Collection of Anti-Malware Analysis Tricks.

[Noteworthy]

Hi SnD,

This is a small tool I wrote while reversing some malwares. It performs a bunch of nowadays malwares tricks and the goal is to see if you stay under the radar. That could be useful if:

• You are making an anti-debug plugin and you want to check its effectiveness.
• You want to ensure that your sandbox solution is hidden enough..
• You want to write behavior rules to detect any attempt to use these tricks.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

List of features supported:

Anti-debugging attacks

• IsDebuggerPresent
• CheckRemoteDebuggerPresent
• Process Environement Block (BeingDebugged)
• Process Environement Block (NtGlobalFlag)
• ProcessHeap (Flags)
• ProcessHeap (ForceFlags)
• NtQueryInformationProcess (ProcessDebugPort)
• NtQueryInformationProcess (ProcessDebugFlags)
• NtQueryInformationProcess (ProcessDebugObject)
• NtSetInformationThread (HideThreadFromDebugger)
• NtQueryObject (ObjectTypeInformation)
• NtQueryObject (ObjectAllTypesInformation)
• CloseHanlde (NtClose) Invalide Handle
• SetHandleInformation (Protected Handle)
• UnhandledExceptionFilter
• OutputDebugString (GetLastError())
• Hardware Breakpoints (SEH / GetThreadContext)
• Software Breakpoints (INT3 / 0xCC)
• Memory Breakpoints (PAGE_GUARD)
• Interrupt 0x2d
• Interrupt 1
• Parent Process (Explorer.exe)
• SeDebugPrivilege (Csrss.exe)
• NtYieldExecution / SwitchToThread

Anti-Dumping

• Erase PE header from memory
• SizeOfImage

Timing Attacks [Anti-Sandbox]

• Sleep -> SleepEx -> NtDelayExecution
• Sleep (in a loop a small delay)
• SetTimer (Standard Windows Timers)
• timeSetEvent (Multimedia Timers)
• WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject

Human Interaction / Generic [Anti-Sandbox]

• Mouse movement
• Total Physical memory (GlobalMemoryStatusEx)
• Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
• Count of processors (Win32/Tinba - Win32/Dyre)

Anti-Virtualization / Full-System Emulation

• Registry key value artifacts

  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
  • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
  • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
  • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
  • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)

• Registry Keys artifacts

  • "HARDWARE\ACPI\DSDT\VBOX__"
  • "HARDWARE\ACPI\FADT\VBOX__"
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "SOFTWARE\Oracle\VirtualBox Guest Additions"
  • "SYSTEM\ControlSet001\Services\VBoxGuest"
  • "SYSTEM\ControlSet001\Services\VBoxMouse"
  • "SYSTEM\ControlSet001\Services\VBoxService"
  • "SYSTEM\ControlSet001\Services\VBoxSF"
  • "SYSTEM\ControlSet001\Services\VBoxVideo"
  • SOFTWARE\VMware, Inc.\VMware Tools
  • SOFTWARE\Wine

• File system artifacts

  • "system32\drivers\VBoxMouse.sys"
  • "system32\drivers\VBoxGuest.sys"
  • "system32\drivers\VBoxSF.sys"
  • "system32\drivers\VBoxVideo.sys"
  • "system32\vboxdisp.dll"
  • "system32\vboxhook.dll"
  • "system32\vboxmrxnp.dll"
  • "system32\vboxogl.dll"
  • "system32\vboxoglarrayspu.dll"
  • "system32\vboxoglcrutil.dll"
  • "system32\vboxoglerrorspu.dll"
  • "system32\vboxoglfeedbackspu.dll"
  • "system32\vboxoglpackspu.dll"
  • "system32\vboxoglpassthroughspu.dll"
  • "system32\vboxservice.exe"
  • "system32\vboxtray.exe"
  • "system32\VBoxControl.exe"
  • "system32\drivers\vmmouse.sys"
  • "system32\drivers\vmhgfs.sys"

• Directories artifacts

  • "%PROGRAMFILES%\oracle\virtualbox guest additions\"
  • "%PROGRAMFILES%\VMWare\"

Memory artifacts - Interupt Descriptor Table (IDT) location - Local Descriptor Table (LDT) location - Global Descriptor Table (GDT) location - Task state segment trick with STR

• MAC Address

  • "\x08\x00\x27" (VBOX)
  • "\x00\x05\x69" (VMWARE)
  • "\x00\x0C\x29" (VMWARE)
  • "\x00\x1C\x14" (VMWARE)
  • "\x00\x50\x56" (VMWARE)

• Virtual devices

  • "\\.\VBoxMiniRdrDN"
  • "\\.\VBoxGuest"
  • "\\.\pipe\VBoxMiniRdDN"
  • "\\.\VBoxTrayIPC"
  • "\\.\pipe\VBoxTrayIPC")
  • "\\.\HGFS"
  • "\\.\vmci"

• Hardware Device information

  • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
    • QEMU
    • VMWare
    • VBOX
    • VIRTUAL HD

• Adapter name

  • VMWare

• Windows Class

  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd

• Network shares

  • VirtualBox Shared Folders

• Processes

  • vboxservice.exe (VBOX)
  • vboxtray.exe (VBOX)
  • vmtoolsd.exe (VMWARE)
  • vmwaretray.exe (VMWARE)
  • vmwareuser (VMWARE)
  • vmsrvc.exe (VirtualPC)
  • vmusrvc.exe (VirtualPC)
  • prl_cc.exe (Parallels)
  • prl_tools.exe (Parallels)
  • xenservice.exe (Citrix Xen)

• WMI

  • SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
  • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
  • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
  • SELECT * FROM Win32_NTEventlogFile (VBOX)
  • SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
  • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)

• DLL Exports and Loaded DLLs

  • kernel32.dll!wine_get_unix_file_nameWine (Wine)
  • sbiedll.dll (Sandboxie)
  • dbghelp.dll (MS debugging support routines)
  • api_log.dll (iDefense Labs)
  • dir_watch.dll (iDefense Labs)
  • pstorec.dll (SunBelt Sandbox)
  • vmcheck.dll (Virtual PC)
  • wpespy.dll (WPE Pro)

Anti-Analysis

• Processes
  • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
  • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
  • Wireshark / Dumpcap
  • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
  • ImportREC / PETools / LordPE
  • JoeBox Sandbox

Code/DLL Injections techniques

• CreateRemoteThread
• SetWindowsHooksEx
• NtCreateThreadEx
• RtlCreateUserThread
• APC (QueueUserAPC / NtQueueApcThread)
• RunPE (GetThreadContext / SetThreadContext)

Contributors

• mrexodia: Main developer of x64dbg

References

• An Anti-Reverse Engineering Guide By Josh Jackson.
• Anti-Unpacker Tricks By Peter Ferrie.
• The Art Of Unpacking By Mark Vincent Yason.
• Walied Assar's blog http://waleedassar.blogspot.de/
• Pafish tool: https://github.com/a0rtega/pafish

 

source: https://github.com/LordNoteworthy/al-khaser

[b0210]

Nice contribution. Thanks !

[Arc]

nice.  Thanks

[yano65bis]

A good job man .it is nicely implemented .

CHOKRAN KHAY

Thanks

[Strix]

Great article, thanks!