MCPcopy Create free account
hub / github.com/ayoubfaouzi/al-khaser

github.com/ayoubfaouzi/al-khaser @v1.1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.1.0 ↗ · + Follow
321 symbols 627 edges 145 files 99 documented · 31% updated 13d agov1.1.0 · 2026-01-27★ 7,05537 open issues

Browse by type

Functions 293 Types & classes 28
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Al-Khaser v0.81

Logo

Content

Introduction

al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Logo

Usage

$ ./al-khaser.exe -h
Usage: al-khaser.exe [OPTIONS]
Options:
  --check <type>      Enable specific check(s). Can be used multiple times. Valid types are:
                        TLS              (Thread Local Storage callback checks)
                        DEBUG            (Anti-debugging checks)
                        INJECTION        (Code injection checks)
                        GEN_SANDBOX      (Generic sandbox checks)
                        VBOX             (VirtualBox detection)
                        VMWARE           (VMware detection)
                        VPC              (Virtual PC detection)
                        QEMU             (QEMU detection)
                        KVM              (KVM detection)
                        XEN              (Xen detection)
                        WINE             (Wine detection)
                        PARALLELS        (Parallels detection)
                        HYPERV           (Hyper-V detection)
                        CODE_INJECTIONS  (Additional code injection techniques)
                        TIMING_ATTACKS   (Timing/sleep-based sandbox evasion)
                        DUMPING_CHECK    (Dumping memory/process checks)
                        ANALYSIS_TOOLS   (Analysis tools detection)
                        ANTI_DISASSM     (Anti-disassembly checks)
  --sleep <seconds>   Set sleep/delay duration in seconds (default: 600).
  --delay <seconds>   Alias for --sleep.
  -h, --help          Show this help message and exit.

Examples:
  al-khaser.exe --check DEBUG --check TIMING_ATTACKS --sleep 30
  al-khaser.exe --check VMWARE --check QEMU
  al-khaser.exe --sleep 30

Download

You can download built binaries (x86, x64) from this project's releases page. The password for the 7zs can be found here.

Possible uses

  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environment is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • Low Fragmentation Heap (LFH)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • WudfIsAnyDebuggerPresent
  • WudfIsKernelDebuggerPresent
  • WudfIsUserDebuggerPresent
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHanlde (NtClose) Invalide Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Trap Flag
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread
  • TLS callbacks
  • Process jobs
  • Memory write watching
  • Page exception breakpoint detection
  • API hook detection (module bounds based)

Anti-injection

  • Enumerate modules with EnumProcessModulesEx (32-bit, 64-bit, and all options)
  • Enumerate modules with ToolHelp32
  • Enumerate the process LDR structures with LdrEnumerateLoadedModules
  • Enumerate the process LDR structures directly
  • Walk memory with GetModuleInformation
  • Walk memory for hidden modules

Anti-Dumping

  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]

  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer
  • CreateTimerQueueTimer
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]

  • Mouse movement
  • File names like sample.exe or sandbox.exe.
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba - Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)
  • Genuine Windows installation.
  • Known Sandbox hostnames and usernames

Anti-Virtualization / Full-System Emulation

  • Registry key value artifacts
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
  • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
  • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
  • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
  • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
  • SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)
  • Registry Keys artifacts
  • HARDWARE\ACPI\DSDT\VBOX__ (VBOX)
  • HARDWARE\ACPI\FADT\VBOX__ (VBOX)
  • HARDWARE\ACPI\RSDT\VBOX__ (VBOX)
  • SOFTWARE\Oracle\VirtualBox Guest Additions (VBOX)
  • SYSTEM\ControlSet001\Services\VBoxGuest (VBOX)
  • SYSTEM\ControlSet001\Services\VBoxMouse (VBOX)
  • SYSTEM\ControlSet001\Services\VBoxService (VBOX)
  • SYSTEM\ControlSet001\Services\VBoxSF (VBOX)
  • SYSTEM\ControlSet001\Services\VBoxVideo (VBOX)
  • SOFTWARE\VMware, Inc.\VMware Tools (VMWARE)
  • SOFTWARE\Wine (WINE)
  • SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters (HYPER-V)
  • SYSTEM\CurrentControlSet\Services\Disk\Enum
  • SYSTEM\CurrentControlSet\Enum\IDE
  • SYSTEM\CurrentControlSet\Enum\SCSI
  • File system artifacts
  • "system32\drivers\VBoxMouse.sys"
  • "system32\drivers\VBoxGuest.sys"
  • "system32\drivers\VBoxSF.sys"
  • "system32\drivers\VBoxVideo.sys"
  • "system32\vboxdisp.dll"
  • "system32\vboxhook.dll"
  • "system32\vboxmrxnp.dll"
  • "system32\vboxogl.dll"
  • "system32\vboxoglarrayspu.dll"
  • "system32\vboxoglcrutil.dll"
  • "system32\vboxoglerrorspu.dll"
  • "system32\vboxoglfeedbackspu.dll"
  • "system32\vboxoglpackspu.dll"
  • "system32\vboxoglpassthroughspu.dll"
  • "system32\vboxservice.exe"
  • "system32\vboxtray.exe"
  • "system32\VBoxControl.exe"
  • "system32\drivers\vmmouse.sys"
  • "system32\drivers\vmhgfs.sys"
  • "system32\drivers\vm3dmp.sys"
  • "system32\drivers\vmci.sys"
  • "system32\drivers\vmhgfs.sys"
  • "system32\drivers\vmmemctl.sys"
  • "system32\drivers\vmmouse.sys"
  • "system32\drivers\vmrawdsk.sys"
  • "system32\drivers\vmusbmouse.sys"

  • Directories artifacts

  • "%PROGRAMFILES%\oracle\virtualbox guest additions\"
  • "%PROGRAMFILES%\VMWare\"
  • Memory artifacts
  • Interupt Descriptor Table (IDT) location
  • Local Descriptor Table (LDT) location
  • Global Descriptor Table (GDT) location
  • Task state segment trick with STR
  • MAC Address
  • "\x08\x00\x27" (VBOX)
  • "\x00\x05\x69" (VMWARE)
  • "\x00\x0C\x29" (VMWARE)
  • "\x00\x1C\x14" (VMWARE)
  • "\x00\x50\x56" (VMWARE)
  • "\x00\x1C\x42" (Parallels)
  • "\x00\x16\x3E" (Xen)
  • "\x0A\x00\x27" (Hybrid Analysis)
  • Virtual devices
  • "\\.\VBoxMiniRdrDN"
  • "\\.\VBoxGuest"
  • "\\.\pipe\VBoxMiniRdDN"
  • "\\.\VBoxTrayIPC"
  • "\\.\pipe\VBoxTrayIPC")
  • "\\.\HGFS"
  • "\\.\vmci"
  • Hardware Device information
  • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
    • QEMU
    • VMWare
    • VBOX
    • VIRTUAL HD
  • Power policies (S1-S4 states, thermal control)
  • System Firmware Tables
  • SMBIOS string checks (VirtualBox)
  • SMBIOS string checks (VMWare)
  • SMBIOS string checks (Qemu)
  • SMBIOS number of tables (Qemu, VirtualBox)
  • ACPI string checks (WAET table, PNP devices, PM state with battery checks)
  • ACPI string checks (VirtualBox)
  • ACPI string checks (VMWare)
  • ACPI string checks (Qemu)
  • Driver Services
  • VirtualBox
  • VMWare
  • Adapter name
  • VMWare
  • Windows Class
  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd
  • Network shares
  • VirtualBox Shared Folders
  • Processes
  • vboxservice.exe (VBOX)
  • vboxtray.exe (VBOX)
  • vmtoolsd.exe(VMWARE)
  • vmwaretray.exe(VMWARE)
  • vmwareuser(VMWARE)
  • VGAuthService.exe (VMWARE)
  • vmacthlp.exe (VMWARE)
  • vmsrvc.exe(VirtualPC)
  • vmusrvc.exe(VirtualPC)
  • prl_cc.exe(Parallels)
  • prl_tools.exe(Parallels)
  • xenservice.exe(Citrix Xen)
  • qemu-ga.exe (QEMU)
  • looking-glass-host.exe (GENERIC)
  • VDDSysTray.exe (GENERIC)
  • WMI
  • SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)
  • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
  • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
  • SELECT * FROM Win32_NTEventlogFile (VBOX)
  • SELECT * FROM Win32_Processor (NumberOfCores and ProcessorId) (GENERIC)
  • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
  • SELECT * FROM Win32_ComputerSystem (Model and Manufacturer) (GENERIC)
  • SELECT * FROM MSAcpi_ThermalZoneTemperature CurrentTemperature) (GENERIC)
  • SELECT * FROM Win32_Fan (GENERIC)
  • DLL Exports and Loaded DLLs
  • avghookx.dll (AVG)
  • avghooka.dll (AVG)
  • snxhk.dll (Avast)
  • kernel32.dll!wine_get_unix_file_nameWine (Wine)
  • sbiedll.dll (Sandboxie)
  • dbghelp.dll (MS debugging support routines)
  • api_log.dll (iDefense Labs)
  • dir_watch.dll (iDefense Labs)
  • pstorec.dll (SunBelt Sandbox)
  • vmcheck.dll (Virtual PC)
  • wpespy.dll (WPE Pro)
  • cmdvrt32.dll (Comodo Container)
  • cmdvrt64.dll (Comodo Container)
  • CPU
  • Hypervisor presence using (EAX=0x1)
  • Hypervisor vendor using (EAX=0x40000000)
    • "KVMKVMKVM\0\0\0" (KVM)
    • "Microsoft Hv"(Microsoft Hyper-V or Windows Virtual PC)
    • "VMwareVMware"(VMware)
    • "XenVMMXenVMM"(Xen)
    • "prl hyperv "( Parallels) -"VBoxVBoxVBox"( VirtualBox)
  • NtQueryLicenseValue with Kernel-VMDetection-Private as license value.

Anti-Analysis

  • Processes
  • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Engine
  • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
  • Wireshark / Dumpcap / Fiddler / Http Debugger
  • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
  • ImportREC / PETools / LordPE
  • JoeBox Sandbox
  • Resource Hacker
  • Frida

Anti-Disassembly

  • Jump with constant condition
  • Jump instruction with same target
  • Impossible disassembly
  • Function Pointers
  • Return Pointer Abuse

Macro malware attacks

  • Document_Close / Auto_Close.
  • Application.RecentFiles.Count

Code/DLL Injections techniques

  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Authors

Pull requests welcome. Please read the Developer Guidelines on our wiki if you wish to contribute to the project.

References

  • An Anti-Reverse Engineering Guide By Josh Jackson.
  • Anti-Unpacker Tricks By Peter Ferrie.
  • The Art Of Unpacking By Mark Vincent Yason.
  • Walied Assar's blog http://waleedassar.blogspot.de/.
  • Pafish tool: https://github.com/a0rtega/pafish.
  • PafishMacro by JoeSecurity: https://github.com/joesecurity/pafishmacro

Core symbols most depended-on inside this repo

Shape

Function 286
Class 22
Method 7
Enum 6

Languages

C++100%

Modules by API surface

al-khaser/AntiVM/Generic.cpp63 symbols
al-khaser/Shared/Utils.cpp31 symbols
al-khaser/AntiVM/VirtualBox.cpp18 symbols
al-khaser/Shared/VersionHelpers.h16 symbols
al-khaser/AntiDebug/ScanForModules.cpp16 symbols
al-khaser/TimingAttacks/timing.cpp14 symbols
al-khaser/Shared/Common.cpp13 symbols
al-khaser/Shared/WinStructs.h12 symbols
al-khaser/AntiVM/VMWare.cpp10 symbols
al-khaser/Shared/APIs.h8 symbols
al-khaser/AntiVM/Qemu.cpp6 symbols
al-khaser/AntiDisassm/AntiDisassm.cpp6 symbols

For agents

$ claude mcp add al-khaser \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page