diff --git a/README.md b/README.md index 7b3d8a9..fab6fd5 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,17 @@ -# Evasions -### Words of gratitude +# Encyclopedia of Evasions + +## Words of gratitude This encyclopedia wouldn't be possible without invaluable assistance of the following Check Point researchers: * Aliaksandr Trafimchuk ([@a14xt][a14xt]) -* Alexey Bukhteyev +* Bohdan Melnykov ([@\_mbv06\_][\_mbv06\_]) -### Site +## Site Compiled encyclopedia resides here: https://evasions.checkpoint.com. -### Description +## Windows Evasions repository As malicious threats evolve, the necessity in automated solutions to analyze such threats emerges. It's a very common case when malware samples are executed in some kind of virtualized environment. @@ -38,12 +39,65 @@ If you want to contribute to this encyclopedia, you're more than welcome to crea So check out all the repositories, browse through evasions encyclopedia and enjoy the journey! -Raman Ladutska ([@DaCuriousBro][DaCuriousBro]) - - -[a14xt]: [al-khaser]: [pafish]: [vmde]: [invizzzible]: + + +## Windows Anti-Debug repository + +Debugging is the essential part of malware analysis. Every time we need to drill down into malware behavior, restore encryption methods or examine communication protocols – generally, whenever we need to examine memory at a certain moment of time – we use debuggers. + +Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. In turn knowledge of anti-debug techniques helps us detect when the malware tries to prevent us from debugging it and mitigate the interference. + +This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg). Deprecated techniques (e.g. for SoftICE, etc.) are not included (despite all the love to SoftICE). + +Anti-Debug tricks are grouped by the way in which they trigger side-effects (“meh, yet another classification”, you might think). Each group includes the description of corresponding tricks, their implementation in C/C++ or x86/x86-64 Assembly language, and recommendations of how to mitigate the trick for developers who want to create their own anti-anti-debug solution. In general, for bypassing anti-debug techniques we recommend using the [ScyllaHide][scylla_link] plugin which supports OllyDbg, x64dbg and IDA Pro. + +All the techniques which are described in this encyclopedia are implemented in our [ShowStopper][showstopper_link] open-source project. The encyclopedia can help you to better understand how these techniques work or to assess debuggers and anti-anti-debug plugins. + +### References +* [P. Ferrie. The “Ultimate”Anti-Debugging Reference][ferrie] +* [N. Falliere. Windows Anti-Debug Reference][falliere] +* [J. Jackson. An Anti-Reverse Engineering Guide][jackson] +* [Anti Debugging Protection Techniques with Examples][apriorit] +* [simpliFiRE.AntiRE][simplifire] + +[ferrie]: +[falliere]: +[jackson]: +[apriorit]: +[simplifire]: + +[scylla_link]: +[showstopper_link]: + +## macOS Evasions repository + +This repository is made in the same style and format as its Windows counterparts. However, due to the specifics of the macOS platform, only evasion techniques are present, without anti-debug tricks. Code examples are provided for each of the included groups, along with countermeasures advice. + +## Android Evasions repository + +This repository is made in the same style and format as its Windows couterparts. However, due to the specifics of the Android platform and low number of techniques in comparison to Windows, evasions and anti-debug are present in one repository. Where applicable, the code examples are provided. + +## Authors + +The author of Windows Anti-Debug repository and the corresponding "About" section: + + +The author of macOS Evasions repository and the corresponding "About" section: +
    +
  • Alexey Bukhteyev
    • +
+ +The author of other encyclopedia parts: + + +[a14xt]: +[\_mbv06\_]: [DaCuriousBro]: diff --git a/_src/Android/index.html b/_src/Android/index.html index cf73e5a..65909b3 100644 --- a/_src/Android/index.html +++ b/_src/Android/index.html @@ -33,22 +33,22 @@ .flex-container > div { flex: 0 0 25%; text-align: center; - font-size: 18px; + font-size: 17px; margin-bottom: 30px; display: grid; } .outer-img-pink { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(255,86,136); padding: 10px; border: 0px; } .outer-img-pink:hover { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(255,86,136); padding: 10px; @@ -56,16 +56,16 @@ } .outer-img-grey { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(159,159,159); padding: 10px; border: 0px; } .outer-img-grey:hover { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(159,159,159); padding: 10px; @@ -73,16 +73,16 @@ } .inner-img { - width: 160px; - height: 160px; + width: 140px; + height: 140px; display: inline-flex; - background-size: 160px 160px; + background-size: 140px 140px; } .inner-img-grey { - width: 160px; - height: 160px; + width: 140px; + height: 140px; display: inline-flex; - background-size: 160px 160px; + background-size: 140px 140px; } .grey-text { @@ -91,7 +91,7 @@ } .icon { - min-width: 180px; + min-width: 160px; height: 140px; } @@ -132,7 +132,7 @@ - Environment detection [coming soon] + Environment detection
[coming soon] @@ -143,7 +143,7 @@ - Emulator & debug flags [planned] + Emulator & debug flags
[planned] @@ -160,6 +160,7 @@ +

Go to the title page
diff --git a/_src/MacOS/macos.md b/_src/MacOS/macos.md index 7304ecb..00a20bb 100644 --- a/_src/MacOS/macos.md +++ b/_src/MacOS/macos.md @@ -216,5 +216,5 @@ echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))

Countermeasures

Apple software licensing policy doesn't allow emulating macOS on hardware other than the original Apple hardware. -It is also doesn't not allow more than 2 virtual machines to run on one host machine. +It also doesn't not allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used. \ No newline at end of file diff --git a/about.md b/about.md index 546bc44..4d6c668 100644 --- a/about.md +++ b/about.md @@ -9,7 +9,6 @@ permalink: /about/ This encyclopedia wouldn't be possible without invaluable assistance of the following Check Point researchers:
  • Aliaksandr Trafimchuk ( @a14xt)
    • -
  • Alexey Bukhteyev
  • Bohdan Melnykov ( @_mbv06_)
@@ -72,6 +71,12 @@ All the techniques which are described in this encyclopedia are implemented in o
+

macOS evasions repository

+ +This repository is made in the same style and format as its Windows counterparts. However, due to the specifics of the macOS platform, only evasion techniques are present, without anti-debug tricks. Code examples are provided for each of the included groups, along with countermeasures advice. + +
+

Android evasions repository

This repository is made in the same style and format as its Windows couterparts. However, due to the specifics of the Android platform and low number of techniques in comparison to Windows, evasions and anti-debug are present in one repository. Where applicable, the code examples are provided. @@ -85,6 +90,11 @@ The author of Windows Anti-Debug repository and the corresponding "About" sectio
  • Yaraslau Harakhavik ( @slevin_by)
    • +The author of macOS Evasions repository and the corresponding "About" section: +
      +
    • Alexey Bukhteyev
      • +
    + The author of other encyclopedia parts:
    • Raman Ladutska ( @DaCuriousBro)
      • diff --git a/index.html b/index.html index 5a7b51f..1db300c 100644 --- a/index.html +++ b/index.html @@ -27,7 +27,7 @@ align-content: space-around; align-items: center; justify-content: space-evenly; - min-width: 1400px; + min-width: 1200px; } .flex-container > div { @@ -39,16 +39,16 @@ } .outer-img-pink { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(255,86,136); padding: 10px; border: 0px; } .outer-img-pink:hover { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(255,86,136); padding: 10px; @@ -56,16 +56,16 @@ } .outer-img-grey { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(159,159,159); padding: 10px; border: 0px; } .outer-img-grey:hover { - height: 180px; - width: 180px; + height: 160px; + width: 160px; display: inline-flex; background-color: rgb(159,159,159); padding: 10px; @@ -73,16 +73,16 @@ } .inner-img { - width: 160px; - height: 160px; + width: 140px; + height: 140px; display: inline-flex; - background-size: 160px 160px; + background-size: 140px 140px; } .inner-img-grey { - width: 160px; - height: 160px; + width: 140px; + height: 140px; display: inline-flex; - background-size: 160px 160px; + background-size: 140px 140px; } .grey-text { @@ -91,7 +91,7 @@ } .icon { - min-width: 160px; + min-width: 140px; height: 140px; }