#windows #analysis #dynamic #vm #process #debugging #sandbox

antilysis

State-of-the-art dynamic analysis countering techniques on Windows

5 releases

new 0.2.1 Nov 18, 2024
0.2.0 Oct 28, 2024
0.1.2 Mar 31, 2024
0.1.1 May 31, 2023
0.1.0 May 30, 2023

#123 in Windows APIs

Download history 10/week @ 2024-09-23 134/week @ 2024-10-28 15/week @ 2024-11-04

149 downloads per month

MIT license

13KB
199 lines

Antilysis

Rust library implementing state-of-the-art dynamic analysis countering techniques on Windows

  • Detects VM guest and debugger processes
  • Detects common analysis tools such as Wireshark, Process Explorer, etc.
  • Detects common antivirus sandbox artifacts
  • Reverse Turing test: waits for the user to left-click
  • Checks whether the MAC address matches patterns of known VM MAC address prefixes
  • Detects VM-related files
  • Checks for the presence of debuggers by reading the Process Environment Block (PEB)
  • Checks for the presence of the `\\.\NTICE` device (named pipe), which is used to communicate with SoftICE, a Windows kernel debugger
  • Ability to hide a thread from debuggers

Inspirations

Malware Dynamic Analysis Evasion Techniques: A Survey

Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts


lib.rs:

Antilysis

Library to detect analysis on Windows and protect your program from it. Anti-VM, anti-sandbox, anti-analysis.

Dependencies

~2–24MB
~359K SLoC