Merge pull request #15 from chkp-ramanl/minor-fixes-1

Minor fixes
CheckPointSW · Apr 19, 2024 · 639b468 · 639b468
2 parents 7662bd9 + 7dba571
commit 639b468
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 45 deletions.
diff --git a/README.md b/README.md
@@ -1,16 +1,17 @@
-# Evasions
 
-### Words of gratitude
+# Encyclopedia of Evasions
+
+## Words of gratitude
 
 This encyclopedia wouldn't be possible without invaluable assistance of the following Check Point researchers:
 * Aliaksandr Trafimchuk ([@a14xt][a14xt])
-* Alexey Bukhteyev
+* Bohdan Melnykov ([@\_mbv06\_][\_mbv06\_])
 
-### Site
+## Site
 
 Compiled encyclopedia resides here: https://evasions.checkpoint.com.
 
-### Description
+## Windows Evasions repository
 
 As malicious threats evolve, the necessity in automated solutions to analyze such threats emerges. It's a very common case when malware samples are executed in some kind of virtualized environment.
 
@@ -38,12 +39,65 @@ If you want to contribute to this encyclopedia, you're more than welcome to crea
 
 So check out all the repositories, browse through evasions encyclopedia and enjoy the journey!
 
-Raman Ladutska ([@DaCuriousBro][DaCuriousBro])
-
-
-[a14xt]: <https://twitter.com/a14xt>
 [al-khaser]: <https://github.com/LordNoteworthy/al-khaser>
 [pafish]: <https://github.com/a0rtega/pafish>
 [vmde]: <https://github.com/hfiref0x/VMDE>
 [invizzzible]: <https://github.com/CheckPointSW/InviZzzible>
+
+
+## Windows Anti-Debug repository
+
+Debugging is the essential part of malware analysis. Every time we need to drill down into malware behavior, restore encryption methods or examine communication protocols – generally, whenever we need to examine memory at a certain moment of time – we use debuggers.
+
+Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. In turn knowledge of anti-debug techniques helps us detect when the malware tries to prevent us from debugging it and mitigate the interference.
+
+This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg). Deprecated techniques (e.g. for SoftICE, etc.) are not included (despite all the love to SoftICE).
+
+Anti-Debug tricks are grouped by the way in which they trigger side-effects (“meh, yet another classification”, you might think). Each group includes the description of corresponding tricks, their implementation in C/C++ or x86/x86-64 Assembly language, and recommendations of how to mitigate the trick for developers who want to create their own anti-anti-debug solution. In general, for bypassing anti-debug techniques we recommend using the [ScyllaHide][scylla_link] plugin which supports OllyDbg, x64dbg and IDA Pro.
+
+All the techniques which are described in this encyclopedia are implemented in our [ShowStopper][showstopper_link] open-source project. The encyclopedia can help you to better understand how these techniques work or to assess debuggers and anti-anti-debug plugins.
+
+### References
+* [P. Ferrie. The “Ultimate”Anti-Debugging Reference][ferrie]
+* [N. Falliere. Windows Anti-Debug Reference][falliere]
+* [J. Jackson. An Anti-Reverse Engineering Guide][jackson]
+* [Anti Debugging Protection Techniques with Examples][apriorit]
+* [simpliFiRE.AntiRE][simplifire]
+
+[ferrie]: <http://pferrie.epizy.com/papers/antidebug.pdf>
+[falliere]: <https://www.symantec.com/connect/articles/windows-anti-debug-reference>
+[jackson]: <https://forum.tuts4you.com/files/file/1218-anti-reverse-engineering-guide/>
+[apriorit]: <https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software>
+[simplifire]: <https://bitbucket.org/fkie_cd_dare/simplifire.antire/src/master/>
+
+[scylla_link]: <https://github.com/x64dbg/ScyllaHide>
+[showstopper_link]: <https://github.com/CheckPointSW/showstopper>
+
+## macOS Evasions repository
+
+This repository is made in the same style and format as its Windows counterparts. However, due to the specifics of the macOS platform, only evasion techniques are present, without anti-debug tricks. Code examples are provided for each of the included groups, along with countermeasures advice.
+
+## Android Evasions repository
+
+This repository is made in the same style and format as its Windows couterparts. However, due to the specifics of the Android platform and low number of techniques in comparison to Windows, evasions and anti-debug are present in one repository. Where applicable, the code examples are provided.
+
+## Authors
+
+The author of Windows Anti-Debug repository and the corresponding "About" section:
+<ul>
+<li>Yaraslau Harakhavik (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/slevin_by">@slevin_by</a>)</li>
+</ul>
+
+The author of macOS Evasions repository and the corresponding "About" section:
+<ul>
+<li>Alexey Bukhteyev</li>
+</ul>
+
+The author of other encyclopedia parts:
+<ul>
+<li>Raman Ladutska (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/DaCuriousBro">@DaCuriousBro</a>)</li>
+</ul>
+
+[a14xt]: <https://twitter.com/a14xt>
+[\_mbv06\_]: <https://twitter.com/_mbv06_>
 [DaCuriousBro]: <https://twitter.com/DaCuriousBro>
diff --git a/_src/Android/index.html b/_src/Android/index.html
@@ -33,56 +33,56 @@
 .flex-container > div {
   flex: 0 0 25%;
   text-align: center;
-  font-size: 18px;
+  font-size: 17px;
   margin-bottom: 30px;
   display: grid;
 }
 
 .outer-img-pink {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(255,86,136);
     padding: 10px;
     border: 0px;
 }
 .outer-img-pink:hover {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(255,86,136);
     padding: 10px;
     border: 0px;
 }
 
 .outer-img-grey {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(159,159,159);
     padding: 10px;
     border: 0px;
 }
 .outer-img-grey:hover {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(159,159,159);
     padding: 10px;
     border: 0px;
 }
 
 .inner-img {
-    width: 160px;
-    height: 160px;
+    width: 140px;
+    height: 140px;
     display: inline-flex;
-    background-size: 160px 160px;
+    background-size: 140px 140px;
 }
 .inner-img-grey {
-    width: 160px;
-    height: 160px;
+    width: 140px;
+    height: 140px;
     display: inline-flex;
-    background-size: 160px 160px;
+    background-size: 140px 140px;
 }
 
 .grey-text {
@@ -91,7 +91,7 @@
 }
 
 .icon {
-  min-width: 180px;
+  min-width: 160px;
   height: 140px;
 }
 
@@ -132,7 +132,7 @@
             <span class="inner-img" style='background-image:url("assets/icons/environment_gray.png")' />
           </a>
         </span>
-      <a class="grey-text">Environment detection [coming soon]</a>
+      <a class="grey-text">Environment detection<br />[coming soon]</a>
      </div>
     </div>
 
@@ -143,7 +143,7 @@
             <span class="inner-img" style='background-image:url("assets/icons/emulator_flags_gray.svg")' />
           </a>
         </span>
-        <a class="grey-text">Emulator & debug flags [planned]</a>
+        <a class="grey-text">Emulator & debug flags<br />[planned]</a>
       </div>
     </div>
 
@@ -160,6 +160,7 @@
 
   </div>
 </div>
+<br />
 <a href={{ site.url }}{{ site.baseurl }}><p style="text-align:center">Go to the title page</a>
 
 <br />

diff --git a/_src/MacOS/macos.md b/_src/MacOS/macos.md
@@ -216,5 +216,5 @@ echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))
 
 <h3><a class="a-dummy" name="countermeasures">Countermeasures</a></h3>
 Apple software licensing policy doesn't allow emulating macOS on hardware other than the original Apple hardware. 
-It is also doesn't not allow more than 2 virtual machines to run on one host machine.
+It also doesn't not allow more than 2 virtual machines to run on one host machine.
 Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.
diff --git a/about.md b/about.md
@@ -9,7 +9,6 @@ permalink: /about/
 This encyclopedia wouldn't be possible without invaluable assistance of the following Check Point researchers:
 <ul>
 <li>Aliaksandr Trafimchuk (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/a14xt">@a14xt</a>)</li>
-<li>Alexey Bukhteyev</li>
 <li>Bohdan Melnykov (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/_mbv06_">@_mbv06_</a>)</li>
 </ul>
 
@@ -72,6 +71,12 @@ All the techniques which are described in this encyclopedia are implemented in o
 
 <br />
 
+<h2>macOS evasions repository</h2>
+
+This repository is made in the same style and format as its Windows counterparts. However, due to the specifics of the macOS platform, only evasion techniques are present, without anti-debug tricks. Code examples are provided for each of the included groups, along with countermeasures advice.
+
+<br />
+
 <h2>Android evasions repository</h2>
 
 This repository is made in the same style and format as its Windows couterparts. However, due to the specifics of the Android platform and low number of techniques in comparison to Windows, evasions and anti-debug are present in one repository. Where applicable, the code examples are provided.
@@ -85,6 +90,11 @@ The author of Windows Anti-Debug repository and the corresponding "About" sectio
 <li>Yaraslau Harakhavik (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/slevin_by">@slevin_by</a>)</li>
 </ul>
 
+The author of macOS Evasions repository and the corresponding "About" section:
+<ul>
+<li>Alexey Bukhteyev</li>
+</ul>
+
 The author of other encyclopedia parts:
 <ul>
 <li>Raman Ladutska (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/DaCuriousBro">@DaCuriousBro</a>)</li>

diff --git a/index.html b/index.html
@@ -27,7 +27,7 @@
   align-content: space-around;
   align-items: center;
   justify-content: space-evenly;
-  min-width: 1400px;
+  min-width: 1200px;
 }
 
 .flex-container > div {
@@ -39,50 +39,50 @@
 }
 
 .outer-img-pink {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(255,86,136);
     padding: 10px;
     border: 0px;
 }
 .outer-img-pink:hover {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(255,86,136);
     padding: 10px;
     border: 0px;
 }
 
 .outer-img-grey {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(159,159,159);
     padding: 10px;
     border: 0px;
 }
 .outer-img-grey:hover {
-    height: 180px;
-    width: 180px;
+    height: 160px;
+    width: 160px;
     display: inline-flex;
     background-color: rgb(159,159,159);
     padding: 10px;
     border: 0px;
 }
 
 .inner-img {
-    width: 160px;
-    height: 160px;
+    width: 140px;
+    height: 140px;
     display: inline-flex;
-    background-size: 160px 160px;
+    background-size: 140px 140px;
 }
 .inner-img-grey {
-    width: 160px;
-    height: 160px;
+    width: 140px;
+    height: 140px;
     display: inline-flex;
-    background-size: 160px 160px;
+    background-size: 140px 140px;
 }
 
 .grey-text {
@@ -91,7 +91,7 @@
 }
 
 .icon {
-  min-width: 160px;
+  min-width: 140px;
   height: 140px;
 }