It would be great to have a feature that searches through the running processes and, if any debug process is present, doesn't inject the shellcode, something similar to this:
```cpp
// Image names of analysis/debugging tools; each literal is wrapped in
// AY_OBFUSCATE (https://github.com/adamyaxley/Obfuscate) so the plain strings
// do not appear in the binary. Duplicate "joeboxserver.exe" entry removed.
bool analysis_tools_running() {
    char* analysis_processes[] = {
        AY_OBFUSCATE("vmware.exe"),
        AY_OBFUSCATE("ollydbg.exe"),          // OllyDebug debugger
        AY_OBFUSCATE("ProcessHacker.exe"),    // Process Hacker
        AY_OBFUSCATE("tcpview.exe"),          // Part of Sysinternals Suite
        AY_OBFUSCATE("autoruns.exe"),         // Part of Sysinternals Suite
        AY_OBFUSCATE("autorunsc.exe"),        // Part of Sysinternals Suite
        AY_OBFUSCATE("filemon.exe"),          // Part of Sysinternals Suite
        AY_OBFUSCATE("procmon.exe"),          // Part of Sysinternals Suite
        AY_OBFUSCATE("regmon.exe"),           // Part of Sysinternals Suite
        AY_OBFUSCATE("procexp.exe"),          // Part of Sysinternals Suite
        AY_OBFUSCATE("idaq.exe"),             // IDA Pro Interactive Disassembler
        AY_OBFUSCATE("idaq64.exe"),           // IDA Pro Interactive Disassembler
        AY_OBFUSCATE("ImmunityDebugger.exe"), // ImmunityDebugger
        AY_OBFUSCATE("Wireshark.exe"),        // Wireshark packet sniffer
        AY_OBFUSCATE("dumpcap.exe"),          // Network traffic dump tool
        AY_OBFUSCATE("HookExplorer.exe"),     // Find various types of runtime hooks
        AY_OBFUSCATE("ImportREC.exe"),        // Import Reconstructor
        AY_OBFUSCATE("PETools.exe"),          // PE Tool
        AY_OBFUSCATE("LordPE.exe"),           // LordPE
        AY_OBFUSCATE("SysInspector.exe"),     // ESET SysInspector
        AY_OBFUSCATE("proc_analyzer.exe"),    // Part of SysAnalyzer iDefense
        AY_OBFUSCATE("sysAnalyzer.exe"),      // Part of SysAnalyzer iDefense
        AY_OBFUSCATE("sniff_hit.exe"),        // Part of SysAnalyzer iDefense
        AY_OBFUSCATE("windbg.exe"),           // Microsoft WinDbg
        AY_OBFUSCATE("joeboxcontrol.exe"),    // Part of Joe Sandbox
        AY_OBFUSCATE("joeboxserver.exe"),     // Part of Joe Sandbox
        AY_OBFUSCATE("ResourceHacker.exe"),   // Resource Hacker
        AY_OBFUSCATE("x32dbg.exe"),           // x32dbg
        AY_OBFUSCATE("x64dbg.exe"),           // x64dbg
        AY_OBFUSCATE("Fiddler.exe"),          // Fiddler
        AY_OBFUSCATE("httpdebugger.exe"),     // HTTP Debugger
    };

    // Derive the count from the array instead of hard-coding it, so adding or
    // removing an entry cannot silently skip names or read past the end.
    const size_t count = sizeof(analysis_processes) / sizeof(analysis_processes[0]);

    // getFirstFilteredProcess() is the project's own process-lookup helper;
    // a return value > 0 means a process with that image name is running.
    for (size_t i = 0; i < count; i++) {
        if (getFirstFilteredProcess((unsigned char*)analysis_processes[i]) > 0) {
            //printf("check if tool %s is running\n", analysis_processes[i]);
            return true;
        }
    }
    return false;
}
```
Note that it is using the AY_OBFUSCATE function from https://github.com/adamyaxley/Obfuscate. My concern here would be implementing it so that it is compatible with all possible unhooks, since this would differ between NTDLL.dll unhooking and SysWhispers2-3.
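The following is an added example of the same check, written by the editor; it is not the project's code and not the issue author's snippet. It separates the name table and the matching logic from the process enumeration, so the matching can be unit-tested on any platform and the enumeration can later be swapped for a direct-syscall variant without touching the rest. Assumptions: plain string literals stand in for AY_OBFUSCATE (the obfuscation wrapper is orthogonal to the matching), Windows enumeration uses the Toolhelp32 snapshot API, and the non-Windows branch reads `/proc/<pid>/comm` purely so the code runs on a Linux build box. Two details the original snippet gets wrong are fixed here: the comparison is case-insensitive (Windows image names are, so `Wireshark.exe` and `wireshark.exe` are the same process), and the loop bound is derived from the table rather than hard-coded. Caveat worth keeping in mind: a name-based check is trivially defeated by renaming the tool, and Toolhelp32 itself resolves through `kernel32` into `ntdll!NtQuerySystemInformation`, so the hooking concern raised above applies to this enumeration path as much as to the injection path.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
#include <filesystem>
#include <fstream>
#endif

// Image names to refuse to run alongside. Stored lower-case because the
// comparison below lower-cases the candidate name. In a real build each entry
// would be wrapped in AY_OBFUSCATE (assumption: orthogonal to the matching).
static const char* const kAnalysisTools[] = {
    "vmware.exe",        "ollydbg.exe",       "processhacker.exe", "tcpview.exe",
    "autoruns.exe",      "autorunsc.exe",     "filemon.exe",       "procmon.exe",
    "regmon.exe",        "procexp.exe",       "idaq.exe",          "idaq64.exe",
    "immunitydebugger.exe", "wireshark.exe",  "dumpcap.exe",       "hookexplorer.exe",
    "importrec.exe",     "petools.exe",       "lordpe.exe",        "sysinspector.exe",
    "proc_analyzer.exe", "sysanalyzer.exe",   "sniff_hit.exe",     "windbg.exe",
    "joeboxcontrol.exe", "joeboxserver.exe",  "resourcehacker.exe","x32dbg.exe",
    "x64dbg.exe",        "fiddler.exe",       "httpdebugger.exe",
};
// Count comes from the table itself, never from a hand-maintained constant.
static const std::size_t kAnalysisToolCount =
    sizeof(kAnalysisTools) / sizeof(kAnalysisTools[0]);

// ASCII lower-casing: Windows image names are case-insensitive.
static std::string to_lower_ascii(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Strip any directory part so a full path and a bare image name compare equal.
static std::string base_name(const std::string& path) {
    std::size_t pos = path.find_last_of("\\/");
    return pos == std::string::npos ? path : path.substr(pos + 1);
}

// True if image_name (bare name or full path, any case) is in the table.
bool is_analysis_tool(const std::string& image_name) {
    const std::string name = to_lower_ascii(base_name(image_name));
    for (std::size_t i = 0; i < kAnalysisToolCount; ++i)
        if (name == kAnalysisTools[i]) return true;
    return false;
}

// First matching (normalised) name in a process list, or "" if none matched.
std::string first_analysis_tool(const std::vector<std::string>& running) {
    for (const std::string& p : running)
        if (is_analysis_tool(p)) return to_lower_ascii(base_name(p));
    return std::string();
}

bool analysis_tools_running(const std::vector<std::string>& running) {
    return !first_analysis_tool(running).empty();
}

// Snapshot the running process names. On Windows this is Toolhelp32, which
// goes through kernel32 -> ntdll!NtQuerySystemInformation and is therefore
// visible to any user-mode hook on that path; a direct-syscall version would
// replace only this function.
std::vector<std::string> enumerate_process_names() {
    std::vector<std::string> names;
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return names;
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(snap, &pe)) {
        do {
            std::string n;
            // The table is ASCII-only, so any non-ASCII character can never match.
            for (const wchar_t* p = pe.szExeFile; *p; ++p)
                n.push_back(*p < 128 ? static_cast<char>(*p) : '?');
            names.push_back(n);
        } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
#else
    // Non-Windows fallback (assumption: only so this compiles and runs on a
    // Linux build box): /proc/<pid>/comm holds the executable's base name.
    for (const auto& entry : std::filesystem::directory_iterator("/proc")) {
        const std::string pid = entry.path().filename().string();
        if (pid.empty() || !std::isdigit(static_cast<unsigned char>(pid[0]))) continue;
        std::ifstream comm(entry.path() / "comm");
        std::string line;
        if (std::getline(comm, line) && !line.empty()) names.push_back(line);
    }
#endif
    return names;
}

int main() {
    // Stand-alone usage: refuse to proceed when an analysis tool is present.
    return analysis_tools_running(enumerate_process_names()) ? 1 : 0;
}
```

The injector would call `analysis_tools_running(enumerate_process_names())` once before unpacking or injecting the shellcode and bail out on `true`; keeping the enumeration behind one function is what makes the "NTDLL unhooking versus SysWhispers" question a local change rather than a rewrite of the check.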