al-khaser is a PoC malware application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Features

Anti-debugging attacks

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environement Block (BeingDebugged)
  • Process Environement Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHanlde (NtClose) Invalide Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread
  • TLS callbacks
  • Process jobs

Anti-Dumping

  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]

  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer (todo)
  • CreateTimerQueueTimer (todo)
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]

  • Mouse movement
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba – Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)

Anti-Virtualization / Full-System Emulation

Registry key value artifacts

  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
  • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
  • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
  • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
  • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)

Registry Keys artifacts

  • “HARDWARE\ACPI\DSDT\VBOX__”
  • “HARDWARE\ACPI\FADT\VBOX__”
  • “HARDWARE\ACPI\RSDT\VBOX__”
  • “SOFTWARE\Oracle\VirtualBox Guest Additions”
  • “SYSTEM\ControlSet001\Services\VBoxGuest”
  • “SYSTEM\ControlSet001\Services\VBoxMouse”
  • “SYSTEM\ControlSet001\Services\VBoxService”
  • “SYSTEM\ControlSet001\Services\VBoxSF”
  • “SYSTEM\ControlSet001\Services\VBoxVideo”
  • SOFTWARE\VMware, Inc.\VMware Tools
  • SOFTWARE\Wine

File system artifacts

  • “system32\drivers\VBoxMouse.sys”
  • “system32\drivers\VBoxGuest.sys”
  • “system32\drivers\VBoxSF.sys”
  • “system32\drivers\VBoxVideo.sys”
  • “system32\vboxdisp.dll”
  • “system32\vboxhook.dll”
  • “system32\vboxmrxnp.dll”
  • “system32\vboxogl.dll”
  • “system32\vboxoglarrayspu.dll”
  • “system32\vboxoglcrutil.dll”
  • “system32\vboxoglerrorspu.dll”
  • “system32\vboxoglfeedbackspu.dll”
  • “system32\vboxoglpackspu.dll”
  • “system32\vboxoglpassthroughspu.dll”
  • “system32\vboxservice.exe”
  • “system32\vboxtray.exe”
  • “system32\VBoxControl.exe”
  • “system32\drivers\vmmouse.sys”
  • “system32\drivers\vmhgfs.sys”

Directories artifacts

  • “%PROGRAMFILES%\oracle\virtualbox guest additions\”
  • “%PROGRAMFILES%\VMWare\”

Memory artifacts

  • Interupt Descriptor Table (IDT) location
  • Local Descriptor Table (LDT) location
  • Global Descriptor Table (GDT) location
  • Task state segment trick with STR

MAC Address

  • “\x08\x00\x27” (VBOX)
  • “\x00\x05\x69” (VMWARE)
  • “\x00\x0C\x29” (VMWARE)
  • “\x00\x1C\x14” (VMWARE)
  • “\x00\x50\x56” (VMWARE)

Virtual devices

  • “\\.\VBoxMiniRdrDN”
  • “\\.\VBoxGuest”
  • “\\.\pipe\VBoxMiniRdDN”
  • “\\.\VBoxTrayIPC”
  • “\\.\pipe\VBoxTrayIPC”)
  • “\\.\HGFS”
  • “\\.\vmci”

Hardware Device information

  • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
  • QEMU
  • VMWare
  • VBOX
  • VIRTUAL HD

System Firmware Tables

  • SMBIOS string checks (VirtualBox)
  • ACPI string checks (VirtualBox)

Adapter name

  • VMWare

Windows Class

  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd

Network shares

  • VirtualBox Shared Folders

Processes

  • vboxservice.exe (VBOX)
  • vboxtray.exe (VBOX)
  • vmtoolsd.exe(VMWARE)
  • vmwaretray.exe(VMWARE)
  • vmwareuser(VMWARE)
  • vmsrvc.exe(VirtualPC)
  • vmusrvc.exe(VirtualPC)
  • prl_cc.exe(Parallels)
  • prl_tools.exe(Parallels)
  • xenservice.exe(Citrix Xen)

WMI

  • SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
  • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
  • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
  • SELECT * FROM Win32_NTEventlogFile (VBOX)
  • SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
  • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)

DLL Exports and Loaded DLLs

  • kernel32.dll!wine_get_unix_file_nameWine (Wine)
  • sbiedll.dll (Sandboxie)
  • dbghelp.dll (MS debugging support routines)
  • api_log.dll (iDefense Labs)
  • dir_watch.dll (iDefense Labs)
  • pstorec.dll (SunBelt Sandbox)
  • vmcheck.dll (Virtual PC)
  • wpespy.dll (WPE Pro)

CPU

  • Hypervisor presence using (EAX=0x1)
  • Hypervisor vendor using (EAX=0x40000000)
  • “KVMKVMKVM\0\0\0” (KVM)
  • “Microsoft Hv”(Microsoft Hyper-V or Windows Virtual PC)
  • “VMwareVMware”(VMware)
  • “XenVMMXenVMM”(Xen)
  • “prl hyperv “( Parallels) -“VBoxVBoxVBox”( VirtualBox)

Anti-Analysis

Processes

  • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
  • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
  • Wireshark / Dumpcap
  • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
  • ImportREC / PETools / LordPE
  • JoeBox Sandbox

Macro malware attacks

Document_Close / Auto_Close.
Application.RecentFiles.Count

Code/DLL Injections techniques

  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Contributors

  • mrexodia: Main developer of x64dbg
  • Mattiwatti: Matthijs Lavrijsen
  • gsuberland: Graham Sutherland

References

  • An Anti-Reverse Engineering Guide By Josh Jackson.
  • Anti-Unpacker Tricks By Peter Ferrie.
  • The Art Of Unpacking By Mark Vincent Yason.
  • Walied Assar’s blog http://waleedassar.blogspot.de/.
  • Pafish tool: https://github.com/a0rtega/pafish.
  • PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro

Download al-khaser