Keywords: windows, analysis, vm, process, dynamic, debugging, wait

antilysis

State-of-the-art dynamic analysis countering techniques on Windows

6 releases

  • 0.2.2 Nov 26, 2024
  • 0.2.1 Nov 18, 2024
  • 0.2.0 Oct 28, 2024
  • 0.1.2 Mar 31, 2024
  • 0.1.1 May 31, 2023


MIT license

13KB, 199 lines

Antilysis

Rust library implementing state-of-the-art dynamic analysis countering techniques on Windows

Features

  • Checks for running processes of
    • common analysis tools (Wireshark, Process Explorer, ...)
    • VM guest tools (VMware, VirtualBox, QEMU, Xen)
    • debuggers (WinDbg, OllyDbg, GDB, ProcDump, ...)
  • Detects common antivirus sandbox artifacts
  • Reverse Turing test: waits for the user to left-click
  • Checks whether the MAC address matches patterns of known VM MAC address prefixes
  • Detects VM-related files
  • Anti-debugging:
    • Checks for the presence of a debugger by reading the Process Environment Block (PEB)
    • Checks for the presence of the `\\.\NTICE` device (named pipe), which is used to communicate with SoftICE, a Windows kernel debugger
    • Ability to hide a thread from debuggers

Inspirations

Malware Dynamic Analysis Evasion Techniques: A Survey

Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts

Dependencies

~2–25MB, ~359K SLoC