https://github.com/whiterabb17/medusa

Anti VM checks in GoLang

# Medusa
Golang anti-vm framework



Let Medusa stone wall analysis






Table of Contents

1. About The Project
2. Getting Started
3. Usage

## About The Project
Medusa is an anti-vm framework.

Written in Golang in order to support Red Team operations and Pentesters during engagements.

Medusa is designed for Windows environments!

!!I'm not responsible for your acts!!

## Getting Started
Firstly, make sure that your dependencies are satisfied.

### Dependencies
Medusa has 3 dependencies:
* wmi
```
go get github.com/StackExchange/wmi@v0.0.0-20210224194228-fe8f1750fd46
```
* go-ole
```
go get github.com/go-ole/go-ole@v1.2.5
```
* go-ps
```
go get github.com/mitchellh/go-ps@v1.0.0
```

### Installation
In your prompt, type:
```
go get github.com/whiterabb17/medusa
```

### Note
Additional processes and configuration can be set in `util\process_list.go`, such as AV processes to search for or kill, additional strings to look for, and MAC addresses to add to the blacklist.

## Usage
In your program, import the Medusa packages you need:
```
import (
	"github.com/whiterabb17/medusa/antidebug"
	"github.com/whiterabb17/medusa/antimem"
	"github.com/whiterabb17/medusa/antivm"
)
```
### Anti-Debugging
`github.com/whiterabb17/medusa/antidebug`

The antidebug package implements checks for common programs that are used for debugging.

#### Process
`antidebug.ByProcessWatcher()` returns a boolean.

This function looks for common programs used to inspect processes, such as processhacker.exe, procmon.exe and xdbg.exe.

Example:
```
if antidebug.ByProcessWatcher() { // if a debugger program was found, enter here
	// exit or wait
}
```
#### Timing
`antidebug.ByTimmingDiff(time.Time, int)` returns a boolean.

Compares whether the difference between the initial and the end time is bigger than the allowed difference (in seconds).
When a program is being debugged, the analyst usually spends some time inside a function.
Grab the time at the beginning of the function and again at the end, before returning, and ask Medusa to compare them.

Example:
```
func myFuncHere() {
	initTime := time.Now() // grab the time here
	// do your actions here
	if antidebug.ByTimmingDiff(initTime, 2) { // if your function took 2 seconds or more, it is probably being debugged; you choose the threshold
		// exit or wait
	}
}
```

### Anti-Memory
`github.com/whiterabb17/medusa/antimem`

The antimem package implements checks for common programs that are used to inspect process memory.

#### Memory
`antimem.ByMemWatcher()` returns a boolean.

This function looks for common programs used to inspect memory, such as rammap.exe and dumpit.exe.

Example:
```
if antimem.ByMemWatcher() { // if a memory inspection program was found, enter here
	// exit or wait
}
```

### Anti-VM
`github.com/whiterabb17/medusa/antivm`

The antivm package implements checks to detect virtualized environments.

#### Disk size
`antivm.BySizeDisk(int)` returns a boolean.

Checks the total disk size, in GB.

Example:
```
if antivm.BySizeDisk(100) { // if the total disk size is less than 100 GB, enter here; you choose the size, always in GB
	// exit or wait
}
```
#### Virtual disk
`antivm.IsVirtualDisk()` returns a boolean.

Checks whether the program may be running on a virtual disk.

Example:
```
if antivm.IsVirtualDisk() { // if Medusa guesses you are on a virtual disk, enter here
	// exit or wait
}
```

#### Known virtual MAC Address
`antivm.ByMacAddress()` returns a boolean.

Looks for MAC addresses known to belong to virtualization vendors.

Example:
```
if antivm.ByMacAddress() { // if Medusa guesses you are on a known virtual MAC address, enter here
	// exit or wait
}
```
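As an added, defender-side example that is not part of Medusa or this README: a static triage heuristic in Go that flags a sample when it contains the Medusa import paths listed in the Usage section (Go binaries keep function names, including their package paths, in the runtime's pclntab even when stripped) or when several of the analysis-tool process names from the Process and Memory sections appear together. The threshold of three tool names and the sample bytes are constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// Analysis-tool process names named in this README, and the Medusa package
// paths from its Usage section. Both are plain strings in a built binary.
var toolNames = []string{"processhacker.exe", "procmon.exe", "xdbg.exe", "rammap.exe", "dumpit.exe"}

var medusaPaths = []string{
	"github.com/whiterabb17/medusa/antidebug",
	"github.com/whiterabb17/medusa/antimem",
	"github.com/whiterabb17/medusa/antivm",
}

// TriageResult summarises what was found in one sample.
type TriageResult struct {
	ToolNames   []string // analysis-tool names present (matched case-insensitively)
	MedusaPaths []string // Medusa package paths present
	Suspicious  bool     // true when the combination suggests anti-analysis logic
}

// TriageSample scans raw file bytes. Tool names are matched case-insensitively
// because Windows process names are case-insensitive; package paths are exact.
func TriageSample(data []byte) TriageResult {
	lower := bytes.ToLower(data)
	var r TriageResult
	for _, n := range toolNames {
		if bytes.Contains(lower, []byte(n)) {
			r.ToolNames = append(r.ToolNames, n)
		}
	}
	for _, p := range medusaPaths {
		if bytes.Contains(data, []byte(p)) {
			r.MedusaPaths = append(r.MedusaPaths, p)
		}
	}
	// Any Medusa path is a strong signal. A single tool name is common in benign
	// software, so require three or more (assumed threshold; tune on your corpus).
	r.Suspicious = len(r.MedusaPaths) > 0 || len(r.ToolNames) >= 3
	return r
}

func main() {
	// Constructed bytes standing in for a fragment of a Go binary's string data.
	sample := []byte("\x00github.com/whiterabb17/medusa/antidebug.ByProcessWatcher\x00ProcMon.exe\x00xdbg.exe\x00")
	r := TriageSample(sample)
	fmt.Printf("tools=%v medusa=%v suspicious=%v\n", r.ToolNames, r.MedusaPaths, r.Suspicious)
}
```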