
Thread: Anti-Emulation Tricks

  1. #1

    Anti-Emulation Tricks

    Hi,

    Thanks to Gunther of ARTeam, here we have some new open-source anti-emulation functions; I've uploaded them in my OffensiveCoding section:

    Here is a quick list of the functions:

    Anti-KAV -> Call this one before WSAStartup(), so sockets won't be initialized.
    Anti-NOD32 -> An SSE1 instruction which NOD32 cannot emulate.
    IsEmulator -> Timing attack on the emulator environment.
    IsCWSandBox -> Check if CreateProcess is hooked.
    IsAnubis -> Check whether it is running within Anubis.
    IsAnubis2 -> Check whether it is running within Anubis.
    IsNormanSandBox -> NormanSandBox Awareness.
    IsSunbeltSandBox -> Sunbelt Awareness.
    IsVirtualPC -> VirtualPC Awareness.
    IsVMware -> VMware Awareness.
    DetectVM -> Check whether it is running in VMWare, VirtualBox using registry.
    IsRegMonPresent -> Checking for RegMon by checking if the driver is loaded in memory and by searching for the window handle.

    Here is the link:

    http://evilcry.netsons.org/OC0/code/EmulationAwareness.c

    See you in the next post.

  2. #2
    Wouldn't anti_kav trigger DEP?

  3. #3
    IsCWSandBox(void) is pretty weak and not guaranteed to be CWSandBox either, and why use ReadProcessMemory when you can just read from the area directly, considering it's within the process?

    The regmon check is also pretty weak; pretty sure RegMon and FileMon have different names in 2k or higher as well (definitely not a VxD).

    And yep, anti_kav would definitely trip DEP.

  4. #4
    Hi,

    First of all, thanks for sharing ;> I find your library very interesting and usable ;>

    I have some questions about the mechanics and their behavior:

    1) IsAnubis2 - how does it work?
    Code:
    #include <windows.h>
    #include <string.h>

    BOOL IsAnubis2(void){
        char cFile[MAX_PATH];   /* never written before the strstr() below */

        BOOL dwRes = FALSE;

        if( strstr(cFile, "C:\\InsideTm\\") ){
            dwRes = TRUE;
        }
        return dwRes;
    }
    It seems to me that cFile is a local variable that you do not initialize, and then you search for a string inside it. Is the stack filled with the "C:\\InsideTm\\" string or something?

    2) IsAnubis - will this work if I use either Total Commander (totalcmd.exe) or LiteStep (litestep.exe) or any other program to launch files?

    Thanks in advance ;>
    gynvael.coldwind//vx

  5. #5
    What I did in the past (2006) for NOD32:
    Code:
    // anti emulation
    push edx
    push eax
    mov eax, fs:[0x30]
    mov edx, [eax + 0x04]   // +0x004 Mutant : Ptr32 Void, seems to be always 0xffffffff
    cmp edx, 0xffffffff
    je notemu
    mov eax, 0x11223344     // crash the host
    jmp eax
    notemu:
    pop eax
    pop edx
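    As an added example (not code from this thread or from the EmulationAwareness.c collection), here is a small static triage scanner in Python that flags the PEB-Mutant instruction sequence from post #5 and the Anubis path string from post #4 in a binary blob. The opcode encodings, the pattern names and the sample buffer are constructed here for illustration.

```python
import re

# Constructed detection indicators for the anti-emulation tricks discussed
# in this thread, usable in a static triage pass over a raw binary blob.
#   mov eax, fs:[0x30]   -> 64 A1 30 00 00 00   (PEB pointer via the TEB)
#   mov edx, [eax+0x04]  -> 8B 50 04            (PEB.Mutant)
INDICATORS = {
    "peb_via_fs30":    re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    # PEB fetch followed within a few bytes by a read of the Mutant field
    "peb_mutant_read": re.compile(rb"\x64\xa1\x30\x00\x00\x00.{0,16}?\x8b\x50\x04",
                                  re.DOTALL),
    # Anubis working-directory marker quoted in post #4
    "anubis_path":     re.compile(rb"C:\\InsideTm\\"),
}


def scan_anti_emulation(data: bytes) -> dict:
    """Return {indicator_name: [offsets]} for every indicator found in data."""
    hits = {}
    for name, pattern in INDICATORS.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: the snippet from post #5 hand-assembled, with NOP
# padding in front and the Anubis path string appended as an embedded string.
SAMPLE = (
    b"\x90" * 8
    + b"\x52"                      # push edx
    + b"\x50"                      # push eax
    + b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[0x30]
    + b"\x8b\x50\x04"              # mov edx, [eax+0x04]
    + b"\x83\xfa\xff"              # cmp edx, 0xffffffff
    + b"\x74\x07"                  # je notemu (skips the next 7 bytes)
    + b"\xb8\x44\x33\x22\x11"      # mov eax, 0x11223344
    + b"\xff\xe0"                  # jmp eax
    + b"\x58\x5a"                  # notemu: pop eax ; pop edx
    + b"\x00C:\\InsideTm\\\x00"
)

if __name__ == "__main__":
    for name, offsets in scan_anti_emulation(SAMPLE).items():
        print(f"{name}: offsets {offsets}")
```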

  6. #6
    Hi,

    Gynvael, the code is not mine, this is just a collection of tricks.
    IsAnubis: I don't think that will work with totalcmd.

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  7. #7
    evaluator
    I have an idea about NOT triggering DEP with "call esp": this can be done if you temporarily change ESP to "good" memory.

  8. #8
    Nice contribution evaluator, if you have concrete code we can add it.

    Regards,
    Giuseppe 'Evilcry' Bonfa'

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com
