percept-denigrate/antilysis

Antilysis

Rust library implementing state-of-the-art dynamic analysis countering techniques on Windows

Features

  • Checks for processes of
    • common analysis tools (Wireshark, Process Explorer, ...)
    • VM guest tools (VMware, VirtualBox, QEMU, Xen)
    • debuggers (WinDbg, OllyDbg, GDB, ProcDump, ...)
  • Detects common antivirus sandbox artifacts
  • Reverse Turing test: waits for the user to left-click
  • Checks whether the MAC address matches patterns of known VM MAC addresses
  • Detects VM-related files
  • Anti-debugging:
    • Checks for the presence of debuggers by reading the Process Environment Block (PEB)
    • Checks for the presence of the `\\.\NTICE` device (named pipe), which is used to communicate with SoftICE, a Windows kernel debugger
    • Ability to hide a thread from debuggers
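For an analyst triaging a sample, the feature list above doubles as a checklist of strings that evasion logic tends to carry. The following static triage helper is an added example and is not part of the Antilysis project: it extracts printable ASCII and UTF-16LE runs from a binary blob and flags those matching the indicator families the README names (analysis-tool and debugger process names, VM guest services, the SoftICE device name). The concrete process names and the three-category risk threshold are assumptions, not values taken from the project.

```python
"""Static triage helper: flag strings in a binary that match the anti-analysis
indicator families listed in the Antilysis README. Added example, not project
code. The process names below are the usual executable names of the tools the
README mentions (assumption); extend the lists for your own environment."""
import re
from collections import defaultdict

# Indicator strings grouped by the README's categories (assumed process names).
INDICATORS = {
    "analysis_tool": ["wireshark.exe", "procexp.exe", "procmon.exe"],
    "vm_guest": ["vmtoolsd.exe", "vboxservice.exe", "qemu-ga.exe", "xenservice.exe"],
    "debugger": ["windbg.exe", "ollydbg.exe", "gdb.exe", "procdump.exe"],
    "softice_device": ["\\\\.\\NTICE"],  # the \\.\NTICE device name
}

MIN_LEN = 4
# Runs of printable ASCII, and UTF-16LE runs (printable byte followed by NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield (offset, text, encoding) for every printable run found in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in UTF16_RE.finditer(data):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16le"


def scan(data: bytes):
    """Return {category: [(offset, matched_text, indicator, encoding), ...]}.

    Matching is case-insensitive substring matching, so a path such as
    C:\\Tools\\wireshark.exe still hits the analysis_tool category."""
    hits = defaultdict(list)
    for off, text, enc in extract_strings(data):
        lowered = text.lower()
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle.lower() in lowered:
                    hits[category].append((off, text, needle, enc))
    return dict(hits)


def risk_score(hits):
    """Number of distinct indicator categories hit. Three or more distinct
    families in one sample is a reasonable (assumed) threshold for flagging
    deliberate evasion logic rather than an incidental string."""
    return len(hits)


# Constructed sample blob standing in for a binary's data section.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"wireshark.exe\x00\x00\x00"                      # ASCII, offset 20
    + "VBoxService.exe".encode("utf-16-le") + b"\x00\x00"  # wide string
    + b"\\\\.\\NTICE\x00"                                # SoftICE device name
    + b"x64dbg\x00"                                      # not in the lists
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    for cat, entries in result.items():
        for off, text, needle, enc in entries:
            print(f"{cat:15s} @0x{off:04x} [{enc}] {text!r} (matched {needle})")
    print("categories hit:", risk_score(result))
```

Run it against a real sample by replacing `SAMPLE` with the file's bytes (`open(path, "rb").read()`); the UTF-16LE pass matters on Windows binaries, where most of these names are stored as wide strings and would be missed by an ASCII-only `strings` pass.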

Inspirations

Malware Dynamic Analysis Evasion Techniques: A Survey

Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts
