Knowledge base of anti-analysis techniques found during malware analyses.
Uses calls to SetErrorMode to detect changes (hooks) in the default behavior of the SetErrorMode Windows API call.
- https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-seterrormode
- https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/
[002_ForcedRaceConditionSleep] Forces a race condition in order to detect changes in sleep() call behavior
This method terminates the process if a mutex still exists, by spawning the same process twice. The trick is that the mutex will still exist in the second process if the default behavior of sleep() is untouched.
- https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa
- https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-
- https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleep
- http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.
- https://docs.microsoft.com/en-us/windows/win32/sync/using-named-objects
Iterates through the process list, checking each process against a "blacklist", and terminates the matching analysis tool or the execution of the current process in case of a match.
Sometimes analysis tools and sandboxes inject DLLs into targeted processes in order to inspect their execution behaviour.
This technique searches for specific keys in the Windows Registry regarding device names. Virtual machine technologies leave a lot of traces if not fine-tuned. Malware families use this technique to check if the main executable is running under a virtualized environment.
Usually this technique is used together with technique #007, so it avoids hooks on this specific API call ("NtQueryInformationProcess").
This technique is used to hide behavioural data in case sandboxes do not propagate hooks.
Checks if any debugger is attached to the current process by inspecting the debug flag in the PEB. There are many ways to achieve this; one of them is calling "IsDebuggerPresent".
Checks if any debugger is attached to a specific process.
Searches window names according to a list of pre-defined names used by analysis tools.
[011_PhantomMW] Uses a hidden secondary desktop to imitate a user and bypass AVs' behaviour analysis.
Did not see this implemented in any malware family so far.
- https://ieeexplore.ieee.org/abstract/document/9186656
- https://github.com/gnxbr/Fully-Undetectable-Techniques/tree/main/user-imitating
Checks the BeingDebugged flag inside the PEB structure.