{"id":21541490,"url":"https://github.com/ayoubfaouzi/al-khaser","last_synced_at":"2025-05-13T00:14:29.699Z","repository":{"id":37306370,"uuid":"46072655","full_name":"ayoubfaouzi/al-khaser","owner":"ayoubfaouzi","description":"Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection. ","archived":false,"fork":false,"pushed_at":"2025-04-23T19:26:34.000Z","size":2608,"stargazers_count":6305,"open_issues_count":39,"forks_count":1201,"subscribers_count":239,"default_branch":"master","last_synced_at":"2025-05-13T00:14:23.463Z","etag":null,"topics":["anti-analysis","anti-debugging","anti-disassembly","anti-emulation","anti-sandbox","anti-vm","av-bypass","code-injection","malware","sandbox-evasion","timing-attacks"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ayoubfaouzi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-11-12T18:35:16.000Z","updated_at":"2025-05-12T23:46:48.000Z","dependencies_parsed_at":"2023-01-31T20:46:32.325Z","dependency_job_id":"8aea5098-5c71-4161-91a6-1eef79e833ef","html_url":"https://github.com/ayoubfaouzi/al-khaser","commit_stats":null,"previous_names":["ayoubfaouzi/al-khaser"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fal-khaser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fal-khaser/tags","releases_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/ayoubfaouzi%2Fal-khaser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fal-khaser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ayoubfaouzi","download_url":"https://codeload.github.com/ayoubfaouzi/al-khaser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253843225,"owners_count":21972874,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-analysis","anti-debugging","anti-disassembly","anti-emulation","anti-sandbox","anti-vm","av-bypass","code-injection","malware","sandbox-evasion","timing-attacks"],"created_at":"2024-11-24T05:02:51.901Z","updated_at":"2025-05-13T00:14:29.674Z","avatar_url":"https://github.com/ayoubfaouzi.png","language":"C++","readme":"## Al-Khaser v0.81\r\n\r\n![Logo](https://www.mindmeister.com/files/avatars/0035/8332/original/avatar.jpg)\r\n\r\n## Content\r\n\r\n- [Introduction](#introduction)\r\n- [Possible uses](#uses)\r\n- [Features](#features)\r\n - [Anti-debugging attacks](#antidebug)\r\n - [Anti-Dumping](#antidump)\r\n - [Timing Attacks](#timingattack)\r\n - [Human Interaction](#antidump)\r\n - [Anti-VM](#antivm)\r\n - [Anti-Disassembly](#antidisassm)\r\n- [Requirements](#requirements)\r\n- [License](#license)\r\n\r\n\r\n## Introduction\r\n\r\nal-khaser is a PoC \"malware\" application with good intentions that aims to stress your anti-malware system.\r\nIt performs a bunch of common malware tricks with the goal of seeing if you stay under the 
radar.\r\n\r\n![Logo](https://i.imgur.com/jEFhsJT.png)\r\n\r\n\r\n## Download\r\n\r\nYou can download built binaries (x86, x64) from this project's [releases page](https://github.com/LordNoteworthy/al-khaser/releases). The password for the 7zs can be found [here](https://github.com/LordNoteworthy/al-khaser/blob/master/.github/workflows/release.yml#L25).\r\n\r\n\r\n## Possible uses\r\n\r\n- You are making an anti-debug plugin and you want to check its effectiveness.\r\n- You want to ensure that your sandbox solution is hidden enough.\r\n- Or you want to ensure that your malware analysis environment is well hidden.\r\n\r\nPlease, if you encounter any anti-analysis tricks that you have seen in malware, don't hesitate to contribute.\r\n\r\n\r\n## Features\r\n### Anti-debugging attacks\r\n- IsDebuggerPresent\r\n- CheckRemoteDebuggerPresent\r\n- Process Environment Block (BeingDebugged)\r\n- Process Environment Block (NtGlobalFlag)\r\n- ProcessHeap (Flags)\r\n- ProcessHeap (ForceFlags)\r\n- Low Fragmentation Heap (LFH)\r\n- NtQueryInformationProcess (ProcessDebugPort)\r\n- NtQueryInformationProcess (ProcessDebugFlags)\r\n- NtQueryInformationProcess (ProcessDebugObject)\r\n- WudfIsAnyDebuggerPresent\r\n- WudfIsKernelDebuggerPresent\r\n- WudfIsUserDebuggerPresent\r\n- NtSetInformationThread (HideThreadFromDebugger)\r\n- NtQueryObject (ObjectTypeInformation)\r\n- NtQueryObject (ObjectAllTypesInformation)\r\n- CloseHandle (NtClose) Invalid Handle\r\n- SetHandleInformation (Protected Handle)\r\n- UnhandledExceptionFilter\r\n- OutputDebugString (GetLastError())\r\n- Hardware Breakpoints (SEH / GetThreadContext)\r\n- Software Breakpoints (INT3 / 0xCC)\r\n- Memory Breakpoints (PAGE_GUARD)\r\n- Interrupt 0x2d\r\n- Interrupt 1\r\n- Trap Flag\r\n- Parent Process (Explorer.exe)\r\n- SeDebugPrivilege (Csrss.exe)\r\n- NtYieldExecution / SwitchToThread\r\n- TLS callbacks\r\n- Process jobs\r\n- Memory write watching\r\n- Page exception breakpoint detection\r\n- API hook 
detection (module bounds based)\r\n\r\n### Anti-injection\r\n- Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)\r\n- Enumerate modules with ToolHelp32\r\n- Enumerate the process LDR structures with LdrEnumerateLoadedModules\r\n- Enumerate the process LDR structures directly\r\n- Walk memory with GetModuleInformation\r\n- Walk memory for hidden modules\r\n\r\n### Anti-Dumping\r\n- Erase PE header from memory\r\n- SizeOfImage\r\n\r\n### Timing Attacks [Anti-Sandbox]\r\n- RDTSC (with CPUID to force a VM Exit)\r\n- RDTSC (Locky version with GetProcessHeap \u0026 CloseHandle)\r\n- Sleep -\u003e SleepEx -\u003e NtDelayExecution\r\n- Sleep (a small delay in a loop)\r\n- Sleep and check if time was accelerated (GetTickCount)\r\n- SetTimer (Standard Windows Timers)\r\n- timeSetEvent (Multimedia Timers)\r\n- WaitForSingleObject -\u003e WaitForSingleObjectEx -\u003e NtWaitForSingleObject\r\n- WaitForMultipleObjects -\u003e WaitForMultipleObjectsEx -\u003e NtWaitForMultipleObjects\r\n- IcmpSendEcho (CCleaner Malware)\r\n- CreateWaitableTimer\r\n- CreateTimerQueueTimer\r\n- Big crypto loops (todo)\r\n\r\n### Human Interaction / Generic [Anti-Sandbox]\r\n- Mouse movement\r\n- File names like `sample.exe` or `sandbox.exe`.\r\n- Total Physical memory (GlobalMemoryStatusEx)\r\n- Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)\r\n- Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)\r\n- Mouse (Single click / Double click) (todo)\r\n- DialogBox (todo)\r\n- Scrolling (todo)\r\n- Execution after reboot (todo)\r\n- Count of processors (Win32/Tinba - Win32/Dyre)\r\n- Sandbox known product IDs (todo)\r\n- Color of background pixel (todo)\r\n- Keyboard layout (Win32/Banload) (todo)\r\n- Genuine Windows installation.\r\n- Known Sandbox hostnames and usernames\r\n\r\n### Anti-Virtualization / Full-System Emulation\r\n- **Registry key value artifacts**\r\n  - HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical 
Unit Id 0 (Identifier) (VBOX)\r\n  - HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0 (Identifier) (QEMU)\r\n  - HARDWARE\\\\Description\\\\System (SystemBiosVersion) (VBOX)\r\n  - HARDWARE\\\\Description\\\\System (SystemBiosVersion) (QEMU)\r\n  - HARDWARE\\\\Description\\\\System (VideoBiosVersion) (VIRTUALBOX)\r\n  - HARDWARE\\\\Description\\\\System (SystemBiosDate) (06/23/99)\r\n  - HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0 (Identifier) (VMWARE)\r\n  - HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0 (Identifier) (VMWARE)\r\n  - HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0 (Identifier) (VMWARE)\r\n  - SYSTEM\\\\ControlSet001\\\\Control\\\\SystemInformation (SystemManufacturer) (VMWARE)\r\n  - SYSTEM\\\\ControlSet001\\\\Control\\\\SystemInformation (SystemProductName) (VMWARE)\r\n- **Registry Keys artifacts**\r\n  - HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__ (VBOX)\r\n  - HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__ (VBOX)\r\n  - HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__ (VBOX)\r\n  - SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions (VBOX)\r\n  - SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest (VBOX)\r\n  - SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse (VBOX)\r\n  - SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService (VBOX)\r\n  - SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxSF (VBOX)\r\n  - SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo (VBOX)\r\n  - SOFTWARE\\\\VMware, Inc.\\\\VMware Tools (VMWARE)\r\n  - SOFTWARE\\\\Wine (WINE)\r\n  - SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters (HYPER-V)\r\n  - SYSTEM\\\\CurrentControlSet\\\\Services\\\\Disk\\\\Enum\r\n  - SYSTEM\\\\CurrentControlSet\\\\Enum\\\\IDE\r\n  - SYSTEM\\\\CurrentControlSet\\\\Enum\\\\SCSI\r\n- **File system artifacts**\r\n  - \"system32\\\\drivers\\\\VBoxMouse.sys\"\r\n  - \"system32\\\\drivers\\\\VBoxGuest.sys\"\r\n 
 - \"system32\\\\drivers\\\\VBoxSF.sys\"\r\n  - \"system32\\\\drivers\\\\VBoxVideo.sys\"\r\n  - \"system32\\\\vboxdisp.dll\"\r\n  - \"system32\\\\vboxhook.dll\"\r\n  - \"system32\\\\vboxmrxnp.dll\"\r\n  - \"system32\\\\vboxogl.dll\"\r\n  - \"system32\\\\vboxoglarrayspu.dll\"\r\n  - \"system32\\\\vboxoglcrutil.dll\"\r\n  - \"system32\\\\vboxoglerrorspu.dll\"\r\n  - \"system32\\\\vboxoglfeedbackspu.dll\"\r\n  - \"system32\\\\vboxoglpackspu.dll\"\r\n  - \"system32\\\\vboxoglpassthroughspu.dll\"\r\n  - \"system32\\\\vboxservice.exe\"\r\n  - \"system32\\\\vboxtray.exe\"\r\n  - \"system32\\\\VBoxControl.exe\"\r\n  - \"system32\\\\drivers\\\\vmmouse.sys\"\r\n  - \"system32\\\\drivers\\\\vmhgfs.sys\"\r\n  - \"system32\\\\drivers\\\\vm3dmp.sys\"\r\n  - \"system32\\\\drivers\\\\vmci.sys\"\r\n  - \"system32\\\\drivers\\\\vmmemctl.sys\"\r\n  - \"system32\\\\drivers\\\\vmrawdsk.sys\"\r\n  - \"system32\\\\drivers\\\\vmusbmouse.sys\"\r\n\r\n- **Directories artifacts**\r\n  - \"%PROGRAMFILES%\\\\oracle\\\\virtualbox guest additions\\\\\"\r\n  - \"%PROGRAMFILES%\\\\VMWare\\\\\"\r\n- **Memory artifacts**\r\n  - Interrupt Descriptor Table (IDT) location\r\n  - Local Descriptor Table (LDT) location\r\n  - Global Descriptor Table (GDT) location\r\n  - Task state segment trick with STR\r\n- **MAC Address**\r\n  - \"\\x08\\x00\\x27\" (VBOX)\r\n  - \"\\x00\\x05\\x69\" (VMWARE)\r\n  - \"\\x00\\x0C\\x29\" (VMWARE)\r\n  - \"\\x00\\x1C\\x14\" (VMWARE)\r\n  - \"\\x00\\x50\\x56\" (VMWARE)\r\n  - \"\\x00\\x1C\\x42\" (Parallels)\r\n  - \"\\x00\\x16\\x3E\" (Xen)\r\n  - \"\\x0A\\x00\\x27\" (Hybrid Analysis)\r\n- **Virtual devices**\r\n  - \"\\\\\\\\.\\\\VBoxMiniRdrDN\"\r\n  - \"\\\\\\\\.\\\\VBoxGuest\"\r\n  - \"\\\\\\\\.\\\\pipe\\\\VBoxMiniRdDN\"\r\n  - \"\\\\\\\\.\\\\VBoxTrayIPC\"\r\n  - \"\\\\\\\\.\\\\pipe\\\\VBoxTrayIPC\"\r\n  - \"\\\\\\\\.\\\\HGFS\"\r\n  - \"\\\\\\\\.\\\\vmci\"\r\n- **Hardware Device 
information**\r\n  - SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)\r\n    - QEMU\r\n    - VMWare\r\n    - VBOX\r\n    - VIRTUAL HD\r\n  - Power policies (S1-S4 states, thermal control)\r\n- **System Firmware Tables**\r\n  - SMBIOS string checks (VirtualBox)\r\n  - SMBIOS string checks (VMWare)\r\n  - SMBIOS string checks (Qemu)\r\n  - SMBIOS number of tables (Qemu, VirtualBox)\r\n  - ACPI string checks (WAET table, PNP devices, PM state with battery checks)\r\n  - ACPI string checks (VirtualBox)\r\n  - ACPI string checks (VMWare)\r\n  - ACPI string checks (Qemu)\r\n- **Driver Services**\r\n  - VirtualBox\r\n  - VMWare\r\n- **Adapter name**\r\n  - VMWare\r\n- **Windows Class**\r\n  - VBoxTrayToolWndClass\r\n  - VBoxTrayToolWnd\r\n- **Network shares**\r\n  - VirtualBox Shared Folders\r\n- **Processes**\r\n  - vboxservice.exe (VBOX)\r\n  - vboxtray.exe (VBOX)\r\n  - vmtoolsd.exe (VMWARE)\r\n  - vmwaretray.exe (VMWARE)\r\n  - vmwareuser (VMWARE)\r\n  - VGAuthService.exe (VMWARE)\r\n  - vmacthlp.exe (VMWARE)\r\n  - vmsrvc.exe (VirtualPC)\r\n  - vmusrvc.exe (VirtualPC)\r\n  - prl_cc.exe (Parallels)\r\n  - prl_tools.exe (Parallels)\r\n  - xenservice.exe (Citrix Xen)\r\n  - qemu-ga.exe (QEMU)\r\n  - looking-glass-host.exe (GENERIC)\r\n  - VDDSysTray.exe (GENERIC)\r\n- **WMI**\r\n  - SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)\r\n  - SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)\r\n  - SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)\r\n  - SELECT * FROM Win32_NTEventlogFile (VBOX)\r\n  - SELECT * FROM Win32_Processor (NumberOfCores and ProcessorId) (GENERIC)\r\n  - SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)\r\n  - SELECT * FROM Win32_ComputerSystem (Model and Manufacturer) (GENERIC)\r\n  - SELECT * FROM MSAcpi_ThermalZoneTemperature (CurrentTemperature) (GENERIC)\r\n  - SELECT * FROM Win32_Fan (GENERIC)\r\n- **DLL Exports and Loaded DLLs**\r\n  - avghookx.dll (AVG)\r\n  - avghooka.dll (AVG)\r\n  - snxhk.dll (Avast)\r\n  - 
kernel32.dll!wine_get_unix_file_name (Wine)\r\n  - sbiedll.dll (Sandboxie)\r\n  - dbghelp.dll (MS debugging support routines)\r\n  - api_log.dll (iDefense Labs)\r\n  - dir_watch.dll (iDefense Labs)\r\n  - pstorec.dll (SunBelt Sandbox)\r\n  - vmcheck.dll (Virtual PC)\r\n  - wpespy.dll (WPE Pro)\r\n  - cmdvrt32.dll (Comodo Container)\r\n  - cmdvrt64.dll (Comodo Container)\r\n- **CPU**\r\n  - Hypervisor presence using CPUID (EAX=0x1)\r\n  - Hypervisor vendor using CPUID (EAX=0x40000000)\r\n    - \"KVMKVMKVM\\0\\0\\0\" (KVM)\r\n    - \"Microsoft Hv\" (Microsoft Hyper-V or Windows Virtual PC)\r\n    - \"VMwareVMware\" (VMware)\r\n    - \"XenVMMXenVMM\" (Xen)\r\n    - \"prl hyperv  \" (Parallels)\r\n    - \"VBoxVBoxVBox\" (VirtualBox)\r\n- NtQueryLicenseValue with Kernel-VMDetection-Private as license value.\r\n\r\n### Anti-Analysis\r\n- **Processes**\r\n  - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Engine\r\n  - SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)\r\n  - Wireshark / Dumpcap / Fiddler / Http Debugger\r\n  - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector\r\n  - ImportREC / PETools / LordPE\r\n  - JoeBox Sandbox\r\n  - Resource Hacker\r\n  - Frida\r\n\r\n### Anti-Disassembly\r\n- Jump with constant condition\r\n- Jump instruction with same target\r\n- Impossible disassembly\r\n- Function Pointers\r\n- Return Pointer Abuse\r\n\r\n### Macro malware attacks\r\n- Document_Close / Auto_Close.\r\n- Application.RecentFiles.Count\r\n\r\n### Code/DLL Injection techniques\r\n- CreateRemoteThread\r\n- SetWindowsHookEx\r\n- NtCreateThreadEx\r\n- RtlCreateUserThread\r\n- APC (QueueUserAPC / NtQueueApcThread)\r\n- RunPE (GetThreadContext / SetThreadContext)\r\n\r\n## Authors\r\n- [Mattiwatti](https://github.com/Mattiwatti): Matthijs Lavrijsen\r\n- [gsuberland](https://twitter.com/gsuberland): Graham Sutherland\r\n- [hFireF0x](https://github.com/hfiref0x): hfiref0x\r\n\r\nPull requests 
welcome. Please read the [Developer Guidelines](https://github.com/LordNoteworthy/al-khaser/wiki/Developer-Guidelines) on our wiki if you wish to contribute to the project.\r\n\r\n## References\r\n- An Anti-Reverse Engineering Guide By Josh Jackson.\r\n- Anti-Unpacker Tricks By Peter Ferrie.\r\n- The Art Of Unpacking By Mark Vincent Yason.\r\n- Walied Assar's blog http://waleedassar.blogspot.de/.\r\n- Pafish tool: https://github.com/a0rtega/pafish.\r\n- PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro \r\n","funding_links":[],"categories":["C++",":wrench: Tools","🛡️ EDR Evasion Techniques"],"sub_categories":["Media","🔹 Sandbox \u0026 VM Evasion"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayoubfaouzi%2Fal-khaser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fayoubfaouzi%2Fal-khaser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayoubfaouzi%2Fal-khaser/lists"}