Maximize
Bookmark

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
[Deutsch][English][Español][Italiano][Français][Polski][Русский][Українська]
Top 5 articles
S. Cesare «Linux anti-debugging techniques (fooling the debugger)» (21759)
Black Jack «Anti heuristic techniques» (11413)
Lord Julus «Anti-debugging in Win32» (10768)
Lord Julus «Anti-Debugger & Anti-Emulator Lair» (10456)
MnemoniX «ANTI-Anti-Virus Tricks Version 1.00» (7488)

Library: Anti anti-viruses, anti-debugging


uknown
«Full Thunderbyte Stealth...» (3) 13.26Kb 6146 hits
What we are trying to do here is to enumerate all the possible Thunderbyte flags, so that you can be certain that your virus will not trigger an alarm under any specific circumstances. This text is essentially the same as the one in the previous issue, only now it's more complete.
«A new, completely transparent method of deactivating/reactivating VSAFE» (0) 2.26Kb 5454 hits
After just a few minutes of analysis several months ago, I discovered a way to bypass VSAFE which is far less detectable than the usual deinstallation. The total removal of VSAFE by a virus would arouse suspicion and would be incredibly obvious if some other TSR had been installed after VSAFE, since VSAFE displays an alert box in such a case warning that VSAFE cannot be removed.
Automag
«A brand new way to fool TBScan» (0) 1.67Kb 6406 hits
Vlad [3] (1995)
Today I worked on some features for Antipode: I wanted it to infect a file during a scan by AV software so I added the usual int 21h 3Dh (open) infection. It already infected the files under McAfee's SCAN so I added the 21h 6Ch (extended open) infection and F-PROT became a vector but I was surprised that TBSCAN didn't infect my test files (5 byte .COM just 3 NOPs and an int 20h). I took SoftICE and traced some code and was really surprised as TBSCAN didn't open any file in my directory!
Black Jack
«Anti heuristic techniques» (0) 16.88Kb 11413 hits
Blade Runner
«Chilling Fridrik» (0) 2.65Kb 5470 hits
29a [1] (1996)
Ok, F-Prot, unlike TbScan, uses int 21h for opening, reading, and so on, that is, for scanning files for any infection.
Silvio Cesare
«Linux anti-debugging techniques (fooling the debugger)» (0) 5.55Kb 21759 hits
(1999)
This article describes anti debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection.
Dark Angel
«Scan-strings, how they work and how to avoid them» (0) 7.01Kb 6364 hits
40hex [6] (1992)
The virus author must find encryption techniques which can successfully evade easy detection. This article will show you several such techniques.
Darkman
«TBMEM FLAWS» (0) 8.35Kb 6137 hits
Vlad [4] (1995)
This document is another example of how to make a program resident in memory without the memory resident of ThunderBYTE Anti-Virus: TbMem detects it. This document also covers which interrupts are hooked by TbMem and which interrupts are monitored by TbMem. All examples in this document will hook interrupt 21h.
Ghost
«Anti-TBClean code» (0) 3.87Kb 5816 hits
izee
«New anti-debugging possibilities» [SRC] (0) 9.77Kb 6691 hits
Electrical Ordered Freedom EOF-DR-RRLF (2008)
Nowadays there are plenty anti-debugging tricks, some of them are known, some not. However, all publicly known tricks are Win32-specific and Win64 is still untouched currently. In the first part of article i'm going to demonstrate few new tricks, which are coded for Win64, but can be easily ported to Win32. In the second part i'll show how to implement SEH and TLS on Win64 and also some other new Win64-specific anti-debug techniques.
Kohntark
«A guide to Anti-Heuristics / Shmistics Technology» (0) 25.3Kb 7207 hits
Lord Julus
«Anti-Debugger & Anti-Emulator Lair» (0) 63.54Kb 10456 hits
VX-tasy [articles] (1998)
Due to the fact that I was very anxious to release this, and the fact that while writing it my computer got burned, and that, anyway I was sick and tired of looking at it anymore, I released it in a, let's say for now Version 1.0. As soon as I'll feel again ready to write, I shall come with more ideas and stuff. For now just read this and don't kick me if you find any mistakes I didn't have time to correct... Anyway, during the writing of this I kinda felt a little more on the encryption side, which actually is the basis of a good fight with an AV. You got an unbeatable encryption, you rule! So, don't be frightened by the math involved here: everything is explained. Secondly, also while writing this article I got involved in Win32 programing. This made me leave the mortal's world for a while ;-) and go in higher circles. So, just read along...
«Anti-debugging in Win32» (0) 12.49Kb 10768 hits
(1999)
I am almost ashamed to open this subject here, but it has to be done. I am ashamed not actually about writing it, but I am ashamed of the anti-virus companies' shame. Because it *IS* a shame not to have after such a long time something which you could call a real Win32 emulator. And don't jump on me because it is true... Each and every win32 virus I wrote and you see in this issue was not discovered at first sight by any AV. After a little work on them, some smart AVs like AVP and DrWeb started to discover them... It was only a matter of adding more laywers of encryption and all was hidden completely. However, even if the fond of the article doesn't really exist (there is *NO* av that would act like good old TBAV in Dos), we must start talking about this, because there is not so long until the AVers will start taking this seriously and programm some real code emulators.
M0SA
«Malware Statistical analysis and countermeasures» (0) 8.95Kb 2266 hits
Valhalla #1 (2011)
Metamorphism is becoming complex and harder to detect, so algorithmic approaches for detection is in turn becoming more complex and more infeasible for PCs due to restriction in execution time and memory. The new trend in metamorphic code detection is the statistical analysis. In this article I will give a quick overview on statistical analysis and then explain a new approach appeared in late 2010 called Eigenviruses, and finally, how AVers could beat those techniques.
MidNyte
«Retro the easy way» [SRC] (0) 3.97Kb 5388 hits
Coderz [1] (2000)
[...] For instance, a certain virus will detect if a certain on-access scanner is in memory, and will issue the correct call to shut it down if it is [...]
MnemoniX
«ANTI-Anti-Virus Tricks Version 1.00» (0) 17.93Kb 7488 hits
(1996)
Improved antivirus programs got you down? Don't worry - with the help of this file you can create a virus that will surpass the protection of most computers out there, computers whose hapless users are convinced are truly 'protected'.
Mouth of Sauron
«Further virus strategies» (0) 27.89Kb 5718 hits
Nomenumbra
«Ars loricatus novus or A small introduction to retro-armoring» [SRC] (0) 16.65Kb 3798 hits
Ready Rangers Liberation Front [7] (2006)
There are many ways of hiding and protecting your virus from AV analysis, ranging from metamorphism to casual anti-debugging to aggressive attacks on AV products (process termination). With time however, anything can be reversed. But this doesn't mean we can't delay them critically. By using a thick armor of anti-debugging, aggressive and passive anti-AV tricks and general stealth, we can delay analysis. Combine this with a quickly morphing virus, this would mean the virus changes it's appereance and (if it's a virus that would re-write itself on source level) it's armor. This paper will show you some techniques that can be used to Armor your virus.
Rhincewind
«Thunderbyte Residency Test» (0) 2.31Kb 5104 hits
Vlad [3] (1995)
As you may or may not know, the Thunderbyte resident av utilities hook themselves to the device driver chain using the following device names: TBDRVXXX, TBFILXXX, TBDSKXXX, TBMEMXXX, TBCHKXXX and TBLOGXXX. Now, by doing trial handle opens you can detect if those devices do or do not exist et voila, you have a method for testing residency. TBAV itself scans the actual device driver chain for the TB???XXX devices which is unlike this method, pretty much impossible to confuse, but also undocumented and thus it's not guaranteed to work under future versions of DOS! Yes, Frans Veldman calls vile and unsafe functions in his battle against replicating codefragments.
Tiberio Degano
«Anti Virus Detection Strategies and how to overcome them» [SRC] (0) 20.76Kb 5596 hits
Decepticons #1 (2009)
This article will talk about Avers in depth. How they think and what ideas they will use and the most important thing is how to overcome these defenses and put your brain in the straightway.
WarGame
«A simple way to detect VirtualBox» [SRC] (0) 2.17Kb 5742 hits
EOF#2 (2008)
There are a lot of ways to detect virtualized env, here I will show only a simple trick to detect if you are running inside VirtualBox. This trick requires that guest additions (a component that let you exchange files between a virtualized system and the real one) are installed on the virtualized system because the detection is based on it. If you want to go deeper in VM detection look at http://www.invisiblethings.org/papers/redpill.html ! Now go to the real stuff
Z0mbie
«VMware has you» [SRC] (0) 1.79Kb 6956 hits
29a [7] (2004)
When avers catch your virus, they analyze it. In case of complex networking creature, they must learn how it spreads. How it infects computers via network. How it infects files. There exists some programs to emulate virtual OS'es on the single machine. This is the best solution when you need to study some virus without risk to fuckup your own system. So, there appears a question: how to find out if our virus is running under virtual OS.
19 authors, 22 titles
deenesitfrplruua