VX Heaven

Library: Anti anti-viruses, anti-debugging

«Full Thunderbyte Stealth...» 13.26Kb 11761 hits
What we are trying to do here is to enumerate all the possible Thunderbyte flags, so that you can be certain that your virus will not trigger an alarm under any specific circumstances. This text is essentially the same as the one in the previous issue, only now it's more complete.
«A new, completely transparent method of deactivating/reactivating VSAFE» 2.26Kb 10294 hits
After just a few minutes of analysis several months ago, I discovered a way to bypass VSAFE which is far less detectable than the usual deinstallation. The total removal of VSAFE by a virus would arouse suspicion and would be incredibly obvious if some other TSR had been installed after VSAFE, since VSAFE displays an alert box in such a case warning that VSAFE cannot be removed.
«A brand new way to fool TBScan» 1.67Kb 11493 hits
Vlad [3] (1995)
Today I worked on some features for Antipode: I wanted it to infect a file during a scan by AV software so I added the usual int 21h 3Dh (open) infection. It already infected the files under McAfee's SCAN so I added the 21h 6Ch (extended open) infection and F-PROT became a vector but I was surprised that TBSCAN didn't infect my test files (5 byte .COM just 3 NOPs and an int 20h). I took SoftICE and traced some code and was really surprised as TBSCAN didn't open any file in my directory!
Black Jack
«Anti heuristic techniques» 16.88Kb 18638 hits
Blade Runner
«Chilling Fridrik» 2.65Kb 10375 hits
29a [1] (1996)
Ok, F-Prot, unlike TbScan, uses int 21h for opening, reading, and so on, that is, for scanning files for any infection.
Silvio Cesare
«Linux anti-debugging techniques (fooling the debugger)» 5.55Kb 32765 hits
This article describes anti-debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is, techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection.
Dark Angel
«Scan-strings, how they work and how to avoid them» 7.01Kb 12534 hits
40hex [6] (1992)
The virus author must find encryption techniques which can successfully evade easy detection. This article will show you several such techniques.
«TBMEM FLAWS» 8.35Kb 10714 hits
Vlad [4] (1995)
This document is another example of how to make a program resident in memory without TbMem, the memory-resident component of ThunderBYTE Anti-Virus, detecting it. This document also covers which interrupts are hooked by TbMem and which interrupts are monitored by TbMem. All examples in this document will hook interrupt 21h.
«Anti-TBClean code» 3.87Kb 10838 hits
«New anti-debugging possibilities» [SRC] 9.77Kb 13746 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
Nowadays there are plenty of anti-debugging tricks, some of them are known, some not. However, all publicly known tricks are Win32-specific and Win64 is still untouched currently. In the first part of the article I'm going to demonstrate a few new tricks, which are coded for Win64, but can be easily ported to Win32. In the second part I'll show how to implement SEH and TLS on Win64 and also some other new Win64-specific anti-debug techniques.
«A guide to Anti-Heuristics / Shmistics Technology» 25.3Kb 13156 hits
Lord Julus
«Anti-Debugger & Anti-Emulator Lair» 63.54Kb 17758 hits
VX-tasy [articles] (1998)
Due to the fact that I was very anxious to release this, and the fact that while writing it my computer got burned, and that, anyway, I was sick and tired of looking at it anymore, I released it in a, let's say for now, Version 1.0. As soon as I feel ready to write again, I shall come with more ideas and stuff. For now just read this and don't kick me if you find any mistakes I didn't have time to correct... Anyway, during the writing of this I kinda felt a little more on the encryption side, which actually is the basis of a good fight with an AV. You got an unbeatable encryption, you rule! So, don't be frightened by the math involved here: everything is explained. Secondly, also while writing this article I got involved in Win32 programming. This made me leave the mortals' world for a while ;-) and go in higher circles. So, just read along...
«Anti-debugging in Win32» 12.49Kb 16658 hits
I am almost ashamed to open this subject here, but it has to be done. I am ashamed not actually about writing it, but I am ashamed of the anti-virus companies' shame. Because it *IS* a shame not to have, after such a long time, something which you could call a real Win32 emulator. And don't jump on me because it is true... Each and every Win32 virus I wrote and you see in this issue was not discovered at first sight by any AV. After a little work on them, some smart AVs like AVP and DrWeb started to discover them... It was only a matter of adding more layers of encryption and all was hidden completely. However, even if the substance of the article doesn't really exist (there is *NO* AV that would act like good old TBAV in DOS), we must start talking about this, because it is not so long until the AVers will start taking this seriously and program some real code emulators.
«Dynamic Analysis .. What is it and how to defeat it?!» 9.23Kb 5985 hits
Valhalla #2 (2012)
Dynamic analysis is an important issue today as the number of malware is increasing every year. For example, in the year 2008 Symantec got more than 4000 new unknown samples per day, and McAfee got about 12,300 per day! This emphasized the need for automated tools that can scan the submitted samples and try detecting malicious software among them. In this article I'll try to discuss some of the most frequently used techniques of dynamic analysis with emphasis on how to overcome them.
«Malware Statistical analysis and countermeasures» 8.95Kb 8882 hits
Valhalla #1 (2011)
Metamorphism is becoming complex and harder to detect, so algorithmic approaches for detection are in turn becoming more complex and more infeasible for PCs due to restrictions in execution time and memory. The new trend in metamorphic code detection is statistical analysis. In this article I will give a quick overview of statistical analysis and then explain a new approach that appeared in late 2010 called Eigenviruses, and finally, how AVers could beat those techniques.
«SYP.01: Bypassing Online Dynamic Analysis Systems» [SRC] 9.09Kb 6053 hits
Valhalla #4 (2013)
SYP (Simple Yet Powerful) is a series that introduces in each episode a very simple technique to achieve a powerful impact goal. In this article, I'll discuss bypassing online dynamic analysis systems.
«Retro the easy way» [SRC] 3.97Kb 9669 hits
Coderz [1] (2000)
[...] For instance, a certain virus will detect if a certain on-access scanner is in memory, and will issue the correct call to shut it down if it is [...]
«ANTI-Anti-Virus Tricks Version 1.00» 17.93Kb 13470 hits
Improved antivirus programs got you down? Don't worry - with the help of this file you can create a virus that will surpass the protection of most computers out there, computers whose hapless users are convinced are truly 'protected'.
Mouth of Sauron
«Further virus strategies» 27.89Kb 10571 hits
«Ars loricatus novus or A small introduction to retro-armoring» [SRC] 16.65Kb 10163 hits
Ready Rangers Liberation Front [7] (2006)
There are many ways of hiding and protecting your virus from AV analysis, ranging from metamorphism to casual anti-debugging to aggressive attacks on AV products (process termination). With time however, anything can be reversed. But this doesn't mean we can't delay them critically. By using a thick armor of anti-debugging, aggressive and passive anti-AV tricks and general stealth, we can delay analysis. Combined with a quickly morphing virus, this would mean the virus changes its appearance and (if it's a virus that would re-write itself on source level) its armor. This paper will show you some techniques that can be used to armor your virus.
«About AV-Checker» 18.83Kb 7688 hits
Inception #1 (EN) (2013)
The topic of AV-checkers has been raised on numerous occasions: there are concepts, raw and ready realizations, thoughts and other bullshit. That's why I decided to dump here everything related to the checker's working scheme. I did however add something new and left the unnecessary parts out. An AV-checker is an online service, checking files/data for viruses/trojans/worms/etc. with the help of (prepared in advance) different Anti-Virus (AV) scanners. For starters, we will need a powerful multi-core dedicated server (the more cores, frequency, cache, the better), with a lot of RAM and supporting hardware virtualization (for the hypervisor). In addition, we will need wide network channels and unlimited traffic (specific technical characteristics are not provided because it all depends on what you want and can get). A "simple" PC with an installed Virtual Machine (VM) could do, but it would directly influence the working speed of the AV-checker. After all, good performance depends directly on the equipment's capacity and its configuration.
«Thunderbyte Residency Test» 2.31Kb 9579 hits
Vlad [3] (1995)
As you may or may not know, the Thunderbyte resident AV utilities hook themselves to the device driver chain using the following device names: TBDRVXXX, TBFILXXX, TBDSKXXX, TBMEMXXX, TBCHKXXX and TBLOGXXX. Now, by doing trial handle opens you can detect if those devices do or do not exist, et voilà, you have a method for testing residency. TBAV itself scans the actual device driver chain for the TB???XXX devices, which, unlike this method, is pretty much impossible to confuse, but also undocumented and thus it's not guaranteed to work under future versions of DOS! Yes, Frans Veldman calls vile and unsafe functions in his battle against replicating code fragments.
Tiberio Degano
«Anti Virus Detection Strategies and how to overcome them» [SRC] 20.76Kb 12300 hits
Decepticons #1 (2009)
This article will talk about AVers in depth: how they think and what ideas they will use, and the most important thing is how to overcome these defenses and put your brain in the straightway.
«A simple way to detect VirtualBox» [SRC] 2.17Kb 11612 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
There are a lot of ways to detect a virtualized environment; here I will show only a simple trick to detect if you are running inside VirtualBox. This trick requires that guest additions (a component that lets you exchange files between a virtualized system and the real one) are installed on the virtualized system because the detection is based on it. If you want to go deeper in VM detection look at ! Now go to the real stuff.
«VMware has you» [SRC] 1.79Kb 13780 hits
29a [7] (2004)
When AVers catch your virus, they analyze it. In the case of a complex networking creature, they must learn how it spreads. How it infects computers via network. How it infects files. There exist some programs to emulate virtual OSes on a single machine. This is the best solution when you need to study some virus without risk to fuck up your own system. So, there appears a question: how to find out if our virus is running under a virtual OS.
20 authors, 25 titles