GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → LordNoteworthy → Al Khaser

LordNoteworthy / Al Khaser

Licence: gpl-2.0
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.

Programming Languages

C++
36643 projects - #6 most used programming language
c
50402 projects - #5 most used programming language
C#
18002 projects

Labels

malwarecode-injectiontiming-attacksanti-debugginganti-analysisanti-sandboxanti-vmanti-emulationav-bypasssandbox-evasionanti-disassembly

Projects that are alternatives of or similar to Al Khaser

Fake-Sandbox-Artifacts
This script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools
Stars: ✭ 138 (-96.14%)
Mutual labels:  anti-analysis, anti-sandbox, anti-vm, anti-emulation
ProTecT
ProTecT is an MS-DOS packer. While this packer is outdated, it uses a number of interesting anti-analysis techniques that are still relevant today.
Stars: ✭ 28 (-99.22%)
Mutual labels:  anti-debugging, anti-analysis
ice9
ice9 - is anticheat based on usermode tricks and undocumented methods , builded as dll for loading trought the shibari framework
Stars: ✭ 16 (-99.55%)
Mutual labels:  anti-debugging, anti-emulation
inceptor
Template-Driven AV/EDR Evasion Framework
Stars: ✭ 730 (-79.57%)
Mutual labels:  code-injection, av-bypass
Anti-Debugging
A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
Stars: ✭ 297 (-91.69%)
Mutual labels:  malware, anti-debugging
VBoxCloak
A PowerShell script that attempts to help malware analysts hide their Windows VirtualBox Windows VM's from malware that may be trying to evade analysis. Guaranteed to bring down your pafish ratings by at least a few points ;)
Stars: ✭ 49 (-98.63%)
Mutual labels:  malware
MalwareDatabase
Malware samples for analysis, researchers, anti-virus and system protection testing.(1300+ Malware-samples!)
Stars: ✭ 21 (-99.41%)
Mutual labels:  malware
MalwareHashDB
Malware hashes for open source projects.
Stars: ✭ 31 (-99.13%)
Mutual labels:  malware
AutoIt-Ripper
Extract AutoIt scripts embedded in PE binaries
Stars: ✭ 101 (-97.17%)
Mutual labels:  malware
Mquery
YARA malware query accelerator (web frontend)
Stars: ✭ 264 (-92.61%)
Mutual labels:  malware
Community
Volatility plugins developed and maintained by the community
Stars: ✭ 252 (-92.95%)
Mutual labels:  malware
Open-source-tools-for-CTI
Public Repository of Open Source Tools for Cyber Threat Intelligence Analysts and Researchers
Stars: ✭ 91 (-97.45%)
Mutual labels:  malware
malware-s2e
Code for my blog post on using S2E for malware analysis
Stars: ✭ 21 (-99.41%)
Mutual labels:  malware
M-Botnet
A C2 project that controls a self-propagating MS17-010 worm.
Stars: ✭ 39 (-98.91%)
Mutual labels:  malware
Simpleator
Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
Stars: ✭ 260 (-92.72%)
Mutual labels:  malware
freki
🐺 Malware analysis platform
Stars: ✭ 327 (-90.85%)
Mutual labels:  malware
TeleShadow2
TeleShadow - Telegram Desktop Session Stealer (Windows)
Stars: ✭ 88 (-97.54%)
Mutual labels:  malware
carrierwave-attachmentscanner
Adds the ability to send CarrierWave uploads to Attachment Scanner for virus and malware prevention.
Stars: ✭ 14 (-99.61%)
Mutual labels:  malware
Ransomware
Crypto Ransomware made with: - Go for encryption and decryption - PHP/MySQL for saving and retrieving keys.
Stars: ✭ 19 (-99.47%)
Mutual labels:  malware
Yobi
Yara Based Detection Engine for web browsers
Stars: ✭ 39 (-98.91%)
Mutual labels:  malware
View All Similar Projects ➔

Al-Khaser v0.81

Logo

Content

Introduction

al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Logo

Download

You can download the latest release here: x86 | x64.

Sorry, binaries have been removed for now as they were triggering Google's Safe Browsing heuristics.

Possible uses

  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environment is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • Low Fragmentation Heap (LFH)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • WudfIsAnyDebuggerPresent
  • WudfIsKernelDebuggerPresent
  • WudfIsUserDebuggerPresent
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHanlde (NtClose) Invalide Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Trap Flag
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread
  • TLS callbacks
  • Process jobs
  • Memory write watching
  • Page exception breakpoint detection
  • API hook detection (module bounds based)

Anti-injection

  • Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)
  • Enumerate modules with ToolHelp32
  • Enumerate the process LDR structures with LdrEnumerateLoadedModules
  • Enumerate the process LDR structures directly
  • Walk memory with GetModuleInformation
  • Walk memory for hidden modules

Anti-Dumping

  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]

  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer
  • CreateTimerQueueTimer
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]

  • Mouse movement
  • File names like sample.exe or sandbox.exe.
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba - Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)
  • Genuine Windows installation.
  • Known Sandbox hostnames and usernames

Anti-Virtualization / Full-System Emulation

  • Registry key value artifacts

    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
    • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
    • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
    • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
    • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
    • SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)

  • Registry Keys artifacts

    • HARDWARE\ACPI\DSDT\VBOX__ (VBOX)
    • HARDWARE\ACPI\FADT\VBOX__ (VBOX)
    • HARDWARE\ACPI\RSDT\VBOX__ (VBOX)
    • SOFTWARE\Oracle\VirtualBox Guest Additions (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxGuest (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxMouse (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxService (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxSF (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxVideo (VBOX)
    • SOFTWARE\VMware, Inc.\VMware Tools (VMWARE)
    • SOFTWARE\Wine (WINE)
    • SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters (HYPER-V)
    • SYSTEM\CurrentControlSet\Services\Disk\Enum
    • SYSTEM\CurrentControlSet\Enum\IDE
    • SYSTEM\CurrentControlSet\Enum\SCSI

  • File system artifacts

    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
    • "system32\drivers\vmmouse.sys"
    • "system32\drivers\vmhgfs.sys"
    • "system32\drivers\vm3dmp.sys"
    • "system32\drivers\vmci.sys"
    • "system32\drivers\vmhgfs.sys"
    • "system32\drivers\vmmemctl.sys"
    • "system32\drivers\vmmouse.sys"
    • "system32\drivers\vmrawdsk.sys"
    • "system32\drivers\vmusbmouse.sys"

  • Directories artifacts

    • "%PROGRAMFILES%\oracle\virtualbox guest additions\"
    • "%PROGRAMFILES%\VMWare\"

  • Memory artifacts

    • Interupt Descriptor Table (IDT) location
    • Local Descriptor Table (LDT) location
    • Global Descriptor Table (GDT) location
    • Task state segment trick with STR

  • MAC Address

    • "\x08\x00\x27" (VBOX)
    • "\x00\x05\x69" (VMWARE)
    • "\x00\x0C\x29" (VMWARE)
    • "\x00\x1C\x14" (VMWARE)
    • "\x00\x50\x56" (VMWARE)
    • "\x00\x1C\x42" (Parallels)
    • "\x00\x16\x3E" (Xen)
    • "\x0A\x00\x27" (Hybrid Analysis)

  • Virtual devices

    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC")
    • "\\.\HGFS"
    • "\\.\vmci"

  • Hardware Device information

    • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
      • QEMU
      • VMWare
      • VBOX
      • VIRTUAL HD
    • Power policies (S1-S4 states, thermal control)

  • System Firmware Tables

    • SMBIOS string checks (VirtualBox)
    • SMBIOS string checks (VMWare)
    • SMBIOS string checks (Qemu)
    • ACPI string checks (VirtualBox)
    • ACPI string checks (VMWare)
    • ACPI string checks (Qemu)

  • Driver Services

    • VirtualBox
    • VMWare

  • Adapter name

    • VMWare

  • Windows Class

    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd

  • Network shares

    • VirtualBox Shared Folders

  • Processes

    • vboxservice.exe (VBOX)
    • vboxtray.exe (VBOX)
    • vmtoolsd.exe(VMWARE)
    • vmwaretray.exe(VMWARE)
    • vmwareuser(VMWARE)
    • VGAuthService.exe (VMWARE)
    • vmacthlp.exe (VMWARE)
    • vmsrvc.exe(VirtualPC)
    • vmusrvc.exe(VirtualPC)
    • prl_cc.exe(Parallels)
    • prl_tools.exe(Parallels)
    • xenservice.exe(Citrix Xen)
    • qemu-ga.exe (QEMU)

  • WMI

    • SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)
    • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
    • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
    • SELECT * FROM Win32_NTEventlogFile (VBOX)
    • SELECT * FROM Win32_Processor (NumberOfCores and ProcessorId) (GENERIC)
    • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
    • SELECT * FROM Win32_ComputerSystem (Model and Manufacturer) (GENERIC)
    • SELECT * FROM MSAcpi_ThermalZoneTemperature CurrentTemperature) (GENERIC)
    • SELECT * FROM Win32_Fan (GENERIC)

  • DLL Exports and Loaded DLLs

    • avghookx.dll (AVG)
    • avghooka.dll (AVG)
    • snxhk.dll (Avast)
    • kernel32.dll!wine_get_unix_file_nameWine (Wine)
    • sbiedll.dll (Sandboxie)
    • dbghelp.dll (MS debugging support routines)
    • api_log.dll (iDefense Labs)
    • dir_watch.dll (iDefense Labs)
    • pstorec.dll (SunBelt Sandbox)
    • vmcheck.dll (Virtual PC)
    • wpespy.dll (WPE Pro)
    • cmdvrt32.dll (Comodo Container)
    • cmdvrt64.dll (Comodo Container)

  • CPU

    • Hypervisor presence using (EAX=0x1)
    • Hypervisor vendor using (EAX=0x40000000)
      • "KVMKVMKVM\0\0\0" (KVM)
        • "Microsoft Hv"(Microsoft Hyper-V or Windows Virtual PC)
        • "VMwareVMware"(VMware)
        • "XenVMMXenVMM"(Xen)
        • "prl hyperv "( Parallels) -"VBoxVBoxVBox"( VirtualBox)

  • NtQueryLicenseValue with Kernel-VMDetection-Private as license value.

Anti-Analysis

  • Processes
    • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
    • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
    • Wireshark / Dumpcap
    • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
    • ImportREC / PETools / LordPE
    • JoeBox Sandbox

Anti-Disassembly

  • Jump with constant condition
  • Jump instruction with same target
  • Impossible disassembly
  • Function Pointers
  • Return Pointer Abuse

Macro malware attacks

  • Document_Close / Auto_Close.
  • Application.RecentFiles.Count

Code/DLL Injections techniques

  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Authors

Pull requests welcome. Please read the Developer Guidelines on our wiki if you wish to contribute to the project.

References

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].