6 releases

| Version | Date |
|---|---|
| 0.2.2 | Nov 26, 2024 |
| 0.2.1 | Nov 18, 2024 |
| 0.2.0 | Oct 28, 2024 |
| 0.1.2 | Mar 31, 2024 |
| 0.1.1 | May 31, 2023 |
Antilysis
Rust library implementing dynamic-analysis evasion techniques (sandbox, virtual machine and debugger detection) on Windows
Features
- Checks for running processes of:
  - common analysis tools (Wireshark, Process Explorer, ...)
  - VM guest agents (VMware, VirtualBox, QEMU, Xen)
  - debuggers (WinDbg, OllyDbg, GDB, ProcDump, ...)
- Detects common antivirus sandbox artifacts
- Reverse Turing test: waits for the user to left-click before continuing
- Checks whether the MAC address matches the vendor prefixes (OUIs) of known hypervisors
- Detects VM-related files
- Anti-debugging:
  - Checks for an attached debugger by reading the Process Environment Block (PEB)
  - Checks for the `\\.\NTICE` device object, which the SoftICE kernel debugger's driver exposes for communication with its user-mode components
  - Can hide the calling thread from debuggers
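The matching logic behind several of these checks, as an added example that is not code from the Antilysis crate. The hypervisor OUI list, the tool image-name list, the sample process snapshot and the x64 PEB offsets used (TEB+0x60 holds the PEB pointer, PEB+0x02 is `BeingDebugged`) are this example's own assumptions; the PEB read is gated on x64 Windows and stubbed elsewhere so the portable parts run on any OS, and the device check uses `std::fs::File::open`, which maps to `CreateFileW` on Windows.

```rust
// Added example, not code from the Antilysis crate. The vendor/tool lists and
// the PEB offsets below are this example's own assumptions.
use std::io::ErrorKind;

/// OUIs (first three MAC octets) assigned to common hypervisor vendors.
const VM_OUIS: &[([u8; 3], &str)] = &[
    ([0x00, 0x05, 0x69], "VMware"),
    ([0x00, 0x0C, 0x29], "VMware"),
    ([0x00, 0x1C, 0x14], "VMware"),
    ([0x00, 0x50, 0x56], "VMware"),
    ([0x08, 0x00, 0x27], "VirtualBox"),
    ([0x52, 0x54, 0x00], "QEMU/KVM"),
    ([0x00, 0x16, 0x3E], "Xen"),
];

/// Image names (lower-case) of analysis tools, debuggers and VM guest agents.
const ANALYSIS_PROCESSES: &[&str] = &[
    "wireshark.exe", "procexp.exe", "procexp64.exe", "procmon.exe",
    "windbg.exe", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "gdb.exe",
    "procdump.exe", "procdump64.exe", "vmtoolsd.exe", "vboxservice.exe",
];

/// Parses "00:0c:29:aa:bb:cc" or "00-0C-29-AA-BB-CC"; None on malformed input.
pub fn parse_mac(s: &str) -> Option<[u8; 6]> {
    let parts: Vec<&str> = s.split(|c| c == ':' || c == '-').collect();
    if parts.len() != 6 {
        return None;
    }
    let mut mac = [0u8; 6];
    for (i, part) in parts.iter().enumerate() {
        if part.len() != 2 {
            return None;
        }
        mac[i] = u8::from_str_radix(part, 16).ok()?;
    }
    Some(mac)
}

/// Hypervisor vendor if the MAC's OUI is in the known-VM list, else None.
pub fn vm_vendor_for_mac(mac: &[u8; 6]) -> Option<&'static str> {
    VM_OUIS
        .iter()
        .find(|(oui, _)| mac.starts_with(oui))
        .map(|(_, vendor)| *vendor)
}

/// Running image names (any case) that match the analysis-tool list, in input order.
pub fn matching_analysis_processes(running: &[&str]) -> Vec<&'static str> {
    running
        .iter()
        .filter_map(|name| {
            let lower = name.to_ascii_lowercase();
            ANALYSIS_PROCESSES.iter().copied().find(|tool| *tool == lower)
        })
        .collect()
}

/// SoftICE-style device check: the device exists if the open succeeds, or fails
/// with anything other than "not found" (access denied still means it is there).
pub fn device_exists(path: &str) -> bool {
    match std::fs::File::open(path) {
        Ok(_) => true,
        Err(e) => e.kind() != ErrorKind::NotFound,
    }
}

/// Reads PEB.BeingDebugged directly: on x64 the TEB holds the PEB pointer at
/// offset 0x60 and BeingDebugged is the byte at PEB offset 0x02.
#[cfg(all(windows, target_arch = "x86_64"))]
pub fn peb_being_debugged() -> bool {
    let peb: *const u8;
    // SAFETY: gs:[0x60] is the current thread's PEB pointer on x64 Windows.
    unsafe {
        std::arch::asm!("mov {}, gs:[0x60]", out(reg) peb,
                        options(nostack, preserves_flags, readonly));
        *peb.add(2) != 0
    }
}

/// Stub for other targets so the portable checks above can run anywhere.
#[cfg(not(all(windows, target_arch = "x86_64")))]
pub fn peb_being_debugged() -> bool {
    false
}

fn main() {
    // Constructed sample input standing in for a real process snapshot and adapter list.
    let running = ["explorer.exe", "Wireshark.exe", "svchost.exe", "x64dbg.exe"];
    println!("analysis tools running: {:?}", matching_analysis_processes(&running));
    if let Some(mac) = parse_mac("00:0c:29:3f:8a:1b") {
        println!("VM vendor by MAC: {:?}", vm_vendor_for_mac(&mac));
    }
    println!("PEB.BeingDebugged: {}", peb_being_debugged());
    println!("SoftICE device present: {}", device_exists(r"\\.\NTICE"));
}
```

Two caveats a practitioner should keep in mind: the OUI and image-name lists are only as good as their upkeep (renamed tools and locally administered MAC addresses pass straight through), and `IsDebuggerPresent` reads exactly the same PEB byte, so a debugger that clears `BeingDebugged` defeats both the API call and the inline read.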
Inspirations
- Malware Dynamic Analysis Evasion Techniques: A Survey
- Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts