5 releases

| Version | Released |
|---|---|
| 0.2.1 (new) | Nov 18, 2024 |
| 0.2.0 | Oct 28, 2024 |
| 0.1.2 | Mar 31, 2024 |
| 0.1.1 | May 31, 2023 |
| 0.1.0 | May 30, 2023 |
Antilysis
Rust library implementing state-of-the-art techniques for countering dynamic analysis on Windows
- Detects VM guest and debugger processes
- Detects common analysis tools such as Wireshark, Process Explorer, etc.
- Detects common antivirus sandbox artifacts
- Reverse Turing test: waits for the user to left-click (automated sandboxes rarely generate genuine mouse input)
- Checks whether the MAC address matches the vendor prefixes (OUIs) of known VM network adapters
- Detects VM-related files
- Checks for an attached debugger by reading the Process Environment Block (PEB) directly
- Checks for the "\\.\NTICE" device object, which is used to communicate with SoftICE, a Windows kernel debugger
- Ability to hide a thread from debuggers
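As an added example that is not the Antilysis crate's own code, the following Rust sketch implements four of the checks listed above with the standard library only: the MAC-prefix check, the analysis-tool process check, the direct PEB read and the \\.\NTICE probe. The OUI table and the tool-name list are constructed for the example (real lists are longer), process image names are passed in rather than enumerated, and the PEB read assumes the x86_64 layout (PEB pointer at gs:[0x60], BeingDebugged at offset 2); the Windows-only functions are stubbed on other targets so the host-independent logic runs anywhere.

```rust
// Added example, not code from the Antilysis crate. Four of the listed checks
// with std only; tables below are constructed for the example.

/// IEEE OUI prefixes (first three MAC octets) assigned to common hypervisor
/// vendors. Constructed list; a production table would be longer.
const VM_MAC_PREFIXES: &[([u8; 3], &str)] = &[
    ([0x00, 0x05, 0x69], "VMware"),
    ([0x00, 0x0C, 0x29], "VMware"),
    ([0x00, 0x1C, 0x14], "VMware"),
    ([0x00, 0x50, 0x56], "VMware"),
    ([0x08, 0x00, 0x27], "VirtualBox"),
    ([0x00, 0x15, 0x5D], "Hyper-V"),
    ([0x52, 0x54, 0x00], "QEMU/KVM"),
    ([0x00, 0x16, 0x3E], "Xen"),
];

/// Image names of common analysis tools, lower-case. Constructed list.
const ANALYSIS_TOOLS: &[&str] = &[
    "wireshark.exe", "procexp.exe", "procexp64.exe", "procmon.exe", "procmon64.exe",
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "ida64.exe",
    "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe",
];

/// Parse "00:0C:29:AB:CD:EF" or "00-0C-29-AB-CD-EF"; anything else is None.
fn parse_mac(s: &str) -> Option<[u8; 6]> {
    let parts: Vec<&str> = s.split(|c| c == ':' || c == '-').collect();
    if parts.len() != 6 {
        return None;
    }
    let mut mac = [0u8; 6];
    for (i, p) in parts.iter().enumerate() {
        if p.len() != 2 {
            return None;
        }
        mac[i] = u8::from_str_radix(p, 16).ok()?;
    }
    Some(mac)
}

/// Vendor whose OUI the adapter's MAC carries, if it is a known VM vendor.
fn vm_vendor_for_mac(mac: &str) -> Option<&'static str> {
    let mac = parse_mac(mac)?;
    VM_MAC_PREFIXES
        .iter()
        .find(|(prefix, _)| mac.starts_with(&prefix[..]))
        .map(|(_, vendor)| *vendor)
}

/// Given image names from a process enumeration (e.g. a Toolhelp32 snapshot),
/// return those that are known analysis tools. Windows image names are
/// case-insensitive, so compare lower-cased.
fn flag_analysis_processes<'a>(running: &[&'a str]) -> Vec<&'a str> {
    running
        .iter()
        .copied()
        .filter(|name| ANALYSIS_TOOLS.contains(&name.to_ascii_lowercase().as_str()))
        .collect()
}

/// Read PEB.BeingDebugged without calling IsDebuggerPresent: in a 64-bit
/// process the PEB pointer is at gs:[0x60] and BeingDebugged is the byte at
/// offset 2. Same flag the API returns, minus the hookable import. Note that
/// anti-anti-debug plugins simply clear this byte. (32-bit would use fs:[0x30].)
#[cfg(all(windows, target_arch = "x86_64"))]
fn peb_being_debugged() -> bool {
    let peb: *const u8;
    unsafe {
        std::arch::asm!("mov {}, gs:[0x60]", out(reg) peb, options(nostack, readonly, preserves_flags));
        *peb.add(2) != 0
    }
}
#[cfg(not(all(windows, target_arch = "x86_64")))]
fn peb_being_debugged() -> bool {
    false // no Windows PEB on this target
}

/// SoftICE registers the \\.\NTICE device name. Opening it succeeds, or fails
/// with an error other than not-found, only when a driver owns that name.
#[cfg(windows)]
fn softice_device_present() -> bool {
    match std::fs::File::open(r"\\.\NTICE") {
        Ok(_) => true,
        // 2 = ERROR_FILE_NOT_FOUND, 3 = ERROR_PATH_NOT_FOUND: nothing registered
        Err(e) => !matches!(e.raw_os_error(), Some(2) | Some(3)),
    }
}
#[cfg(not(windows))]
fn softice_device_present() -> bool {
    false
}

fn main() {
    // Constructed sample input standing in for live adapter/process enumeration.
    let mac = "00:0C:29:AB:CD:EF";
    let procs = ["explorer.exe", "Wireshark.exe", "svchost.exe", "ProcExp64.exe"];
    println!("{} -> {:?}", mac, vm_vendor_for_mac(mac));
    println!("analysis tools running: {:?}", flag_analysis_processes(&procs));
    println!("PEB.BeingDebugged: {}", peb_being_debugged());
    println!("\\\\.\\NTICE present: {}", softice_device_present());
}
```

Every one of these indicators is cheap to defeat and easy to trigger by accident: a developer workstation legitimately runs Wireshark, a Hyper-V prefix appears on any Windows host with a virtual switch, and BeingDebugged is the first byte an anti-anti-debug plugin patches. Score several indicators together rather than aborting on the first hit. The thread-hiding item in the list corresponds to the ThreadHideFromDebugger class of NtSetInformationThread, the standard mechanism for that effect; it is not shown here and the page does not say whether the crate uses exactly that call.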
Inspirations
- A. Afianian, S. Niksefat, B. Sadeghiyan, D. Baptiste, "Malware Dynamic Analysis Evasion Techniques: A Survey", ACM Computing Surveys, 2019
- N. Miramirkhani, M. P. Appini, N. Nikiforakis, M. Polychronakis, "Spotless Sandboxes: Evading Malware Analysis Systems Using Wear-and-Tear Artifacts", IEEE Symposium on Security and Privacy, 2017
lib.rs: Antilysis
Library to detect analysis on Windows and protect your program from it. Anti-VM, anti-sandbox, anti-analysis.
Dependencies: ~2–24MB, ~359K SLoC