{"id":13830957,"url":"https://github.com/secrary/makin","last_synced_at":"2025-07-09T13:30:58.224Z","repository":{"id":46526773,"uuid":"113866267","full_name":"secrary/makin","owner":"secrary","description":"makin - reveal anti-debugging and anti-VM tricks [This project is not maintained anymore]","archived":false,"fork":false,"pushed_at":"2019-03-17T23:50:40.000Z","size":295,"stargazers_count":727,"open_issues_count":2,"forks_count":147,"subscribers_count":54,"default_branch":"master","last_synced_at":"2024-08-05T10:15:05.335Z","etag":null,"topics":["capstone","debugging","hooks","malware-analysis","reverse-engineering"],"latest_commit_sha":null,"homepage":"https://secrary.com","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secrary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-11T14:06:06.000Z","updated_at":"2024-07-29T01:55:21.000Z","dependencies_parsed_at":"2022-09-23T02:31:03.915Z","dependency_job_id":null,"html_url":"https://github.com/secrary/makin","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secrary%2Fmakin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secrary%2Fmakin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secrary%2Fmakin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secrary%2Fmakin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secrary","download_url":"https://codeload.github.com/secrary/makin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225553265,"owners_count":17487293,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capstone","debugging","hooks","malware-analysis","reverse-engineering"],"created_at":"2024-08-04T10:01:13.697Z","updated_at":"2024-11-20T12:30:47.807Z","avatar_url":"https://github.com/secrary.png","language":"C++","readme":"I created `makin` to make initial malware assessment a little bit easier for me; I think it's useful for others as well. It helps to reveal the debugger detection techniques used by a sample.\n\n##### Any feedback is greatly appreciated: [@_qaz_qaz](https://twitter.com/_qaz_qaz)\n\n### How does it work?\n`makin` opens a sample as a debuggee and injects `asho.dll` (the main module renames all `dlls` before injection). `asho.dll` hooks several functions in the `ntdll.dll` and `kernelbase.dll` libraries and, after checking the parameters, sends the corresponding message to the debugger (`makin.exe`).\n\n`makin` also generates a script for IDA Pro to set breakpoints at the detected APIs.\n\nAt this moment, `makin` can reveal the following techniques:\n\n`ntdll.dll`:\n* `NtClose` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.B.ii](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtOpenProcess` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.B.i](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtCreateFile` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.B.iii (Open itself)](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtCreateFile` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.B.iii (Open a driver)](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `LdrLoadDll` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.B.iv](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtSetDebugFilterState` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.D.vi](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtQueryInformationProcess` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.D.viii.a, 7.D.viii.b, 7.D.viii.c](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtQuerySystemInformation` - ref: [The \"Ultimate\" Anti-Debugging Reference: 7.E.iii](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtSetInformationThread` - ref: [The \"Ultimate\" Anti-Debugging Reference 7.F.iii](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtCreateUserProcess` - ref: [The \"Ultimate\" Anti-Debugging Reference 7.G.i](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtCreateThreadEx` - ref: [ntquery blog post](https://web.archive.org/web/20171211143522/https://ntquery.wordpress.com/2014/03/29/anti-debug-ntcreatethreadex/)\n* `NtSystemDebugControl` - ref: [@waleedassar - pastebin](https://goo.gl/j4g5pV)\n* `NtYieldExecution` - ref: [The \"Ultimate\" Anti-Debugging Reference 7.D.xiii](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `NtSetLdtEntries` - ref: [ANTI-UNPACKER TRICKS: PART ONE - 2.1.2](https://web.archive.org/web/20171215191103/http://pferrie.tripod.com/papers/unpackers21.pdf)\n* `NtQueryInformationThread` - ref: [ntquery - NtQueryInformationThread](https://web.archive.org/web/20180110063515/https://ntquery.wordpress.com/2014/03/29/anti-debug-ntsetinformationthread/)\n* `NtCreateDebugObject` and `NtQueryObject` - ref: [Anti-Debug NtQueryObject](https://goo.gl/krE6JM)\n* `RtlAdjustPrivilege` - ref: [Using RtlAdjustPrivilege to detect debugger by insid3codeteam](https://goo.gl/m46tQe)\n* ~~`GetWriteWatch` - ref: [Anti-debug with VirtualAlloc’s write watch](https://web.archive.org/web/20180127193503/https://codeinsecurity.wordpress.com/2018/01/24/anti-debug-with-virtualallocs-write-watch/)~~\n* `PEB-\u003eBeingDebugged` - Instead of calling `IsDebuggerPresent()`, some programs manually check the `PEB` (Process Environment Block) for the [`BeingDebugged`](https://www.aldeid.com/wiki/PEB-Process-Environment-Block/BeingDebugged) flag.\n* `PEB-\u003eNtGlobalFlag` - ref: [al-khaser](https://github.com/LordNoteworthy/al-khaser/blob/bbf020b39b28bfb2561408c276fb91db528fa4ca/al-khaser/Anti%20Debug/ProcessHeap_NtGlobalFlag.cpp)\n* `UserSharedData-\u003eKdDebuggerEnabled` - ref: [al-khaser - SharedUserData_KernelDebugger](https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Anti%20Debug/SharedUserData_KernelDebugger.cpp)\n* Close `PROTECTED` handle trick - ref: [al-khaser - HANDLE_FLAG_PROTECT_FROM_CLOSE](https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp)\n\n`kernelbase.dll`:\n* `IsDebuggerPresent` - ref: [MSDN](https://goo.gl/cg7Fkm)\n* `CheckRemoteDebuggerPresent` - ref: [MSDN](https://goo.gl/LrUdaG)\n* `SetUnhandledExceptionFilter` - ref: [The \"Ultimate\" Anti-Debugging Reference: D.xv](https://web.archive.org/web/20171212061916/http://pferrie.host22.com/papers/antidebug.pdf)\n* `RegOpenKeyExInternalW` - checks registry keys\n* `RegQueryValueExW` - checks registry key values\n\nYou can add more VM checks by editing the `checks.json` file, without modifying the executable.\n\nThat's all for now; you can add as much as you wish :)\n\n## Third-party\n- Zydis ([MIT License](https://github.com/zyantific/zydis/blob/master/LICENSE))\n- JSON for Modern C++ ([MIT License](https://github.com/nlohmann/json/blob/develop/LICENSE.MIT))\n\n##### DEMO:\n\n![makin_demo](https://user-images.githubusercontent.com/16405698/33871171-c6f8a156-df2a-11e7-8ffb-b9ae5c030c48.gif)\n","funding_links":[],"categories":["C++","Malware Analysis"],"sub_categories":["Hashing"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecrary%2Fmakin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecrary%2Fmakin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecrary%2Fmakin/lists"}