ayoubfaouzi / al-khaser

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
GNU General Public License v2.0

Anti-Debugging Check - Known Window Names #193

Status: Open. recvfrom opened this issue 5 years ago.

recvfrom commented 5 years ago

It'd be cool to make calls to FindWindow and look for window names associated with debuggers.

From [1]:

OLLYDBG
WinDbgFrameClass
Zeta Debugger
Rock Debugger
ObsidianGUI

From [2] (not including ones mentioned above):

icu_dbg
pe-diy
TDeDeMainForm
TIdaWindow

From [3], used by [4]:

GBDYLLO
pediy06
FilemonClass
File Monitor - Sysinternals: www.sysinternals.com
PROCMON_WINDOW_CLASS
Process Monitor - Sysinternals: www.sysinternals.com
RegmonClass
Registry Monitor - Sysinternals: www.sysinternals.com
18467-41

[1] https://cofense.com/satan/
[2] https://github.com/3val/Athena/blob/master/Source%20-%20Bot/Source/Protection/AntiDebugEmulate.cpp
[3] https://github.com/ctxis/CAPE/blob/master/modules/signatures/packer_themida.py
[4] https://www.virustotal.com/gui/file/8501700fc094ff0e48ad59f27a034580574b0d11a54eae7aceab65694a99a478/behavior/VirusTotal%20Cuckoofork
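The check proposed above, written out as an added example (this is not al-khaser's code and not from any of the cited sources). It takes the names listed in [1]-[3] verbatim; since those sources do not record which strings are window class names and which are window titles, each one is probed both ways with `FindWindowA(lpClassName, NULL)` and `FindWindowA(NULL, lpWindowName)`. The Win32 call is isolated behind a small probe callback so the matching logic itself builds and runs on any platform; the name `FindKnownDebuggerWindows`, the `WindowProbe` type and the non-Windows stand-in probe are all this example's own inventions.

```cpp
// Added example for issue #193: FindWindow-based debugger/monitor detection.
// Not al-khaser's own implementation.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#endif

// Window names collected from the issue's references [1]-[3]. The sources do
// not say which are class names and which are titles, so each is tried as both.
static const char *const kKnownWindowNames[] = {
    "OLLYDBG", "WinDbgFrameClass", "Zeta Debugger", "Rock Debugger", "ObsidianGUI",
    "icu_dbg", "pe-diy", "TDeDeMainForm", "TIdaWindow",
    "GBDYLLO", "pediy06", "FilemonClass",
    "File Monitor - Sysinternals: www.sysinternals.com",
    "PROCMON_WINDOW_CLASS",
    "Process Monitor - Sysinternals: www.sysinternals.com",
    "RegmonClass",
    "Registry Monitor - Sysinternals: www.sysinternals.com",
    "18467-41",
};

// Probe contract (hypothetical name): return true if a top-level window matches
// `name`, interpreted as a class name when by_class is true, as a title otherwise.
using WindowProbe = std::function<bool(const char *name, bool by_class)>;

// Portable core of the check: runs every known name through the probe as a
// class name and as a title, and returns the names that matched.
std::vector<std::string> FindKnownDebuggerWindows(const WindowProbe &probe) {
    std::vector<std::string> hits;
    for (const char *name : kKnownWindowNames) {
        if (probe(name, true) || probe(name, false)) {
            hits.push_back(name);
        }
    }
    return hits;
}

#ifdef _WIN32
// Real probe: FindWindowA searches top-level windows only and requires an
// exact (case-insensitive) match on the class name or title it is given.
static bool Win32Probe(const char *name, bool by_class) {
    HWND h = by_class ? FindWindowA(name, nullptr) : FindWindowA(nullptr, name);
    return h != nullptr;
}
#endif

int main() {
#ifdef _WIN32
    std::vector<std::string> hits = FindKnownDebuggerWindows(Win32Probe);
#else
    // No window manager to query off Windows: a constructed probe that never
    // matches keeps the program runnable so the flow can be read end to end.
    std::vector<std::string> hits =
        FindKnownDebuggerWindows([](const char *, bool) { return false; });
#endif
    if (hits.empty()) {
        std::printf("no known debugger/monitor windows found\n");
    } else {
        for (const std::string &h : hits) {
            std::printf("found window: %s\n", h.c_str());
        }
    }
    return hits.empty() ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind when adding this to a test suite: FindWindow only sees top-level windows and only matches the whole string, so a debugger whose title carries the loaded file name (as many do) will not match a fixed title; enumerating windows with EnumWindows and substring-matching GetWindowText/GetClassName is more robust. Second, a hit means a debugger or monitor is running somewhere on the desktop, not that it is attached to this process, so this check belongs next to the process-level ones (IsDebuggerPresent, PEB flags) rather than in place of them.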

lupier commented 5 years ago

This stuff is useless and not widely used in real life.

- Zeta Debugger
- Rock Debugger
- ObsidianGUI
- TDeDeMainForm