antitest.exe is out

As I mentioned in the previous blog post, I've been working on a binary that contains various anti-debug, anti-tracing, anti-emulation and anti-virtualization tricks. Even though the list of tricks that could be added to it is endless, I'm pretty satisfied with the ones it has currently.

The binary is now available for download here:

antitest.exe

(MD5: 182D64807EC25CE3B0413D0192B26791)

The binary is not obfuscated in any way, and it's formatted nicely so you can see where each test starts and ends. Note that I am aware that under certain conditions some of the checks may fail even when no debugger or similar tool is present. Feel free to ask if you are wondering about anything (related to the binary, of course; I'm not Dr. Phil). For countries with strict laws and such, I hereby give full authorization to debug/disassemble/reverse engineer the binary, as long as due credit is given in any derivative of such work.

A smooth run with nothing being detected will look like this in the console window:

Antitest.exe v1.0 (c) 2008 Toni Koivunen (toni_at_teamfurry.com)
Starting the test…
[+] WinXP KiFastSystemCallRet: ok!
[+] INT 2Dh: ok!
[+] Inlined IsDebuggerPresent: ok!
[+] NtGlobalFlags: ok!
[+] rdtsc_1: ok!
[+] rdtsc_2: ok!
[+] TrapFlag: ok!
[+] CheckRemoteDebuggerPresent: ok!
[+] ProcessHeap flag: ok!
[+] VMWare IO detection: ok!
[+] LDR_MODULE detection: ok!
[+] SoftIce detection: ok!
[+] ApiHook detection: ok!
[+] IsDebuggerPresent modification: ok!
[+] OpenProcess/CSRSS: ok!
[+] Constant rdtsc value: ok!
[+] Constant rdtsc increment: ok!

And yes, I'm aware that the first test makes this pretty much Windows XP-bound :)
