[ ANTI-ANALYSIS ] - Technique Collection

    _    _   _ _____ ___        _    _   _    _    _  __   _______ ___ ____
   / \  | \ | |_   _|_ _|      / \  | \ | |  / \  | | \ \ / / _____|_ _/ ___|
  / _ \ |  \| | | |  | |_____ / _ \ |  \| | / _ \ | |  \ V /\___ \ | |\___ \
 / ___ \| |\  | | |  | |_____/ ___ \| |\  |/ ___ \| |___| |  ___) || | ___) |
/_/   \_\_| \_| |_| |___|   /_/   \_\_| \_/_/   \_\_____|_| |____/___|____/

[ ANTI-ANALYSIS TECHNIQUE COLLECTION ]

- 47 techniques for the curious mind -

TECHNIQUES

ANTI-DEBUG

ANTI-SANDBOX

> ABOUT
A collection of real-world anti-analysis techniques discovered during malware research and reverse engineering. Each technique is implemented as a standalone proof-of-concept in C with source code, build instructions, and documentation.

Purpose: Educational resource for security researchers, malware analysts, and reverse engineers.
Platform: Windows | Language: C | License: MIT

/!\ FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY /!\
Do not use these techniques for malicious purposes.

cat techniques/anti-sandbox.db

ANTI-SANDBOX :: 8 techniques

ANTI-SANDBOX

ID	Technique	Description
AS001	SetErrorMode	Detects sandbox by inspecting SetErrorMode behavior for hooks
AS002	ForcedRaceConditionSleep	Forces race condition to detect changes in sleep() behavior
AS003	CheckProcessList	Scans process list for known analysis tool names
AS004	CheckLoadedModules	Detects injected DLLs from analysis tools in current process
AS005	CheckRegistryKeys	Searches Windows Registry for VM-related device names
AS006	CopyOfNtdll	Loads clean ntdll.dll copy to bypass hooked functions
AS007	EnumWindowsProc	Searches for windows with known analysis tool names
AS008	BlockInput	Detects API hooking by analyzing BlockInput behavior

cat techniques/anti-debugger.db

ANTI-DEBUGGER :: 39 techniques

ANTI-DEBUGGER

ID	Technique	Description
--- PEB & Process Info ---
AD001	CheckProcessDebugPort	Queries ProcessDebugPort via NtQueryInformationProcess
AD002	IsDebuggerPresent	Checks PEB debug flag using IsDebuggerPresent API
AD003	CheckRemoteDebuggerPresent	Detects debugger attached to specific process
AD004	ProcessDebugObjectHandle	Queries ProcessDebugObjectHandle to detect debugging
AD005	CheckPEB	Directly inspects debug flags in PEB structure
AD015	NtQueryObject	Enumerates object types looking for DebugObject
--- Exception-Based ---
AD006	SetUnhandledExceptionFilter	Detects debugger takeover of exception handling chain
AD007	CloseHandle	Checks if CloseHandle raises exception on invalid handle
AD008	SetHandleInformation	Abuses HANDLE_FLAG_PROTECT_FROM_CLOSE to detect debugger
AD011	DbgPrint	Detects debugger via DbgPrint exception behavior
AD016	RaiseException	Raises DBG_CONTROL_C to detect exception interception
AD023	INT3	Uses vectored exception handler with INT3 instruction
AD024	INT3 Long Form	Uses long form of INT3 (0xCD03) for detection
AD025	INT 2D	Kernel debugger interrupt for detection
AD026	INT1 ICEBP	Uses ICEBP instruction (0xF1) for detection
AD027	INT1 Long Form	Two-byte form of INT 1 (0xCD01) for detection
AD028	POPFD Trap Flag	Manipulates Trap Flag via POPFD to trigger single-step
AD029	INT1 with Prefixes	Uses instruction prefixes before ICEBP
--- Memory & Breakpoints ---
AD012	GetWriteWatch	Monitors protected memory for debugger modifications
AD017	SoftwareBreakpoint	Scans function memory for breakpoints (0xCC)
AD018	AntiStepOver	Checks for breakpoint at function return address
AD019	MemoryBreakpoint	Uses guard page exception to detect debugger
AD020	NtQueryVirtualMemory	Checks working set page attributes for modifications
--- Self-Protection ---
AD014	NtSetInformationThread	Hides thread from debugger using ThreadHideFromDebugger
AD021	DbgBreakPoint Patch	Patches DbgBreakPoint to prevent debugger attachment
AD022	DbgUiRemoteBreakin Hook	Patches DbgUiRemoteBreakin to block debugger attachment
AD030	Self-Debugging	Attempts to debug itself to detect existing debugger
AD034	SwitchDesktop	Hides process from debugger by switching to a new desktop
--- Timing-Based ---
AD035	GetLocalTime	Detects debugger by measuring elapsed time of a workload
AD036	GetSystemTime	Detects debugger via UTC timing analysis of a workload
AD037	GetTickCount	Detects debugger by comparing millisecond tick counts
AD038	QueryPerformanceCounter	Detects debugger using high-resolution performance counter
AD039	timeGetTime	Detects debugger using multimedia timer elapsed time
--- Other Detection ---
AD009	RtlQueryProcessHeapInformation	Detects debugger by examining heap flags
AD010	RtlQueryProcessDebugInformation	Checks heap flags via RtlQueryProcessDebugInformation
AD013	GetThreadContext	Inspects hardware breakpoint registers (Dr0-Dr7)
AD031	GenerateConsoleCtrlEvent	Detects debugger by checking console control event handling
AD032	GetShellWindow	Compares parent PID against Explorer to detect abnormal exec
AD033	FindWindow	Detects debuggers by searching for known window class names

cat /etc/motd

> RESOURCES

> CheckPoint Anti-Debug Techniques
> Al-Khaser Anti-Malware Scanner
> Unprotect Project
> Microsoft Win32 API Documentation
> Undocumented NT Internals

YOU ARE VISITOR #000000 SINCE 1997

[ GITHUB ] | [ CONTACT ]

<-- BEST VIEWED IN NETSCAPE NAVIGATOR 4.0 AT 800x600 -->