0ffensiveC0ding updated – Emulation/AV Awareness

March 21, 2009

Hi,

Thanks to Gunther from ARTeam, here we have some new open source anti-emulation functions, which I have uploaded to my OffensiveCoding section:

Here is a quick list of the functions:

Anti-KAV -> Call this one before WSAStartup(), so sockets won't be initialized.
Anti-NOD32 -> SSE instruction which NOD32 cannot emulate.
IsEmulator -> Timing attack against the emulator environment.
IsCWSandBox -> Check if CreateProcess is hooked.
IsAnubis -> Check whether it is running within Anubis.
IsAnubis2 -> Check whether it is running within Anubis (second method).
IsNormanSandBox -> Norman SandBox awareness.
IsSunbeltSandBox -> Sunbelt awareness.
IsVirtualPC -> VirtualPC awareness.
IsVMware -> VMware awareness.
DetectVM -> Check whether it is running in VMware or VirtualBox using the registry.
IsRegMonPresent -> Check for RegMon by checking whether the driver is loaded in memory and by searching for the window handle.

Here is the link:

http://evilcry.netsons.org/OC0/code/EmulationAwareness.c

See you at the next post. 🙂