Giter Club home page Giter Club logo

anti's Introduction

122222

ANTI

Automated Integration of Anti-Reversing methods in PE executables

only x86 support

Currently using the following techniques:

Unhooking:

  • Disables user-mode function hooks by manually loading ntdll.dll from disk and check for modifications.
  • If modifications exist it overwrites with the valid ntdll and calls anti-debug functions based on ntdll from there.
  • Todo:Unhooking for every loaded dll

Anti-debugging:

  • IsDebuggerPresent()
  • PEB.BeingDebugged flag using speculative execution
  • PEB.NtGlobalFlag
  • Heap Flags
  • Self-Debugging
  • Anti-Step-Over
  • NtSetInformationThread()
  • Dynamic TlsCallbacks
  • NtQueryInformationProcess()
  • RDTSC
  • RtlQueryProcessDebugInformation()
  • Selectors
  • Uses NtTerminateProcess() or SwitchDesktop() or NtShutdownSystem() to terminate/crash the debugging/VM session

Anti-VM:

  • CPUID (Hypervisor presence)
  • CPUID (Hypervisor vendor)
  • Number of Processors
  • Device Drivers
  • NtGetTickCount

Process Injection:

  • ANTI automatically migrates in a remote process when it detects a debugger using NtCreateThreadEx technique.

An overview of how ANTI works:

Overview

ANTI bypasses the following debuggers and antidebug solutions:

  • Idapro, Version 7, 5
  • Immunity Debugger, Version 1.85
  • OllyDebugger v1.10, v.2
  • CheatEngine
  • x64dbg, Build Aprl 5 2018
  • Windbg 10
  • Obsidian debugger, Version 0.11
  • Microsoft Visual Studio Debugger, Version 15.4.0
  • PhantOm v1.85
  • StrongOD v0.4.8.892
  • OllyAdvanced v1.27
  • SharpOD v0.6
  • aadp v0.2
  • HideDebugger v1.2.4
  • IDA Stealth
  • OllyExt
  • makin
  • ScyllaHide
  • Apate
  • ApiMonitor v2

Usage:

  • anti.exe <target file> <section name> <pid>

POC: Bypassing ScyllaHide on x32dbg

alt text alt text

License

ANTI is licensed under the MIT License.

Credits to Peter Ferrie for his “Ultimate”Anti-Debugging Reference

anti's People

Contributors

iamasbcx avatar nihilboy avatar

Stargazers

avatar avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.