Public Malware Techniques Used In The Wild - Al-Khaser
al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system. It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.
Possible uses
- You are making an anti-debug plugin and you want to check its effectiveness.
- You want to ensure that your sandbox solution is hidden enough.
- Or you want to ensure that your malware analysis environement is well hidden.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.
Features
Anti-debugging attacks
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- Process Environement Block (BeingDebugged)
- Process Environement Block (NtGlobalFlag)
- ProcessHeap (Flags)
- ProcessHeap (ForceFlags)
- NtQueryInformationProcess (ProcessDebugPort)
- NtQueryInformationProcess (ProcessDebugFlags)
- NtQueryInformationProcess (ProcessDebugObject)
- NtSetInformationThread (HideThreadFromDebugger)
- NtQueryObject (ObjectTypeInformation)
- NtQueryObject (ObjectAllTypesInformation)
- CloseHanlde (NtClose) Invalide Handle
- UnhandledExceptionFilter
- OutputDebugString (GetLastError())
- Hardware Breakpoints (SEH / GetThreadContext)
- Software Breakpoints (INT3 / 0xCC)
- Memory Breakpoints (PAGE_GUARD)
- Interrupt 0x2d
- Interrupt 1
- Parent Process (Explorer.exe)
- SeDebugPrivilege (Csrss.exe)
- NtYieldExecution / SwitchToThread
Anti-virtualization
- Virtualbox registry key values artifacts:
- "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
- HARDWARE\Description\System (SystemBiosVersion)
- HARDWARE\Description\System (VideoBiosVersion)
- HARDWARE\Description\System (SystemBiosDate)
- Virtualbox registry Keys artifacts
- "HARDWARE\ACPI\RSDT\VBOX__"
- "HARDWARE\ACPI\FADT\VBOX__"
- "HARDWARE\ACPI\RSDT\VBOX__"
- "SOFTWARE\Oracle\VirtualBox Guest Additions"
- "SYSTEM\ControlSet001\Services\VBoxGuest"
- "SYSTEM\ControlSet001\Services\VBoxMouse"
- "SYSTEM\ControlSet001\Services\VBoxService"
- "SYSTEM\ControlSet001\Services\VBoxSF"
- "SYSTEM\ControlSet001\Services\VBoxVideo"
- Virtualbox file system artifacts:
- "system32\drivers\VBoxMouse.sys"
- "system32\drivers\VBoxGuest.sys"
- "system32\drivers\VBoxSF.sys"
- "system32\drivers\VBoxVideo.sys"
- "system32\vboxdisp.dll"
- "system32\vboxhook.dll"
- "system32\vboxmrxnp.dll"
- "system32\vboxogl.dll"
- "system32\vboxoglarrayspu.dll"
- "system32\vboxoglcrutil.dll"
- "system32\vboxoglerrorspu.dll"
- "system32\vboxoglfeedbackspu.dll"
- "system32\vboxoglpackspu.dll"
- "system32\vboxoglpassthroughspu.dll"
- "system32\vboxservice.exe"
- "system32\vboxtray.exe"
- "system32\VBoxControl.exe"
- Virtualbox directories artifacts:
- "oracle\virtualbox guest additions\"
- Virtualbox MAC Address:
- "\x08\x00\x27"
- Virtualbox virtual devices:
- "\\.\VBoxMiniRdrDN"
- "\\.\VBoxGuest"
- "\\.\pipe\VBoxMiniRdDN"
- "\\.\VBoxTrayIPC"
- "\\.\pipe\VBoxTrayIPC")
- Virtualbox Windows Class
- VBoxTrayToolWndClass
- VBoxTrayToolWnd
- Virtualbox network share
- VirtualBox Shared Folders
- Virtualbox process list
- vboxservice.exe
- vboxtray.exe
Anti Dumping
- Erase PE header from memory
Code/DLL Injections techniques
- CreateRemoteThread
- SetWindowsHooksEx
- NtCreateThreadEx
- RtlCreateUserThread
- APC (QueueUserAPC / NtQueueApcThread)
- RunPE (GetThreadContext / SetThreadContext)
Timing Attacks
- Sleep -> SleepEx -> NtDelayExecution
- SetTimer (Standard Windows Timers)
- timeSetEvent (Multimedia Timers)