├── .gitattributes ├── .gitignore ├── Backup Logs └── fullShellCode.txt ├── Baseline Tools ├── BaselineTools.sln ├── Debug │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── GenerateReport.exe │ ├── InstructionCounter.dll │ ├── InstructionCounter.exp │ ├── InstructionCounter.lib │ ├── ParanoidPreventer.dll │ ├── ParanoidPreventer.exp │ ├── ParanoidPreventer.lib │ ├── PinTool.dll │ ├── PinTool.exp │ ├── PinTool.lastbuildstate │ ├── PinTool.lib │ ├── PinTool.write.1.tlog │ ├── cl.command.1.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ ├── link.read.2.tlog │ ├── link.write.1.tlog │ └── link.write.2.tlog ├── InstructionCount.cpp ├── MyPinTool.sln.old ├── MyPinTool.vcxproj ├── MyPinTool.vcxproj.filters ├── main.h └── makefile ├── ParanoidFamily ├── Debug │ ├── ParanoidDetector.dll │ ├── ParanoidDetector.exp │ ├── ParanoidDetector.lib │ ├── ParanoidMalware.exe │ ├── ParanoidPreventer.dll │ ├── ParanoidPreventer.exp │ └── ParanoidPreventer.lib ├── ParanoidDetector │ ├── AllRoutines.cpp │ ├── AllRoutines.h │ ├── Debug │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── ParanoidDetector.dll │ │ ├── ParanoidDetector.exp │ │ ├── ParanoidDetector.lastbuildstate │ │ ├── ParanoidDetector.lib │ │ ├── ParanoidDetector.write.1.tlog │ │ ├── cl.command.1.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── MyPinTool.sln.old │ ├── ParanoidDetector.cpp │ ├── ParanoidDetector.vcxproj │ ├── ParanoidDetector.vcxproj.filters │ ├── ShellCode.cpp │ ├── ShellCode.h │ ├── SystemCall.cpp │ ├── SystemCall.h │ └── main.h ├── ParanoidFamily.sln ├── ParanoidMalware │ ├── Debug │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── ParanoidMalware.exe.embed.manifest │ │ ├── ParanoidMalware.exe.embed.manifest.res │ │ ├── ParanoidMalware.exe.intermediate.manifest │ │ ├── ParanoidMalware.lastbuildstate │ │ ├── ParanoidMalware_manifest.rc │ │ ├── cl.command.1.tlog │ │ ├── link-cvtres.read.1.tlog │ │ ├── link-cvtres.write.1.tlog │ │ ├── 
link.1488-cvtres.read.1.tlog │ │ ├── link.1488-cvtres.write.1.tlog │ │ ├── link.1488.read.1.tlog │ │ ├── link.1488.write.1.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ ├── link.write.1.tlog │ │ ├── mt.command.1.tlog │ │ ├── mt.read.1.tlog │ │ ├── mt.write.1.tlog │ │ ├── rc.command.1.tlog │ │ ├── rc.read.1.tlog │ │ ├── rc.write.1.tlog │ │ └── vc100.idb │ ├── Helper.cpp │ ├── Helper.h │ ├── ParanoidMalware.cpp │ ├── ParanoidMalware.vcxproj │ ├── ParanoidMalware.vcxproj.filters │ ├── ReadMe.txt │ ├── Release │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── ParanoidMalware.exe.intermediate.manifest │ │ ├── ParanoidMalware.lastbuildstate │ │ ├── cl.command.1.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ ├── link.write.1.tlog │ │ ├── mt.command.1.tlog │ │ ├── mt.read.1.tlog │ │ └── mt.write.1.tlog │ ├── antidebug.cpp │ ├── antidebug.h │ ├── antisandbox.cpp │ ├── antisandbox.h │ ├── main.h │ ├── qemu.cpp │ ├── qemu.h │ ├── virtualbox.cpp │ ├── virtualbox.h │ ├── virtualpc.cpp │ ├── virtualpc.h │ ├── vmware.cpp │ └── vmware.h └── ParanoidPreventer │ ├── Debug │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── ParanoidPreventer.dll │ ├── ParanoidPreventer.exp │ ├── ParanoidPreventer.lastbuildstate │ ├── ParanoidPreventer.lib │ ├── ParanoidPreventer.write.1.tlog │ ├── cl.command.1.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ └── link.write.1.tlog │ ├── MyPinTool.vcproj │ ├── MyPinTool.vcxproj │ ├── MyPinTool.vcxproj.filters │ ├── ParanoidPreventer.cpp │ ├── main.h │ └── makefile ├── README.md └── yaraCheck.py /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC 
diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 
38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | 46 | x64/ 47 | build/ 48 | [Bb]in/ 49 | [Oo]bj/ 50 | 51 | # MSTest test Results 52 | [Tt]est[Rr]esult*/ 53 | [Bb]uild[Ll]og.* 54 | 55 | *_i.c 56 | *_p.c 57 | *.ilk 58 | *.meta 59 | *.obj 60 | *.pch 61 | *.pdb 62 | *.pgc 63 | *.pgd 64 | *.rsp 65 | *.sbr 66 | *.tlb 67 | *.tli 68 | *.tlh 69 | *.tmp 70 | *.tmp_proj 71 | *.log 72 | *.vspscc 73 | *.vssscc 74 | .builds 75 | *.pidb 76 | *.log 77 | *.scc 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opensdf 84 | *.sdf 85 | *.cachefile 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | 92 | # Guidance Automation Toolkit 93 | *.gpState 94 | 95 | # ReSharper is a .NET coding add-in 96 | _ReSharper*/ 97 | *.[Rr]e[Ss]harper 98 | 99 | # TeamCity is a build add-in 100 | _TeamCity* 101 | 102 | # DotCover is a Code Coverage Tool 103 | *.dotCover 104 | 105 | # NCrunch 106 | *.ncrunch* 107 | .*crunch*.local.xml 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.Publish.xml 127 | *.pubxml 128 | 129 | # NuGet Packages Directory 130 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line 131 | #packages/ 132 | 133 | # Windows Azure Build Output 134 | csx 135 | *.build.csdef 136 | 137 | # Windows Store app package directory 138 | AppPackages/ 139 | 140 | # Others 141 | sql/ 142 | *.Cache 143 | ClientBin/ 144 | [Ss]tyle[Cc]op.* 145 | ~$* 146 | *~ 147 | *.dbmdl 148 | *.[Pp]ublish.xml 149 | *.pfx 150 | *.publishsettings 151 | 152 | # RIA/Silverlight projects 153 | Generated_Code/ 154 | 
155 | # Backup & report files from converting an old project file to a newer 156 | # Visual Studio version. Backup files are not needed, because we have git ;-) 157 | _UpgradeReport_Files/ 158 | Backup*/ 159 | UpgradeLog*.XML 160 | UpgradeLog*.htm 161 | 162 | # SQL Server files 163 | App_Data/*.mdf 164 | App_Data/*.ldf 165 | 166 | ############# 167 | ## Windows detritus 168 | ############# 169 | 170 | # Windows image file caches 171 | Thumbs.db 172 | ehthumbs.db 173 | 174 | # Folder config file 175 | Desktop.ini 176 | 177 | # Recycle Bin used on file shares 178 | $RECYCLE.BIN/ 179 | 180 | # Mac crap 181 | .DS_Store 182 | 183 | 184 | ############# 185 | ## Python 186 | ############# 187 | 188 | *.py[co] 189 | 190 | # Packages 191 | *.egg 192 | *.egg-info 193 | dist/ 194 | build/ 195 | eggs/ 196 | parts/ 197 | var/ 198 | sdist/ 199 | develop-eggs/ 200 | .installed.cfg 201 | 202 | # Installer logs 203 | pip-log.txt 204 | 205 | # Unit test / coverage reports 206 | .coverage 207 | .tox 208 | 209 | #Translations 210 | *.mo 211 | 212 | #Mr Developer 213 | .mr.developer.cfg 214 | -------------------------------------------------------------------------------- /Baseline Tools/BaselineTools.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PinTool", "MyPinTool.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 16 | 
{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 17 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 18 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 19 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32 20 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 21 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 22 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Debug|Win32.ActiveCfg = Debug|Win32 23 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Debug|Win32.Build.0 = Debug|Win32 24 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Debug|x64.ActiveCfg = Debug|Win32 25 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Release|Win32.ActiveCfg = Release|Win32 26 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Release|Win32.Build.0 = Release|Win32 27 | {E4831133-389A-462C-82E6-A6130DB0E3FC}.Release|x64.ActiveCfg = Release|Win32 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | EndGlobal 33 | -------------------------------------------------------------------------------- /Baseline Tools/Debug/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/CL.read.1.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/CL.write.1.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/GenerateReport.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/GenerateReport.exe -------------------------------------------------------------------------------- /Baseline Tools/Debug/InstructionCounter.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/InstructionCounter.dll -------------------------------------------------------------------------------- /Baseline Tools/Debug/InstructionCounter.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/InstructionCounter.exp -------------------------------------------------------------------------------- /Baseline Tools/Debug/InstructionCounter.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/InstructionCounter.lib -------------------------------------------------------------------------------- /Baseline Tools/Debug/ParanoidPreventer.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/ParanoidPreventer.dll -------------------------------------------------------------------------------- /Baseline Tools/Debug/ParanoidPreventer.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/ParanoidPreventer.exp -------------------------------------------------------------------------------- /Baseline 
Tools/Debug/ParanoidPreventer.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/ParanoidPreventer.lib -------------------------------------------------------------------------------- /Baseline Tools/Debug/PinTool.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/PinTool.dll -------------------------------------------------------------------------------- /Baseline Tools/Debug/PinTool.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/PinTool.exp -------------------------------------------------------------------------------- /Baseline Tools/Debug/PinTool.lastbuildstate: -------------------------------------------------------------------------------- 1 | #v4.0:v100 2 | Debug|Win32|C:\GitHub\CP4101\InstructionCounter\| 3 | -------------------------------------------------------------------------------- /Baseline Tools/Debug/PinTool.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/PinTool.lib -------------------------------------------------------------------------------- /Baseline Tools/Debug/cl.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/cl.command.1.tlog -------------------------------------------------------------------------------- /Baseline 
Tools/Debug/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/link.command.1.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/link.read.1.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/link.read.2.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/link.read.2.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/link.write.1.tlog -------------------------------------------------------------------------------- /Baseline Tools/Debug/link.write.2.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/Baseline Tools/Debug/link.write.2.tlog -------------------------------------------------------------------------------- /Baseline Tools/InstructionCount.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "main.h" 3 | 4 | ofstream OutFile; 5 | 6 | // The running count of instructions is kept here 7 | // make it static to help the compiler optimize docount 
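// The running count of instructions is kept here.
// Static so the compiler can keep docount's code path as short as possible.
static UINT64 icount = 0;

// Analysis routine: Pin calls this before every executed instruction.
// NOTE(review): icount++ is a plain read-modify-write on a shared global.
// When the instrumented application runs several threads, increments made
// concurrently can be lost, so the final value is only a lower bound in
// that case; serialise with a PIN lock or keep per-thread counters if an
// exact figure matters.
VOID docount() { icount++; }

// Instrumentation routine: Pin calls this once for each new instruction it
// encounters; we insert an argument-less call to docount ahead of it.
VOID Instruction(INS ins, VOID *v)
{
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
}

// -o <file>: where the final count is written. The default is relative to
// the current working directory, and ofstream will not create the "count"
// folder, so it must already exist or the open in main silently fails.
KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
    "o", "count\\inscount.out", "specify output file name");

// Fini routine: called when the application exits.
// The count goes to a file because cout and cerr may already have been
// closed by the application. main does not check whether the open
// succeeded; rather than losing the result silently when the file is not
// open, fall back to cerr with an explanatory tag.
VOID Fini(INT32 code, VOID *v)
{
    cout << icount << endl;
    if (OutFile.is_open())
    {
        OutFile.setf(ios::showbase);
        OutFile << "Count " << icount << endl;
        OutFile.close();
    }
    else
    {
        cerr << "Count " << icount << " (output file not open)" << endl;
    }
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

// Prints the tool description plus the knob summary to cerr and returns -1,
// which main hands straight back as the process exit status.
INT32 Usage()
{
    cerr << "This tool counts the number of dynamic instructions executed" << endl;
    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */
/* argc, argv are the entire command line: pin -t -- ...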
*/ 48 | /* ===================================================================== */ 49 | 50 | int main(int argc, char * argv[]) 51 | { 52 | // Initialize pin 53 | if (PIN_Init(argc, argv)) return Usage(); 54 | 55 | OutFile.open(KnobOutputFile.Value().c_str()); 56 | 57 | // Register Instruction to be called to instrument instructions 58 | INS_AddInstrumentFunction(Instruction, 0); 59 | 60 | // Register Fini to be called when the application exits 61 | PIN_AddFiniFunction(Fini, 0); 62 | 63 | // Start the program, never returns 64 | PIN_StartProgram(); 65 | 66 | return 0; 67 | } -------------------------------------------------------------------------------- /Baseline Tools/MyPinTool.sln.old: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 9.00 3 | # Visual Studio 2005 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPinTool", "MyPinTool.vcproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 16 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 17 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 18 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 19 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32 20 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 21 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = 
preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /Baseline Tools/MyPinTool.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {639EF517-FCFC-408E-9500-71F0DC0458DB} 23 | InstructionCounter 24 | Win32Proj 25 | InstructionCounter 26 | 27 | 28 | 29 | DynamicLibrary 30 | MultiByte 31 | true 32 | 33 | 34 | DynamicLibrary 35 | MultiByte 36 | 37 | 38 | DynamicLibrary 39 | MultiByte 40 | true 41 | 42 | 43 | DynamicLibrary 44 | MultiByte 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | <_ProjectFileVersion>10.0.40219.1 64 | $(ProjectDir)$(Configuration)\ 65 | $(Configuration)\ 66 | false 67 | false 68 | $(ProjectDir)$(Platform)\$(Configuration)\ 69 | $(Platform)\$(Configuration)\ 70 | false 71 | false 72 | $(ProjectDir)$(Configuration)\ 73 | $(Configuration)\ 74 | false 75 | false 76 | $(ProjectDir)$(Platform)\$(Configuration)\ 77 | $(Platform)\$(Configuration)\ 78 | false 79 | false 80 | AllRules.ruleset 81 | 82 | 83 | AllRules.ruleset 84 | 85 | 86 | AllRules.ruleset 87 | 88 | 89 | AllRules.ruleset 90 | 91 | 92 | InstructionCounter 93 | 94 | 95 | 96 | /EHs- /EHa- %(AdditionalOptions) 97 | Disabled 98 | C:\pin\source\include;C:\pin\source\include\gen;C:\pin\source\tools\InstLib;C:\pin\extras\xed2-ia32\include;C:\pin\extras\components\include;%(AdditionalIncludeDirectories) 99 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 100 | false 101 | 102 | 103 | Default 104 | MultiThreaded 105 | false 106 | true 107 | NotSet 108 | false 109 | 110 | 111 | Level3 112 | ProgramDatabase 113 | 4530;%(DisableSpecificWarnings) 114 | 115 | 116 | /export:main %(AdditionalOptions) 
117 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib;psapi.lib 118 | C:\pin\ia32\lib;C:\pin\ia32\lib-ext;C:\pin\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 119 | true 120 | %(IgnoreSpecificDefaultLibraries) 121 | true 122 | NotSet 123 | false 124 | Ptrace_DllMainCRTStartup%4012 125 | 0x55000000 126 | MachineX86 127 | true 128 | 129 | 130 | 131 | 132 | X64 133 | 134 | 135 | /EHs- /EHa- %(AdditionalOptions) 136 | Disabled 137 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 138 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 139 | false 140 | 141 | 142 | Default 143 | MultiThreaded 144 | false 145 | true 146 | false 147 | 148 | 149 | Level3 150 | ProgramDatabase 151 | 4530;%(DisableSpecificWarnings) 152 | 153 | 154 | /export:main %(AdditionalOptions) 155 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 156 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 157 | true 158 | %(IgnoreSpecificDefaultLibraries) 159 | true 160 | NotSet 161 | false 162 | Ptrace_DllMainCRTStartup 163 | 0xC5000000 164 | MachineX64 165 | true 166 | 167 | 168 | 169 | 170 | /EHs- /EHa- %(AdditionalOptions) 171 | true 172 | false 173 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-ia32\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 174 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 175 | false 176 | 177 | 178 | Default 179 | MultiThreaded 180 | false 181 | true 182 | NotSet 183 | false 184 | 185 | 186 | Level3 187 | 188 | 189 | 4530;%(DisableSpecificWarnings) 190 | 191 | 192 | /export:main %(AdditionalOptions) 193 | 
pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib 194 | ..\..\..\ia32\lib;..\..\..\ia32\lib-ext;..\..\..\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 195 | true 196 | %(IgnoreSpecificDefaultLibraries) 197 | true 198 | NotSet 199 | true 200 | 201 | 202 | 203 | 204 | Ptrace_DllMainCRTStartup%4012 205 | 0x55000000 206 | MachineX86 207 | 208 | 209 | 210 | 211 | X64 212 | 213 | 214 | /EHs- /EHa- %(AdditionalOptions) 215 | true 216 | false 217 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 218 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 219 | false 220 | 221 | 222 | Default 223 | MultiThreaded 224 | false 225 | true 226 | false 227 | 228 | 229 | Level3 230 | 231 | 232 | 4530;%(DisableSpecificWarnings) 233 | 234 | 235 | /export:main %(AdditionalOptions) 236 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 237 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 238 | true 239 | %(IgnoreSpecificDefaultLibraries) 240 | true 241 | NotSet 242 | true 243 | 244 | 245 | 246 | 247 | Ptrace_DllMainCRTStartup 248 | 0xC5000000 249 | MachineX64 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | -------------------------------------------------------------------------------- /Baseline Tools/MyPinTool.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {36d60a99-9b59-434c-8eb8-a3907e0547da} 14 | txt;doc;html 15 | 16 | 17 | 18 | 19 | Documents 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | 
Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /Baseline Tools/main.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "pin.H" -------------------------------------------------------------------------------- /Baseline Tools/makefile: -------------------------------------------------------------------------------- 1 | ## 2 | ## This is a sample makefile for building Pin tools outside 3 | ## of the Pin environment. This makefile is suitable for 4 | ## building with the Pin kit, not a Pin source development tree. 5 | ## 6 | ## To build the tool, execute the make command: 7 | ## 8 | ## make 9 | ## or 10 | ## make PIN_HOME= 11 | ## 12 | ## After building your tool, you would invoke Pin like this: 13 | ## 14 | ## $PIN_HOME/pin -t MyPinTool -- /bin/ls 15 | ## 16 | ############################################################## 17 | # 18 | # User-specific configuration 19 | # 20 | ############################################################## 21 | 22 | # 23 | # 1. Change PIN_HOME to point to the top-level directory where 24 | # Pin was installed. This can also be set on the command line, 25 | # or as an environment variable. 26 | # 27 | PIN_HOME ?= ../../.. 
28 | 29 | 30 | ############################################################## 31 | # 32 | # set up and include *.config files 33 | # 34 | ############################################################## 35 | 36 | PIN_KIT=$(PIN_HOME) 37 | KIT=1 38 | TESTAPP=$(OBJDIR)cp-pin.exe 39 | 40 | TARGET_COMPILER?=gnu 41 | ifdef OS 42 | ifeq (${OS},Windows_NT) 43 | TARGET_COMPILER=ms 44 | endif 45 | endif 46 | 47 | ifeq ($(TARGET_COMPILER),gnu) 48 | include $(PIN_HOME)/source/tools/makefile.gnu.config 49 | CXXFLAGS ?= -Wall -Werror -Wno-unknown-pragmas $(DBG) $(OPT) 50 | PIN=$(PIN_HOME)/pin 51 | endif 52 | 53 | ifeq ($(TARGET_COMPILER),ms) 54 | include $(PIN_HOME)/source/tools/makefile.ms.config 55 | DBG?= 56 | PIN=$(PIN_HOME)/pin.bat 57 | endif 58 | 59 | 60 | ############################################################## 61 | # 62 | # Tools - you may wish to add your tool name to TOOL_ROOTS 63 | # 64 | ############################################################## 65 | 66 | 67 | TOOL_ROOTS = MyPinTool 68 | 69 | TOOLS = $(TOOL_ROOTS:%=$(OBJDIR)%$(PINTOOL_SUFFIX)) 70 | 71 | 72 | ############################################################## 73 | # 74 | # build rules 75 | # 76 | ############################################################## 77 | 78 | all: tools 79 | tools: $(OBJDIR) $(TOOLS) $(OBJDIR)cp-pin.exe 80 | test: $(OBJDIR) $(TOOL_ROOTS:%=%.test) 81 | 82 | MyPinTool.test: $(OBJDIR)cp-pin.exe 83 | $(MAKE) -k PIN_HOME=$(PIN_HOME) 84 | 85 | $(OBJDIR)cp-pin.exe: 86 | $(CXX) $(PIN_HOME)/source/tools/Tests/cp-pin.cpp $(APP_CXXFLAGS) -o $(OBJDIR)cp-pin.exe 87 | 88 | $(OBJDIR): 89 | mkdir -p $(OBJDIR) 90 | 91 | $(OBJDIR)%.o : %.cpp 92 | $(CXX) -c $(CXXFLAGS) $(PIN_CXXFLAGS) ${OUTOPT}$@ $< 93 | 94 | $(TOOLS): $(PIN_LIBNAMES) 95 | 96 | $(TOOLS): %$(PINTOOL_SUFFIX) : %.o 97 | ${PIN_LD} $(PIN_LDFLAGS) $(LINK_DEBUG) ${LINK_OUT}$@ $< ${PIN_LPATHS} $(PIN_LIBS) $(DBG) 98 | 99 | 100 | ## cleaning 101 | clean: 102 | -rm -rf $(OBJDIR) *.out *.tested *.failed makefile.copy 103 | 
-------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidDetector.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidDetector.dll -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidDetector.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidDetector.exp -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidDetector.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidDetector.lib -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidMalware.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidMalware.exe -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidPreventer.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidPreventer.dll -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidPreventer.exp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidPreventer.exp -------------------------------------------------------------------------------- /ParanoidFamily/Debug/ParanoidPreventer.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/Debug/ParanoidPreventer.lib -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/AllRoutines.cpp: -------------------------------------------------------------------------------- 1 | #include "AllRoutines.h" 2 | #include 3 | typedef struct RtnName{ 4 | string _name; 5 | struct RtnName * _next; 6 | }RTNNAME; 7 | // Linked list 8 | RTNNAME *RtnList = 0; 9 | namespace WINDOWS 10 | { 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #define BUFSIZE 512 34 | 35 | int getProcessID(string procName){ 36 | HANDLE hProcessSnap; 37 | 38 | PROCESSENTRY32 pe32; 39 | 40 | // Take a snapshot of all processes in the system. 41 | hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); 42 | if( hProcessSnap == INVALID_HANDLE_VALUE ) 43 | { 44 | return( -1 ); 45 | } 46 | 47 | // Set the size of the structure before using it. 
48 | pe32.dwSize = sizeof( PROCESSENTRY32 ); 49 | 50 | // Retrieve information about the first process, 51 | // and exit if unsuccessful 52 | if( !Process32First( hProcessSnap, &pe32 ) ) 53 | { 54 | CloseHandle( hProcessSnap ); // clean the snapshot object 55 | return( -1 ); 56 | } 57 | 58 | // Now walk the snapshot of processes, and 59 | // display information about each process in turn 60 | do 61 | { 62 | if(pe32.szExeFile == procName){ 63 | return pe32.th32ProcessID; 64 | } 65 | } while( Process32Next( hProcessSnap, &pe32 ) ); 66 | 67 | CloseHandle( hProcessSnap ); 68 | return( -1 ); 69 | } 70 | 71 | BOOL GetFileNameFromHandle(HANDLE hFile) 72 | { 73 | BOOL bSuccess = FALSE; 74 | TCHAR pszFilename[MAX_PATH+1]; 75 | HANDLE hFileMap; 76 | 77 | // Get the file size. 78 | DWORD dwFileSizeHi = 0; 79 | DWORD dwFileSizeLo = GetFileSize(hFile, &dwFileSizeHi); 80 | 81 | if( dwFileSizeLo == 0 && dwFileSizeHi == 0 ) 82 | { 83 | _tprintf(TEXT("Cannot map a file with a length of zero.\n")); 84 | return FALSE; 85 | } 86 | 87 | // Create a file mapping object. 88 | hFileMap = CreateFileMapping(hFile, 89 | NULL, 90 | PAGE_READONLY, 91 | 0, 92 | 1, 93 | NULL); 94 | 95 | if (hFileMap) 96 | { 97 | // Create a file mapping to get the file name. 98 | void* pMem = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1); 99 | 100 | if (pMem) 101 | { 102 | if (GetMappedFileName (GetCurrentProcess(), 103 | pMem, 104 | pszFilename, 105 | MAX_PATH)) 106 | { 107 | 108 | // Translate path with device name to drive letters. 
109 | TCHAR szTemp[BUFSIZE]; 110 | szTemp[0] = '\0'; 111 | 112 | if (GetLogicalDriveStrings(BUFSIZE-1, szTemp)) 113 | { 114 | TCHAR szName[MAX_PATH]; 115 | TCHAR szDrive[3] = TEXT(" :"); 116 | BOOL bFound = FALSE; 117 | TCHAR* p = szTemp; 118 | 119 | do 120 | { 121 | // Copy the drive letter to the template string 122 | *szDrive = *p; 123 | 124 | // Look up each device name 125 | if (QueryDosDevice(szDrive, szName, MAX_PATH)) 126 | { 127 | size_t uNameLen = _tcslen(szName); 128 | 129 | if (uNameLen < MAX_PATH) 130 | { 131 | bFound = _tcsnicmp(pszFilename, szName, uNameLen) == 0 132 | && *(pszFilename + uNameLen) == _T('\\'); 133 | 134 | if (bFound) 135 | { 136 | // Reconstruct pszFilename using szTempFile 137 | // Replace device path with DOS path 138 | TCHAR szTempFile[MAX_PATH]; 139 | StringCchPrintf(szTempFile, 140 | MAX_PATH, 141 | TEXT("%s%s"), 142 | szDrive, 143 | pszFilename+uNameLen); 144 | StringCchCopyN(pszFilename, MAX_PATH+1, szTempFile, _tcslen(szTempFile)); 145 | } 146 | } 147 | } 148 | 149 | // Go to the next NULL character. 
150 | while (*p++); 151 | } while (!bFound && *p); // end of string 152 | } 153 | } 154 | bSuccess = TRUE; 155 | UnmapViewOfFile(pMem); 156 | } 157 | 158 | CloseHandle(hFileMap); 159 | } 160 | _tprintf(TEXT("File name is %s\n"), pszFilename); 161 | return(bSuccess); 162 | } 163 | } 164 | std::ofstream TraceFile; 165 | std::ofstream TraceAntiDebug; 166 | std::ofstream TraceAntiVirtual; 167 | std::ofstream TraceAntiSandbox; 168 | std::wofstream TraceRegistry; 169 | 170 | bool switchDesktop = 0; 171 | bool setThreadDesktop = 0; 172 | bool isdebuggerpresent = 0; 173 | bool checkremote = 0; 174 | bool SetUnhandledExceptionFilter = 0; 175 | bool blockInput = 0; 176 | bool vmwaretray = 0; 177 | bool vmtoolsd = 0; 178 | bool vmacthlp = 0; 179 | 180 | const char * StripPath(const char * path) 181 | { 182 | const char * file = strrchr(path,'/'); 183 | if (file) 184 | return file+1; 185 | else 186 | return path; 187 | } 188 | 189 | bool isSeDebugCheck = 0; 190 | bool virtualdisk = 0; 191 | bool vm = 0; 192 | bool vbox = 0; 193 | bool windowsProduct = 0; 194 | 195 | VOID PrintArguments_RegOpenKey(CHAR * name, ADDRINT arg0, wchar_t * arg1) 196 | { 197 | wstring w = wstring(arg1); 198 | transform(w.begin(), w.end(),w.begin(),towupper); 199 | //wcout << w << "\n"; 200 | //TraceRegistry.write((char*)arg1, wcslen(arg1) * sizeof(wchar_t)); 201 | 202 | //TraceRegistry << arg1 << "\n"; 203 | if(w.find(L"VBOX") != w.npos && vbox == 0){ 204 | //TraceFile << "Anti-VirtualBox: Checking for Vbox environment" << "\n"; 205 | TraceAntiVirtual << "virtualbox,registry,\"vbox\"" << endl; 206 | vbox = 1; 207 | } 208 | 209 | if(w.find(L"VIRTUALBOX") != w.npos && vbox == 0){ 210 | //TraceFile << "Anti-VirtualBox: Checking for Vbox environment" << "\n"; 211 | TraceAntiVirtual << "virtualbox, registry, \"virtualbox\"" << "\n"; 212 | vbox = 1; 213 | } 214 | 215 | if( w.find(L"VMWARE") != w.npos || w.find(L"VMTOOLS") != w.npos || w.find(L"VM") != w.npos){ 216 | if(vm==0){ 217 | //TraceFile << "Anti-VM: 
Checking for vm environment (VMWare, VMTools in registry)" << "\n"; 218 | TraceAntiVirtual << "vmware, registry, \"vm\"" << "\n"; 219 | vm = 1; 220 | } 221 | } 222 | 223 | if( w.find(L"VideoBios") != w.npos){ 224 | TraceAntiVirtual << "vmware, registry, \"videobios\"" << "\n"; 225 | } 226 | 227 | } 228 | 229 | VOID PrintArguments_RegQueryKey(CHAR * name, ADDRINT arg0, wchar_t * arg1) 230 | { 231 | wstring w = L" " + wstring(arg1) + L" " ; 232 | transform(w.begin(), w.end(),w.begin(),towupper); 233 | 234 | if(w.find(L" 0 ") != w.npos || w.find(L" IDENTIFIER ")!= w.npos){ 235 | if(virtualdisk == 0){ 236 | //TraceFile << "Anti-Virtualization: Checking on virtual disk.\n"; 237 | TraceAntiVirtual << "vmware, registry, \"0\", \"identifier\"\n"; 238 | virtualdisk =1 ; 239 | } 240 | } 241 | 242 | if(w.find(L" PRODUCTID ") != w.npos && windowsProduct == 0){ 243 | //TraceFile << "Anti-Sandbox: Checking on Windows Operating system's product ID\n"; 244 | TraceAntiSandbox << "sandbox, registry, \"productid\"\n"; 245 | windowsProduct = 1; 246 | } 247 | 248 | if( w.find(L"VideoBios") != w.npos){ 249 | TraceAntiVirtual << "vmware, registry, \"videobios\"" << "\n"; 250 | } 251 | 252 | } 253 | 254 | VOID PrintArguments_Process(CHAR * name, ADDRINT arg0) 255 | { 256 | if(WINDOWS::getProcessID("csrss.exe") == arg0 && isSeDebugCheck == 0){ 257 | //TraceFile << "Anti-Debugging: Executable enables SeDebugPrivilege." 
<< endl; 258 | TraceAntiDebug << "debugger, process, \"csrss.exe\", \"SeDebugPrivileges\"\n"; 259 | isSeDebugCheck = 1; 260 | } 261 | 262 | if(WINDOWS::getProcessID("vmacthlp.exe") == arg0 && vmacthlp == 0){ 263 | TraceAntiVirtual << "vmware, process, \"vmacthlp.exe\"\n"; 264 | vmacthlp = 1; 265 | } 266 | 267 | if(WINDOWS::getProcessID("vmtoolsd.exe") == arg0 && vmtoolsd == 0){ 268 | TraceAntiVirtual << "vmware, process, \"vmtoolsd.exe\"\n"; 269 | vmtoolsd = 1; 270 | } 271 | 272 | if(WINDOWS::getProcessID("VMwareTray.exe") == arg0 && vmwaretray == 0){ 273 | TraceAntiVirtual << "vmware, process, \"vmwaretray.exe\"\n"; 274 | vmwaretray = 1; 275 | } 276 | } 277 | 278 | VOID PrintArguments_FindWindow(CHAR * name, wchar_t * arg0) 279 | { 280 | wstring w = wstring(arg0); 281 | transform(w.begin(), w.end(),w.begin(),towupper); 282 | wcout << w << "\n"; 283 | TraceFile << w.c_str() << "\n"; 284 | } 285 | 286 | VOID checkIsDebuggerPresent(CHAR * name, bool retVal){ 287 | TraceAntiDebug << "debugger, api, \"isDebuggerPresent\"\n"; 288 | isdebuggerpresent = 1; 289 | } 290 | 291 | VOID checkIsRemoteDebuggerPresent(CHAR *name, bool retVal){ 292 | TraceAntiDebug << "debugger, api, \"CheckremoteDebuggerPresent\"\n"; 293 | checkremote = 1; 294 | } 295 | 296 | VOID checkGetFileAttributes(CHAR * name, ADDRINT arg0){ 297 | //TraceAntiDebug << name << endl; 298 | } 299 | 300 | VOID PrintArguments_OpenFile(CHAR * name, ADDRINT arg0, ADDRINT arg1){ 301 | //printf("FILEHANDLE: %x, %x\n", arg0,arg1); 302 | //WINDOWS::GetFileNameFromHandle((WINDOWS::HANDLE) arg0); 303 | } 304 | 305 | 306 | VOID Image(IMG img, VOID *v) 307 | { 308 | RTN cfwRtn = RTN_FindByName(img, "RegOpenKeyExW"); 309 | if (RTN_Valid(cfwRtn)) 310 | { 311 | RTN_Open(cfwRtn); 312 | 313 | RTN_InsertCall(cfwRtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_RegOpenKey, 314 | IARG_ADDRINT, "RegOpenKeyExW", 315 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 316 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 317 | IARG_FUNCARG_ENTRYPOINT_VALUE, 2, 318 | 
IARG_END); 319 | RTN_Close(cfwRtn); 320 | } 321 | 322 | cfwRtn = RTN_FindByName(img, "GetFileAttributesA"); 323 | if (RTN_Valid(cfwRtn)) 324 | { 325 | RTN_Open(cfwRtn); 326 | 327 | RTN_InsertCall(cfwRtn, IPOINT_BEFORE, (AFUNPTR)checkGetFileAttributes, 328 | IARG_ADDRINT, "GetFileAttributesA", 329 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 330 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 331 | IARG_END); 332 | RTN_Close(cfwRtn); 333 | } 334 | 335 | 336 | cfwRtn = RTN_FindByName(img, "RegQueryValueExW"); 337 | if (RTN_Valid(cfwRtn)) 338 | { 339 | RTN_Open(cfwRtn); 340 | 341 | RTN_InsertCall(cfwRtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_RegQueryKey, 342 | IARG_ADDRINT, "RegQueryValueExW", 343 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 344 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 345 | IARG_END); 346 | RTN_Close(cfwRtn); 347 | } 348 | 349 | 350 | /* 351 | cfwRtn = RTN_FindByName(img, "FindWindow"); 352 | if (RTN_Valid(cfwRtn)) 353 | { 354 | RTN_Open(cfwRtn); 355 | 356 | RTN_InsertCall(cfwRtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_FindWindow, 357 | IARG_ADDRINT, "FindWindow", 358 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 359 | IARG_END); 360 | RTN_Close(cfwRtn); 361 | }*/ 362 | 363 | /* checks for SeDebug*/ 364 | cfwRtn = RTN_FindByName(img, "OpenProcess"); 365 | if (RTN_Valid(cfwRtn)) 366 | { 367 | RTN_Open(cfwRtn); 368 | 369 | RTN_InsertCall(cfwRtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_Process, 370 | IARG_ADDRINT, "OpenProcess", 371 | IARG_FUNCARG_ENTRYPOINT_VALUE, 2, 372 | IARG_END); 373 | RTN_Close(cfwRtn); 374 | } 375 | 376 | } 377 | 378 | // This function is called when the application exits 379 | // It prints the name for each procedure 380 | VOID RoutinesFini(INT32 code, VOID *v) 381 | { 382 | } 383 | VOID Fini(INT32 code, VOID *v) 384 | { 385 | TraceFile.close(); 386 | } 387 | 388 | 389 | VOID Routine(RTN rtn, VOID *v) 390 | { 391 | RTNNAME *rc = new RTNNAME; 392 | rc->_name = RTN_Name(rtn); 393 | 394 | if(rc->_name == "RegOpenKeyExW"){ 395 | RTN_Open(rtn); 396 | RTN_InsertCall(rtn, 
IPOINT_BEFORE, (AFUNPTR)PrintArguments_RegOpenKey, 397 | IARG_ADDRINT, "RegOpenKeyExW", 398 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 399 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 400 | IARG_FUNCARG_ENTRYPOINT_VALUE, 2, 401 | IARG_END); 402 | RTN_Close(rtn); 403 | } 404 | if(rc->_name == "RegQueryValueExW") 405 | { 406 | RTN_Open(rtn); 407 | 408 | RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_RegQueryKey, 409 | IARG_ADDRINT, "RegQueryValueExW", 410 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 411 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 412 | IARG_END); 413 | RTN_Close(rtn); 414 | } 415 | 416 | /* checks for SeDebug*/ 417 | if (rc->_name == "OpenProcess") 418 | { 419 | RTN_Open(rtn); 420 | 421 | RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)PrintArguments_Process, 422 | IARG_ADDRINT, "OpenProcess", 423 | IARG_FUNCARG_ENTRYPOINT_VALUE, 2, 424 | IARG_END); 425 | RTN_Close(rtn); 426 | } 427 | 428 | // Checks for Debugger 429 | if(rc->_name == "IsDebuggerPresent" && isdebuggerpresent == 0){ 430 | RTN_Open(rtn); 431 | 432 | RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)checkIsDebuggerPresent, 433 | IARG_ADDRINT, "IsDebuggerPresent", 434 | IARG_FUNCRET_EXITPOINT_VALUE, 435 | IARG_END); 436 | 437 | RTN_Close(rtn); 438 | } 439 | 440 | if(rc->_name == "CheckRemoteDebuggerPresent" && checkremote == 0){ 441 | RTN_Open(rtn); 442 | 443 | RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)checkIsRemoteDebuggerPresent, 444 | IARG_ADDRINT, "CheckRemoteDebuggerPresent", 445 | IARG_FUNCRET_EXITPOINT_VALUE, 446 | IARG_END); 447 | 448 | RTN_Close(rtn); 449 | } 450 | 451 | if(rc->_name == "SetUnhandledExceptionFilter" && SetUnhandledExceptionFilter == 0){ 452 | //TraceAntiDebug << "debugger, api, \"SetUnhandledExceptionFilter\"\n"; 453 | SetUnhandledExceptionFilter = 1; 454 | } 455 | 456 | if(rc->_name == "BlockInput" && blockInput == 0){ 457 | //TraceAntiDebug << "debugger, api, \"blockInput\"\n"; 458 | blockInput = 1; 459 | } 460 | } 461 | 462 | int mainRoutine() 463 | { 464 | 
TraceAntiDebug.open("logs\\antidebug_routines.out"); 465 | TraceAntiVirtual.open("logs\\antivirtual_routines.out"); 466 | TraceAntiSandbox.open("logs\\antisandbox_routines.out"); 467 | TraceRegistry.open("logs\\registry.out"); 468 | RTN_AddInstrumentFunction(Routine, 0); 469 | PIN_AddFiniFunction(RoutinesFini, 0); 470 | IMG_AddInstrumentFunction(Image, (VOID *) 1); 471 | PIN_AddFiniFunction(Fini, 0); 472 | 473 | return 0; 474 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/AllRoutines.h: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Lim Seok Min 3 | Email: a0073541@nus.edu.sg 4 | Purpose: This tool will return all the routines called by the program. 5 | 6 | Reference: Modified from proccount.cpp 7 | */ 8 | #pragma once 9 | #include "main.h" 10 | 11 | const char * StripPath(const char * path); 12 | VOID Routine(RTN rtn, VOID *v); 13 | VOID RoutinesFini(INT32 code, VOID *v); 14 | int mainRoutine(); -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/CL.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/CL.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.dll -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.exp -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.lastbuildstate: -------------------------------------------------------------------------------- 1 | #v4.0:v100 2 | Debug|Win32|C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\| 3 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.lib -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/ParanoidDetector.write.1.tlog: -------------------------------------------------------------------------------- 1 | ^C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\MyPinTool.vcxproj 2 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.lib 3 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.lib 4 | C:\Documents and 
Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.exp 5 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.exp 6 | ^C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\ParanoidDetector.vcxproj 7 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.lib 8 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.lib 9 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.exp 10 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\Debug\ParanoidDetector.exp 11 | ^C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidDetector\ParanoidDetector.vcxproj 12 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidDetector.lib 13 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidDetector.lib 14 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidDetector.exp 15 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidDetector.exp 16 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/cl.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/cl.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/link.command.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/link.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/link.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/Debug/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidDetector/Debug/link.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/MyPinTool.sln.old: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 9.00 3 | # Visual Studio 2005 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPinTool", "MyPinTool.vcproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 16 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 17 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 18 | 
{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 19 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32 20 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 21 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/ParanoidDetector.cpp: -------------------------------------------------------------------------------- 1 | #include "main.h" 2 | #include "SystemCall.h" 3 | #include "AllRoutines.h" 4 | #include "ShellCode.h" 5 | 6 | 7 | int main(int argc, char * argv[]) 8 | { 9 | PIN_InitSymbols(); 10 | if(PIN_Init(argc, argv)) { 11 | cerr << "This Pintool returns all the system calls that are executed" << endl; 12 | cerr << endl << KNOB_BASE::StringKnobSummary() << endl; 13 | return 0; 14 | } 15 | 16 | // System Call 17 | mainSystemCall(); 18 | 19 | 20 | // Routine 21 | mainRoutine(); 22 | 23 | 24 | // Shell Code 25 | mainShellCode(); 26 | 27 | PIN_StartProgram(); 28 | return 0; 29 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/ParanoidDetector.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | ParanoidDetector 23 | {639EF517-FCFC-408E-9500-71F0DC0458DB} 24 | ParanoidDetector 25 | Win32Proj 26 | 27 | 28 | 29 | DynamicLibrary 30 | MultiByte 31 | true 32 | 33 | 34 | DynamicLibrary 35 | MultiByte 36 | 37 | 38 | DynamicLibrary 39 | MultiByte 40 | true 41 | 42 | 43 | DynamicLibrary 44 | MultiByte 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 
58 | 59 | 60 | 61 | 62 | 63 | <_ProjectFileVersion>10.0.30319.1 64 | $(SolutionDir)$(Configuration)\ 65 | $(Configuration)\ 66 | false 67 | false 68 | $(ProjectDir)$(Platform)\$(Configuration)\ 69 | $(Platform)\$(Configuration)\ 70 | false 71 | false 72 | $(ProjectDir)$(Configuration)\ 73 | $(Configuration)\ 74 | false 75 | false 76 | $(ProjectDir)$(Platform)\$(Configuration)\ 77 | $(Platform)\$(Configuration)\ 78 | false 79 | false 80 | AllRules.ruleset 81 | 82 | 83 | AllRules.ruleset 84 | 85 | 86 | AllRules.ruleset 87 | 88 | 89 | AllRules.ruleset 90 | 91 | 92 | 93 | 94 | 95 | /EHs- /EHa- %(AdditionalOptions) 96 | Disabled 97 | C:\pin\source\include;C:\pin\source\include\gen;C:\pin\source\tools\InstLib;C:\pin\extras\xed2-ia32\include;C:\pin\extras\components\include;%(AdditionalIncludeDirectories) 98 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 99 | false 100 | 101 | 102 | Default 103 | MultiThreaded 104 | false 105 | true 106 | NotSet 107 | false 108 | 109 | 110 | Level3 111 | ProgramDatabase 112 | 4530;%(DisableSpecificWarnings) 113 | 114 | 115 | /export:main %(AdditionalOptions) 116 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib;psapi.lib 117 | C:\pin\ia32\lib;C:\pin\ia32\lib-ext;C:\pin\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 118 | true 119 | %(IgnoreSpecificDefaultLibraries) 120 | true 121 | NotSet 122 | false 123 | Ptrace_DllMainCRTStartup%4012 124 | 0x55000000 125 | MachineX86 126 | true 127 | 128 | 129 | 130 | 131 | X64 132 | 133 | 134 | /EHs- /EHa- %(AdditionalOptions) 135 | Disabled 136 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 137 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 138 | false 139 | 140 | 141 | Default 142 | MultiThreaded 143 | false 144 | true 145 | 
false 146 | 147 | 148 | Level3 149 | ProgramDatabase 150 | 4530;%(DisableSpecificWarnings) 151 | 152 | 153 | /export:main %(AdditionalOptions) 154 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 155 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 156 | true 157 | %(IgnoreSpecificDefaultLibraries) 158 | true 159 | NotSet 160 | false 161 | Ptrace_DllMainCRTStartup 162 | 0xC5000000 163 | MachineX64 164 | true 165 | 166 | 167 | 168 | 169 | /EHs- /EHa- %(AdditionalOptions) 170 | true 171 | false 172 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-ia32\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 173 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 174 | false 175 | 176 | 177 | Default 178 | MultiThreaded 179 | false 180 | true 181 | NotSet 182 | false 183 | 184 | 185 | Level3 186 | 187 | 188 | 4530;%(DisableSpecificWarnings) 189 | 190 | 191 | /export:main %(AdditionalOptions) 192 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib 193 | ..\..\..\ia32\lib;..\..\..\ia32\lib-ext;..\..\..\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 194 | true 195 | %(IgnoreSpecificDefaultLibraries) 196 | true 197 | NotSet 198 | true 199 | 200 | 201 | 202 | 203 | Ptrace_DllMainCRTStartup%4012 204 | 0x55000000 205 | MachineX86 206 | 207 | 208 | 209 | 210 | X64 211 | 212 | 213 | /EHs- /EHa- %(AdditionalOptions) 214 | true 215 | false 216 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 217 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 218 | false 219 | 220 | 221 | Default 222 | MultiThreaded 223 | false 224 | true 225 | false 226 | 227 | 228 | Level3 229 | 230 | 231 | 
4530;%(DisableSpecificWarnings) 232 | 233 | 234 | /export:main %(AdditionalOptions) 235 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 236 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 237 | true 238 | %(IgnoreSpecificDefaultLibraries) 239 | true 240 | NotSet 241 | true 242 | 243 | 244 | 245 | 246 | Ptrace_DllMainCRTStartup 247 | 0xC5000000 248 | MachineX64 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/ParanoidDetector.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {0af310b1-577b-4ca4-8c13-ba908c2fbaf7} 14 | txt;doc;html 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Documents 34 | 35 | 36 | 37 | 38 | Header Files 39 | 40 | 41 | Header Files 42 | 43 | 44 | Header Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/ShellCode.cpp: -------------------------------------------------------------------------------- 1 | #include "pin.H" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | std::list legitInstructions; 10 | std::set dumped; 11 | std::ofstream traceFile; 12 | KNOB outputFile(KNOB_MODE_WRITEONCE, "pintool", "o", "logs\\allShellcode.out", "specify trace file name"); 13 | ofstream shellTraceFile("logs\\shellCode.out"); 14 | 15 | std::string prevInst=""; 16 | 17 | std::ofstream TraceAntiDebug3; 18 | std::ofstream 
TraceAntiVirtual3; 19 | std::ofstream TraceAntiSandbox3; 20 | // NTGlobalFlag 21 | bool NTGlobalFlag = 0; 22 | string NTGlobalInstr = ""; 23 | int inDetect = 0; 24 | 25 | bool isUnknownAddress(ADDRINT address) 26 | { 27 | for(IMG img=APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img)) 28 | { 29 | for(SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) 30 | { 31 | if (address >= SEC_Address(sec) && address < SEC_Address(sec) + SEC_Size(sec)) 32 | { 33 | return false; 34 | } 35 | } 36 | } 37 | 38 | return true; 39 | } 40 | /* 41 | * Detect what we want to detect and write to our file 42 | * 43 | */ 44 | void detect(std::string thisItr){ 45 | // Anti-VirtualPC, if eax is invalid 46 | if(thisItr.find("ret") != thisItr.npos){ 47 | if(prevInst.find("mov eax, 1") != prevInst.npos){ 48 | TraceAntiVirtual3 << "virtualbox, invalid instruction, \"" << thisItr << "\"" << endl; 49 | } 50 | } 51 | 52 | if(thisItr.find("0f3f070b") != thisItr.npos){ 53 | if(prevInst.find("mov eax, 1") != prevInst.npos){ 54 | TraceAntiVirtual3 << "virtualPC, invalid instruction, \"" << thisItr << "\"" << endl; 55 | } 56 | } 57 | 58 | // Anti-VM 59 | if(thisItr.find("0F 01 E0") != thisItr.npos){ 60 | if(prevInst.find("B8 CC CC CC CC") != prevInst.npos){ 61 | TraceAntiVirtual3 << "vmware, smsw, \"" << thisItr << "\"" << endl; 62 | } 63 | } 64 | 65 | if(thisItr.find("0xdead0000") != thisItr.npos){ 66 | TraceAntiVirtual3 << "vmware, sldt, \"" << thisItr << "\"" << endl; 67 | } 68 | 69 | if(thisItr.find("sidt ") != thisItr.npos){ 70 | TraceAntiVirtual3 << "vmware, sidt, \"" << thisItr << "\"" << endl; 71 | } 72 | if(thisItr.find("0x564d5868") != thisItr.npos){ 73 | TraceAntiVirtual3 << "vmware, IN, \"" << thisItr << "\"" << endl; 74 | } 75 | 76 | } 77 | 78 | std::string dumpInstruction(INS ins) 79 | { 80 | std::stringstream ss, instss; 81 | 82 | ADDRINT address = INS_Address(ins); 83 | 84 | // Generate address and module information 85 | ss << "0x" << setfill('0') << setw(8) << uppercase << 
hex << address << " " ; 86 | 87 | // Generate instruction byte encoding 88 | for (int i=0;i " << RTN_FindNameByAddress(INS_DirectBranchOrCallTargetAddress(ins)); 108 | } 109 | 110 | // write all shellcode to one file 111 | shellTraceFile << ss.str() << endl; 112 | 113 | // we should do the detection here. 114 | prevInst = ss.str(); 115 | detect(ss.str()); 116 | return ss.str(); 117 | } 118 | 119 | 120 | void dump_shellcode(std::string* instructionString) 121 | { 122 | if (!legitInstructions.empty()) 123 | { 124 | for (std::list::iterator Iter = legitInstructions.begin(); Iter != legitInstructions.end(); ++Iter) 125 | { 126 | if(*Iter!=""){ 127 | traceFile << *Iter << endl; 128 | //detect(*Iter); 129 | } 130 | } 131 | legitInstructions.clear(); 132 | } 133 | } 134 | 135 | 136 | void traceInst(INS ins, VOID*) 137 | { 138 | ADDRINT address = INS_Address(ins); 139 | std::stringstream ss; 140 | 141 | if (isUnknownAddress(address)) 142 | { 143 | INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(dump_shellcode), 144 | IARG_PTR, new std::string(dumpInstruction(ins)), IARG_END 145 | ); 146 | } 147 | else 148 | { 149 | legitInstructions.push_back(dumpInstruction(ins)); 150 | } 151 | 152 | 153 | } 154 | 155 | 156 | 157 | VOID fini(INT32, VOID*) 158 | { 159 | traceFile.close(); 160 | //shellTraceFile.close(); 161 | //generateReport(); 162 | } 163 | 164 | int mainShellCode() 165 | { 166 | TraceAntiDebug3.open("logs\\antidebug_shellCode.out"); 167 | TraceAntiVirtual3.open("logs\\antivirtual_shellCode.out"); 168 | TraceAntiSandbox3.open("logs\\antisandbox_shellCode.out"); 169 | //traceFile.open(outputFile.Value().c_str()); 170 | 171 | INS_AddInstrumentFunction(traceInst, 0); 172 | PIN_AddFiniFunction(fini, 0); 173 | return 0; 174 | } 175 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/ShellCode.h: -------------------------------------------------------------------------------- 1 | int mainShellCode(); 2 | 
-------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/SystemCall.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Lim Seok Min 3 | Email: a0073541@nus.edu.sg 4 | Purpose: This tool will return all the routines called by the program. 5 | 6 | Reference: http://jbremer.org/malware-unpacking-level-pintool/#rp-syscall 7 | */ 8 | 9 | #include "SystemCall.h" 10 | //ofstream traceFile2("logs\\system.out"); 11 | //ofstream traceFileAll("logs\\allSystem.out"); 12 | std::ofstream TraceAntiDebug2("logs\\antidebug_system.out"); 13 | std::ofstream TraceAntiVirtual2("logs\\antivirtual_system.out"); 14 | std::ofstream TraceAntiSandbox2("logs\\antisandbox_system.out"); 15 | 16 | void setTraceFile(string file){ 17 | //traceFile2.open(file); 18 | } 19 | bool processdebug = 0; 20 | 21 | void syscall_entry(THREADID thread_id, CONTEXT *ctx, 22 | SYSCALL_STANDARD std, void *v) 23 | { 24 | //TraceAntiDebug2 << PIN_GetSyscallNumber(ctx,std) << ", " << PIN_GetSyscallArgument(ctx, std, 0) << endl; 25 | 26 | // check for Certain System Call 27 | if(processdebug ==0 && PIN_GetSyscallNumber(ctx,std) == 154 && PIN_GetSyscallArgument(ctx, std, 1) == 7){ 28 | TraceAntiDebug2 << "debugger, system call, \"ProcessDebugPort\"\n"; 29 | processdebug = 1; 30 | } 31 | 32 | if(PIN_GetSyscallNumber(ctx,std) == 229 && PIN_GetSyscallArgument(ctx, std, 1) == 17){ 33 | TraceAntiDebug2 << "debugger, system call, \"detach debugger\"\n"; 34 | } 35 | 36 | if(PIN_GetSyscallNumber(ctx,std) == 173 && PIN_GetSyscallArgument(ctx, std, 0) == 35){ 37 | TraceAntiDebug2 << "debugger, system call, \"SystemKernelDebuggerInformation\"\n"; 38 | } 39 | } 40 | 41 | void syscall_exit(THREADID thread_id, CONTEXT *ctx, 42 | SYSCALL_STANDARD std, void *v) 43 | { 44 | ADDRINT return_value = PIN_GetSyscallReturn(ctx, std); 45 | } 46 | 47 | void SystemCallfini(INT32, VOID*) 48 | { 49 | // traceFile2.close(); 50 | } 51 | 52 
| 53 | int mainSystemCall() 54 | { 55 | setTraceFile("logs\\systemCall.out"); 56 | PIN_AddSyscallEntryFunction(&syscall_entry, NULL); 57 | PIN_AddSyscallExitFunction(&syscall_exit, NULL); 58 | return 0; 59 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/SystemCall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "main.h" 3 | 4 | void syscall_entry(THREADID thread_id, CONTEXT *ctx, 5 | SYSCALL_STANDARD std, void *v); 6 | 7 | void syscall_exit(THREADID thread_id, CONTEXT *ctx, 8 | SYSCALL_STANDARD std, void *v); 9 | 10 | void SystemCallfini(INT32, VOID*); 11 | void setTraceFile(string file); 12 | int mainSystemCall(); 13 | //std::ofstream traceFile2; -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidDetector/main.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "pin.H" -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidFamily.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ParanoidMalware", "ParanoidMalware\ParanoidMalware.vcxproj", "{91D5681B-55EC-4724-99BF-F5F4311C304B}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ParanoidDetector", "ParanoidDetector\ParanoidDetector.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ParanoidPreventer", "ParanoidPreventer\MyPinTool.vcxproj", "{9313CE22-2A07-4311-B806-D90EEA5075E1}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Win32 = Debug|Win32 13 | 
Debug|x64 = Debug|x64 14 | Release|Win32 = Release|Win32 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Debug|Win32.ActiveCfg = Debug|Win32 19 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Debug|Win32.Build.0 = Debug|Win32 20 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Debug|x64.ActiveCfg = Debug|Win32 21 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Release|Win32.ActiveCfg = Release|Win32 22 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Release|Win32.Build.0 = Release|Win32 23 | {91D5681B-55EC-4724-99BF-F5F4311C304B}.Release|x64.ActiveCfg = Release|Win32 24 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32 26 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 27 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 28 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32 29 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32 30 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 31 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 32 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Debug|Win32.ActiveCfg = Debug|Win32 33 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Debug|Win32.Build.0 = Debug|Win32 34 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Debug|x64.ActiveCfg = Debug|x64 35 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Debug|x64.Build.0 = Debug|x64 36 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Release|Win32.ActiveCfg = Release|Win32 37 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Release|Win32.Build.0 = Release|Win32 38 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Release|x64.ActiveCfg = Release|x64 39 | {9313CE22-2A07-4311-B806-D90EEA5075E1}.Release|x64.Build.0 = Release|x64 40 | EndGlobalSection 41 | GlobalSection(SolutionProperties) = preSolution 
42 | HideSolutionNode = FALSE 43 | EndGlobalSection 44 | EndGlobal 45 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/CL.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/CL.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware.exe.embed.manifest: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware.exe.embed.manifest.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware.exe.embed.manifest.res -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware.exe.intermediate.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware.lastbuildstate: 
-------------------------------------------------------------------------------- 1 | #v4.0:v100 2 | Debug|Win32|C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\| 3 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware_manifest.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/ParanoidMalware_manifest.rc -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/cl.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/cl.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link-cvtres.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link-cvtres.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link-cvtres.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link-cvtres.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.1488-cvtres.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.1488-cvtres.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.1488-cvtres.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.1488-cvtres.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.1488.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.1488.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.1488.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.1488.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/link.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/mt.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/mt.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/mt.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/mt.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/mt.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/mt.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/rc.command.1.tlog: -------------------------------------------------------------------------------- 
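https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/rc.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/rc.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/rc.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/rc.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/rc.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Debug/vc100.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Debug/vc100.idb -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Helper.cpp: --------------------------------------------------------------------------------
#include "Helper.h"

using namespace std;

Helper::Helper(void)
{
}


Helper::~Helper(void)
{
}

// In-place lower-casing, one code unit at a time through ::tolower.
// Only ASCII letters are affected; everything else is left unchanged.
void Helper::toLowerCase(std::string &input){
    std::transform(input.begin(), input.end(), input.begin(), ::tolower);
}

void Helper::toLowerCase(std::wstring &input){
    std::transform(input.begin(), input.end(), input.begin(), ::tolower);
}

/*
Returns true when the image name of some running process begins with `t`
(case-insensitive prefix match). Returns false when EnumProcesses fails.

Changes from the earlier version:
 - the PID buffer holds 1024 entries instead of 50. EnumProcesses does not
   report a too-small buffer as an error, so only the first 50 processes
   were examined and anything later in the table was missed.
 - szProcessName is reset on every iteration and processes that cannot be
   opened are skipped; previously the name from the previous iteration was
   compared again, which could produce a false positive.
 - the process handle is closed on every path (it leaked on `return true`,
   and CloseHandle was called on NULL).
GetModuleBaseName's result is not checked: on failure the name stays empty
and cannot match a non-empty `t`.
*/
bool Helper::isProcessExists(std::string t){
    DWORD ProcessesIDs[1024], cbNeeded, cProcesses;
    unsigned int i;

    if ( !EnumProcesses( ProcessesIDs, sizeof(ProcessesIDs), &cbNeeded ) )
        return false;

    cProcesses = cbNeeded / sizeof(DWORD);

    // case insensitive: lower-case the needle once, outside the loop
    toLowerCase(t);

    // This for loop will be enumerating each process.
    for ( i = 0; i < cProcesses; i++ )
    {
        TCHAR szProcessName[50] = TEXT("");

        HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                       FALSE, ProcessesIDs[i] );
        if (hProcess == NULL)
            continue;   // not queryable from this context; skip rather than reuse a stale name

        // Get the process name
        GetModuleBaseName( hProcess, NULL, szProcessName,
                           sizeof(szProcessName)/sizeof(TCHAR) );
        CloseHandle( hProcess );

        // convert to string (narrowing copy; only ASCII names survive intact)
        std::wstring arr_w( szProcessName );
        std::string arr_s( arr_w.begin(), arr_w.end() );
        toLowerCase(arr_s);

        // comparison of process name: prefix match
        if(arr_s.find(t) == 0){
            return true;
        }
    }

    return false;
}

/*
Returns true when the sub-key `lpSubKey` exists under `hkey`.

The key is opened read-only (KEY_READ | KEY_WOW64_64KEY). The earlier
version asked for KEY_ALL_ACCESS, which an existence check does not need and
which can fail with ERROR_ACCESS_DENIED for a non-elevated caller - and
because only ERROR_FILE_NOT_FOUND maps to false, that failure was reported
as "exists". Any error other than ERROR_FILE_NOT_FOUND is still reported as
true (unchanged), so a key the caller may not even read still counts as
present. The opened handle is now released.
*/
bool Helper::isRegistryKeyExists(HKEY hkey, LPTSTR lpSubKey){
    HKEY key = NULL;
    LONG lResult = RegOpenKeyEx(hkey, lpSubKey, 0, KEY_READ|KEY_WOW64_64KEY, &key);
    if (lResult == ERROR_FILE_NOT_FOUND) {
        return false;
    }
    if (lResult == ERROR_SUCCESS) {
        RegCloseKey(key);
    }
    return true;
}

/*
Reads the value `name` under `key` (relative to `h`) as a wide string and
returns true when the lower-cased data contains any element of
checkString[0..size) as a substring. Returns false when the key or value is
absent, the value is not a string type, or it is empty.

Changes from the earlier version:
 - the key handle is released on every path (it leaked when the size query
   failed or the value was absent).
 - the data is only decoded when its type is REG_SZ, REG_EXPAND_SZ or
   REG_MULTI_SZ and cbData > 0; a DWORD or binary value was previously
   reinterpreted as wchar_t, and a zero-length value wrote through
   &value[0] of an empty string.
 - the buffer is sized by rounding cbData up to whole wchar_t units, so an
   odd byte count can no longer overrun it by one byte.
Throws a const char* if the second query fails, as before.
NOTE(review): `res` is lower-cased but the needles are not, so a mixed-case
entry in checkString never matches; left unchanged so callers that already
pass lower-case needles keep their behaviour.
*/
bool Helper::isRegistryValue(HKEY h, wstring key, wstring name, wstring checkString[], int size){
    DWORD type = 0;
    DWORD cbData = 0;
    HKEY hkey = NULL;
    wstring res;

    if (RegOpenKeyEx(h, key.c_str(), 0, KEY_READ, &hkey) == ERROR_SUCCESS)
    {
        bool isStringValue =
            RegQueryValueEx(hkey, name.c_str(), NULL, &type, NULL, &cbData) == ERROR_SUCCESS
            && (type == REG_SZ || type == REG_EXPAND_SZ || type == REG_MULTI_SZ)
            && cbData > 0;

        if(isStringValue){
            wstring value((cbData + sizeof(wchar_t) - 1) / sizeof(wchar_t), L'\0');
            if (RegQueryValueEx(hkey, name.c_str(), NULL, NULL, reinterpret_cast<LPBYTE>(&value[0]), &cbData) != ERROR_SUCCESS)
            {
                RegCloseKey(hkey);
                throw "Could not read registry value";
            }

            // registry strings normally carry their terminating NUL; drop it
            size_t firstNull = value.find_first_of(L'\0');
            if (firstNull != wstring::npos)
                value.resize(firstNull);

            res = value;
        }
        RegCloseKey(hkey);
    }

    // compare string
    toLowerCase(res);

    for(int i = 0; i < size; i++){
        if(res.find(checkString[i]) != std::wstring::npos){
            return true;
        }
    }

    return false;
}

/*
Returns true when `fileName` names an existing regular file (a directory
does not count). Prints "<name> exists." to stdout on success; that output
is kept for parity with the earlier version.
*/
bool Helper::isFileExists(std::string fileName){
    DWORD dwAttributes = GetFileAttributesA(fileName.c_str());

    if(dwAttributes != INVALID_FILE_ATTRIBUTES &&
       !(dwAttributes & FILE_ATTRIBUTE_DIRECTORY)){
        cout << fileName << " exists. \n";
        return true;
    }
    return false;
}

/*
Returns true when the MAC address of any Ethernet adapter, formatted as
"xx-xx-xx-xx-xx-xx" (lower-case hex), contains `input` as a substring.
Despite the name this is a substring test, not a prefix test (kept as-is to
preserve behaviour). Only the first 32 adapters fit the fixed buffer; if
GetAdaptersInfo needs more room or fails for any other reason the function
returns false. Prints the matching address to stdout.

Changes from the earlier version: `input` is lower-cased once instead of per
adapter, and the find() result is compared with npos directly instead of
through a (signed) cast that relied on -1 wrapping back to npos.
*/
bool Helper::isStartWithMac(std::string input){
    // http://msdn.microsoft.com/en-us/library/aa365915(VS.85).aspx

    vector<string> macAddresses;
    IP_ADAPTER_INFO AdapterInfo[32];        // room for up to 32 NICs
    DWORD dwBufLen = sizeof(AdapterInfo);   // size of the receive buffer
    DWORD dwStatus = GetAdaptersInfo(AdapterInfo, &dwBufLen);

    // No network card, buffer too small, or other error
    if(dwStatus != ERROR_SUCCESS)
        return false;

    char szBuffer[512];
    for(PIP_ADAPTER_INFO pAdapterInfo = AdapterInfo; pAdapterInfo; pAdapterInfo = pAdapterInfo->Next)
    {
        if(pAdapterInfo->Type != MIB_IF_TYPE_ETHERNET)
            continue;
        sprintf_s(szBuffer, sizeof(szBuffer), "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x",
                  pAdapterInfo->Address[0], pAdapterInfo->Address[1], pAdapterInfo->Address[2],
                  pAdapterInfo->Address[3], pAdapterInfo->Address[4], pAdapterInfo->Address[5]);
        macAddresses.push_back(szBuffer);
    }

    toLowerCase(input);
    for(vector<string>::iterator itr = macAddresses.begin(); itr != macAddresses.end(); ++itr){
        toLowerCase(*itr);
        if(itr->find(input) != std::string::npos){
            cout << "Mac address found: " << *itr << "\n";
            return true;
        }
    }

    return false;
}

/*
Returns the PID of the first process whose executable name equals
`procName` exactly, or 0 when there is no such process or the snapshot
cannot be taken. 0 is also the PID of the System Idle Process, so callers
can only treat the result as found / not found.

Changes from the earlier version: the narrow buffer is zero-initialised and
the WideCharToMultiByte result is checked, so a failed conversion no longer
feeds an uninitialised buffer to std::string; the unused counter is gone.
NOTE(review): the comparison is case-sensitive while isProcessExists
lower-cases both sides; Windows image names are case-insensitive, so a
differently-cased name is missed here. Left unchanged.
*/
int Helper::getProcessID(std::string procName){
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    int result = 0;

    // Take a snapshot of all processes in the system.
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        return 0;
    }

    // Set the size of the structure before using it.
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    // Retrieve information about the first process, and exit if unsuccessful
    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        CloseHandle( hProcessSnap ); // clean the snapshot object
        return 0;
    }

    // Walk the snapshot and stop at the first exact name match.
    do
    {
        // convert from wide char to narrow char array; characters with no
        // narrow equivalent become DefChar (' ')
        char ch[sizeof(pe32.szExeFile)] = {0};
        char DefChar = ' ';
        int converted = WideCharToMultiByte(CP_ACP, 0, pe32.szExeFile, -1,
                                            ch, sizeof(pe32.szExeFile), &DefChar, NULL);
        if (converted == 0)
            continue;   // conversion failed; do not compare garbage

        std::string ss(ch);
        if(ss.compare(procName) == 0){
            result = pe32.th32ProcessID;
            break;
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );

    return result;
}

/*
Returns true when a top-level window of class `winname` exists. FindWindow
is called with a NULL window title, so only the class name is matched.
Fix: the earlier version had no `return false`, so the not-found path
returned an indeterminate value (undefined behaviour).
*/
bool Helper::findWindows(LPCWSTR winname){
    HWND hnd = FindWindow(winname, 0);
    return hnd != NULL;
}
-------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Helper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "main.h" 3 | /* 4 | Author: Lim Seok Min 5 | Email: a0073541@nus.edu.sg 6 | Purpose: To perform simple windows functions shared by other classes. 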
7 | Registry Subkey Check 8 | Comparison between registry values and our values 9 | Running Processes 10 | */ 11 | class Helper 12 | { 13 | 14 | public: 15 | Helper(void); 16 | ~Helper(void); 17 | 18 | bool isProcessExists(std::string t); 19 | bool isRegistryKeyExists(HKEY hkey,LPTSTR lpSubKey); 20 | bool isRegistryValue(HKEY hkey, wstring lpSubKey, wstring name, wstring checkString[], int size); 21 | bool isFileExists(string); 22 | bool isStartWithMac(std::string t); 23 | int getProcessID(std::string); 24 | bool findWindows(LPCWSTR); 25 | 26 | private: 27 | void toLowerCase(std::string&); 28 | void toLowerCase(std::wstring&); 29 | }; 30 | 31 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/ParanoidMalware.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Lim Seok Min 3 | Email: a0073541@nus.edu.sg 4 | Purpose: To perform anti-techniques 5 | - AntiVM 6 | - AntiDebugging 7 | - AntiSandbox 8 | - AntiMonitoring 9 | 10 | Disclaimer: Some of the codes are by no means discovered 11 | by me. References are written at the beginning 12 | of every header file. 
13 | */ 14 | 15 | #include "vmware.h" 16 | #include "virtualbox.h" 17 | #include "virtualpc.h" 18 | #include "qemu.h" 19 | #include "antidebug.h" 20 | #include "antisandbox.h" 21 | 22 | int main(){ 23 | // CHECK FOR VMWARE 24 | vmware v; 25 | v.startDetect(); 26 | 27 | virtualbox vbox; 28 | vbox.startDetect(); 29 | 30 | // TODO: QEMU 31 | qemu q; 32 | q.startDetect(); 33 | 34 | // TODO: VIRTUAL PC 35 | virtualpc vPC; 36 | //vPC.startDetect(); 37 | 38 | // TODO: ANTI-DEBUGGER 39 | antidebug ad; 40 | ad.startDetect(); 41 | 42 | // TODO: ANTI-SANDBOX 43 | antisandbox as; 44 | as.startDetect(); 45 | 46 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/ParanoidMalware.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {91D5681B-55EC-4724-99BF-F5F4311C304B} 15 | Win32Proj 16 | ParanoidMalware 17 | 18 | 19 | 20 | Application 21 | true 22 | Unicode 23 | 24 | 25 | Application 26 | false 27 | true 28 | Unicode 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | true 42 | 43 | 44 | false 45 | 46 | 47 | 48 | 49 | 50 | Level3 51 | Disabled 52 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 53 | 54 | 55 | Console 56 | true 57 | Iphlpapi.lib;psapi.lib;Ws2_32.lib;%(AdditionalDependencies) 58 | 59 | 60 | 61 | 62 | Level3 63 | 64 | 65 | MaxSpeed 66 | true 67 | true 68 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 69 | MultiThreaded 70 | 71 | 72 | Console 73 | false 74 | true 75 | true 76 | Iphlpapi.lib;psapi.lib;Ws2_32.lib;%(AdditionalDependencies) 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/ParanoidMalware.vcxproj.filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : ParanoidMalware Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this ParanoidMalware application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your ParanoidMalware application. 9 | 10 | 11 | ParanoidMalware.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 
16 | 17 | ParanoidMalware.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | ParanoidMalware.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named ParanoidMalware.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 
39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/CL.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/CL.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/ParanoidMalware.exe.intermediate.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/ParanoidMalware.lastbuildstate: -------------------------------------------------------------------------------- 1 | #v4.0:v100 2 | Release|Win32|C:\GitHub\CP4101\ParanoidMalware\| 3 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/cl.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/cl.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/link.command.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/link.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/link.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/link.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/mt.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/mt.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/mt.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/mt.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/Release/mt.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidMalware/Release/mt.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/antidebug.cpp: -------------------------------------------------------------------------------- 1 | #include "antidebug.h" 2 | #include "Helper.h" 3 | 4 | antidebug::antidebug(void) 5 | { 6 | debuggerPresent = 0; 7 | } 8 | 9 | 10 | antidebug::~antidebug(void) 11 | { 12 | } 13 | 14 | void antidebug::startDetect(){ 15 | printf("========= Checks for Anti-Debugger Techniques =======\n"); 16 | isDebuggerPresent(); 17 | isCheckRemoteDebuggerPresent(); 18 | isOutputDebugString(); 19 | isProcessDebugPort(); 20 | isSystemKernelDebuggerInformation(); 21 | checkNtGlobalFlag(); 22 | findWindows(); 23 | selfDebug(); 24 | unHandledExceptionFilter(); 25 | isSeDebugPrivilege(); 26 | 27 | // last one 28 | //multipleDesktop(); 29 | //blockInput(); 30 | detachDebugger(); 31 | 32 | checkRegistry(); 33 | checkProcess(); 34 | checkFile(); 35 | 36 | printf("\n"); 37 | doMaliciousStuff(); 38 | } 39 | 40 | void antidebug::isDebuggerPresent(){ 41 | BOOL result = FALSE; 42 | 43 | HINSTANCE kern_lib = LoadLibraryEx(L"kernel32.dll", NULL, 0 ); 44 | if( kern_lib ) { 45 | FARPROC lIsDebuggerPresent = GetProcAddress( kern_lib, "IsDebuggerPresent" ); 46 | if( lIsDebuggerPresent && lIsDebuggerPresent() ) { 47 | result = TRUE; 48 | } 49 | FreeLibrary( kern_lib ); 50 | } 51 | 52 | if(result){ 53 | printf("Anti-Debug: IsDebuggerPresent exists.\n"); 54 | } 55 | else{ 56 | debuggerPresent = 1; 57 | } 58 | 59 | } 60 | 61 | void antidebug::isCheckRemoteDebuggerPresent(){ 62 | BOOL result = false;; 63 | BOOL WINAPI CheckRemoteDebuggerPresent(__in HANDLE hProcess, 64 | __inout PBOOL pbDebuggerPresent); 65 | 66 | BOOL pbIsPresent = FALSE; 67 | CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbIsPresent); 68 | if (pbIsPresent) { 69 | result = 
true; 70 | } 71 | 72 | if(result){ 73 | printf("Anti-Debug: CheckRemoteDebuggerPresent.\n"); 74 | } 75 | } 76 | 77 | // If there is debugger attached to this process, the value for setlasterror will not change 78 | // as outputdebugstring is normal! if it changes, means debugger does not exist. 79 | void antidebug::isOutputDebugString(){ 80 | void WINAPI OutputDebugString(__in_opt LPCTSTR lpOutputString); 81 | BOOL result = false; 82 | 83 | OutputDebugString(L"random"); 84 | if(GetLastError() == 0) { 85 | result = true; 86 | } 87 | 88 | if(result){ 89 | printf("Anti-Debug: OutputDebugString.\n"); 90 | } 91 | } 92 | 93 | // Silence Version of IsDebuggerPresent 94 | void antidebug::isProcessDebugPort(){ 95 | bool result = false; 96 | int retVal = 0; 97 | 98 | typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)( 99 | HANDLE ProcessHandle, 100 | DWORD ProcessInformationClass, /* can't be bothered defining the whole enum */ 101 | PVOID ProcessInformation, 102 | DWORD ProcessInformationLength, 103 | PDWORD ReturnLength 104 | ); 105 | 106 | _NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess) 107 | GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); 108 | 109 | NtQueryInformationProcess(GetCurrentProcess(), 0x07, &retVal, 4, NULL); 110 | 111 | if(retVal!=0){ 112 | result = true; 113 | } 114 | 115 | if(result){ 116 | printf("Anti-Debug: ProcessDebugPort is triggered.\n"); 117 | } 118 | else{ 119 | debuggerPresent = 1; 120 | //pfile->close(); 121 | } 122 | } 123 | 124 | void antidebug::detachDebugger(){ 125 | bool result = false; 126 | int retVal = 0; 127 | 128 | typedef NTSTATUS (NTAPI *_NtSetInformationThread)( 129 | HANDLE ThreadHandle, 130 | DWORD ThreadInformationClass, /* can't be bothered defining the whole enum */ 131 | PVOID ThreadInformation, 132 | ULONG ThreadInformationLength 133 | ); 134 | 135 | _NtSetInformationThread NtSetInformationThread = (_NtSetInformationThread) 136 | 
GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationThread"); 137 | 138 | NtSetInformationThread(GetCurrentThread(), 0x11, 0, 0); 139 | 140 | printf("Anti-Debug: Detach Debugger\n"); 141 | } 142 | 143 | void antidebug::findWindows(){ 144 | Helper h; 145 | if(h.findWindows(L"OLLYDBG")){ 146 | printf("Anti-Debug: OllyDbg exists.\n"); 147 | } 148 | else if(h.findWindows(L"TIdaWindows")){ 149 | printf("Anti-Debug: IDA Pro exists.\n"); 150 | } 151 | else if(h.findWindows(L"WinDbgFrameClass")){ 152 | printf("Anti-Debug: WinDbg exists.\n"); 153 | } 154 | else{ 155 | debuggerPresent = 1; 156 | 157 | 158 | } 159 | } 160 | 161 | void antidebug::BeDebugged(){ 162 | char IsDbgPresent = 0; 163 | bool result = false; 164 | __asm { 165 | mov eax, fs:[30h] 166 | mov al, [eax + 2h] 167 | mov IsDbgPresent, al 168 | } 169 | 170 | if(IsDbgPresent) 171 | { 172 | result = true; 173 | } 174 | 175 | if(result){ 176 | printf("Anti-Debug: IsDebuggerPresent detected\n"); 177 | } 178 | } 179 | 180 | //http://www.codeproject.com/Articles/29469/Introduction-Into-Windows-Anti-Debugging 181 | void antidebug::checkNtGlobalFlag(){ 182 | unsigned long NtGlobalFlags = 0; 183 | BOOL result = false; 184 | 185 | __asm { 186 | 187 | mov eax, fs:[30h] 188 | mov eax, [eax + 68h] 189 | mov NtGlobalFlags, eax 190 | } 191 | 192 | 193 | if(NtGlobalFlags & 0x70) 194 | { 195 | result = true; 196 | } 197 | 198 | if(result){ 199 | printf("Anti-Debug: NtGlobalFlag is set. 
Debugger detected\n"); 200 | } 201 | } 202 | 203 | // reference: http://shangdi.googlecode.com/svn/trunk/code/LicenseLib/AntiDebug.cpp 204 | void antidebug::isSystemKernelDebuggerInformation(){ 205 | bool result = false; 206 | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { 207 | BOOLEAN DebuggerEnabled; 208 | BOOLEAN DebuggerNotPresent; 209 | } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; 210 | enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 }; 211 | typedef NTSTATUS (__stdcall *ZW_QUERY_SYSTEM_INFORMATION)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength); 212 | 213 | ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation; 214 | SYSTEM_KERNEL_DEBUGGER_INFORMATION Info; 215 | 216 | HMODULE hmd = GetModuleHandle(L"ntdll.dll"); 217 | if (hmd != NULL) { 218 | ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hmd, "ZwQuerySystemInformation"); 219 | if (ZwQuerySystemInformation) { 220 | if ((NTSTATUS)0L == ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL)) { 221 | if (Info.DebuggerEnabled&&!Info.DebuggerNotPresent) { 222 | result = true; 223 | } 224 | } 225 | } 226 | } 227 | 228 | if(result){ 229 | printf("Anti-Debug: SystemKernelDebuggerInformation is set. 
Debugger detected\n"); 230 | } 231 | } 232 | 233 | // reference: http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#SelfDebugging 234 | void antidebug::selfDebug(){ 235 | 236 | HANDLE hnd = NULL; 237 | DEBUG_EVENT deEvent; 238 | PROCESS_INFORMATION pi; 239 | STARTUPINFO startInfo; 240 | 241 | // initialize 242 | ZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); 243 | ZeroMemory(&startInfo, sizeof(STARTUPINFO)); 244 | ZeroMemory(&deEvent, sizeof(DEBUG_EVENT)); 245 | 246 | GetStartupInfo(&startInfo); 247 | 248 | //Clone this process and debug our parent process 249 | CreateProcess(NULL, GetCommandLine(), NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &startInfo, &pi); 250 | ContinueDebugEvent(pi.dwProcessId, pi.dwThreadId, DBG_CONTINUE); 251 | WaitForDebugEvent(&deEvent, INFINITE); 252 | 253 | printf("Anti-Debug: This process is self-debugging now to prevent other debuggers from attaching.\n"); 254 | } 255 | 256 | LONG WINAPI UnhandledExcepFilter(PEXCEPTION_POINTERS pExcepPointers) 257 | { 258 | SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER) 259 | pExcepPointers->ContextRecord->Eax); 260 | 261 | pExcepPointers->ContextRecord->Eip += 2; 262 | 263 | return EXCEPTION_CONTINUE_EXECUTION; 264 | } 265 | 266 | 267 | void antidebug::unHandledExceptionFilter(){ 268 | SetUnhandledExceptionFilter(UnhandledExcepFilter); 269 | __asm{xor eax, eax} 270 | __asm{div eax} 271 | 272 | printf("Anti-Debug: UnhandledExceptionFilter: There is no debugger attached.\n"); 273 | } 274 | 275 | // Check if CRCSS.exe can be open 276 | // If it can be opened, a debugger is attached to make it accessible 277 | void antidebug::isSeDebugPrivilege(){ 278 | HANDLE csrss = NULL; 279 | Helper h; 280 | csrss = OpenProcess(PROCESS_ALL_ACCESS, false, h.getProcessID("csrss.exe")); 281 | 282 | if(csrss!=NULL){ 283 | printf("Anti-Debug: SeDebugPrivilege flag on for CSRSS.exe. 
AntiDebug exists."); 284 | } 285 | } 286 | 287 | // block mouse and keyboard 288 | void antidebug::blockInput(){ 289 | BlockInput(true); 290 | printf("Anti-Debug: Mouse/Key input is blocked.\n"); 291 | } 292 | 293 | // create multiple desktop 294 | void antidebug::multipleDesktop(){ 295 | HDESK hdeskOriginalThread = GetThreadDesktop(GetCurrentThreadId()); 296 | HDESK hdeskOriginalInput = OpenInputDesktop(0, FALSE, DESKTOP_SWITCHDESKTOP); 297 | HDESK hDesk=CreateDesktop(L"NewDesktop",NULL,NULL,NULL,GENERIC_ALL,NULL); 298 | 299 | if(hDesk!=NULL) { 300 | SetThreadDesktop(hDesk); 301 | //SwitchDesktop(hDesk);MessageBox(NULL, TEXT("MessageBox on private desktop"), TEXT("Private Desktop"), MB_OK); 302 | SwitchDesktop(hdeskOriginalInput); 303 | SetThreadDesktop(hdeskOriginalThread); 304 | CloseDesktop(hDesk); 305 | printf("Anti-Debug: Created the program in another Desktop.\n"); 306 | } 307 | } 308 | 309 | 310 | // offset 0x10 at heap 311 | void antidebug::checkHeapflags(){ 312 | // check for Windows 7 313 | DWORD ver = GetVersion(); 314 | DWORD first = (DWORD) (LOBYTE(LOWORD(ver))); 315 | DWORD second = (DWORD) (HIBYTE(LOWORD(ver))); 316 | 317 | // 6.1 = Windows 7 318 | if(first > 6 || (first==6 && second>=1)){ 319 | __asm 320 | { 321 | mov eax, fs:[18h] 322 | mov eax, [eax + 30h] ;PEB 323 | mov eax, [eax + 18h] 324 | cmp [eax + 44h],0 ;heap force flags 325 | jne DebuggerDetected 326 | } 327 | } 328 | else{ 329 | __asm 330 | { 331 | mov eax, fs:[18h] ;TEB 332 | mov eax, [eax + 30h] ;PEB 333 | mov eax, [eax + 18h] ;process heap 334 | cmp [eax + 10h],0 ;heap force flags 335 | jne DebuggerDetected 336 | } 337 | } 338 | 339 | return; 340 | __asm{DebuggerDetected:} 341 | printf("Anti-Debug: ForceFlag is on."); 342 | } 343 | 344 | void antidebug::debuggerPrefixCheck(){ 345 | __try 346 | { 347 | __asm __emit 0xF3 // 0xF3 0x64 disassembles as PREFIX REP: 348 | __asm __emit 0x64 349 | __asm __emit 0xF1 // One byte INT 1 350 | } 351 | __except(EXCEPTION_EXECUTE_HANDLER){return;} 
352 | 353 | printf("Antidebug: VS2008 Debugger or OllyDbg exists.\n"); 354 | } 355 | 356 | // crash ollydbg when stepping through 357 | void antidebug::isOutputDebugStringCrash(){ 358 | OutputDebugString( TEXT("%s%s%s%s%s%s%s%s%s%s%s") 359 | TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s") 360 | TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s") 361 | TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s") ); 362 | } 363 | 364 | 365 | void antidebug::checkRegistry(){ 366 | // none yet 367 | } 368 | 369 | void antidebug::checkProcess(){ 370 | Helper h; 371 | 372 | if(h.isProcessExists("syserapp.exe")){ 373 | printf("Anti-Debug: syserapp.exe exists.\n"); 374 | } 375 | if(h.isProcessExists("ollydbg.exe")){ 376 | printf("Anti-Debug: ollydbg.exe exists.\n"); 377 | } 378 | if(h.isProcessExists("idag.exe")){ 379 | printf("Anti-Debug: IDA pro exists.\n"); 380 | }// idapro 381 | } 382 | 383 | void antidebug::checkFile(){ 384 | Helper h; 385 | std::string driverPath = "C:\\Windows\\system32\\"; 386 | printf("Check Files.\n"); 387 | h.isFileExists(driverPath + "dbghelp.dll"); 388 | h.isFileExists(driverPath + "drivers\\Syser.sys"); 389 | printf("\n"); 390 | } 391 | 392 | void antidebug::doMaliciousStuff(){ 393 | if(debuggerPresent == 1){ 394 | FILE *pfile = fopen("Debug-createdByMalware.txt", "w"); 395 | fprintf(pfile, "i am created by paranoidmalware.exe because I can't detect debugger"); 396 | } 397 | else{ 398 | // do nothing 399 | printf("test"); 400 | } 401 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/antidebug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* 4 | references: http://www.veracode.com/blog/2008/12/anti-debugging-series-part-ii/ 5 | http://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx 6 | http://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx 7 | 
http://www.codeproject.com/Articles/29469/Introduction-Into-Windows-Anti-Debugging 8 | */ 9 | class antidebug 10 | { 11 | public: 12 | antidebug(void); 13 | ~antidebug(void); 14 | 15 | void startDetect(); 16 | int debuggerPresent; 17 | 18 | private: 19 | void isDebuggerPresent(); 20 | void BeDebugged(); // silent version of isdebuggerpresnt 21 | void isCheckRemoteDebuggerPresent(); 22 | void isOutputDebugString(); 23 | void isOutputDebugStringCrash(); // ollydbg specific 24 | void isProcessDebugPort(); 25 | void detachDebugger(); 26 | void findWindows(); 27 | void checkNtGlobalFlag(); 28 | void isSystemKernelDebuggerInformation(); 29 | void selfDebug(); 30 | void unHandledExceptionFilter(); 31 | void isSeDebugPrivilege(); 32 | void blockInput(); 33 | void multipleDesktop(); 34 | void debuggerPrefixCheck(); 35 | void checkHeapflags(); 36 | 37 | void checkProcess(); 38 | void checkRegistry(); 39 | void checkFile(); 40 | 41 | void doMaliciousStuff(); 42 | 43 | }; 44 | 45 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/antisandbox.cpp: -------------------------------------------------------------------------------- 1 | #include "antisandbox.h" 2 | #include "Helper.h" 3 | 4 | antisandbox::antisandbox(void) 5 | { 6 | } 7 | 8 | 9 | antisandbox::~antisandbox(void) 10 | { 11 | } 12 | 13 | void antisandbox::startDetect(){ 14 | printf("========= Checks for AntiSandbox =======\n"); 15 | isCWSandbox(); 16 | isAnubis(); 17 | checkProcess(); 18 | checkFile(); 19 | checkRegistry(); 20 | findWindows(); 21 | } 22 | 23 | void antisandbox::findWindows(){ 24 | Helper h; 25 | HWND hnd = FindWindow(L"SandboxieControlWndClass", 0); 26 | 27 | if(h.findWindows(L"SandboxieControlWndClass")){ 28 | printf("Anti-Sandbox: Sandboxie exists.\n"); 29 | } 30 | } 31 | 32 | void antisandbox::isCWSandbox(){ 33 | bool result = false; 34 | unsigned char cBuffer; 35 | unsigned long lProc= (unsigned long)GetProcAddress( GetModuleHandle( 
L"KERNEL32.dll" ), "CreateProcessA" ); 36 | 37 | if( ReadProcessMemory( GetCurrentProcess(), (void *) lProc, &cBuffer, 1, NULL ) ){ 38 | if( cBuffer==0xE9 ){ 39 | result = true; 40 | } 41 | } 42 | 43 | if(result){ 44 | printf("Anti-Sandbox: Is inside CWSandbox.\n"); 45 | } 46 | } 47 | 48 | void antisandbox::isAnubis(){ 49 | Helper h; 50 | int expPID = h.getProcessID("explorer.exe"); 51 | char cFile[MAX_PATH]; 52 | 53 | if( strstr(cFile, "C:\\InsideTm\\") ){ 54 | printf("Anti-Sandbox: Is inside Anubis.\n"); 55 | } 56 | } 57 | 58 | void antisandbox::checkProcess(){ 59 | Helper h; 60 | h.isProcessExists("SbieCtrl.exe"); 61 | } 62 | 63 | void antisandbox::checkFile(){ 64 | 65 | } 66 | 67 | void antisandbox::checkRegistry(){ 68 | Helper h; 69 | 70 | wstring checkString[] = {wstring(L"76487-644-3177037-23510"), 71 | wstring(L"55274-640-2673064-23950"), 72 | wstring(L"76487-337-8429955-22614")}; 73 | 74 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\"), TEXT("ProductId"), checkString, 3)){ 75 | printf("Anti-Sandbox: Process is run in a Sandbox.\n"); 76 | } 77 | 78 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/antisandbox.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "main.h" 3 | 4 | class antisandbox 5 | { 6 | public: 7 | antisandbox(void); 8 | ~antisandbox(void); 9 | 10 | void startDetect(); 11 | 12 | private: 13 | void isCWSandbox(); 14 | void isAnubis(); 15 | void findWindows(); 16 | void checkFile(); 17 | void checkProcess(); 18 | void checkRegistry(); 19 | }; 20 | 21 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/main.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 
#include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | 20 | #define WORKING_BUFFER_SIZE 15000 21 | #define MAX_TRIES 3 22 | #define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x)) 23 | #define FREE(x) HeapFree(GetProcessHeap(), 0, (x)) 24 | #if !defined PROCESSINFOCLASS 25 | typedef LONG PROCESSINFOCLASS; 26 | #endif 27 | 28 | using namespace std; -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/qemu.cpp: -------------------------------------------------------------------------------- 1 | #include "qemu.h" 2 | #include "Helper.h" 3 | 4 | qemu::qemu(void) 5 | { 6 | } 7 | 8 | 9 | qemu::~qemu(void) 10 | { 11 | } 12 | 13 | void qemu::startDetect(){ 14 | printf("========= Checks for QEMU =======\n"); 15 | printf("Registry check.\n"); 16 | checkRegistry(); 17 | printf("\n"); 18 | } 19 | 20 | void qemu::checkRegistry(){ 21 | Helper h; 22 | wstring checkString[] = {wstring(L"qemu")}; 23 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 24 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 25 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 26 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 3\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1)){ 27 | printf("QEMU Registry: QEMU Virtual hardware exists.\n"); 28 | } 29 | } 30 | 31 | void qemu::IRETD(){ 32 | // unsigned int handler = (unsigned int) seh_handler; 33 | /*__asm("movl %0, %%eax\n\t" 34 | "pushl %%eax\n\t":: 35 | "r" (handler) "%eax"); 36 | 37 | 
__asm("pushl %fs:0\n\t" 38 | "movl %esp, %fs:0\n\t"); 39 | 40 | __asm(".byte 0x26, 0xcf"); 41 | 42 | __asm("movl %esp, %eax"); 43 | __asm("movl %eax, %fs:0"); 44 | __asm("addl $8, %esp");*/ 45 | 46 | } 47 | 48 | int seh_handler(struct _EXCEPTION_RECORD 49 | *exception_record, 50 | void *established_frame, 51 | struct _CONTEXT *context_record, 52 | void *dispatcher_context) 53 | { 54 | printf("Malicious code here.\n"); 55 | exit(0); 56 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/qemu.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* 4 | References: http://media.blackhat.com/bh-eu-12/Royal/bh-eu-12-Royal-Entrapment-Slides.pdf 5 | 6 | */ 7 | 8 | class qemu 9 | { 10 | public: 11 | qemu(void); 12 | ~qemu(void); 13 | void startDetect(); 14 | 15 | private: 16 | void IRETD(); 17 | int seh_handler(); 18 | void checkRegistry(); 19 | }; 20 | 21 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/virtualbox.cpp: -------------------------------------------------------------------------------- 1 | #include "virtualbox.h" 2 | #include "Helper.h" 3 | 4 | virtualbox::virtualbox(void) 5 | { 6 | } 7 | 8 | 9 | virtualbox::~virtualbox(void) 10 | { 11 | } 12 | 13 | void virtualbox::startDetect(){ 14 | printf("========= Checks for VirtualBox =======\n"); 15 | printf("Process Checks\n"); 16 | checkProcess(); 17 | printf("\n"); 18 | 19 | printf("Registry Checks\n"); 20 | checkRegistry(); 21 | printf("\n\n"); 22 | 23 | printf("File Checks\n"); 24 | checkFile(); 25 | printf("\n\n"); 26 | 27 | printf("MAC Checks\n"); 28 | checkMAC(); 29 | printf("\n"); 30 | } 31 | 32 | // CHECK FOR RUNNING PROCESS 33 | void virtualbox::checkProcess(){ 34 | Helper h; 35 | if(h.isProcessExists("vboxservice.exe")){ 36 | } 37 | if(h.isProcessExists("vboxtray.exe")){ 38 | printf("VM: vmtoolsd.exe exists\n"); 39 | } 40 | 
} 41 | 42 | // TODO 43 | void virtualbox::checkRegistry(){ 44 | Helper h; 45 | 46 | if(h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Oracle\\VirtualBox\ Guest Addtion"))){ 47 | printf("VirtualBox Registry: VirtualBox Guest Additions exists.\n"); 48 | } 49 | 50 | if(h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vboxguest")) 51 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vboxmouse")) 52 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vboxsf")) 53 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vboxservice"))){ 54 | printf("VirtualBox Registry: VirtualBox Drivers exists.\n"); 55 | } 56 | 57 | wstring checkString[] = {wstring(L"vbox"), wstring(L"virualbox"), wstring(L"oracle")}; 58 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\"), TEXT("0"), checkString, 3)){ 59 | printf("VirtualBox Registry: VirtualBox Disk exists.\n"); 60 | } 61 | 62 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\Description\\System\\"), TEXT("SystemBiosSystem"), checkString, 3)){ 63 | printf("VirtualBox Registry: VirtualBox BIOS exists.\n"); 64 | } 65 | 66 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\Description\\System\\"), TEXT("VideoBiosSystem"), checkString, 3)){ 67 | printf("VirtualBox Registry: VirtualBox VideoBIOS exists.\n"); 68 | } 69 | 70 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 3) 71 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 3) 72 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), 
checkString, 3) 73 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 3\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 3)){ 74 | printf("VirtualBox Registry: VBox Virtual hardware exists.\n"); 75 | } 76 | } 77 | 78 | void virtualbox::checkFile(){ 79 | Helper h; 80 | 81 | std::string driverPath = "C:\\Windows\\system32\\drivers\\"; 82 | 83 | // Get Program File Path 84 | TCHAR progFilePath[MAX_PATH]; 85 | SHGetFolderPath(NULL, CSIDL_PROGRAM_FILES, NULL, 0, progFilePath); 86 | std::string programFiles = getenv("ProgramFiles"); 87 | 88 | // convert to string 89 | std::wstring arr_w( progFilePath ); 90 | std::string arr_s( arr_w.begin(), arr_w.end() ); 91 | arr_s +="\\"; 92 | 93 | //C:\Program Files\VMware\VMware Tools 94 | string virtualBoxPath = arr_s + "Oracle\\VirtualBox\\Guest Addtions\\"; 95 | 96 | h.isFileExists(driverPath + "vboxmouse.sys"); 97 | h.isFileExists(driverPath + "vboxguest.sys"); 98 | h.isFileExists(driverPath + "vboxsf.sys"); 99 | h.isFileExists(virtualBoxPath + "vboxcontrol.exe"); 100 | h.isFileExists(virtualBoxPath + "vboxtray.exe"); 101 | h.isFileExists(virtualBoxPath + "vboxvideo.sys"); 102 | 103 | } 104 | 105 | void virtualbox::checkMAC(){ 106 | Helper h; 107 | // to demonstrate some format (so later on can try to detect them) 108 | h.isStartWithMac("08-00-27"); 109 | h.isStartWithMac("080027"); 110 | h.isStartWithMac("08:00:27"); 111 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/virtualbox.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | class virtualbox 3 | { 4 | public: 5 | virtualbox(void); 6 | ~virtualbox(void); 7 | void startDetect(); 8 | private: 9 | void checkRegistry(); 10 | void checkProcess(); 11 | void checkFile(); 12 | void checkMAC(); 13 | }; 14 | 15 | -------------------------------------------------------------------------------- 
/ParanoidFamily/ParanoidMalware/virtualpc.cpp: -------------------------------------------------------------------------------- 1 | #include "virtualpc.h" 2 | #include "Helper.h" 3 | 4 | virtualpc::virtualpc(void) 5 | { 6 | } 7 | 8 | 9 | virtualpc::~virtualpc(void) 10 | { 11 | } 12 | 13 | void virtualpc::startDetect(){ 14 | printf("========= Checks for VirtualPC =======\n"); 15 | printf("Instruction Check.\n"); 16 | checkInvalidInstruction(); 17 | printf("\n"); 18 | } 19 | 20 | void virtualpc::checkInvalidInstruction(){ 21 | __try{ 22 | __asm{ 23 | mov eax, 1 24 | _emit 0x0F 25 | _emit 0x3F 26 | _emit 0x07 27 | _emit 0x0B 28 | _emit 0xC7 29 | _emit 0x45 30 | _emit 0xFC 31 | _emit 0xFF 32 | _emit 0xFF 33 | _emit 0xFF 34 | _emit 0xFF 35 | } 36 | }__except(1){ 37 | return; 38 | } 39 | 40 | printf("VirtualPC: VirtualPC passes this instruction which is supposed to be invalid."); 41 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/virtualpc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "main.h" 3 | 4 | class virtualpc 5 | { 6 | public: 7 | virtualpc(void); 8 | ~virtualpc(void); 9 | void startDetect(); 10 | 11 | private: 12 | void checkInvalidInstruction(); 13 | }; 14 | 15 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/vmware.cpp: -------------------------------------------------------------------------------- 1 | #include "vmware.h" 2 | 3 | 4 | vmware::vmware(void) 5 | { 6 | } 7 | 8 | 9 | vmware::~vmware(void) 10 | { 11 | } 12 | 13 | void vmware::startDetect(){ 14 | printf("========= Checks for VMWARE =======\n"); 15 | printf("Instruction Checks\n"); 16 | sidt(); 17 | sldt(); 18 | smsw(); 19 | str(); 20 | in(); 21 | redpill(); 22 | printf("\n"); 23 | 24 | printf("Process Checks\n"); 25 | checkProcess(); 26 | printf("\n"); 27 | 28 | printf("Registry Checks\n"); 29 | 
checkRegistry(); 30 | printf("\n\n"); 31 | 32 | printf("File Checks\n"); 33 | checkFile(); 34 | printf("\n\n"); 35 | 36 | printf("MAC Checks\n"); 37 | checkMAC(); 38 | printf("\n"); 39 | } 40 | 41 | void vmware::sidt(){ 42 | unsigned char idtr[6]; 43 | unsigned long idt = 0; 44 | 45 | _asm sidt idtr 46 | idt = *((unsigned long *)&idtr[2]); 47 | 48 | if ((idt >> 24) == 0xff) 49 | printf("SIDT(): VM detected\n"); 50 | } 51 | 52 | void vmware::sldt() { 53 | unsigned char ldtr[5] = "\xef\xbe\xad\xde"; 54 | unsigned long ldt = 0; 55 | 56 | _asm sldt ldtr 57 | ldt = *((unsigned long *)&ldtr[0]); 58 | 59 | if (ldt != 0xdead0000) 60 | printf("SLDT(): VM detected\n"); 61 | } 62 | 63 | void vmware::str() { 64 | unsigned char mem[4] = {0, 0, 0, 0}; 65 | 66 | __asm str mem; 67 | 68 | if ((mem[0] == 0x00) && (mem[1] == 0x40)) 69 | printf ("STR(): VM detected\n"); 70 | } 71 | 72 | void vmware::smsw() { 73 | unsigned int reax = 0; 74 | 75 | __asm 76 | { 77 | mov eax, 0xCCCCCCCC; 78 | smsw eax; 79 | mov DWORD PTR [reax], eax; 80 | } 81 | 82 | if ( (( (reax >> 24) & 0xFF ) == 0xcc) 83 | && (( (reax >> 16) & 0xFF ) == 0xcc)) 84 | printf("SMSW(): VM detected\n"); 85 | } 86 | 87 | // TO CHECK NOT RUNNING 88 | void vmware::redpill(){ 89 | unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; 90 | *((unsigned*)&rpill[3]) = (unsigned)m; 91 | ((void(*)())&rpill)(); 92 | 93 | if (m[5]>0xd0) printf ("Redpill(): VM detected\n", m[5]); 94 | } 95 | 96 | // Reference: http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual 97 | void vmware::in() { 98 | bool rc = true; 99 | _try 100 | { 101 | __asm 102 | { 103 | push edx 104 | push ecx 105 | push ebx 106 | 107 | mov eax, 'VMXh' 108 | mov ebx, 0 // any value but not the MAGIC VALUE 109 | mov ecx, 10 // get VMWare version 110 | mov edx, 'VX' // port number 111 | 112 | in eax, dx // read port 113 | // on return EAX returns the VERSION 114 | cmp ebx, 'VMXh' // is it a reply from VMWare? 
115 | setz [rc] // set return value 116 | 117 | pop ebx 118 | pop ecx 119 | pop edx 120 | } 121 | } 122 | __except(EXCEPTION_EXECUTE_HANDLER) 123 | { 124 | rc = false; 125 | } 126 | 127 | if (!rc){ 128 | // for the sake of showing preventer works 129 | FILE *pfile = fopen("Virtual-createdByMalware.txt", "w"); 130 | fprintf(pfile, "i am created by paranoidmalware.exe because i can't detect vmware"); 131 | //pfile->close(); 132 | } 133 | else{ 134 | 135 | printf("IN(): VM detected\n"); 136 | } 137 | } 138 | 139 | // CHECK FOR RUNNING PROCESS 140 | void vmware::checkProcess(){ 141 | Helper h; 142 | if(h.isProcessExists("vmacthlp.exe")){ 143 | printf("VM: vmacthlp.exe exists\n"); 144 | } 145 | if(h.isProcessExists("vmtoolsd.exe")){ 146 | printf("VM: vmtoolsd.exe exists\n"); 147 | } 148 | if(h.isProcessExists("vmwaretray.exe")){ 149 | printf("VM: vmtooltray.exe exists\n"); 150 | } 151 | } 152 | 153 | // TODO 154 | void vmware::checkRegistry(){ 155 | Helper h; 156 | 157 | if(h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\VMWare\\VMTools")) 158 | ||h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\VMWare, Inc.\\VMware Tools"))){ 159 | printf("VM Registry: VMTools exists.\n"); 160 | } 161 | 162 | if(h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmci")) 163 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmhgfs")) 164 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmmouse")) 165 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmusbmouse")) 166 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmxnet")) 167 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\vmtools"))){ 168 | printf("VM Registry: Drivers exists.\n"); 169 | } 170 | 171 | wstring checkString[] = {wstring(L"vmware")}; 172 | 
if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\ControlSet001\\Services\\Disk\\Enum\\"), TEXT("0"), checkString, 1)){ 173 | printf("VM Registry: Services exists.\n"); 174 | } 175 | 176 | if(h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 177 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 178 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1) 179 | || h.isRegistryValue(HKEY_LOCAL_MACHINE, TEXT("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 3\\Scsi bus 0\\Target Id 0\\Logical Unit Id 0"), TEXT("Identifier"), checkString, 1)){ 180 | printf("VM Registry: VM Virtual hardware exists.\n"); 181 | } 182 | /* 183 | if(h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\services\\vmci")) 184 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\services\\vmhgfs")) 185 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\services\\VMMEMCTL")) 186 | || h.isRegistryKeyExists(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\VMWare, Inc.\\VMware Tools"))){ 187 | registryKey = 1; 188 | }*/ 189 | 190 | 191 | //HKLM\SYSTEM\CurrentControlSet\Services 192 | 193 | //HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port *x*\Scsi Bus 0\Target Id 0\Logical Unit Id 0 194 | 195 | //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\0000 196 | 197 | 198 | 199 | } 200 | 201 | void vmware::checkFile(){ 202 | Helper h; 203 | std::string driverPath = "C:\\Windows\\system32\\drivers\\"; 204 | 205 | // Get Program File Path 206 | TCHAR progFilePath[MAX_PATH]; 207 | SHGetFolderPath(NULL, CSIDL_PROGRAM_FILES, NULL, 0, progFilePath); 208 | std::string programFiles = 
getenv("ProgramFiles"); 209 | 210 | // convert to string 211 | std::wstring arr_w( progFilePath ); 212 | std::string arr_s( arr_w.begin(), arr_w.end() ); 213 | arr_s +="\\"; 214 | 215 | //C:\Program Files\VMware\VMware Tools 216 | string vmPath = arr_s + "VMware\\VMware Tools\\"; 217 | string vmPath2 = arr_s + "Common Files\\VMware\\Drivers\\memctl\\"; 218 | 219 | h.isFileExists(driverPath + "vmmouse.sys"); 220 | h.isFileExists(driverPath + "vmx_svga.sys"); 221 | h.isFileExists(driverPath + "vmusbmouse.sys"); 222 | h.isFileExists(driverPath + "vmscsi.sys"); 223 | h.isFileExists(driverPath + "vmci.sys"); 224 | h.isFileExists(driverPath + "vmhgfs.sys"); 225 | h.isFileExists(driverPath + "vmxnet.sys"); 226 | h.isFileExists(vmPath + "vmacthlp.exe"); 227 | h.isFileExists(vmPath + "vmtoolsd.exe"); 228 | h.isFileExists(vmPath2 + "vmmemctl.sys"); 229 | } 230 | 231 | void vmware::checkMAC(){ 232 | Helper h; 233 | // to demonstrate some format (so later on can try to detect them) 234 | h.isStartWithMac("00-0C-29"); 235 | h.isStartWithMac("000C29"); 236 | h.isStartWithMac("00:0C:29"); 237 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidMalware/vmware.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "main.h" 3 | #include "Helper.h" 4 | 5 | /* 6 | Author: Lim Seok Min 7 | Email: a0073541@nus.edu.sg 8 | Purpose: To perform vmware detection via various techniques 9 | 10 | Reference: 11 | http://www.ouah.org/Red_%20Pill.html 12 | http://www.trapkit.de/research/vmm/scoopyng/ 13 | http://www.offensivecomputing.net/dc14/vmdetect.cpp 14 | http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual 15 | 16 | */ 17 | 18 | class vmware 19 | { 20 | public: 21 | vmware(void); 22 | ~vmware(void); 23 | 24 | void startDetect(); 25 | private: 26 | void sidt(); 27 | void sldt(); 28 | void str(); 29 | void smsw(); 30 | void redpill(); 31 | 
void in(); 32 | 33 | // primitive 34 | 35 | void checkRegistry(); 36 | void checkProcess(); 37 | void checkFile(); 38 | void checkMAC(); 39 | }; 40 | 41 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/CL.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/CL.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.dll -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.exp -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.lastbuildstate: -------------------------------------------------------------------------------- 1 | #v4.0:v100 2 | Debug|Win32|C:\Documents and 
Settings\Administrator\Desktop\ParanoidFamily\| 3 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.lib -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/ParanoidPreventer.write.1.tlog: -------------------------------------------------------------------------------- 1 | ^C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\MyPinTool.vcxproj 2 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\Debug\ParanoidPreventer.lib 3 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\Debug\ParanoidPreventer.lib 4 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\Debug\ParanoidPreventer.exp 5 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\Debug\ParanoidPreventer.exp 6 | ^C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\ParanoidPreventer\MyPinTool.vcxproj 7 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidPreventer.lib 8 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidPreventer.lib 9 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidPreventer.exp 10 | C:\Documents and Settings\Administrator\Desktop\ParanoidFamily\Debug\ParanoidPreventer.exp 11 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/cl.command.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/cl.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/link.command.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/link.read.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/Debug/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/atlantis2013/Evasion-Tools/bb5e415ed4e52ea2d4303f60812a9422dba7768e/ParanoidFamily/ParanoidPreventer/Debug/link.write.1.tlog -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/MyPinTool.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 10 | 11 | 14 | 17 | 18 | 19 | 20 | 21 | 28 | 31 | 34 | 37 | 40 | 43 | 64 | 67 | 70 | 73 | 91 | 94 | 97 | 100 | 103 | 106 | 109 | 112 | 115 | 116 | 123 | 126 | 129 | 132 | 135 | 139 | 159 | 162 | 165 | 168 | 186 | 189 | 192 | 195 | 198 | 201 | 204 | 207 | 210 | 211 | 219 | 222 | 225 | 228 | 231 | 234 | 256 | 259 | 262 | 265 | 284 | 287 | 290 | 293 | 296 | 299 | 302 | 305 | 308 | 309 | 317 | 320 | 323 | 326 | 329 | 333 | 354 | 357 | 360 | 363 | 382 | 385 | 388 | 391 | 394 | 
397 | 400 | 403 | 406 | 407 | 408 | 409 | 410 | 411 | 416 | 419 | 420 | 421 | 426 | 427 | 431 | 434 | 435 | 436 | 437 | 438 | 439 | 440 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/MyPinTool.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {9313CE22-2A07-4311-B806-D90EEA5075E1} 23 | ParanoidPreventer 24 | Win32Proj 25 | ParanoidPreventer 26 | 27 | 28 | 29 | DynamicLibrary 30 | MultiByte 31 | true 32 | 33 | 34 | DynamicLibrary 35 | MultiByte 36 | 37 | 38 | DynamicLibrary 39 | MultiByte 40 | true 41 | 42 | 43 | DynamicLibrary 44 | MultiByte 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | <_ProjectFileVersion>10.0.40219.1 64 | $(SolutionDir)$(Configuration)\ 65 | $(Configuration)\ 66 | false 67 | false 68 | $(ProjectDir)$(Platform)\$(Configuration)\ 69 | $(Platform)\$(Configuration)\ 70 | false 71 | false 72 | $(ProjectDir)$(Configuration)\ 73 | $(Configuration)\ 74 | false 75 | false 76 | $(ProjectDir)$(Platform)\$(Configuration)\ 77 | $(Platform)\$(Configuration)\ 78 | false 79 | false 80 | AllRules.ruleset 81 | 82 | 83 | AllRules.ruleset 84 | 85 | 86 | AllRules.ruleset 87 | 88 | 89 | AllRules.ruleset 90 | 91 | 92 | ParanoidPreventer 93 | 94 | 95 | 96 | /EHs- /EHa- %(AdditionalOptions) 97 | Disabled 98 | C:\pin\source\include;C:\pin\source\include\gen;C:\pin\source\tools\InstLib;C:\pin\extras\xed2-ia32\include;C:\pin\extras\components\include;%(AdditionalIncludeDirectories) 99 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 100 | false 101 | 102 | 103 | Default 104 | MultiThreaded 105 | false 106 | true 107 | NotSet 108 | false 109 | 110 | 111 | Level3 112 | ProgramDatabase 113 | 
4530;%(DisableSpecificWarnings) 114 | 115 | 116 | /export:main %(AdditionalOptions) 117 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib;psapi.lib 118 | C:\pin\ia32\lib;C:\pin\ia32\lib-ext;C:\pin\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 119 | true 120 | %(IgnoreSpecificDefaultLibraries) 121 | true 122 | NotSet 123 | false 124 | Ptrace_DllMainCRTStartup%4012 125 | 0x55000000 126 | MachineX86 127 | true 128 | 129 | 130 | 131 | 132 | X64 133 | 134 | 135 | /EHs- /EHa- %(AdditionalOptions) 136 | Disabled 137 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 138 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 139 | false 140 | 141 | 142 | Default 143 | MultiThreaded 144 | false 145 | true 146 | false 147 | 148 | 149 | Level3 150 | ProgramDatabase 151 | 4530;%(DisableSpecificWarnings) 152 | 153 | 154 | /export:main %(AdditionalOptions) 155 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 156 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 157 | true 158 | %(IgnoreSpecificDefaultLibraries) 159 | true 160 | NotSet 161 | false 162 | Ptrace_DllMainCRTStartup 163 | 0xC5000000 164 | MachineX64 165 | true 166 | 167 | 168 | 169 | 170 | /EHs- /EHa- %(AdditionalOptions) 171 | true 172 | false 173 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-ia32\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 174 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 175 | false 176 | 177 | 178 | Default 179 | MultiThreaded 180 | false 181 | true 182 | NotSet 183 | false 184 | 185 | 186 | Level3 187 | 188 | 189 | 4530;%(DisableSpecificWarnings) 190 | 191 | 192 | /export:main 
%(AdditionalOptions) 193 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-32.lib 194 | ..\..\..\ia32\lib;..\..\..\ia32\lib-ext;..\..\..\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories) 195 | true 196 | %(IgnoreSpecificDefaultLibraries) 197 | true 198 | NotSet 199 | true 200 | 201 | 202 | 203 | 204 | Ptrace_DllMainCRTStartup%4012 205 | 0x55000000 206 | MachineX86 207 | 208 | 209 | 210 | 211 | X64 212 | 213 | 214 | /EHs- /EHa- %(AdditionalOptions) 215 | true 216 | false 217 | ..\..\include;..\..\include\gen;..\InstLib;..\..\..\extras\xed2-intel64\include;..\..\..\extras\components\include;%(AdditionalIncludeDirectories) 218 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;BIGARRAY_MULTIPLIER=1;USING_XED;_CRT_SECURE_NO_DEPRECATE;_SECURE_SCL=0;WIN32 219 | false 220 | 221 | 222 | Default 223 | MultiThreaded 224 | false 225 | true 226 | false 227 | 228 | 229 | Level3 230 | 231 | 232 | 4530;%(DisableSpecificWarnings) 233 | 234 | 235 | /export:main %(AdditionalOptions) 236 | pin.lib;libxed.lib;libcpmt.lib;libcmt.lib;pinvm.lib;kernel32.lib;ntdll-64.lib 237 | ..\..\..\intel64\lib;..\..\..\intel64\lib-ext;..\..\..\extras\xed2-intel64\lib;%(AdditionalLibraryDirectories) 238 | true 239 | %(IgnoreSpecificDefaultLibraries) 240 | true 241 | NotSet 242 | true 243 | 244 | 245 | 246 | 247 | Ptrace_DllMainCRTStartup 248 | 0xC5000000 249 | MachineX64 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/MyPinTool.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {36d60a99-9b59-434c-8eb8-a3907e0547da} 14 | txt;doc;html 15 | 16 | 17 | 18 | 19 | Documents 20 | 21 | 22 | 23 | 
24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/ParanoidPreventer.cpp: -------------------------------------------------------------------------------- 1 | #include "main.h" 2 | 3 | namespace WINDOWS 4 | { 5 | #include 6 | #include 7 | } 8 | 9 | static UINT64 icount = 0; 10 | 11 | VOID docount() { icount++; } 12 | 13 | // Anti-Virtualization Preventer 14 | 15 | void killSLDT(ADDRINT memoryAddr) { 16 | char *d = (char *)memoryAddr; 17 | unsigned int* m = (unsigned int *)(d); 18 | *m = 0xdead0000; 19 | } 20 | 21 | void killSIDT(ADDRINT memoryAddr) { 22 | char *d = (char *)memoryAddr; 23 | unsigned int* m = (unsigned int *)(d+2); 24 | *m = 0xd00dbeef; 25 | } 26 | 27 | void killSTR(ADDRINT memoryAddr) { 28 | char *d = (char *)memoryAddr; 29 | unsigned int* m = (unsigned int *)(d); 30 | *m =0xbebaadde; 31 | } 32 | 33 | //Modify the magic value 34 | void killEAX() { 35 | unsigned int EAX_save; 36 | unsigned short int DX_save; 37 | 38 | __asm { 39 | mov EAX_save, eax 40 | mov DX_save, dx 41 | } 42 | 43 | if ((EAX_save == 0x564D5868) && (DX_save == 0x5658)){ 44 | __asm { 45 | mov dx, 0x0004 46 | } 47 | } 48 | } 49 | 50 | // End of Anti-Virtualization Preventer 51 | 52 | VOID killCreateFile(CHAR * name, CHAR * entry, bool retVal, ADDRINT *addr){ 53 | if(strstr(entry, "vm")!=NULL || strstr(entry, "ORACLE")!=NULL || strstr(entry, "VM")!=NULL){ 54 | if(*addr == 32){ 55 | *addr = -1; 56 | } 57 | } 58 | } 59 | 60 | // Start of Routine Replacement 61 | VOID killOpenProcess(CHAR * name, wchar_t * entry, bool retVal, ADDRINT *addr){ 62 | // just a null function 63 | // of course we 're not supposed to do this. 
64 | *addr = NULL; 65 | } 66 | 67 | VOID killRegOpenKey(CHAR * name, wchar_t * entry, bool retVal, ADDRINT *addr){ 68 | wstring w = wstring(entry); 69 | transform(w.begin(), w.end(),w.begin(),towupper); 70 | 71 | // Modify return value 72 | if(w.find(L"VBOX") != w.npos || w.find(L"VMWARE") != w.npos || w.find(L"VM") != w.npos || w.find(L"ENUM")){ 73 | *addr = 2; 74 | } 75 | } 76 | 77 | VOID killIsDebuggerPresent(CHAR * name, wchar_t * entry, bool retVal, ADDRINT *addr){ 78 | wstring w = wstring(entry); 79 | transform(w.begin(), w.end(),w.begin(),towupper); 80 | 81 | wcout << w << endl; 82 | } 83 | 84 | VOID Routine(RTN rtn, VOID *v) 85 | { 86 | string name = RTN_Name(rtn); 87 | 88 | if (name == "OpenProcess") 89 | { 90 | RTN_Open(rtn); 91 | RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)killOpenProcess, 92 | IARG_ADDRINT, "OpenProcess", 93 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 94 | IARG_FUNCRET_EXITPOINT_VALUE, 95 | IARG_FUNCRET_EXITPOINT_REFERENCE, 96 | IARG_END); 97 | RTN_Close(rtn); 98 | } 99 | 100 | if (name == "GetProcAddress") 101 | { 102 | RTN_Open(rtn); 103 | // call killRegOpenKey after RegOpenKeyExW is called 104 | RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)killIsDebuggerPresent, 105 | IARG_ADDRINT, "GetProcAddress", 106 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 107 | IARG_FUNCRET_EXITPOINT_VALUE, 108 | IARG_FUNCRET_EXITPOINT_REFERENCE, 109 | IARG_END); 110 | 111 | RTN_Close(rtn); 112 | } 113 | 114 | if (name == "RegOpenKeyExW"){ 115 | RTN_Open(rtn); 116 | 117 | // call killRegOpenKey after RegOpenKeyExW is called 118 | RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)killRegOpenKey, 119 | IARG_ADDRINT, "RegOpenKeyExW", 120 | IARG_FUNCARG_ENTRYPOINT_VALUE, 1, 121 | IARG_FUNCRET_EXITPOINT_VALUE, 122 | IARG_FUNCRET_EXITPOINT_REFERENCE, 123 | IARG_END); 124 | 125 | RTN_Close(rtn); 126 | } 127 | } 128 | // End of Routine Replacement 129 | 130 | // Start of ShellCode Instrumentation 131 | void traceInst(INS ins, VOID*) 132 | { 133 | ADDRINT address = INS_Address(ins); 134 | 135 
| INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END); // count the number of instruction 136 | 137 | string ss = INS_Disassemble(ins); 138 | if(ss.substr(0,4) == "sldt"){ 139 | INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)killSLDT, IARG_MEMORYWRITE_EA, IARG_END); 140 | } 141 | else if(ss.substr(0,4) == "sidt"){ 142 | INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)killSIDT, IARG_MEMORYWRITE_EA, IARG_END); 143 | } 144 | else if(ss.substr(0,6) == "in eax"){ 145 | INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)killEAX, IARG_END); 146 | } 147 | else if(ss.substr(0,3) == "str"){ 148 | //INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)killSTR, IARG_END); 149 | } 150 | } 151 | 152 | VOID Image(IMG img, VOID *v) 153 | { 154 | RTN cfwRtn = RTN_FindByName(img, "GetFileAttributesA"); 155 | 156 | if (RTN_Valid(cfwRtn)) 157 | { 158 | RTN_Open(cfwRtn); 159 | RTN_InsertCall(cfwRtn, IPOINT_AFTER, (AFUNPTR)killCreateFile, 160 | IARG_ADDRINT, "GetFileAttributesA", 161 | IARG_FUNCARG_ENTRYPOINT_VALUE, 0, 162 | IARG_FUNCRET_EXITPOINT_VALUE, 163 | IARG_FUNCRET_EXITPOINT_REFERENCE, 164 | IARG_END); 165 | RTN_Close(cfwRtn); 166 | } 167 | } 168 | 169 | int main(int argc, char * argv[]) 170 | { 171 | PIN_InitSymbols(); 172 | if(PIN_Init(argc, argv)) { 173 | cerr << "This Pintool modifies return values in certain memory addresses." 
<< endl; 174 | cerr << endl << KNOB_BASE::StringKnobSummary() << endl; 175 | return 0; 176 | } 177 | 178 | INS_AddInstrumentFunction(traceInst, 0); 179 | RTN_AddInstrumentFunction(Routine, 0); 180 | IMG_AddInstrumentFunction(Image, (VOID *) 1); 181 | 182 | PIN_StartProgram(); 183 | return 0; 184 | } -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/main.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "pin.H" -------------------------------------------------------------------------------- /ParanoidFamily/ParanoidPreventer/makefile: -------------------------------------------------------------------------------- 1 | ## 2 | ## This is a sample makefile for building Pin tools outside 3 | ## of the Pin environment. This makefile is suitable for 4 | ## building with the Pin kit, not a Pin source development tree. 5 | ## 6 | ## To build the tool, execute the make command: 7 | ## 8 | ## make 9 | ## or 10 | ## make PIN_HOME= 11 | ## 12 | ## After building your tool, you would invoke Pin like this: 13 | ## 14 | ## $PIN_HOME/pin -t MyPinTool -- /bin/ls 15 | ## 16 | ############################################################## 17 | # 18 | # User-specific configuration 19 | # 20 | ############################################################## 21 | 22 | # 23 | # 1. Change PIN_HOME to point to the top-level directory where 24 | # Pin was installed. This can also be set on the command line, 25 | # or as an environment variable. 26 | # 27 | PIN_HOME ?= ../../.. 
28 | 29 | 30 | ############################################################## 31 | # 32 | # set up and include *.config files 33 | # 34 | ############################################################## 35 | 36 | PIN_KIT=$(PIN_HOME) 37 | KIT=1 38 | TESTAPP=$(OBJDIR)cp-pin.exe 39 | 40 | TARGET_COMPILER?=gnu 41 | ifdef OS 42 | ifeq (${OS},Windows_NT) 43 | TARGET_COMPILER=ms 44 | endif 45 | endif 46 | 47 | ifeq ($(TARGET_COMPILER),gnu) 48 | include $(PIN_HOME)/source/tools/makefile.gnu.config 49 | CXXFLAGS ?= -Wall -Werror -Wno-unknown-pragmas $(DBG) $(OPT) 50 | PIN=$(PIN_HOME)/pin 51 | endif 52 | 53 | ifeq ($(TARGET_COMPILER),ms) 54 | include $(PIN_HOME)/source/tools/makefile.ms.config 55 | DBG?= 56 | PIN=$(PIN_HOME)/pin.bat 57 | endif 58 | 59 | 60 | ############################################################## 61 | # 62 | # Tools - you may wish to add your tool name to TOOL_ROOTS 63 | # 64 | ############################################################## 65 | 66 | 67 | TOOL_ROOTS = MyPinTool 68 | 69 | TOOLS = $(TOOL_ROOTS:%=$(OBJDIR)%$(PINTOOL_SUFFIX)) 70 | 71 | 72 | ############################################################## 73 | # 74 | # build rules 75 | # 76 | ############################################################## 77 | 78 | all: tools 79 | tools: $(OBJDIR) $(TOOLS) $(OBJDIR)cp-pin.exe 80 | test: $(OBJDIR) $(TOOL_ROOTS:%=%.test) 81 | 82 | MyPinTool.test: $(OBJDIR)cp-pin.exe 83 | $(MAKE) -k PIN_HOME=$(PIN_HOME) 84 | 85 | $(OBJDIR)cp-pin.exe: 86 | $(CXX) $(PIN_HOME)/source/tools/Tests/cp-pin.cpp $(APP_CXXFLAGS) -o $(OBJDIR)cp-pin.exe 87 | 88 | $(OBJDIR): 89 | mkdir -p $(OBJDIR) 90 | 91 | $(OBJDIR)%.o : %.cpp 92 | $(CXX) -c $(CXXFLAGS) $(PIN_CXXFLAGS) ${OUTOPT}$@ $< 93 | 94 | $(TOOLS): $(PIN_LIBNAMES) 95 | 96 | $(TOOLS): %$(PINTOOL_SUFFIX) : %.o 97 | ${PIN_LD} $(PIN_LDFLAGS) $(LINK_DEBUG) ${LINK_OUT}$@ $< ${PIN_LPATHS} $(PIN_LIBS) $(DBG) 98 | 99 | 100 | ## cleaning 101 | clean: 102 | -rm -rf $(OBJDIR) *.out *.tested *.failed makefile.copy 103 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | CP4101 2 | ====== 3 | 4 | Anti-technique Codes, Detection of Anti-technique codes 5 | 6 | **ParanoidMalware** 7 | 8 | Combination of anti-technique codes to detect certain environment. 9 | 10 | - Anti-Debugging 11 | 12 | - Anti-Sandbox 13 | 14 | - Anti-VirtualPC 15 | 16 | - Anti-VirtualBox 17 | 18 | - Anti-VMWare 19 | 20 | - Anti-QEMU 21 | 22 | **ParanoidDetector** 23 | 24 | Combination of tools to detect anti-technique codes. 25 | 26 | - PINTools 27 | 28 | - Retrieve all routines used in the executable -------------------------------------------------------------------------------- /yaraCheck.py: -------------------------------------------------------------------------------- 1 | import yara 2 | import os 3 | import glob 4 | import shutil 5 | 6 | def mycallback(data): 7 | if(len(data["strings"]) != 0): 8 | print data 9 | yara.CALLBACK_CONTINUE 10 | 11 | 12 | rules = yara.compile('C:\Documents and Settings\Administrator\Desktop\improved_vmdetect.yar') 13 | 14 | os.chdir("C:\Documents and Settings\Administrator\Desktop\Malwares") 15 | for files in glob.glob("*.vir"): 16 | matches = rules.match(files) 17 | if (len(matches)!=0): 18 | path = os.path.join("C:\Documents and Settings\Administrator\Desktop\Malwares", files) 19 | print path 20 | shutil.move(path, 'C:\Documents and Settings\Administrator\Desktop\checks') 21 | --------------------------------------------------------------------------------