al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system.
Latest Change 10/12/2012:
+ Fix Windows 10 detection -> RtlGetVersion
+ Add NtQueryObject (ObjectTypeInformation) anti-debug check
It performs a bunch of the tricks used by present-day malware, and the goal is to see if you catch them all.
Possible uses:
+ You are making an anti-debug plugin and you want to check its effectiveness.
+ You want to ensure that your sandbox solution is hidden enough.
+ Or you want to ensure that your malware analysis environment is well hidden.
Please, if you encounter any anti-analysis trick that you have seen in malware, don't hesitate to contribute.
Anti-debugging attacks
– IsDebuggerPresent
– CheckRemoteDebuggerPresent
– Process Environment Block (BeingDebugged)
– Process Environment Block (NtGlobalFlag)
– ProcessHeap (Flags)
– ProcessHeap (ForceFlags)
– NtQueryInformationProcess (ProcessDebugPort)
– NtQueryInformationProcess (ProcessDebugFlags)
– NtQueryInformationProcess (ProcessDebugObject)
– NtSetInformationThread (HideThreadFromDebugger)
– NtQueryObject (ObjectTypeInformation)
– CloseHandle (NtClose) Invalid Handle
– UnhandledExceptionFilter
– OutputDebugString (GetLastError())
– Hardware Breakpoints (SEH / GetThreadContext)
– Software Breakpoints (INT3 / 0xCC)
– Memory Breakpoints (PAGE_GUARD)
– Interrupt 1
– Parent Process (Explorer.exe)
– SeDebugPrivilege (Csrss.exe)
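What the "Software Breakpoints (INT3 / 0xCC)" entry above amounts to, as an added illustration in C that is not code from al-khaser: a plain 0xCC byte scan beside a checksum comparison, run over a constructed byte image instead of a live function so it builds on any platform. The function names and sample bytes are my own; the point for anyone tuning a debugger or sandbox is that a planted breakpoint is visible to both checks, while the checksum is the one that does not false-positive on legitimate 0xCC bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Count 0xCC (INT3) bytes in a code region. A debugger that plants a
 * software breakpoint overwrites the first byte of the target
 * instruction with 0xCC, so a protected function can scan its own
 * bytes for it. Caveat: 0xCC also occurs legitimately (inside an
 * immediate operand, or as MSVC inter-function padding), so a bare
 * scan can raise false positives on a clean binary. */
size_t count_int3(const unsigned char *code, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC) n++;
    return n;
}

/* FNV-1a over the region: the more robust variant. Snapshot the hash
 * once at startup and recompute later; any change (breakpoint, patch,
 * inline hook) shows up regardless of which byte value was written. */
uint32_t fnv1a32(const unsigned char *data, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the region no longer matches the reference hash. */
int code_tampered(const unsigned char *code, size_t len, uint32_t reference) {
    return fnv1a32(code, len) != reference;
}

int main(void) {
    /* Constructed sample image (not taken from any real binary):
     * push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret */
    unsigned char image[] = { 0x55, 0x48, 0x89, 0xE5, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3 };
    uint32_t ref = fnv1a32(image, sizeof image);
    printf("clean:  int3=%zu tampered=%d\n",
           count_int3(image, sizeof image), code_tampered(image, sizeof image, ref));
    image[4] = 0xCC;  /* simulate a breakpoint planted on "mov eax,1" */
    printf("after:  int3=%zu tampered=%d\n",
           count_int3(image, sizeof image), code_tampered(image, sizeof image, ref));
    return 0;
}
```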
Anti Dumping
– Erase PE header from memory
Download from source: al-khaser.zip
Source: https://github.com/LordNoteworthy