Al-Khaser: Public Malware Techniques used in the Wild: Virtual Machine, Emulation, Debuggers, Sandbox detection
Introduction about Al-Khaser
Al-Khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
Download Al-Khaser: you can download and run the latest release directly here, for Windows 32-bit and 64-bit.
Possible uses:
* You are making an anti-debug plugin and you want to check its effectiveness.
* You want to ensure that your sandbox solution is hidden enough.
* Or you want to ensure that your malware analysis environment is well hidden.
If you have seen an anti-analysis trick in malware that is not covered here, please don't hesitate to contribute.
Features of Al-Khaser
Anti-debugging attacks:
* IsDebuggerPresent
* CheckRemoteDebuggerPresent
* Process Environment Block (BeingDebugged)
* Process Environment Block (NtGlobalFlag)
* ProcessHeap (Flags)
* ProcessHeap (ForceFlags)
* NtQueryInformationProcess (ProcessDebugPort)
* NtQueryInformationProcess (ProcessDebugFlags)
* NtQueryInformationProcess (ProcessDebugObject)
* WudfIsAnyDebuggerPresent
* WudfIsKernelDebuggerPresent
* WudfIsUserDebuggerPresent
* NtSetInformationThread (HideThreadFromDebugger)
* NtQueryObject (ObjectTypeInformation)
* NtQueryObject (ObjectAllTypesInformation)
* CloseHandle (NtClose) Invalid Handle
* SetHandleInformation (Protected Handle)
* UnhandledExceptionFilter
* OutputDebugString (GetLastError())
* Hardware Breakpoints (SEH / GetThreadContext)
* Software Breakpoints (INT3 / 0xCC)
* Memory Breakpoints (PAGE_GUARD)
* Interrupt 0x2d
* Interrupt 1
* Parent Process (Explorer.exe)
* SeDebugPrivilege (Csrss.exe)
* NtYieldExecution / SwitchToThread
* TLS callbacks
* Process jobs
* Memory write watching
* Page exception breakpoint detection
* API hook detection (module bounds based)
Anti-injection:
* Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)
* Enumerate modules with ToolHelp32
* Enumerate the process LDR structures with LdrEnumerateLoadedModules
* Enumerate the process LDR structures directly
* Walk memory with GetModuleInformation
* Walk memory for hidden modules
Anti-Dumping: Erase PE header from memory and SizeOfImage.
Timing Attacks [Anti-Sandbox]:
* RDTSC (with CPUID to force a VM Exit)
* RDTSC (Locky version with GetProcessHeap & CloseHandle)
* Sleep -> SleepEx -> NtDelayExecution
* Sleep (small delay in a loop)
* Sleep and check if time was accelerated (GetTickCount)
* SetTimer (Standard Windows Timers)
* timeSetEvent (Multimedia Timers)
* WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
* WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
* IcmpSendEcho (CCleaner Malware)
* CreateWaitableTimer
* CreateTimerQueueTimer
* Big crypto loops (todo)
Human Interaction / Generic [Anti-Sandbox]:
* Mouse movement
* Total Physical memory (GlobalMemoryStatusEx)
* Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
* Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
* Mouse (Single click / Double click) (todo)
* DialogBox (todo)
* Scrolling (todo)
* Execution after reboot (todo)
* Count of processors (Win32/Tinba - Win32/Dyre)
* Sandbox known product IDs (todo)
* Color of background pixel (todo)
* Keyboard layout (Win32/Banload) (todo)
Anti-Virtualization / Full-System Emulation:
* Registry key value artifacts
+ HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
+ HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
+ HARDWARE\Description\System (SystemBiosVersion) (VBOX)
+ HARDWARE\Description\System (SystemBiosVersion) (QEMU)
+ HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
+ HARDWARE\Description\System (SystemBiosDate) (06/23/99)
+ HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
+ HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
+ HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
+ SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
+ SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)
* Registry Keys artifacts
+ HARDWARE\ACPI\DSDT\VBOX__ (VBOX)
+ HARDWARE\ACPI\FADT\VBOX__ (VBOX)
+ HARDWARE\ACPI\RSDT\VBOX__ (VBOX)
+ SOFTWARE\Oracle\VirtualBox Guest Additions (VBOX)
+ SYSTEM\ControlSet001\Services\VBoxGuest (VBOX)
+ SYSTEM\ControlSet001\Services\VBoxMouse (VBOX)
+ SYSTEM\ControlSet001\Services\VBoxService (VBOX)
+ SYSTEM\ControlSet001\Services\VBoxSF (VBOX)
+ SYSTEM\ControlSet001\Services\VBoxVideo (VBOX)
+ SOFTWARE\VMware, Inc.\VMware Tools (VMWARE)
+ SOFTWARE\Wine (WINE)
+ SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters (HYPER-V)
...and more. You can read the details here.
Contributors
* mrexodia: Main developer of x64dbg
* Mattiwatti: Matthijs Lavrijsen
* gsuberland: Graham Sutherland
References:
* An Anti-Reverse Engineering Guide By Josh Jackson.
* Anti-Unpacker Tricks By Peter Ferrie.
* The Art Of Unpacking By Mark Vincent Yason.
* Walied Assar's blog.
* Pafish tool.
* PafishMacro by JoeSecurity.