From 0f31a3866bafdfa703d2ed1ee1a242ab31bf5ef0 Mon Sep 17 00:00:00 2001
From: xmaple555 <54590608+xmaple555@users.noreply.github.com>
Date: Mon, 30 Oct 2023 17:35:17 +0800
Subject: [PATCH] Add cheat engine for anti-analysis (#264)

* Add cheat engine for analysis_tools_process
* Update README.md
---
 README.md | 5 ++-
 al-khaser/AntiAnalysis/process.cpp | 65 ++++++++++++++++--------------
 2 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/README.md b/README.md
index 659a89e9..34293c58 100644
--- a/README.md
+++ b/README.md
@@ -279,12 +279,13 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 ### Anti-Analysis
 - **Processes**
- - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
+ - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Enigne
 - SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
- - Wireshark / Dumpcap
+ - Wireshark / Dumpcap / Fiddler / Http Debugger
 - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
 - ImportREC / PETools / LordPE
 - JoeBox Sandbox
+ - Resource Hacker
 ### Anti-Disassembly
 - Jump with constant condition
diff --git a/al-khaser/AntiAnalysis/process.cpp b/al-khaser/AntiAnalysis/process.cpp
index c07cc4be..25377bff 100644
--- a/al-khaser/AntiAnalysis/process.cpp
+++ b/al-khaser/AntiAnalysis/process.cpp
@@ -9,37 +9,40 @@ Check for process list
 VOID analysis_tools_process()
 {
 const TCHAR *szProcesses[] = {
- _T("ollydbg.exe"), // OllyDebug debugger
- _T("ProcessHacker.exe"), // Process Hacker
- _T("tcpview.exe"), // Part of Sysinternals Suite
- _T("autoruns.exe"), // Part of Sysinternals Suite
- _T("autorunsc.exe"), // Part of Sysinternals Suite
- _T("filemon.exe"), // Part of Sysinternals Suite
- _T("procmon.exe"), // Part of Sysinternals Suite
- _T("regmon.exe"), // Part of Sysinternals Suite
- _T("procexp.exe"), // Part of Sysinternals Suite
- _T("idaq.exe"), // IDA Pro Interactive Disassembler
- _T("idaq64.exe"), // IDA Pro Interactive Disassembler
- _T("ImmunityDebugger.exe"), // ImmunityDebugger
- _T("Wireshark.exe"), // Wireshark packet sniffer
- _T("dumpcap.exe"), // Network traffic dump tool
- _T("HookExplorer.exe"), // Find various types of runtime hooks
- _T("ImportREC.exe"), // Import Reconstructor
- _T("PETools.exe"), // PE Tool
- _T("LordPE.exe"), // LordPE
- _T("SysInspector.exe"), // ESET SysInspector
- _T("proc_analyzer.exe"), // Part of SysAnalyzer iDefense
- _T("sysAnalyzer.exe"), // Part of SysAnalyzer iDefense
- _T("sniff_hit.exe"), // Part of SysAnalyzer iDefense
- _T("windbg.exe"), // Microsoft WinDbg
- _T("joeboxcontrol.exe"), // Part of Joe Sandbox
- _T("joeboxserver.exe"), // Part of Joe Sandbox
- _T("joeboxserver.exe"), // Part of Joe Sandbox
- _T("ResourceHacker.exe"), // Resource Hacker
- _T("x32dbg.exe"), // x32dbg
- _T("x64dbg.exe"), // x64dbg
- _T("Fiddler.exe"), // Fiddler
- _T("httpdebugger.exe"), // Http Debugger
+ _T("ollydbg.exe"), // OllyDebug debugger
+ _T("ProcessHacker.exe"), // Process Hacker
+ _T("tcpview.exe"), // Part of Sysinternals Suite
+ _T("autoruns.exe"), // Part of Sysinternals Suite
+ _T("autorunsc.exe"), // Part of Sysinternals Suite
+ _T("filemon.exe"), // Part of Sysinternals Suite
+ _T("procmon.exe"), // Part of Sysinternals Suite
+ _T("regmon.exe"), // Part of Sysinternals Suite
+ _T("procexp.exe"), // Part of Sysinternals Suite
+ _T("idaq.exe"), // IDA Pro Interactive Disassembler
+ _T("idaq64.exe"), // IDA Pro Interactive Disassembler
+ _T("ImmunityDebugger.exe"), // ImmunityDebugger
+ _T("Wireshark.exe"), // Wireshark packet sniffer
+ _T("dumpcap.exe"), // Network traffic dump tool
+ _T("HookExplorer.exe"), // Find various types of runtime hooks
+ _T("ImportREC.exe"), // Import Reconstructor
+ _T("PETools.exe"), // PE Tool
+ _T("LordPE.exe"), // LordPE
+ _T("SysInspector.exe"), // ESET SysInspector
+ _T("proc_analyzer.exe"), // Part of SysAnalyzer iDefense
+ _T("sysAnalyzer.exe"), // Part of SysAnalyzer iDefense
+ _T("sniff_hit.exe"), // Part of SysAnalyzer iDefense
+ _T("windbg.exe"), // Microsoft WinDbg
+ _T("joeboxcontrol.exe"), // Part of Joe Sandbox
+ _T("joeboxserver.exe"), // Part of Joe Sandbox
+ _T("joeboxserver.exe"), // Part of Joe Sandbox
+ _T("ResourceHacker.exe"), // Resource Hacker
+ _T("x32dbg.exe"), // x32dbg
+ _T("x64dbg.exe"), // x64dbg
+ _T("Fiddler.exe"), // Fiddler
+ _T("httpdebugger.exe"), // Http Debugger
+ _T("cheatengine-i386.exe"), // Cheat Engine
+ _T("cheatengine-x86_64.exe"), // Cheat Engine
+ _T("cheatengine-x86_64-SSE4-AVX2.exe"), // Cheat Engine
 };
 WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
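Review bot: The duplicated entry `_T("joeboxserver.exe"), // Part of Joe Sandbox` is carried into the new list unchanged (it appears twice in a row, right after `joeboxcontrol.exe`), so one of the two lines should be dropped while this array is being touched. The 31 pre-existing entries are all removed and re-added with what appears to be only a change in comment alignment, which hides the three genuinely new `cheatengine-*.exe` lines; a whitespace-only reflow is better kept in its own commit so the blame and review stay readable. The array length is still taken from the unchanged context line `WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);`; `_countof(szProcesses)` states the intent directly and fails to compile if the operand ever decays to a pointer. The loop that consumes szProcesses lies outside the hunk, so whether the comparison is case-sensitive (the list mixes `ProcessHacker.exe` and `procmon.exe` casings) cannot be confirmed from here.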