Breakpoints (PAGE_GUARD)
- Interrupt 0x2d
- Interrupt 1
- Parent Process (Explorer.exe)
- SeDebugPrivilege (Csrss.exe)
- NtYieldExecution / SwitchToThread
- TLS callbacks
- Process jobs
- Memory write watching
- Erase PE header from memory
- SizeOfImage
- RDTSC (with CPUID to force a VM Exit)
- RDTSC (Locky version with GetProcessHeap & CloseHandle)
- Sleep -> SleepEx -> NtDelayExecution
- Sleep (in a loop a small delay)
- Sleep and check if time was accelerated (GetTickCount)
- SetTimer (Standard Windows Timers)
- timeSetEvent (Multimedia Timers)
- WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
- IcmpSendEcho (CCleaner Malware)
- CreateWaitableTimer (todo)
- CreateTimerQueueTimer (todo)
- Big crypto loops (todo)
- Mouse movement
- Total Physical memory (GlobalMemoryStatusEx)
- Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
- Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
- Mouse (Single click / Double click) (todo)
- DialogBox (todo)
- Scrolling (todo)
- Execution after reboot (todo)
- Count of processors (Win32/Tinba - Win32/Dyre)
- Sandbox known product IDs (todo)
- Color of background pixel (todo)
- Keyboard layout (Win32/Banload) (todo)
-
Registry key value artifacts
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
- HARDWARE\Description\System (SystemBiosVersion) (VBOX)
- HARDWARE\Description\System (SystemBiosVersion) (QEMU)
- HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
- HARDWARE\Description\System (SystemBiosDate) (06/23/99)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
- SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)
-
Registry Keys artifacts
- "HARDWARE\ACPI\DSDT\VBOX__"
- "HARDWARE\ACPI\FADT\VBOX__"
- "HARDWARE\ACPI\RSDT\VBOX__"
- "SOFTWARE\Oracle\VirtualBox Guest Additions"
- "SYSTEM\ControlSet001\Services\VBoxGuest"
- "SYSTEM\ControlSet001\Services\VBoxMouse"
- "SYSTEM\ControlSet001\Services\VBoxService"
- "SYSTEM\ControlSet001\Services\VBoxSF"
- "SYSTEM\ControlSet001\Services\VBoxVideo"
- SOFTWARE\VMware, Inc.\VMware Tools
- SOFTWARE\Wine
-
File system artifacts
- "system32\drivers\VBoxMouse.sys"
- "system32\drivers\VBoxGuest.sys"
- "system32\drivers\VBoxSF.sys"
- "system32\drivers\VBoxVideo.sys"
- "system32\vboxdisp.dll"
- "system32\vboxhook.dll"
- "system32\vboxmrxnp.dll"
- "system32\vboxogl.dll"
- "system32\vboxoglarrayspu.dll"
- "system32\vboxoglcrutil.dll"
- "system32\vboxoglerrorspu.dll"
- "system32\vboxoglfeedbackspu.dll"
- "system32\vboxoglpackspu.dll"
- "system32\vboxoglpassthroughspu.dll"
- "system32\vboxservice.exe"
- "system32\vboxtray.exe"
- "system32\VBoxControl.exe"
- "system32\drivers\vmmouse.sys"
- "system32\drivers\vmhgfs.sys"
- "system32\drivers\vm3dmp.sys"
- "system32\drivers\vmci.sys"
- "system32\drivers\vmhgfs.sys"
- "system32\drivers\vmmemctl.sys"
- "system32\drivers\vmmouse.sys"
- "system32\drivers\vmrawdsk.sys"
- "system32\drivers\vmusbmouse.sys"
-
Directories artifacts
- "%PROGRAMFILES%\oracle\virtualbox guest additions\"
- "%PROGRAMFILES%\VMWare\"
-
Memory artifacts
- Interupt Descriptor Table (IDT) location
- Local Descriptor Table (LDT) location
- Global Descriptor Table (GDT) location
- Task state segment trick with STR
-
MAC Address
- "\x08\x00\x27" (VBOX)
- "\x00\x05\x69" (VMWARE)
- "\x00\x0C\x29" (VMWARE)
- "\x00\x1C\x14" (VMWARE)
- "\x00\x50\x56" (VMWARE)
-
Virtual devices
- "\\.\VBoxMiniRdrDN"
- "\\.\VBoxGuest"
- "\\.\pipe\VBoxMiniRdDN"
- "\\.\VBoxTrayIPC"
- "\\.\pipe\VBoxTrayIPC")
- "\\.\HGFS"
- "\\.\vmci"
-
Hardware Device information
- SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
- QEMU
- VMWare
- VBOX
- VIRTUAL HD
- SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
-
System Firmware Tables
- SMBIOS string checks (VirtualBox)
- SMBIOS string checks (VMWare)
- SMBIOS string checks (Qemu)
- ACPI string checks (VirtualBox)
- ACPI string checks (VMWare)
- ACPI string checks (Qemu)
-
Driver Services
- VirtualBox
- VMWare
-
Adapter name
- VMWare
-
Windows Class
- VBoxTrayToolWndClass
- VBoxTrayToolWnd
-
Network shares
- VirtualBox Shared Folders
-
Processes
- vboxservice.exe (VBOX)
- vboxtray.exe (VBOX)
- vmtoolsd.exe(VMWARE)
- vmwaretray.exe(VMWARE)
- vmwareuser(VMWARE)
- VGAuthService.exe (VMWARE)
- vmacthlp.exe (VMWARE)
- vmsrvc.exe(VirtualPC)
- vmusrvc.exe(VirtualPC)
- prl_cc.exe(Parallels)
- prl_tools.exe(Parallels)
- xenservice.exe(Citrix Xen)
- qemu-ga.exe (QEMU)
-
WMI
- SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
- SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
- SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
- SELECT * FROM Win32_NTEventlogFile (VBOX)
- SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
- SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
-
DLL Exports and Loaded DLLs
- avghookx.dll (AVG)
- avghooka.dll (AVG)
- snxhk.dll (Avast)
- kernel32.dll!wine_get_unix_file_nameWine (Wine)
- sbiedll.dll (Sandboxie)
- dbghelp.dll (MS debugging support routines)
- api_log.dll (iDefense Labs)
- dir_watch.dll (iDefense Labs)
- pstorec.dll (SunBelt Sandbox)
- vmcheck.dll (Virtual PC)
- wpespy.dll (WPE Pro)
-
CPU
- Hypervisor presence using (EAX=0x1)
- Hypervisor vendor using (EAX=0x40000000)
-
"KVMKVMKVM\0\0\0" (KVM)
- "Microsoft Hv"(Microsoft Hyper-V or Windows Virtual PC)
- "VMwareVMware"(VMware)
- "XenVMMXenVMM"(Xen)
- "prl hyperv "( Parallels) -"VBoxVBoxVBox"( VirtualBox)
-
-
Processes
- OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
- SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
- Wireshark / Dumpcap
- ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
- ImportREC / PETools / LordPE
- JoeBox Sandbox
- Document_Close / Auto_Close.
- Application.RecentFiles.Count
- CreateRemoteThread
- SetWindowsHooksEx
- NtCreateThreadEx
- RtlCreateUserThread
- APC (QueueUserAPC / NtQueueApcThread)
- RunPE (GetThreadContext / SetThreadContext)
- mrexodia: Main developer of x64dbg
- Mattiwatti: Matthijs Lavrijsen
- gsuberland: Graham Sutherland
- An Anti-Reverse Engineering Guide By Josh Jackson.
- Anti-Unpacker Tricks By Peter Ferrie.
- The Art Of Unpacking By Mark Vincent Yason.
- Walied Assar's blog http://waleedassar.blogspot.de/.
- Pafish tool: https://github.com/a0rtega/pafish.
- PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro