Commit

Add cheat engine for anti-analysis (#264)
* Add cheat engine for analysis_tools_process

* Update README.md
xmaple555 authored Oct 30, 2023
1 parent 124f9c9 commit 0f31a38
Showing 2 changed files with 37 additions and 33 deletions.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -279,12 +279,13 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in

### Anti-Analysis
- **Processes**
- OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
- OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Enigne
- SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
- Wireshark / Dumpcap
- Wireshark / Dumpcap / Fiddler / Http Debugger
- ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
- ImportREC / PETools / LordPE
- JoeBox Sandbox
- Resource Hacker

### Anti-Disassembly
- Jump with constant condition
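Review bot: Typo on the added README line `- OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Enigne`: it should read `Cheat Engine`, matching the commit title and the comments added in process.cpp. While touching this line, the tool's own spelling is `x64dbg`, which would sit better next to the other proper names in the list.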
65 changes: 34 additions & 31 deletions al-khaser/AntiAnalysis/process.cpp
Expand Up @@ -9,37 +9,40 @@ Check for process list
VOID analysis_tools_process()
{
const TCHAR *szProcesses[] = {
_T("ollydbg.exe"), // OllyDebug debugger
_T("ProcessHacker.exe"), // Process Hacker
_T("tcpview.exe"), // Part of Sysinternals Suite
_T("autoruns.exe"), // Part of Sysinternals Suite
_T("autorunsc.exe"), // Part of Sysinternals Suite
_T("filemon.exe"), // Part of Sysinternals Suite
_T("procmon.exe"), // Part of Sysinternals Suite
_T("regmon.exe"), // Part of Sysinternals Suite
_T("procexp.exe"), // Part of Sysinternals Suite
_T("idaq.exe"), // IDA Pro Interactive Disassembler
_T("idaq64.exe"), // IDA Pro Interactive Disassembler
_T("ImmunityDebugger.exe"), // ImmunityDebugger
_T("Wireshark.exe"), // Wireshark packet sniffer
_T("dumpcap.exe"), // Network traffic dump tool
_T("HookExplorer.exe"), // Find various types of runtime hooks
_T("ImportREC.exe"), // Import Reconstructor
_T("PETools.exe"), // PE Tool
_T("LordPE.exe"), // LordPE
_T("SysInspector.exe"), // ESET SysInspector
_T("proc_analyzer.exe"), // Part of SysAnalyzer iDefense
_T("sysAnalyzer.exe"), // Part of SysAnalyzer iDefense
_T("sniff_hit.exe"), // Part of SysAnalyzer iDefense
_T("windbg.exe"), // Microsoft WinDbg
_T("joeboxcontrol.exe"), // Part of Joe Sandbox
_T("joeboxserver.exe"), // Part of Joe Sandbox
_T("joeboxserver.exe"), // Part of Joe Sandbox
_T("ResourceHacker.exe"), // Resource Hacker
_T("x32dbg.exe"), // x32dbg
_T("x64dbg.exe"), // x64dbg
_T("Fiddler.exe"), // Fiddler
_T("httpdebugger.exe"), // Http Debugger
_T("ollydbg.exe"), // OllyDebug debugger
_T("ProcessHacker.exe"), // Process Hacker
_T("tcpview.exe"), // Part of Sysinternals Suite
_T("autoruns.exe"), // Part of Sysinternals Suite
_T("autorunsc.exe"), // Part of Sysinternals Suite
_T("filemon.exe"), // Part of Sysinternals Suite
_T("procmon.exe"), // Part of Sysinternals Suite
_T("regmon.exe"), // Part of Sysinternals Suite
_T("procexp.exe"), // Part of Sysinternals Suite
_T("idaq.exe"), // IDA Pro Interactive Disassembler
_T("idaq64.exe"), // IDA Pro Interactive Disassembler
_T("ImmunityDebugger.exe"), // ImmunityDebugger
_T("Wireshark.exe"), // Wireshark packet sniffer
_T("dumpcap.exe"), // Network traffic dump tool
_T("HookExplorer.exe"), // Find various types of runtime hooks
_T("ImportREC.exe"), // Import Reconstructor
_T("PETools.exe"), // PE Tool
_T("LordPE.exe"), // LordPE
_T("SysInspector.exe"), // ESET SysInspector
_T("proc_analyzer.exe"), // Part of SysAnalyzer iDefense
_T("sysAnalyzer.exe"), // Part of SysAnalyzer iDefense
_T("sniff_hit.exe"), // Part of SysAnalyzer iDefense
_T("windbg.exe"), // Microsoft WinDbg
_T("joeboxcontrol.exe"), // Part of Joe Sandbox
_T("joeboxserver.exe"), // Part of Joe Sandbox
_T("joeboxserver.exe"), // Part of Joe Sandbox
_T("ResourceHacker.exe"), // Resource Hacker
_T("x32dbg.exe"), // x32dbg
_T("x64dbg.exe"), // x64dbg
_T("Fiddler.exe"), // Fiddler
_T("httpdebugger.exe"), // Http Debugger
_T("cheatengine-i386.exe"), // Cheat Engine
_T("cheatengine-x86_64.exe"), // Cheat Engine
_T("cheatengine-x86_64-SSE4-AVX2.exe"), // Cheat Engine
};

WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
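Review bot: The three new `cheatengine-*.exe` entries follow the array's pattern, but the unchanged context shows `_T("joeboxserver.exe"), // Part of Joe Sandbox` listed twice in a row; since this commit already edits the array, the second copy should be dropped. It would also help to state in the function's header comment that `analysis_tools_process` compares process image names only, so a renamed copy of any listed tool (the new Cheat Engine binaries included) goes undetected; that is a known limitation of name-based checks and worth documenting for anyone reading the results.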
