#windows #analysis #dynamic #vm #process #debugging #sandbox

antilysis

State-of-the-art dynamic analysis countering techniques on Windows

4 releases

0.2.0 Oct 28, 2024
0.1.2 Mar 31, 2024
0.1.1 May 31, 2023
0.1.0 May 30, 2023

#119 in Windows APIs


121 downloads per month

MIT license

13KB
199 lines

Antilysis

Rust library implementing state-of-the-art dynamic analysis countering techniques on Windows

  • Detects VM guest and debugger processes
  • Detects common analysis tools such as Wireshark, Process Explorer, etc.
  • Detects common antivirus sandbox artifacts
  • Reverse Turing test: waits for the user to left-click
  • Checks whether the MAC address matches the patterns of known VM MAC addresses
  • Detects VM-related files
  • Checks for the presence of debuggers by reading the Process Environment Block (PEB)
  • Checks for the presence of the `\\.\NTICE` device (named pipe), which is used to communicate with SoftICE, a Windows kernel debugger
  • Ability to hide a thread from debuggers

Inspirations

Malware Dynamic Analysis Evasion Techniques: A Survey

Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts


lib.rs:

Antilysis

Library to detect analysis on Windows and protect your program from it: anti-VM, anti-sandbox, anti-analysis.

Dependencies

~2–25MB
~359K SLoC