首页
社区
课程
招聘
[推荐]Collection of Anti-Malware Analysis Tricks
发表于: 2016-11-16 20:56 3053

[推荐]Collection of Anti-Malware Analysis Tricks

2016-11-16 20:56
3053


This is a small tool I wrote while reversing some malwares. It performs a bunch of nowadays malwares tricks and the goal is to see if you stay under the radar. That could be useful if:

You are making an anti-debug plugin and you want to check its effectiveness.
You want to ensure that your sandbox solution is hidden enough..
You want to write behavior rules to detect any attempt to use these tricks.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

List of features supported:

Anti-debugging attacks

IsDebuggerPresent
CheckRemoteDebuggerPresent
Process Environement Block (BeingDebugged)
Process Environement Block (NtGlobalFlag)
ProcessHeap (Flags)
ProcessHeap (ForceFlags)
NtQueryInformationProcess (ProcessDebugPort)
NtQueryInformationProcess (ProcessDebugFlags)
NtQueryInformationProcess (ProcessDebugObject)
NtSetInformationThread (HideThreadFromDebugger)
NtQueryObject (ObjectTypeInformation)
NtQueryObject (ObjectAllTypesInformation)
CloseHanlde (NtClose) Invalide Handle
SetHandleInformation (Protected Handle)
UnhandledExceptionFilter
OutputDebugString (GetLastError())
Hardware Breakpoints (SEH / GetThreadContext)
Software Breakpoints (INT3 / 0xCC)
Memory Breakpoints (PAGE_GUARD)
Interrupt 0x2d
Interrupt 1
Parent Process (Explorer.exe)
SeDebugPrivilege (Csrss.exe)
NtYieldExecution / SwitchToThread
Anti-Dumping

Erase PE header from memory
SizeOfImage
Timing Attacks [Anti-Sandbox]

Sleep -> SleepEx -> NtDelayExecution
Sleep (in a loop a small delay)
SetTimer (Standard Windows Timers)
timeSetEvent (Multimedia Timers)
WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
Human Interaction / Generic [Anti-Sandbox]

Mouse movement
Total Physical memory (GlobalMemoryStatusEx)
Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
Count of processors (Win32/Tinba - Win32/Dyre)
Anti-Virtualization / Full-System Emulation

Registry key value artifacts

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
HARDWARE\Description\System (SystemBiosVersion) (VBOX)
HARDWARE\Description\System (SystemBiosVersion) (QEMU)
HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
HARDWARE\Description\System (SystemBiosDate) (06/23/99)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
Registry Keys artifacts

"HARDWARE\ACPI\DSDT\VBOX__"
"HARDWARE\ACPI\FADT\VBOX__"
"HARDWARE\ACPI\RSDT\VBOX__"
"SOFTWARE\Oracle\VirtualBox Guest Additions"
"SYSTEM\ControlSet001\Services\VBoxGuest"
"SYSTEM\ControlSet001\Services\VBoxMouse"
"SYSTEM\ControlSet001\Services\VBoxService"
"SYSTEM\ControlSet001\Services\VBoxSF"
"SYSTEM\ControlSet001\Services\VBoxVideo"
SOFTWARE\VMware, Inc.\VMware Tools
SOFTWARE\Wine
File system artifacts

"system32\drivers\VBoxMouse.sys"
"system32\drivers\VBoxGuest.sys"
"system32\drivers\VBoxSF.sys"
"system32\drivers\VBoxVideo.sys"
"system32\vboxdisp.dll"
"system32\vboxhook.dll"
"system32\vboxmrxnp.dll"
"system32\vboxogl.dll"
"system32\vboxoglarrayspu.dll"
"system32\vboxoglcrutil.dll"
"system32\vboxoglerrorspu.dll"
"system32\vboxoglfeedbackspu.dll"
"system32\vboxoglpackspu.dll"
"system32\vboxoglpassthroughspu.dll"
"system32\vboxservice.exe"
"system32\vboxtray.exe"
"system32\VBoxControl.exe"
"system32\drivers\vmmouse.sys"
"system32\drivers\vmhgfs.sys"
Directories artifacts

"%PROGRAMFILES%\oracle\virtualbox guest additions\"
"%PROGRAMFILES%\VMWare\"
Memory artifacts - Interupt Descriptor Table (IDT) location - Local Descriptor Table (LDT) location - Global Descriptor Table (GDT) location - Task state segment trick with STR

MAC Address

"\x08\x00\x27" (VBOX)
"\x00\x05\x69" (VMWARE)
"\x00\x0C\x29" (VMWARE)
"\x00\x1C\x14" (VMWARE)
"\x00\x50\x56" (VMWARE)
Virtual devices

"\\.\VBoxMiniRdrDN"
"\\.\VBoxGuest"
"\\.\pipe\VBoxMiniRdDN"
"\\.\VBoxTrayIPC"
"\\.\pipe\VBoxTrayIPC")
"\\.\HGFS"
"\\.\vmci"
Hardware Device information

SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
QEMU
VMWare
VBOX
VIRTUAL HD
Adapter name

VMWare
Windows Class

VBoxTrayToolWndClass
VBoxTrayToolWnd
Network shares

VirtualBox Shared Folders
Processes

vboxservice.exe (VBOX)
vboxtray.exe (VBOX)
vmtoolsd.exe (VMWARE)
vmwaretray.exe (VMWARE)
vmwareuser (VMWARE)
vmsrvc.exe (VirtualPC)
vmusrvc.exe (VirtualPC)
prl_cc.exe (Parallels)
prl_tools.exe (Parallels)
xenservice.exe (Citrix Xen)
WMI

SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
SELECT * FROM Win32_NTEventlogFile (VBOX)
SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
DLL Exports and Loaded DLLs

kernel32.dll!wine_get_unix_file_nameWine (Wine)
sbiedll.dll (Sandboxie)
dbghelp.dll (MS debugging support routines)
api_log.dll (iDefense Labs)
dir_watch.dll (iDefense Labs)
pstorec.dll (SunBelt Sandbox)
vmcheck.dll (Virtual PC)
wpespy.dll (WPE Pro)
Anti-Analysis

Processes
OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
Wireshark / Dumpcap
ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
ImportREC / PETools / LordPE
JoeBox Sandbox
Code/DLL Injections techniques

CreateRemoteThread
SetWindowsHooksEx
NtCreateThreadEx
RtlCreateUserThread
APC (QueueUserAPC / NtQueueApcThread)
RunPE (GetThreadContext / SetThreadContext)
Contributors

mrexodia: Main developer of x64dbg
References

An Anti-Reverse Engineering Guide By Josh Jackson.
Anti-Unpacker Tricks By Peter Ferrie.
The Art Of Unpacking By Mark Vincent Yason.
Walied Assar's blog http://waleedassar.blogspot.de/
Pafish tool: https://github.com/a0rtega/pafish

source: https://github.com/LordNoteworthy/al-khaser

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 2664
活跃值: (3401)
能力值: ( LV13,RANK:1760 )
在线值:
发帖
回帖
粉丝
2
这哥们一直在更新
2016-11-16 21:07
0
雪    币: 346
活跃值: (25)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
3
值得借鉴!
2016-11-17 10:05
0
游客
登录 | 注册 方可回帖
返回
//