Posted 25 January 2013 - 06:52 AM
Will that get rid of KAV tags on dll injection as well for example?
no it wouldn't... classical injection methods are caught by proactive defence (actuall SSDT hooks in kernel mode by klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...
Member
Posted 25 January 2013 - 04:08 PM
no it wouldn't... classical injection methods are caught by proactive defence (actuall SSDT hooks in kernel mode by klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...
Indeed. Emulation and proactive defense are two completely different things. Something as simple as this will confuse some AV's.
Expert
Posted 25 January 2013 - 07:12 PM
no it wouldn't... classical injection methods are caught by proactive defence (actuall SSDT hooks in kernel mode by klif.sys driver)... there are some injection methods that are undetected with KAV/KIS though...
now I got a bit curious about what exactly is non classical injection methods. Or you mean public injection code are usually detected?
Posted 25 January 2013 - 07:21 PM
now I got a bit curious about what exactly is non classical injection methods. Or you mean public injection code are usually detected?
just to make it clear, I'll be talking about KAV/KIS 2012 now, as haven't yet tried 2013... in particular klif.sys hooks NtCreateThread, NtSetContextThread, NtAllocateVirtualMemory, NtWriteVirtualMemory so you won't able to use CreateRemoteThread, SetThreadContext, VirtualAllocEx, WriteProcessMemory and so on... however one can still use NtMapViewOfSection for example...
Intermediate Member
Posted 26 January 2013 - 09:48 AM
steve10120
asm
RDTSC
MOV EBX, EAX
@Loop:
RDTSC
SUB EAX, EBX
JA @Loop
end;
RDTSC like a one ~sec delay... 
in loop it generete some time delay to confuse emulators... seems very old trick..
p.s. nowdays stopping emulator is not only single problem... if code analyser (after emulating) will get fault at strange non-sample place, av can send your code to it's sandbox (av automatic analysis system), and there is no problem to wait all your time delays or etc... U need find trick to avoid it's sandbox too...
p.s.s. LeFF what about NtCreateSection?
Member
Posted 26 January 2013 - 11:06 AM
playing with memory not very stable bro...
I'm no more using the loop, the actual code (as posted above) uses cmp (you can use VirtualFree after the VirtualAlloc to free the memory)
U need find trick to avoid it's sandbox too...
Intermediate Member
Posted 26 January 2013 - 12:10 PM
cob_258 yes, like so complexly it will give good result...
anyway to make it ud for more every coder must find self trick to avoid it =)
Member
Posted 26 January 2013 - 03:17 PM
steve10120
RDTSC like a one ~sec delay...
The loop can go on for half a second or 10 seconds. Regardless, it still confuses some AV's.
Member
Posted 29 January 2013 - 09:08 PM
This is another code to detect kaspersky emulator (inspired from
's topic : ), I ignore if it's already known, I would to share it
you can check this poc (a downloader)
scans (look at kaspersky) :
/
Intermediate Member
Posted 30 January 2013 - 12:39 PM
FPU is cool xD
I code for $$$
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
Intermediate Member
Posted 30 January 2013 - 09:07 PM
cob_258
bro very nice trcik.. no fucking api's etc... pls tell more were did u get information about fpu opcode results... or u just looked to debugger to get before and after eax result?
Member
Posted 31 January 2013 - 01:47 PM
do someone can check these snippets, they works in my PC and VM, the second one has a strange behavior (read comments below)
detect kaspersky emulator
the following code seems to detect VMware, tested in VMware® Workstation 8.0.4 build-744019 - winXP sp3
-------------------------------------------------
cob_258
bro very nice trcik.. no fucking api's etc... pls tell more were did u get information about fpu opcode results... or u just looked to debugger to get before and after eax result?
after reading karcrack's code, I said : "I didn't knew that fpu and mmx are linked, does kaspersky emulator know this?" (I really had no fpu knowledge so thanks to karcrack)
the idea was taken from the following line, debugged with olly and tested with the POC
Intermediate Member
Posted 31 January 2013 - 09:56 PM
Intermediate Member
Posted 31 January 2013 - 10:14 PM
I code for $$$
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
Member
Posted 05 February 2013 - 02:02 PM
I checked these values and I got this
D9EB FLDLN2 MM7-> B172 17F7 D1CF 79AC
D9E9 FLDLG2 MM7-> 9A20 9A84 FBCF F799
D9EA FLDL2E MM7-> B8AA 3B29 5C17 F0BC
D9EC FLDL2T MM7-> D49A 784B CD1B 8AFE
D9ED FLDPI MM7-> C90F DAA2 2168 C235
Intermediate Member
Posted 05 February 2013 - 08:11 PM
I pasted the opcodes in reverse order haha
Thanks for poiting that out 
I code for $$$
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
Intermediate Member
Contributor
Posted 06 February 2013 - 10:17 PM
so is there any working way to get registers values when application is being emulated ??? ,,, thanks cob
Intermediate Member
Posted 07 February 2013 - 09:50 AM
so is there any working way to get registers values when application is being emulated ???
Member
Posted 07 February 2013 - 04:36 PM
I don't know a direct method to get values from virtual machine, my method is to put a check before the malware code, like in the POC there's a check for some values then execute a downloader code that's detected only by emulator (using GetProcAddress)
example :
Posted 14 February 2013 - 06:41 PM
Anyway, I've noticed that on different W$ versions the registers that are saved differ. By convention (Intel ABI) ESI, EDI, EBX, EBP must be saved, the others may vary.
Yes thats right. Each Windows Version have a different Windows loader. So on my XP SP3 loadup i have the adress value 7C91E514 in my EDX Register (linked to ntdll.fastsystemcall) and in fact that the Register are different on each WinVersion so AV´s have a big problem to emulate simple things like that
 |
Programming →
C & C++ →
Resources →
Process Persistence ProcessBreakOnTerminationStarted by Johannes , 13 Nov 2013  source, snippet
|
|
|
|
|
Programming →
C & C++ →
Resources →
Plain C & Win32 - Playing with windowsStarted by testacc , 02 Nov 2013 source, snippet
|
|
|
|
|
snippet
Programming →
Basic →
Resources →
[VB6/ASM] IsAVSandboxStarted by iCode , 19 Oct 2013 snippet
|
|
|
|
|
snippet
Programming →
Basic →
Resources →
Epic286 EncryptionStarted by truxk , 16 Oct 2013 snippet, encryption
|
|
|
snippet
Programming →
.Net →
Resources →
Runpe (1/35)Started by testacc , 13 Oct 2013 snippet, runpe
|
|
|
