ayoubfaouzi/al-khaser

GitHub: ayoubfaouzi/al-khaser

A proof-of-concept tool for stress-testing anti-malware systems: it implements the anti-analysis tricks common in real malware so you can check whether your security products, sandboxes and analysis environments stay hidden from them.

Stars: 6868 | Forks: 1255

## Al-Khaser v0.81

![Logo](https://www.mindmeister.com/files/avatars/0035/8332/original/avatar.jpg)

## Contents

- [Introduction](#introduction)
- [Uses](#uses)
- [Features](#features)
  - [Anti-debugging attacks](#antidebug)
  - [Anti-dumping](#antidump)
  - [Timing attacks](#timingattack)
  - [Human interaction](#antidump)
  - [Anti-VM](#antivm)
  - [Anti-disassembly](#antidisassm)
- [Requirements](#requirements)
- [License](#license)

## Introduction

al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing whether you stay under the radar.

![Logo](https://i.imgur.com/jEFhsJT.png)

### Usage

```
$ ./al-khaser.exe -h
Usage: al-khaser.exe [OPTIONS]

Options:
  --check        Enable specific check(s). Can be used multiple times. Valid types are:
                   TLS              (Thread Local Storage callback checks)
                   DEBUG            (Anti-debugging checks)
                   INJECTION        (Code injection checks)
                   GEN_SANDBOX      (Generic sandbox checks)
                   VBOX             (VirtualBox detection)
                   VMWARE           (VMware detection)
                   VPC              (Virtual PC detection)
                   QEMU             (QEMU detection)
                   KVM              (KVM detection)
                   XEN              (Xen detection)
                   WINE             (Wine detection)
                   PARALLELS        (Parallels detection)
                   HYPERV           (Hyper-V detection)
                   CODE_INJECTIONS  (Additional code injection techniques)
                   TIMING_ATTACKS   (Timing/sleep-based sandbox evasion)
                   DUMPING_CHECK    (Dumping memory/process checks)
                   ANALYSIS_TOOLS   (Analysis tools detection)
                   ANTI_DISASSM     (Anti-disassembly checks)
  --sleep        Set sleep/delay duration in seconds (default: 600).
  --delay        Alias for --sleep.
  -h, --help     Show this help message and exit.

Examples:
  al-khaser.exe --check DEBUG --check TIMING_ATTACKS --sleep 30
  al-khaser.exe --check VMWARE --check QEMU
  al-khaser.exe --sleep 30
```

## Download

Prebuilt binaries (x86, x64) can be downloaded from the project's [releases page](https://github.com/LordNoteworthy/al-khaser/releases). The password for the 7z archive can be found [here](https://github.com/LordNoteworthy/al-khaser/blob/master/.github/workflows/release.yml#L25).

## Uses

- You are writing an anti-debugging plugin and want to check how effective it is.
- You want to make sure your sandbox solution is stealthy enough.
- Or you want to make sure your malware analysis environment is well hidden.

If you have come across any anti-analysis trick in malware that is not covered here, please do not hesitate to contribute.

## Features

### Anti-debugging attacks

- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- Process Environment Block (BeingDebugged)
- Process Environment Block (NtGlobalFlag)
- ProcessHeap (Flags)
- ProcessHeap (ForceFlags)
- Low Fragmentation Heap (LFH)
- NtQueryInformationProcess (ProcessDebugPort)
- NtQueryInformationProcess (ProcessDebugFlags)
- NtQueryInformationProcess (ProcessDebugObject)
- WudfIsAnyDebuggerPresent
- WudfIsKernelDebuggerPresent
- WudfIsUserDebuggerPresent
- NtSetInformationThread (HideThreadFromDebugger)
- NtQueryObject (ObjectTypeInformation)
- NtQueryObject (ObjectAllTypesInformation)
- CloseHandle (NtClose) with an invalid handle
- SetHandleInformation (protected handle)
- UnhandledExceptionFilter
- OutputDebugString (GetLastError())
- Hardware breakpoints (SEH / GetThreadContext)
- Software breakpoints (INT3 / 0xCC)
- Memory breakpoints (PAGE_GUARD)
- Interrupt 0x2d
- Interrupt 1
- Trap flag
- Parent process (Explorer.exe)
- SeDebugPrivilege (Csrss.exe)
- NtYieldExecution / SwitchToThread
- TLS callbacks
- Process jobs
- Memory write watching
- Page exception breakpoint detection
- API hook detection (module-bounds based)

### Anti-injection

- Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)
- Enumerate modules with ToolHelp32
- Enumerate the process LDR structures with LdrEnumerateLoadedModules
- Enumerate the process LDR structures directly
- Walk memory with GetModuleInformation
- Walk memory for hidden modules

### Anti-dumping

- Erase the PE header from memory
- SizeOfImage

### Timing attacks [Anti-Sandbox]

- RDTSC (with CPUID to force a VM exit)
- RDTSC (Locky variant, using GetProcessHeap & CloseHandle)
- Sleep -> SleepEx -> NtDelayExecution
- Sleep (short delays in a loop)
- Sleep, then check whether time was accelerated (GetTickCount)
- SetTimer (standard Windows timer)
- timeSetEvent (multimedia timer)
- WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects
- IcmpSendEcho (CCleaner malware)
- CreateWaitableTimer
- CreateTimerQueueTimer
- Big crypto loops (todo)

### Human interaction / Generic [Anti-Sandbox]

- Mouse movement
- File names such as `sample.exe` or `sandbox.exe`
- Total physical memory (GlobalMemoryStatusEx)
- Disk size via DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
- Disk size via GetDiskFreeSpaceEx (TotalNumberOfBytes)
- Mouse (single click / double click) (todo)
- Dialog boxes (todo)
- Scrolling (todo)
- Execution after reboot (todo)
- Processor count (Win32/Tinba - Win32/Dyre)
- Known sandbox product IDs (todo)
- Background pixel colour (todo)
- Keyboard layout (Win32/Banload) (todo)
- Genuine Windows installation
- Known sandbox hostnames and usernames

### Anti-virtualization / Full-system emulation

- **Registry key value artifacts**
  - HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (VBOX)
  - HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (QEMU)
  - HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)
  - HARDWARE\\Description\\System (SystemBiosVersion) (QEMU)
  - HARDWARE\\Description\\System (VideoBiosVersion) (VIRTUALBOX)
  - HARDWARE\\Description\\System (SystemBiosDate) (06/23/99)
  - HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (VMWARE)
  - HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (VMWARE)
  - HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (VMWARE)
  - SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)
  - SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemProductName) (VMWARE)
- **Registry key artifacts**
  - HARDWARE\\ACPI\\DSDT\\VBOX__ (VBOX)
  - HARDWARE\\ACPI\\FADT\\VBOX__ (VBOX)
  - HARDWARE\\ACPI\\RSDT\\VBOX__ (VBOX)
  - SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)
  - SYSTEM\\ControlSet001\\Services\\VBoxGuest (VBOX)
  - SYSTEM\\ControlSet001\\Services\\VBoxMouse (VBOX)
  - SYSTEM\\ControlSet001\\Services\\VBoxService (VBOX)
  - SYSTEM\\ControlSet001\\Services\\VBoxSF (VBOX)
  - SYSTEM\\ControlSet001\\Services\\VBoxVideo (VBOX)
  - SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)
  - SOFTWARE\\Wine (WINE)
  - SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters (HYPER-V)
  - SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
  - SYSTEM\\CurrentControlSet\\Enum\\IDE
  - SYSTEM\\CurrentControlSet\\Enum\\SCSI
- **File system artifacts**
  - "system32\\drivers\\VBoxMouse.sys"
  - "system32\\drivers\\VBoxGuest.sys"
  - "system32\\drivers\\VBoxSF.sys"
  - "system32\\drivers\\VBoxVideo.sys"
  - "system32\\vboxdisp.dll"
  - "system32\\vboxhook.dll"
  - "system32\\vboxmrxnp.dll"
  - "system32\\vboxogl.dll"
  - "system32\\vboxoglarrayspu.dll"
  - "system32\\vboxoglcrutil.dll"
  - "system32\\vboxoglerrorspu.dll"
  - "system32\\vboxoglfeedbackspu.dll"
  - "system32\\vboxoglpackspu.dll"
  - "system32\\vboxoglpassthroughspu.dll"
  - "system32\\vboxservice.exe"
  - "system32\\vboxtray.exe"
  - "system32\\VBoxControl.exe"
  - "system32\\drivers\\vmmouse.sys"
  - "system32\\drivers\\vmhgfs.sys"
  - "system32\\drivers\\vm3dmp.sys"
  - "system32\\drivers\\vmci.sys"
  - "system32\\drivers\\vmmemctl.sys"
  - "system32\\drivers\\vmrawdsk.sys"
  - "system32\\drivers\\vmusbmouse.sys"
- **Directory artifacts**
  - "%PROGRAMFILES%\\oracle\\virtualbox guest additions\\"
  - "%PROGRAMFILES%\\VMWare\\"
- **Memory artifacts**
  - Interrupt Descriptor Table (IDT) location
  - Local Descriptor Table (LDT) location
  - Global Descriptor Table (GDT) location
  - Task State Segment trick using the STR instruction
- **MAC addresses**
  - "\x08\x00\x27" (VBOX)
  - "\x00\x05\x69" (VMWARE)
  - "\x00\x0C\x29" (VMWARE)
  - "\x00\x1C\x14" (VMWARE)
  - "\x00\x50\x56" (VMWARE)
  - "\x00\x1C\x42" (Parallels)
  - "\x00\x16\x3E" (Xen)
  - "\x0A\x00\x27" (Hybrid Analysis)
- **Virtual devices**
  - "\\\\.\\VBoxMiniRdrDN"
  - "\\\\.\\VBoxGuest"
  - "\\\\.\\pipe\\VBoxMiniRdDN"
  - "\\\\.\\VBoxTrayIPC"
  - "\\\\.\\pipe\\VBoxTrayIPC"
  - "\\\\.\\HGFS"
  - "\\\\.\\vmci"
- **Hardware device information**
  - SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
    - QEMU
    - VMWare
    - VBOX
    - VIRTUAL HD
- **Power policies** (S1-S4 states, thermal control)
- **System firmware tables**
  - SMBIOS string checks (VirtualBox)
  - SMBIOS string checks (VMware)
  - SMBIOS string checks (Qemu)
  - SMBIOS table count (Qemu, VirtualBox)
  - ACPI string checks (WAET table, PNP devices, PM state with battery check)
  - ACPI string checks (VirtualBox)
  - ACPI string checks (VMware)
  - ACPI string checks (Qemu)
- **Driver services**
  - VirtualBox
  - VMWare
- **Adapter name**
  - VMWare
- **Window classes**
  - VBoxTrayToolWndClass
  - VBoxTrayToolWnd
- **Network shares**
  - VirtualBox Shared Folders
- **Processes**
  - vboxservice.exe (VBOX)
  - vboxtray.exe (VBOX)
  - vmtoolsd.exe (VMWARE)
  - vmwaretray.exe (VMWARE)
  - vmwareuser (VMWARE)
  - VGAuthService.exe (VMWARE)
  - vmacthlp.exe (VMWARE)
  - vmsrvc.exe (VirtualPC)
  - vmusrvc.exe (VirtualPC)
  - prl_cc.exe (Parallels)
  - prl_tools.exe (Parallels)
  - xenservice.exe (Citrix Xen)
  - qemu-ga.exe (QEMU)
  - looking-glass-host.exe (GENERIC)
  - VDDSysTray.exe (GENERIC)
- **WMI**
  - SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)
  - SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
  - SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
  - SELECT * FROM Win32_NTEventlogFile (VBOX)
  - SELECT * FROM Win32_Processor (NumberOfCores and ProcessorId) (GENERIC)
  - SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
  - SELECT * FROM Win32_ComputerSystem (Model and Manufacturer) (GENERIC)
  - SELECT * FROM MSAcpi_ThermalZoneTemperature (CurrentTemperature) (GENERIC)
  - SELECT * FROM Win32_Fan (GENERIC)
- **DLL exports and loaded DLLs**
  - avghookx.dll (AVG)
  - avghooka.dll (AVG)
  - snxhk.dll (Avast)
  - kernel32.dll!wine_get_unix_file_name (Wine)
  - sbiedll.dll (Sandboxie)
  - dbghelp.dll (MS debugging support routines)
  - api_log.dll (iDefense Labs)
  - dir_watch.dll (iDefense Labs)
  - pstorec.dll (SunBelt Sandbox)
  - vmcheck.dll (Virtual PC)
  - wpespy.dll (WPE Pro)
  - cmdvrt32.dll (Comodo Container)
  - cmdvrt64.dll (Comodo Container)
- **CPU**
  - Hypervisor presence bit (CPUID EAX=0x1)
  - Hypervisor vendor id (CPUID EAX=0x40000000)
    - "KVMKVMKVM\0\0\0" (KVM)
    - "Microsoft Hv" (Microsoft Hyper-V or Windows Virtual PC)
    - "VMwareVMware" (VMware)
    - "XenVMMXenVMM" (Xen)
    - "prl hyperv " (Parallels)
    - "VBoxVBoxVBox" (VirtualBox)
- NtQueryLicenseValue with Kernel-VMDetection-Private as the license value
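The two CPUID checks listed under **CPU** and the "RDTSC with CPUID to force a VM exit" check from the Timing attacks section share one mechanism, so here is a single added example that exercises all three. This is illustration code written for this page, not al-khaser's source: it targets GCC/Clang on x86/x86-64 (Linux or Windows), compiles the probes to inert stubs on other architectures so the vendor classifier can still be exercised, and the 20-sample count and 1000-cycle threshold are assumptions chosen for the demo rather than values taken from al-khaser.

```c
/* Added example, not al-khaser's code. GCC/Clang, x86/x86-64.
 * Sample count (20) and cycle threshold (1000) are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* CPUID leaf 1, ECX bit 31: the "hypervisor present" bit. Physical CPUs leave
 * it clear; mainstream hypervisors set it (a hardened sandbox can mask it). */
int cpuid_hypervisor_bit(void)
{
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    __cpuid(1, a, b, c, d);
    (void)a; (void)b; (void)d;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

/* CPUID leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor id. Only
 * meaningful when the hypervisor bit is set; on bare metal the leaf returns
 * stale data. `out` receives 12 bytes plus a NUL terminator. */
void cpuid_hypervisor_vendor(char out[13])
{
    memset(out, 0, 13);
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    __cpuid(0x40000000, a, b, c, d);
    (void)a;
    memcpy(out + 0, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
#endif
}

/* Map a vendor id to a product name. Prefix matching, because KVM pads its
 * id with NUL bytes and Parallels with spaces. `vendor` must hold 12 bytes. */
const char *classify_hypervisor(const char *vendor)
{
    static const struct { const char *prefix; size_t len; const char *name; } table[] = {
        { "KVMKVMKVM",    9,  "KVM" },
        { "Microsoft Hv", 12, "Microsoft Hyper-V" },
        { "VMwareVMware", 12, "VMware" },
        { "XenVMMXenVMM", 12, "Xen" },
        { "prl hyperv",   10, "Parallels" },
        { "VBoxVBoxVBox", 12, "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(vendor, table[i].prefix, table[i].len) == 0)
            return table[i].name;
    return "unknown";
}

/* RDTSC; CPUID; RDTSC. Under Intel VT-x CPUID always causes a VM exit and
 * hypervisors on AMD-V intercept it too, so the round trip costs far more
 * cycles in a guest than on bare metal. The minimum over several samples is
 * returned: interrupts and context switches only inflate a sample, so taking
 * the minimum avoids false positives from scheduling noise. */
uint64_t rdtsc_cpuid_min_cycles(int samples)
{
    uint64_t best = UINT64_MAX;
#if HAVE_X86
    if (samples < 1) samples = 1;
    for (int i = 0; i < samples; i++) {
        unsigned a = 0, b = 0, c = 0, d = 0;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        if (t1 - t0 < best) best = t1 - t0;
    }
#else
    (void)samples;
    best = 0;   /* no probe available on this architecture */
#endif
    return best;
}

int main(void)
{
    char vendor[13];
    cpuid_hypervisor_vendor(vendor);
    int hv = cpuid_hypervisor_bit();
    uint64_t cycles = rdtsc_cpuid_min_cycles(20);

    printf("hypervisor bit : %d\n", hv);
    printf("vendor id      : \"%.12s\" -> %s\n", vendor,
           hv ? classify_hypervisor(vendor) : "n/a (bit clear)");
    printf("rdtsc/cpuid min: %llu cycles (%s)\n", (unsigned long long)cycles,
           cycles > 1000 ? "looks virtualized" : "looks like bare metal");
    return 0;
}
```

Run it once on the host and once inside the guest you are hardening: the vendor leaf tells you whether the hypervisor is advertising itself, and the cycle count shows whether the VM-exit cost is visible even when the vendor id has been masked. Note that the raw threshold depends on the CPU, so calibrate it on the physical hardware you care about rather than reusing the constant above.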
### Anti-Analysis

- **Processes**
  - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / x64dbg / Cheat Engine
  - SysInternals Suite tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
  - Wireshark / Dumpcap / Fiddler / HTTP Debugger
  - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
  - ImportREC / PETools / LordPE
  - JoeBox Sandbox
  - Resource Hacker
  - Frida

### Anti-Disassembly

- Jumps with a constant condition
- Jump instructions with the same target
- Impossible disassembly
- Function pointers
- Return pointer abuse

### Macro malware attacks

- Document_Close / Auto_Close
- Application.RecentFiles.Count

### Code/DLL injection techniques

- CreateRemoteThread
- SetWindowsHooksEx
- NtCreateThreadEx
- RtlCreateUserThread
- APC (QueueUserAPC / NtQueueApcThread)
- RunPE (GetThreadContext / SetThreadContext)

## Authors

- [Mattiwatti](https://github.com/Mattiwatti): Matthijs Lavrijsen
- [gsuberland](https://twitter.com/gsuberland): Graham Sutherland
- [hFireF0x](https://github.com/hfiref0x): hfiref0x

Pull requests are welcome. If you would like to contribute to the project, please read the [Developer Guidelines](https://github.com/LordNoteworthy/al-khaser/wiki/Developer-Guidelines) on our wiki.

## References

- An Anti-Reverse Engineering Guide, by Josh Jackson.
- Anti-Unpacker Tricks, by Peter Ferrie.
- The Art of Unpacking, by Mark Vincent Yason.
- Walied Assar's blog: http://waleedassar.blogspot.de/
- Pafish tool: https://github.com/a0rtega/pafish
- PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro
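The first two items under Anti-Disassembly above (a jump with a constant condition, and two conditional jumps to the same target) are easiest to understand by seeing that the junk byte never executes while a static disassembler still trips over it. The following is an added example written for this page, not al-khaser's source: GCC/Clang inline assembly for x86/x86-64, with a plain C fallback on other architectures so the file always builds. Each function computes a trivial result so the caller can verify that the trick does not change behaviour; the `7` and `3` constants are arbitrary.

```c
/* Added example, not al-khaser's code. GCC/Clang inline asm, x86/x86-64.
 * Compile, then `objdump -d` the object to watch a linear-sweep disassembler
 * decode the junk byte as an instruction and desynchronise from the real code. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86_ASM 1
#else
#define HAVE_X86_ASM 0
#endif

/* Trick 1: jump with a constant condition. XOR EAX,EAX always sets ZF, so JZ
 * is always taken and the 0xE8 byte never executes. A linear sweep takes 0xE8
 * as the opcode of a 5-byte CALL rel32 and swallows the next four bytes, which
 * are the ADD that actually runs. */
int constant_condition_jump(int x)
{
    int v = x;
#if HAVE_X86_ASM
    __asm__ volatile(
        "xor   %%eax, %%eax\n\t"   /* ZF = 1, unconditionally */
        "jz    1f\n\t"             /* always taken at run time */
        ".byte 0xE8\n\t"           /* junk: CALL opcode, never executed */
        "1:\n\t"
        "addl  $7, %0\n\t"         /* the real code */
        : "+r"(v)
        :
        : "eax", "cc");
#else
    v += 7;
#endif
    return v;
}

/* Trick 2: JZ and JNZ to the same target. The pair behaves as one
 * unconditional jump, but a disassembler that follows JNZ's fall-through path
 * decodes the 0x0F byte as the escape byte of a two-byte opcode and
 * mis-decodes the SUB behind it. */
int same_target_jumps(int x)
{
    int v = x;
#if HAVE_X86_ASM
    __asm__ volatile(
        "testl %0, %0\n\t"
        "jz    2f\n\t"
        "jnz   2f\n\t"             /* with JZ above: one of the two is always taken */
        ".byte 0x0F\n\t"           /* junk: two-byte opcode escape, never executed */
        "2:\n\t"
        "subl  $3, %0\n\t"         /* the real code */
        : "+r"(v)
        :
        : "cc");
#else
    v -= 3;
#endif
    return v;
}

int main(void)
{
    printf("constant_condition_jump(1) = %d\n", constant_condition_jump(1));  /* 8 */
    printf("same_target_jumps(10)      = %d\n", same_target_jumps(10));       /* 7 */
    return 0;
}
```

The point for an analyst is that both functions are correct at run time; only tools that decode bytes without executing them lose synchronisation. A disassembler with basic opaque-predicate detection recovers from trick 1, and one that merges complementary conditional branches recovers from trick 2, which is why al-khaser lists them as checks of the analysis tooling rather than as protections in their own right.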