README - Al Khaser — ContextQMD

Al-Khaser v0.81

Content

Introduction
Possible uses
Features
Anti-debugging attacks
Anti-Dumping
Timing Attacks
Human Interaction
Anti-VM
Anti-Disassembly
Requirements
License

Introduction

al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Usage

$ ./al-khaser.exe -h
Usage: al-khaser.exe [OPTIONS]
Options:
  --check <type>      Enable specific check(s). Can be used multiple times. Valid types are:
                        TLS              (Thread Local Storage callback checks)
                        DEBUG            (Anti-debugging checks)
                        INJECTION        (Code injection checks)
                        GEN_SANDBOX      (Generic sandbox checks)
                        VBOX             (VirtualBox detection)
                        VMWARE           (VMware detection)
                        VPC              (Virtual PC detection)
                        QEMU             (QEMU detection)
                        KVM              (KVM detection)
                        XEN              (Xen detection)
                        WINE             (Wine detection)
                        PARALLELS        (Parallels detection)
                        HYPERV           (Hyper-V detection)
                        CODE_INJECTIONS  (Additional code injection techniques)
                        TIMING_ATTACKS   (Timing/sleep-based sandbox evasion)
                        DUMPING_CHECK    (Dumping memory/process checks)
                        ANALYSIS_TOOLS   (Analysis tools detection)
                        ANTI_DISASSM     (Anti-disassembly checks)
  --sleep <seconds>   Set sleep/delay duration in seconds (default: 600).
  --delay <seconds>   Alias for --sleep.
  -h, --help          Show this help message and exit.

Examples:
  al-khaser.exe --check DEBUG --check TIMING_ATTACKS --sleep 30
  al-khaser.exe --check VMWARE --check QEMU
  al-khaser.exe --sleep 30

Download

You can download built binaries (x86, x64) from this project's releases page. The password for the 7zs can be found here.

Possible uses

You are making an anti-debug plugin and you want to check its effectiveness.
You want to ensure that your sandbox solution is hidden enough.
Or you want to ensure that your malware analysis environment is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

IsDebuggerPresent
CheckRemoteDebuggerPresent
Process Environment Block (BeingDebugged)
Process Environment Block (NtGlobalFlag)
ProcessHeap (Flags)
ProcessHeap (ForceFlags)
Low Fragmentation Heap (LFH)
NtQueryInformationProcess (ProcessDebugPort)
NtQueryInformationProcess (ProcessDebugFlags)
NtQueryInformationProcess (ProcessDebugObject)
WudfIsAnyDebuggerPresent
WudfIsKernelDebuggerPresent
WudfIsUserDebuggerPresent
NtSetInformationThread (HideThreadFromDebugger)
NtQueryObject (ObjectTypeInformation)
NtQueryObject (ObjectAllTypesInformation)
CloseHanlde (NtClose) Invalide Handle
SetHandleInformation (Protected Handle)
UnhandledExceptionFilter
OutputDebugString (GetLastError())
Hardware Breakpoints (SEH / GetThreadContext)
Software Breakpoints (INT3 / 0xCC)
Memory Breakpoints (PAGE_GUARD)
Interrupt 0x2d
Interrupt 1
Trap Flag
Parent Process (Explorer.exe)
SeDebugPrivilege (Csrss.exe)
NtYieldExecution / SwitchToThread
TLS callbacks
Process jobs
Memory write watching
Page exception breakpoint detection
API hook detection (module bounds based)

Anti-injection

Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)
Enumerate modules with ToolHelp32
Enumerate the process LDR structures with LdrEnumerateLoadedModules
Enumerate the process LDR structures directly
Walk memory with GetModuleInformation
Walk memory for hidden modules

Anti-Dumping

Erase PE header from memory
SizeOfImage

Timing Attacks [Anti-Sandbox]

RDTSC (with CPUID to force a VM Exit)
RDTSC (Locky version with GetProcessHeap & CloseHandle)
Sleep -> SleepEx -> NtDelayExecution
Sleep (in a loop a small delay)
Sleep and check if time was accelerated (GetTickCount)
SetTimer (Standard Windows Timers)
timeSetEvent (Multimedia Timers)
WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects
IcmpSendEcho (CCleaner Malware)
CreateWaitableTimer
CreateTimerQueueTimer
Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]

Mouse movement
File names like sample.exe or sandbox.exe.
Total Physical memory (GlobalMemoryStatusEx)
Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
Mouse (Single click / Double click) (todo)
DialogBox (todo)
Scrolling (todo)
Execution after reboot (todo)
Count of processors (Win32/Tinba - Win32/Dyre)
Sandbox known product IDs (todo)
Color of background pixel (todo)
Keyboard layout (Win32/Banload) (todo)
Genuine Windows installation.
Known Sandbox hostnames and usernames

Anti-Virtualization / Full-System Emulation

Registry key value artifacts
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
- HARDWARE\Description\System (SystemBiosVersion) (VBOX)
- HARDWARE\Description\System (SystemBiosVersion) (QEMU)
- HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
- HARDWARE\Description\System (SystemBiosDate) (06/23/99)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
- SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
- SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)
Registry Keys artifacts
- HARDWARE\ACPI\DSDT\VBOX__ (VBOX)
- HARDWARE\ACPI\FADT\VBOX__ (VBOX)
- HARDWARE\ACPI\RSDT\VBOX__ (VBOX)
- SOFTWARE\Oracle\VirtualBox Guest Additions (VBOX)
- SYSTEM\ControlSet001\Services\VBoxGuest (VBOX)
- SYSTEM\ControlSet001\Services\VBoxMouse (VBOX)
- SYSTEM\ControlSet001\Services\VBoxService (VBOX)
- SYSTEM\ControlSet001\Services\VBoxSF (VBOX)
- SYSTEM\ControlSet001\Services\VBoxVideo (VBOX)
- SOFTWARE\VMware, Inc.\VMware Tools (VMWARE)
- SOFTWARE\Wine (WINE)
- SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters (HYPER-V)
- SYSTEM\CurrentControlSet\Services\Disk\Enum
- SYSTEM\CurrentControlSet\Enum\IDE
- SYSTEM\CurrentControlSet\Enum\SCSI
File system artifacts
- "system32\drivers\VBoxMouse.sys"
- "system32\drivers\VBoxGuest.sys"
- "system32\drivers\VBoxSF.sys"
- "system32\drivers\VBoxVideo.sys"
- "system32\vboxdisp.dll"
- "system32\vboxhook.dll"
- "system32\vboxmrxnp.dll"
- "system32\vboxogl.dll"
- "system32\vboxoglarrayspu.dll"
- "system32\vboxoglcrutil.dll"
- "system32\vboxoglerrorspu.dll"
- "system32\vboxoglfeedbackspu.dll"
- "system32\vboxoglpackspu.dll"
- "system32\vboxoglpassthroughspu.dll"
- "system32\vboxservice.exe"
- "system32\vboxtray.exe"
- "system32\VBoxControl.exe"
- "system32\drivers\vmmouse.sys"
- "system32\drivers\vmhgfs.sys"
- "system32\drivers\vm3dmp.sys"
- "system32\drivers\vmci.sys"
- "system32\drivers\vmhgfs.sys"
- "system32\drivers\vmmemctl.sys"
- "system32\drivers\vmmouse.sys"
- "system32\drivers\vmrawdsk.sys"
- "system32\drivers\vmusbmouse.sys"
Directories artifacts
- "%PROGRAMFILES%\oracle\virtualbox guest additions\"
- "%PROGRAMFILES%\VMWare\"
Memory artifacts
- Interupt Descriptor Table (IDT) location
- Local Descriptor Table (LDT) location
- Global Descriptor Table (GDT) location
- Task state segment trick with STR
MAC Address
- "\x08\x00\x27" (VBOX)
- "\x00\x05\x69" (VMWARE)
- "\x00\x0C\x29" (VMWARE)
- "\x00\x1C\x14" (VMWARE)
- "\x00\x50\x56" (VMWARE)
- "\x00\x1C\x42" (Parallels)
- "\x00\x16\x3E" (Xen)
- "\x0A\x00\x27" (Hybrid Analysis)
Virtual devices
- "\\.\VBoxMiniRdrDN"
- "\\.\VBoxGuest"
- "\\.\pipe\VBoxMiniRdDN"
- "\\.\VBoxTrayIPC"
- "\\.\pipe\VBoxTrayIPC")
- "\\.\HGFS"
- "\\.\vmci"
Hardware Device information
- SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
  - QEMU
  - VMWare
  - VBOX
  - VIRTUAL HD
- Power policies (S1-S4 states, thermal control)
System Firmware Tables
- SMBIOS string checks (VirtualBox)
- SMBIOS string checks (VMWare)
- SMBIOS string checks (Qemu)
- SMBIOS number of tables (Qemu, VirtualBox)
- ACPI string checks (WAET table, PNP devices, PM state with battery checks)
- ACPI string checks (VirtualBox)
- ACPI string checks (VMWare)
- ACPI string checks (Qemu)
Driver Services
- VirtualBox
- VMWare
Adapter name
- VMWare
Windows Class
- VBoxTrayToolWndClass
- VBoxTrayToolWnd
Network shares
- VirtualBox Shared Folders
Processes
- vboxservice.exe (VBOX)
- vboxtray.exe (VBOX)
- vmtoolsd.exe(VMWARE)
- vmwaretray.exe(VMWARE)
- vmwareuser(VMWARE)
- VGAuthService.exe (VMWARE)
- vmacthlp.exe (VMWARE)
- vmsrvc.exe(VirtualPC)
- vmusrvc.exe(VirtualPC)
- prl_cc.exe(Parallels)
- prl_tools.exe(Parallels)
- xenservice.exe(Citrix Xen)
- qemu-ga.exe (QEMU)
- looking-glass-host.exe (GENERIC)
- VDDSysTray.exe (GENERIC)
WMI
- SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)
- SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
- SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
- SELECT * FROM Win32_NTEventlogFile (VBOX)
- SELECT * FROM Win32_Processor (NumberOfCores and ProcessorId) (GENERIC)
- SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
- SELECT * FROM Win32_ComputerSystem (Model and Manufacturer) (GENERIC)
- SELECT * FROM MSAcpi_ThermalZoneTemperature CurrentTemperature) (GENERIC)
- SELECT * FROM Win32_Fan (GENERIC)
DLL Exports and Loaded DLLs
- avghookx.dll (AVG)
- avghooka.dll (AVG)
- snxhk.dll (Avast)
- kernel32.dll!wine_get_unix_file_nameWine (Wine)
- sbiedll.dll (Sandboxie)
- dbghelp.dll (MS debugging support routines)
- api_log.dll (iDefense Labs)
- dir_watch.dll (iDefense Labs)
- pstorec.dll (SunBelt Sandbox)
- vmcheck.dll (Virtual PC)
- wpespy.dll (WPE Pro)
- cmdvrt32.dll (Comodo Container)
- cmdvrt64.dll (Comodo Container)
CPU
- Hypervisor presence using (EAX=0x1)
- Hypervisor vendor using (EAX=0x40000000)
  - "KVMKVMKVM\0\0\0" (KVM)
    - "Microsoft Hv"(Microsoft Hyper-V or Windows Virtual PC)
    - "VMwareVMware"(VMware)
    - "XenVMMXenVMM"(Xen)
    - "prl hyperv "( Parallels) -"VBoxVBoxVBox"( VirtualBox)
NtQueryLicenseValue with Kernel-VMDetection-Private as license value.

Anti-Analysis

Processes
- OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Engine
- SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
- Wireshark / Dumpcap / Fiddler / Http Debugger
- ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
- ImportREC / PETools / LordPE
- JoeBox Sandbox
- Resource Hacker
- Frida

Anti-Disassembly

Jump with constant condition
Jump instruction with same target
Impossible disassembly
Function Pointers
Return Pointer Abuse

Macro malware attacks

Document_Close / Auto_Close.
Application.RecentFiles.Count

Code/DLL Injections techniques

CreateRemoteThread
SetWindowsHooksEx
NtCreateThreadEx
RtlCreateUserThread
APC (QueueUserAPC / NtQueueApcThread)
RunPE (GetThreadContext / SetThreadContext)

Authors

Mattiwatti: Matthijs Lavrijsen
gsuberland: Graham Sutherland
hFireF0x: hfiref0x

Pull requests welcome. Please read the Developer Guidelines on our wiki if you wish to contribute to the project.

References

An Anti-Reverse Engineering Guide By Josh Jackson.
Anti-Unpacker Tricks By Peter Ferrie.
The Art Of Unpacking By Mark Vincent Yason.
Walied Assar's blog http://waleedassar.blogspot.de/.
Pafish tool: https://github.com/a0rtega/pafish.
PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro