This release does not bring any new detection technique beyond what we already had; it just allows us to properly start versioning this tool and lets people download compiled binaries.
What's Changed
- update readme by @LordNoteworthy in #37
- Noteworthy by @LordNoteworthy in #38
- Noteworthy by @LordNoteworthy in #39
- add generic sandbox loaded dlls check by @LordNoteworthy in #40
- add Win32_NTEventlogFile WMI trick by @LordNoteworthy in #41
- add number of processors check by @LordNoteworthy in #42
- add anti analysis tools - process based by @LordNoteworthy in #43
- Noteworthy by @LordNoteworthy in #44
- add Parallels AntiVM by @LordNoteworthy in #45
- add Xen AntiVM - check process by @LordNoteworthy in #46
- Noteworthy by @LordNoteworthy in #48
- various fixes by @mrexodia in #50
- Noteworthy by @LordNoteworthy in #51
- add task state segment trick via STR by @LordNoteworthy in #52
- add cores number check from WMI by @LordNoteworthy in #53
- add hard disk check using WMI by @LordNoteworthy in #54
- Noteworthy by @LordNoteworthy in #55
- Noteworthy by @LordNoteworthy in #56
- Noteworthy by @LordNoteworthy in #58
- Noteworthy by @LordNoteworthy in #59
- Noteworthy by @LordNoteworthy in #60
- add screenshot and compiled binary by @LordNoteworthy in #61
- push binary by @LordNoteworthy in #62
- add mouse movement trick by @LordNoteworthy in #63
- memory space check by @LordNoteworthy in #64
- Noteworthy by @LordNoteworthy in #65
- Noteworthy by @LordNoteworthy in #66
- push new release by @LordNoteworthy in #67
- Noteworthy by @LordNoteworthy in #68
- Fix mem leak in Generic.cpp by @LordNoteworthy in #70
- add TLS callback trick by @LordNoteworthy in #71
- add timing attack: rdtsc with cpuid (VM Exit) by @LordNoteworthy in #72
- add cpuid vendor id check - hypervisor detection by @LordNoteworthy in #73
- Noteworthy by @LordNoteworthy in #74
- Update Al-khaser.cpp by @y-oyama in #75
- Fix and enable Anti-VM routines by @ntddk in #78
- Update Generic.cpp by @slow-mouse in #80
- Add support for macro based sandbox detection tricks: AutoClose and R… by @LordNoteworthy in #81
- add IcmpSendEcho timing attack seen in Ccleaner malware by @LordNoteworthy in #82
- fix version by @LordNoteworthy in #83
- Add two kernel debugger checks by @Mattiwatti in #85
- Added process job anti-debug check. by @gsuberland in #88
- Firmware checks by @gsuberland in #89
- Noteworthy by @LordNoteworthy in #90
- change location of changelog to root dir by @LordNoteworthy in #91
- Fixed PEB offset. by @Nxgr in #92
- Noteworthy by @LordNoteworthy in #96
- VM driver service checks by @gsuberland in #100
- Fix null references in timing.cpp by @gsuberland in #99
- Memory write watch anti-debug by @gsuberland in #101
- Vastly improved VirtualAlloc write watch tests by @gsuberland in #102
- Noteworthy by @LordNoteworthy in #103
- Noteworthy by @LordNoteworthy in #104
- added qemu process check (qemu-ga.exe) by @LordNoteworthy in #106
- Added firmware table checks SMBIOS and ACPI (Qemu) by @LordNoteworthy in #107
- Noteworthy by @LordNoteworthy in #108
- Noteworthy by @LordNoteworthy in #109
- XP Support by @talliberman in #113
- Improved disk size IOCTL checks by @gsuberland in #119
- TLS callback improvements by @gsuberland in #116
- Overhaul of timing attack code + fix the locky timer trick by @gsuberland in #117
- Consolidate APIs by @gsuberland in #122
- Comodo detection added by @kaganisildak in #127
- Detect Hybrid Analysis with MAC address by @kaganisildak in #136
- Detect Hybrid Analysis by @kaganisildak in #135
- Added check to catch CE page exception breakpoints by @gsuberland in #131
- API hook checks, part 1 (bounds based) by @gsuberland in #138
- Fixed a typo in API data structure and move print_os() after API init… by @LordNoteworthy in #143
- Added enumerate_memory function for finding all memory allocations in the process. by @gsuberland in #147
- DLL injection detection by @gsuberland in #148
- add WMI Win32_Fan anti-vm trick by @LordNoteworthy in #150
- Move to Visual Studio 2017 by @LordNoteworthy in #153
- Bug fixes by @hfiref0x in #158
- Bug fixes 2 by @hfiref0x in #159
- bump to version 0.76 by @LordNoteworthy in #160
- Bug fixes 3 by @hfiref0x in #161
- Bug fixes 4 by @hfiref0x in #162
- Bug fixes 5 by @hfiref0x in #163
- VM detects update by @hfiref0x in #165
- Fixed false positive in VirtualBox BIOS serial number WMI check by @gsuberland in #169
- Noteworthy by @LordNoteworthy in #170
- Added ATAIdentifyDump and StructDumpCodegen tools to the repo. by @gsuberland in #171
- Multiple anti-VM checks using WMI by @gsuberland in #173
- Crash fix for 32 bit app running on Win7 x64 by @dvarshavsky in #174
- update CHANGELOG by @LordNoteworthy in #176
- Anti-dump: fix SizeOfImage() modifying the wrong module and field by @Mattiwatti in #183
- Fix VARIANT vartype flags check on WMI properties by @Mattiwatti in #182
- add few anti-disassembly tricks by @LordNoteworthy in #194
- DebugObjectHandle improvements by @Mattiwatti in #197
- add generic anti-sandbox (checking for well file names like malware.exe) by @LordNoteworthy in #199
- add trap flag anti debug by @LordNoteworthy in #200
- Fix string comparison in check_adapter_name() by @LordNoteworthy in #204
- fix wrong path names in vmware_files() and vbox_files() to adapt to w… by @LordNoteworthy in #205
- Use Wow64DisableWow64FsRedirection/Wow64RevertWow64FsRedirection inst… by @LordNoteworthy in #206
- API fixes related to #198 by @gsuberland in #207
- Fixed the encoding of some files by @not-matthias in #208
- Improve GetOSDisplayString by adding Windows Server 2019 by @LordNoteworthy in #210
- Add Is Windows Genuine Check by @LordNoteworthy in #212
- New Anti-Debug: Low Fragmentation Heap by @LordNoteworthy in #215
- fixed a bug in LowFragmentationHeap by @rdzhaafar in #217
- Fix #189 - Add known hostname / username checks from malware by @recvfrom in #219
- Fix #191 - Add Anti-VM disk enum registry checks by @recvfrom in #220
- Fix wrong comment by @SpriteOvO in #224
- Check for the lack of user input. by @packmad in #226
- Bug fixes and new checks in ThreadHideFromDebugger. by @gsuberland in #235
- Improve parent process check to avoid false positives. by @gsuberland in #236
- Fix ScanForModules_MemoryWalk_Hidden and add new .NET structure scan. by @gsuberland in #238
- This will build and upload binaries by @graysuit in #240
- Add Hyper-V object checks. by @gsuberland in #241
- Add KVM virtio artifacts and QEMU guest agent / spice tools artifacts. by @LordNoteworthy in #244
- Fixed building with VS2019 by @hasherezade in #246
- Bugfix + new anti-disassembly technique by @Yp3rion in #245
- Add NtSystemDebugControl anti-dbg by @stevemk14ebr in #252
- Update Al-khaser.cpp by @hasdhuahd in #253
- Fix spelling mistake in timing.cpp by @SleekZ in #255
- Added Al-Khaser console parameters for test enabling by @Haimasker in #261
- Update README.md by @mrexodia in #262
- Add cheat engine for anti-analysis by @xmaple555 in #264
- Added WaitForMultipleObjects and Frida processes by @Fra-SM in #265
- Spelling cleanup by @iamjplant in #268
- Checking the virtual machine through the number of SMBIOS tables by @CyberGreg05 in #267
- Working with a mounted flash drive by @CyberGreg05 in #270
- Fix incorrect comparison when counting smbios tables by @CyberGreg05 in #271
- Attach project binaries to releases for accessibility by @holysoles in #274
New Contributors
- @mrexodia made their first contribution in #50
- @y-oyama made their first contribution in #75
- @ntddk made their first contribution in #78
- @slow-mouse made their first contribution in #80
- @Mattiwatti made their first contribution in #85
- @gsuberland made their first contribution in #88
- @Nxgr made their first contribution in #92
- @talliberman made their first contribution in #113
- @kaganisildak made their first contribution in #127
- @hfiref0x made their first contribution in #158
- @dvarshavsky made their first contribution in #174
- @not-matthias made their first contribution in #208
- @rdzhaafar made their first contribution in #217
- @recvfrom made their first contribution in #219
- @SpriteOvO made their first contribution in #224
- @packmad made their first contribution in #226
- @graysuit made their first contribution in #240
- @hasherezade made their first contribution in #246
- @Yp3rion made their first contribution in #245
- @stevemk14ebr made their first contribution in #252
- @hasdhuahd made their first contribution in #253
- @SleekZ made their first contribution in #255
- @Haimasker made their first contribution in #261
- @xmaple555 made their first contribution in #264
- @Fra-SM made their first contribution in #265
- @iamjplant made their first contribution in #268
- @CyberGreg05 made their first contribution in #267
- @holysoles made their first contribution in #274
Full Changelog: https://github.com/LordNoteworthy/al-khaser/commits/v1.0.0