_ _ _ _____ ___ _ _ _ _ _ __ _______ ___ ____
/ \ | \ | |_ _|_ _| / \ | \ | | / \ | | \ \ / / _____|_ _/ ___|
/ _ \ | \| | | | | |_____ / _ \ | \| | / _ \ | | \ V /\___ \ | |\___ \
/ ___ \| |\ | | | | |_____/ ___ \| |\ |/ ___ \| |___| | ___) || | ___) |
/_/ \_\_| \_| |_| |___| /_/ \_\_| \_/_/ \_\_____|_| |____/___|____/
cat techniques/anti-sandbox.db
| ID | Technique | Description |
|---|---|---|
| AS001 | SetErrorMode | Sets an error mode, then checks that the next SetErrorMode call returns it; hooked sandbox implementations often do not |
| AS002 | ForcedRaceConditionSleep | Forces race condition to detect changes in sleep() behavior |
| AS003 | CheckProcessList | Scans process list for known analysis tool names |
| AS004 | CheckLoadedModules | Detects injected DLLs from analysis tools in current process |
| AS005 | CheckRegistryKeys | Searches Windows Registry for VM-related device names |
| AS006 | CopyOfNtdll | Loads clean ntdll.dll copy to bypass hooked functions |
| AS007 | SetTimer | Uses message-driven timer to bypass sandbox time acceleration |
| AS008 | BlockInput | Detects API hooking by analyzing BlockInput behavior |
| AS009 | NtDelayExecution | Evades sandbox analysis by introducing long execution delays via native API |
| AS010 | WaitForSingleObject | Uses event synchronization timeout to bypass sandbox time acceleration |
| AS011 | CreateWaitableTimer | Uses high-resolution waitable timer to evade sandbox time acceleration |
| AS012 | CreateTimerQueueTimer | Uses timer queue callbacks to bypass sandbox time acceleration |
| AS013 | SleepLoop | Evades sandbox time acceleration by splitting delay into many short Sleep calls |
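The time-acceleration entries above (AS009 through AS013) share one idea: a sandbox that fast-forwards long delays rarely keeps every clock consistent with the skipped time. The following is an added example, not code from this project, that renders the AS013 SleepLoop check in portable POSIX C so it runs outside Windows: the delay is split into short slices, each slice is measured against CLOCK_MONOTONIC, and the sleep primitive is a function pointer so a constructed stand-in for a patched Sleep() can be substituted.

```c
/* Added example (not code from this project): portable rendering of the
 * AS013 SleepLoop check. nanosleep() stands in for Sleep(), CLOCK_MONOTONIC
 * for the tick source a sandbox has to keep honest. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef void (*sleep_fn)(unsigned ms);

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Real sleep: nanosleep() only returns early on EINTR, so resume with the
 * remaining time until the full slice has elapsed. */
void real_sleep(unsigned ms) {
    struct timespec req;
    req.tv_sec = ms / 1000;
    req.tv_nsec = (long)(ms % 1000) * 1000000L;
    while (nanosleep(&req, &req) != 0) { }
}

/* Constructed stand-in for a sandbox's patched Sleep() that returns at once. */
void skipped_sleep(unsigned ms) { (void)ms; }

/* Splits total_ms into slice_ms pieces. Returns how many slices completed in
 * less wall-clock time than requested; any nonzero value means the sleep was
 * skipped or the clock was fast-forwarded. elapsed_ms receives the total. */
unsigned sleep_loop_short_slices(unsigned total_ms, unsigned slice_ms,
                                 sleep_fn do_sleep, uint64_t *elapsed_ms) {
    unsigned short_slices = 0;
    uint64_t start = now_ns();
    for (unsigned done = 0; done < total_ms; done += slice_ms) {
        uint64_t t0 = now_ns();
        do_sleep(slice_ms);
        if (now_ns() - t0 < (uint64_t)slice_ms * 1000000ULL)
            short_slices++;
    }
    if (elapsed_ms)
        *elapsed_ms = (now_ns() - start) / 1000000ULL;
    return short_slices;
}

int main(void) {
    uint64_t elapsed;
    unsigned bad = sleep_loop_short_slices(200, 20, real_sleep, &elapsed);
    printf("real sleep:    %u short slices, %llu ms elapsed\n",
           bad, (unsigned long long)elapsed);
    bad = sleep_loop_short_slices(200, 20, skipped_sleep, &elapsed);
    printf("patched sleep: %u short slices, %llu ms elapsed -> %s\n",
           bad, (unsigned long long)elapsed,
           bad ? "sandbox suspected" : "clean");
    return 0;
}
```

The per-slice comparison is what makes the loop more than a long sleep: a sandbox that skips the whole delay but also advances its tick counter defeats a single end-to-end measurement, whereas it has to advance the clock consistently on every one of the short slices to pass this version.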
cat techniques/anti-debugging.db
| ID | Technique | Description |
|---|---|---|
| --- PEB & Process Info --- | | |
| AD001 | CheckProcessDebugPort | Queries ProcessDebugPort via NtQueryInformationProcess |
| AD002 | IsDebuggerPresent | Checks PEB debug flag using IsDebuggerPresent API |
| AD003 | CheckRemoteDebuggerPresent | Detects debugger attached to specific process |
| AD004 | ProcessDebugObjectHandle | Queries ProcessDebugObjectHandle to detect debugging |
| AD005 | CheckPEB | Directly inspects debug flags in PEB structure |
| AD015 | NtQueryObject | Enumerates object types looking for DebugObject |
| AD040 | ProcessDebugFlags | Queries ProcessDebugFlags via NtQueryInformationProcess |
| AD041 | NtGlobalFlag | Checks PEB NtGlobalFlag for heap debugging flags set by debugger |
| AD042 | HeapFlags | Inspects heap Flags and ForceFlags for debugger-set values |
| AD047 | SystemKernelDebuggerInformation | Detects kernel-mode debuggers by querying system kernel debugger flags |
| AD050 | KUSER_SHARED_DATA | Reads KdDebuggerEnabled from KUSER_SHARED_DATA to detect kernel debugger |
| AD051 | HEAP_TAIL_CHECKING_ENABLED | Detects debugger by checking for 0xABABABAB heap tail sentinel |
| --- Exception-Based --- | | |
| AD006 | SetUnhandledExceptionFilter | Detects debugger takeover of exception handling chain |
| AD007 | CloseHandle | Checks if CloseHandle raises exception on invalid handle |
| AD008 | SetHandleInformation | Abuses HANDLE_FLAG_PROTECT_FROM_CLOSE to detect debugger |
| AD011 | DbgPrint | Detects debugger via DbgPrint exception behavior |
| AD016 | RaiseException | Raises DBG_CONTROL_C to detect exception interception |
| AD023 | INT3 | Uses vectored exception handler with INT3 instruction |
| AD024 | INT3 Long Form | Uses long form of INT3 (0xCD03) for detection |
| AD025 | INT 2D | Raises the kernel debug-service interrupt (INT 2D), which a debugger handles differently from a normal exception |
| AD026 | INT1 ICEBP | Uses ICEBP instruction (0xF1) for detection |
| AD027 | INT1 Long Form | Two-byte form of INT 1 (0xCD01) for detection |
| AD028 | POPFD Trap Flag | Manipulates Trap Flag via POPFD to trigger single-step |
| AD029 | INT1 with Prefixes | Uses instruction prefixes before ICEBP |
| AD052 | Instruction Counting | Detects debugger by counting HW breakpoint single-step exceptions |
| AD053 | Stack Segment Register | Detects single-stepping debugger via SS register trap inhibit |
| AD054 | EnumWindowsProc | Detects debuggers by enumerating windows with known tool titles |
| AD055 | DbgSetDebugFilterState | Detects kernel debugger via NtSetDebugFilterState success status |
| --- Memory & Breakpoints --- | | |
| AD012 | GetWriteWatch | Uses a MEM_WRITE_WATCH region to spot page writes made by a debugger rather than by the code itself |
| AD017 | SoftwareBreakpoint | Scans function memory for breakpoints (0xCC) |
| AD018 | AntiStepOver | Checks for breakpoint at function return address |
| AD019 | MemoryBreakpoint | Uses guard page exception to detect debugger |
| AD020 | NtQueryVirtualMemory | Checks working set page attributes for modifications |
| AD045 | CodeChecksum | Continuously monitors function checksums to detect breakpoints |
| AD049 | DetectAPIPatch | Detects debugger by comparing API function bytes across processes |
| --- Self-Protection --- | | |
| AD014 | NtSetInformationThread | Hides thread from debugger using ThreadHideFromDebugger |
| AD021 | DbgBreakPoint Patch | Patches DbgBreakPoint to prevent debugger attachment |
| AD022 | DbgUiRemoteBreakin Hook | Patches DbgUiRemoteBreakin to block debugger attachment |
| AD030 | Self-Debugging | Attempts to debug itself to detect existing debugger |
| AD034 | SwitchDesktop | Creates and switches to a new desktop so the debugger's UI can no longer interact with the process |
| --- Timing-Based --- | | |
| AD035 | GetLocalTime | Detects debugger by measuring elapsed time of a workload |
| AD036 | GetSystemTime | Detects debugger via UTC timing analysis of a workload |
| AD037 | GetTickCount | Detects debugger by comparing millisecond tick counts |
| AD038 | QueryPerformanceCounter | Detects debugger using high-resolution performance counter |
| AD039 | timeGetTime | Detects debugger using multimedia timer elapsed time |
| AD043 | RDTSC | Detects debugger using CPU timestamp counter cycle measurement |
| --- Other Detection --- | | |
| AD009 | RtlQueryProcessHeapInformation | Detects debugger by examining heap flags |
| AD010 | RtlQueryProcessDebugInformation | Checks heap flags via RtlQueryProcessDebugInformation |
| AD013 | GetThreadContext | Inspects hardware breakpoint registers (Dr0-Dr7) |
| AD031 | GenerateConsoleCtrlEvent | Detects debugger by checking console control event handling |
| AD032 | GetShellWindow | Compares parent PID against Explorer to detect abnormal exec |
| AD033 | FindWindow | Detects debuggers by searching for known window class names |
| AD044 | OpenProcess CSRSS | Detects SeDebugPrivilege (typically inherited from a debugger) by attempting to open csrss.exe |
| AD046 | CreateFileA Exclusive | Detects debugger by attempting exclusive file access on executable |
| AD048 | LoadLibrary | Detects debugger via file handle behavior after LoadLibraryA |
| AD056 | SwitchToThread | Detects debugger by exploiting thread scheduler behavior during single-stepping |
| AD057 | TLS Callback | Executes code before main entry point using Thread Local Storage callbacks |
| AD058 | Process Job | Detects debuggers by enumerating processes in the job object |
| AD059 | WudfIsAnyDebuggerPresent | Detects debugger via undocumented UMDF platform API in WudfPlatform.dll |
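The Memory & Breakpoints group rests on two complementary checks: scanning code for the 0xCC opcode (AD017 SoftwareBreakpoint) and comparing a checksum of the code against a baseline (AD045 CodeChecksum). The following is an added example, not code from this project, showing both in portable C over a constructed byte string that stands in for a function body, so the result is deterministic; the constructed sample is chosen to show why the naive scan is not enough on its own. The live self-checksum at the end reads the bytes of one of the block's own functions, which is implementation-defined C but works on the mainstream toolchains this kind of check targets.

```c
/* Added example (not code from this project): the checks behind AD017
 * (SoftwareBreakpoint) and AD045 (CodeChecksum) over a constructed code
 * region, plus a repeatable self-checksum of a live function. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FNV-1a 64-bit over a code region; cheap enough to re-run on every call. */
uint64_t code_checksum(const uint8_t *code, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Naive INT3 scan: counts 0xCC bytes. 0xCC is also a legal immediate or
 * displacement byte, so this alone produces false positives. */
size_t count_int3(const uint8_t *code, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (code[i] == 0xCC);
    return n;
}

/* Offset of the first byte that differs from a baseline snapshot, or -1 if
 * the region is intact. A checksum says "something changed"; this says where. */
long first_patched_offset(const uint8_t *baseline, const uint8_t *live, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (baseline[i] != live[i])
            return (long)i;
    return -1;
}

/* Checksum the first `len` bytes of a live function twice and report whether
 * the two runs agree; a real implementation keeps the first value as the
 * baseline and re-checks it periodically. */
int self_checksum_stable(size_t len) {
    const uint8_t *p = (const uint8_t *)(uintptr_t)&count_int3;
    return code_checksum(p, len) == code_checksum(p, len);
}

/* Constructed sample: x86-64 `mov eax, 0xCC ; ret` (B8 CC 00 00 00 C3). The
 * immediate holds a legitimate 0xCC, so the naive scan reports 1 on clean code. */
const uint8_t clean_fn[] = { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 };
/* The same bytes after a debugger placed a breakpoint on the first instruction. */
const uint8_t bp_fn[]    = { 0xCC, 0xCC, 0x00, 0x00, 0x00, 0xC3 };

int main(void) {
    size_t len = sizeof clean_fn;
    uint64_t baseline = code_checksum(clean_fn, len);
    printf("clean:   int3 count %zu, checksum %016llx\n",
           count_int3(clean_fn, len), (unsigned long long)baseline);
    printf("patched: int3 count %zu, checksum %s, first diff at %ld\n",
           count_int3(bp_fn, len),
           code_checksum(bp_fn, len) == baseline ? "unchanged" : "CHANGED",
           first_patched_offset(clean_fn, bp_fn, len));
    printf("self-check stable: %d\n", self_checksum_stable(32));
    return 0;
}
```

The point of the sample bytes is the caveat a scanner needs: the clean function already contains a 0xCC, so a count-based check either tolerates a known baseline count or gets replaced by the checksum comparison, which only fires when a byte actually changes.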
cat /etc/motd