
Anti-Emulation Tricks


evilcry
March 21st, 2009, 09:17
Hi,

Thanks to Gunther of ARTeam, here we have some new open-source anti-emulation functions; I've uploaded them to my OffensiveCoding section.

Here is a quick list of the functions:

Anti-KAV -> Call this one before WSAStartup(), so sockets won't be initialized.
Anti-NOD32 -> An SSE1 instruction which NOD32 cannot emulate.
IsEmulator -> Timing attack on the emulator environment.
IsCWSandBox -> Check if CreateProcess is hooked.
IsAnubis -> Check whether it is running within Anubis.
IsAnubis2 -> Check whether it is running within Anubis.
IsNormanSandBox -> NormanSandBox awareness.
IsSunbeltSandBox -> Sunbelt awareness.
IsVirtualPC -> VirtualPC awareness.
IsVMware -> VMware awareness.
DetectVM -> Check whether it is running in VMware or VirtualBox, using the registry.
IsRegMonPresent -> Check for RegMon by checking if the driver is loaded in memory and by searching for the window handle.

Here is the link:

http://evilcry.netsons.org/OC0/code/EmulationAwareness.c

See you in the next post.

tofu-sensei
March 21st, 2009, 10:26
Wouldn't anti_kav trigger DEP?

evlncrn8
March 21st, 2009, 14:03
IsCWSandBox(void) is pretty weak and not guaranteed to be CWSandBox either, and why use ReadProcessMemory when you can just read from the area directly, considering it's within the process?

The RegMon check is also pretty weak; I'm pretty sure RegMon and FileMon have different names on 2k or higher as well (definitely not a VxD).

And yep, anti_kav would definitely trip DEP.
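As an added example (not code from EmulationAwareness.c or from anyone in this thread), here is the decision logic behind two of the checks in the list above: the inline-hook test that IsCWSandBox performs on CreateProcess, reading the prologue bytes in-process as evlncrn8 suggests rather than through ReadProcessMemory, and the sandbox-directory test that IsAnubis2 attempts. Both are written as pure functions over bytes and strings so they can be exercised on any platform; the Windows code that feeds them live data sits under `#ifdef _WIN32`. The sample prologues and paths are constructed, the hook-stub patterns are the common detour shapes (jmp rel32, hot-patch jmp rel8, jmp indirect, push/ret, mov eax/jmp eax, int3), and "C:\InsideTm\" is the one directory the original list names; the function names are my own.

```c
/* Added example, not from EmulationAwareness.c: hook-prologue classification
 * and an anchored, case-insensitive sandbox-path check. Heuristics only: a
 * sandbox that detours deeper into the function, or uses another drop
 * directory, is not caught. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 xx xx xx xx        jmp rel32                     */
    HOOK_JMP_REL8,      /* EB xx                 jmp rel8 (hot-patch stub)     */
    HOOK_JMP_INDIRECT,  /* FF 25 xx xx xx xx     jmp [abs] / jmp [rip+disp]    */
    HOOK_PUSH_RET,      /* 68 xx xx xx xx C3     push imm32; ret               */
    HOOK_MOV_EAX_JMP,   /* B8 xx xx xx xx FF E0  mov eax,imm32; jmp eax        */
    HOOK_INT3           /* CC                    int3 left by a debugger/stub  */
} hook_kind;

/* Classify the first bytes of an API's prologue. A genuine kernel32 export
 * starts with an ordinary prologue (x86: 8B FF 55 8B EC, "mov edi,edi / push
 * ebp / mov ebp,esp"); a user-mode sandbox that detours the API overwrites
 * those bytes with a control transfer into its own code. */
hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9)                                 return HOOK_JMP_REL32;
    if (n >= 2 && p[0] == 0xEB)                                 return HOOK_JMP_REL8;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25)                 return HOOK_JMP_INDIRECT;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3)                 return HOOK_PUSH_RET;
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return HOOK_MOV_EAX_JMP;
    if (n >= 1 && p[0] == 0xCC)                                 return HOOK_INT3;
    return HOOK_NONE;
}

/* Case-insensitive comparison that treats '/' and '\' as the same separator. */
static int path_chars_equal(int a, int b)
{
    if (a == '/') a = '\\';
    if (b == '/') b = '\\';
    return tolower(a) == tolower(b);
}

static int has_path_prefix(const char *path, const char *prefix)
{
    for (; *prefix; path++, prefix++)
        if (!path_chars_equal((unsigned char)*path, (unsigned char)*prefix))
            return 0;   /* also fires when path ends before the prefix does */
    return 1;
}

/* Return the first prefix that `path` (the running module's full path) lies
 * under, or NULL. Unlike strstr(), this anchors the match at the start of the
 * path and ignores case, which is what a directory check needs. */
const char *match_sandbox_prefix(const char *path,
                                 const char *const *prefixes, size_t count)
{
    size_t i;
    if (path == NULL) return NULL;
    for (i = 0; i < count; i++)
        if (has_path_prefix(path, prefixes[i]))
            return prefixes[i];
    return NULL;
}

/* "C:\InsideTm\" is the directory named by the original IsAnubis2; callers
 * can extend the table. */
const char *const kSandboxPrefixes[] = { "C:\\InsideTm\\" };
const size_t kSandboxPrefixCount = 1;

/* Constructed sample prologues (not captured from any real system). */
const uint8_t kCleanPrologueX86[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t kCleanPrologueX64[] = { 0x4C, 0x8B, 0xDC, 0x48, 0x83, 0xEC, 0x58, 0x48 };
const uint8_t kHookedJmpRel32[]   = { 0xE9, 0x10, 0x20, 0x30, 0x00, 0x8B, 0xEC, 0x83 };
const uint8_t kHookedPushRet[]    = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3, 0xCC, 0xCC };
const uint8_t kHookedHotPatch[]   = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

#ifdef _WIN32
#include <windows.h>
/* Live versions of the two checks; bytes are read directly from our own
 * address space, no ReadProcessMemory needed. */
int IsCreateProcessHooked(void)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    const uint8_t *p = k32 ? (const uint8_t *)GetProcAddress(k32, "CreateProcessA") : NULL;
    return p != NULL && classify_prologue(p, 8) != HOOK_NONE;
}

int IsRunningFromSandboxDir(void)
{
    char path[MAX_PATH];
    DWORD n = GetModuleFileNameA(NULL, path, sizeof path);   /* the write the original omits */
    if (n == 0 || n >= sizeof path) return 0;
    return match_sandbox_prefix(path, kSandboxPrefixes, kSandboxPrefixCount) != NULL;
}
#endif

int main(void)
{
    printf("clean x86 prologue -> %d\n", classify_prologue(kCleanPrologueX86, 8));
    printf("jmp rel32 detour   -> %d\n", classify_prologue(kHookedJmpRel32, 8));
    printf("path match         -> %s\n",
           match_sandbox_prefix("c:/insidetm/sample.exe", kSandboxPrefixes, kSandboxPrefixCount)
               ? "sandbox" : "no");
#ifdef _WIN32
    printf("CreateProcessA hooked: %d, sandbox dir: %d\n",
           IsCreateProcessHooked(), IsRunningFromSandboxDir());
#endif
    return 0;
}
```

On Windows, build the file as-is and run it inside and outside the sandbox you care about; the two `Is...` functions return non-zero when the detour or the drop directory is seen. Note that the length argument passed to `classify_prologue` must not exceed the bytes that are actually readable at the API's address.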

Gynvael
March 24th, 2009, 03:08
Hi,

First of all, thanks for sharing ;> I find your library very interesting and usable ;>

I have some questions about the mechanics and their behavior:

1) IsAnubis2 - how does that work?
Code:

#include <windows.h>
#include <string.h>

BOOL IsAnubis2(void){
    char cFile[MAX_PATH];

    BOOL dwRes = FALSE;

    if( strstr(cFile, "C:\\InsideTm\\") ){
        dwRes = TRUE;
    }
    return dwRes;
}

It seems to me that cFile is a local variable that you do not initialize, and then you search for a string inside it. Is the stack filled with the "C:\\InsideTm\\" string or something?

2) IsAnubis - will this work if I use Total Commander (totalcmd.exe), LiteStep (litestep.exe) or any other program to launch files?

Thanks in advance ;>

_wh_
March 24th, 2009, 03:17
What I did in the past (2006) for NOD32:
Code:

// anti emulation
push edx
push eax
mov eax, fs:[0x30]        // PEB
mov edx, [eax + 0x04]     // +0x004 Mutant : Ptr32 Void, seems to be always 0xffffffff
cmp edx, 0xffffffff
je notemu
mov eax, 0x11223344       // crash the host
jmp eax
notemu:
pop eax
pop edx

evilcry
March 27th, 2009, 11:35
Hi,

Gynvael, the code is not mine; this is just a collection of tricks.
IsAnubis: I don't think that will work with totalcmd.

evaluator
March 28th, 2009, 09:02
I have an idea about NOT triggering DEP on "call esp"..
It can be done if you temporarily change ESP to "good" memory.

evilcry
March 30th, 2009, 02:36
Nice contribution, evaluator; if you have concrete code we can add it.

Regards,
Giuseppe 'Evilcry' Bonfa'