MCPcopy Create free account

hub / github.com/ayoubfaouzi/al-khaser / functions

Functions293 in github.com/ayoubfaouzi/al-khaser

↓ 133 callersFunctionexec_check
al-khaser/Shared/Common.h:21
↓ 66 callersFunctionprint_results
al-khaser/Shared/Common.cpp:77
↓ 55 callersFunctionprint_last_error
al-khaser/Shared/Common.cpp:120
↓ 18 callersFunctionExecWMIQuery
al-khaser/Shared/Utils.cpp:847
↓ 18 callersFunctionInitWMI
al-khaser/Shared/Utils.cpp:785
↓ 17 callersFunctionprint_category
al-khaser/Shared/Common.cpp:36
↓ 16 callersFunctionIsWoW64
al-khaser/Shared/Utils.cpp:4
↓ 15 callersFunctionGetProcessIdFromName
al-khaser/Shared/Utils.cpp:697
↓ 15 callersFunctionwmi_query_count
al-khaser/AntiVM/Generic.cpp:1528
↓ 14 callersFunctionfind_str_in_data
al-khaser/Shared/Utils.cpp:964
↓ 12 callersFunctionIsWindowsVersionOrGreater
al-khaser/Shared/VersionHelpers.h:37
↓ 12 callersFunctionis_FileExists
al-khaser/Shared/Utils.cpp:127
↓ 9 callersFunctionget_system_firmware
al-khaser/Shared/Utils.cpp:988
↓ 8 callersFunctionIs_RegKeyExists
al-khaser/Shared/Utils.cpp:61
↓ 7 callersFunctionIsBadLibrary
al-khaser/AntiDebug/ScanForModules.cpp:75
↓ 6 callersFunctionIsWindowsVistaOrGreater
al-khaser/Shared/VersionHelpers.h:95
↓ 5 callersFunctionattempt_to_read_memory_wow64
al-khaser/Shared/Utils.cpp:1042
↓ 5 callersFunctioncheck_mac_addr
al-khaser/Shared/Utils.cpp:141
↓ 4 callersFunctionIs_RegKeyValueExists
al-khaser/Shared/Utils.cpp:40
↓ 4 callersFunctionenum_system_firmware_tables
al-khaser/Shared/Utils.cpp:975
↓ 4 callersFunctionis_DirectoryExists
al-khaser/Shared/Utils.cpp:134
↓ 3 callersFunctionModuleBoundsHookCheckSingle
al-khaser/AntiDebug/ModuleBoundsHookCheck.cpp:65
↓ 3 callersFunctionScanForModules_EnumProcessModulesEx_Internal
al-khaser/AntiDebug/ScanForModules.cpp:159
↓ 3 callersFunction_print_check_result
al-khaser/Shared/Common.cpp:64
↓ 3 callersFunction_print_check_text
al-khaser/Shared/Common.cpp:52
↓ 3 callersFunctionenumerate_memory
al-khaser/Shared/Utils.cpp:1075
↓ 2 callersFunctionIsElevated
Check if a process is running with admin rights */
al-khaser/Shared/Utils.cpp:945
↓ 2 callersFunctionNormalizeNTPath
al-khaser/AntiDebug/ScanForModules.cpp:36
↓ 2 callersFunctionWalkLDR
al-khaser/AntiDebug/ScanForModules.cpp:496
↓ 2 callersFunctionascii_to_wide_str
al-khaser/Shared/Common.cpp:161
↓ 2 callersFunctionenumerate_object_directory
al-khaser/Shared/Utils.cpp:1139
↓ 2 callersFunctionget_dns_hostname
al-khaser/AntiVM/Generic.cpp:195
↓ 2 callersFunctionget_netbios_hostname
al-khaser/AntiVM/Generic.cpp:179
↓ 2 callersFunctionget_username
al-khaser/AntiVM/Generic.cpp:103
↓ 1 callersFunctionAntiDisassmAsmJmpSameTarget
The most common anti-disassembly technique seen in the wild is two back-to back conditional jump instructions that both point to the same target. For
al-khaser/AntiDisassm/AntiDisassm.cpp:29
↓ 1 callersFunctionAntiDisassmConstantCondition
This technique is composed of a single conditional jump instruction placed where the condition will always be the same. */
al-khaser/AntiDisassm/AntiDisassm.cpp:19
↓ 1 callersFunctionAntiDisassmFunctionPointer
If function pointers are used in handwritten assembly or crafted in a nonstandard way in source code, the results can be difficult to reverse enginee
al-khaser/AntiDisassm/AntiDisassm.cpp:52
↓ 1 callersFunctionAntiDisassmImpossibleDiasassm
By using a data byte placed strategically after a conditional jump instruction with the idea that disassembly starting at this byte will prevent the
al-khaser/AntiDisassm/AntiDisassm.cpp:42
↓ 1 callersFunctionAntiDisassmReturnPointerAbuse
The most obvious result of this technique is that the disassembler doesn�t show any code cross - reference to the target being jumped to. */
al-khaser/AntiDisassm/AntiDisassm.cpp:64
↓ 1 callersFunctionAntiDisassmSEHMisuse
al-khaser/AntiDisassm/AntiDisassm.cpp:70
↓ 1 callersFunctionCreateRemoteThread_Injection
al-khaser/CodeInjection/CreateRemoteThread.cpp:5
↓ 1 callersFunctionEnableChecks
al-khaser/Al-khaser.cpp:49
↓ 1 callersFunctionEnableDefaultChecks
al-khaser/Al-khaser.cpp:28
↓ 1 callersFunctionErasePEHeaderFromMemory
al-khaser/AntiDump/ErasePEHeaderFromMemory.cpp:8
↓ 1 callersFunctionGetCsrssProcessId
al-khaser/AntiDebug/SeDebugPrivilege.cpp:13
↓ 1 callersFunctionGetExplorerPIDbyShellWindow
al-khaser/AntiDebug/ParentProcess.cpp:7
↓ 1 callersFunctionGetForceFlags_x64
al-khaser/AntiDebug/ProcessHeap_ForceFlags.cpp:14
↓ 1 callersFunctionGetForceFlags_x86
al-khaser/AntiDebug/ProcessHeap_ForceFlags.cpp:32
↓ 1 callersFunctionGetHeapFlags_x64
al-khaser/AntiDebug/ProcessHeap_Flags.cpp:13
↓ 1 callersFunctionGetHeapFlags_x86
al-khaser/AntiDebug/ProcessHeap_Flags.cpp:31
↓ 1 callersFunctionGetMainThreadId
al-khaser/Shared/Utils.cpp:751
↓ 1 callersFunctionGetOSDisplayString
al-khaser/Shared/Utils.cpp:250
↓ 1 callersFunctionGetParentProcessId
al-khaser/AntiDebug/ParentProcess.cpp:17
↓ 1 callersFunctionGetPeb64
al-khaser/Shared/Utils.cpp:19
↓ 1 callersFunctionGetSetThreadContext_Injection
al-khaser/CodeInjection/GetSetThreadContext.cpp:5
↓ 1 callersFunctionIsDllInjected
Check whatever InjectedDLL.dll was loaded, because this dll does not provide any other way of caller notification.
al-khaser/CodeInjection/QueueUserAPC.cpp:9
↓ 1 callersFunctionIsGlobalizationNls
al-khaser/AntiDebug/ScanForModules.cpp:67
↓ 1 callersFunctionIsHexString
al-khaser/Shared/Common.cpp:192
↓ 1 callersFunctionIsWindows7
al-khaser/Shared/Utils.cpp:532
↓ 1 callersFunctionIsWindows8or8PointOne
al-khaser/Shared/Utils.cpp:556
↓ 1 callersFunctionIsWindowsVersionOrLesser
al-khaser/Shared/VersionHelpers.h:55
↓ 1 callersFunctionIsWindowsVista
al-khaser/Shared/Utils.cpp:508
↓ 1 callersFunctionIsWindowsXPOr2k
al-khaser/Shared/VersionHelpers.h:154
↓ 1 callersFunctionMy_Critical_Function
al-khaser/AntiDebug/SoftwareBreakpoints.cpp:12
↓ 1 callersFunctionNtClose_InvalideHandle
al-khaser/AntiDebug/CloseHandle_InvalidHandle.cpp:12
↓ 1 callersFunctionNtCreateThreadEx_Injection
al-khaser/CodeInjection/NtCreateThreadEx.cpp:5
↓ 1 callersFunctionPageExceptionInitialEnum
al-khaser/AntiDebug/PageExceptionBreakpointCheck.cpp:11
↓ 1 callersFunctionQueueUserAPC_Injection
al-khaser/CodeInjection/QueueUserAPC.cpp:39
↓ 1 callersFunctionRtlCreateUserThread_Injection
al-khaser/CodeInjection/RtlCreateUserThread.cpp:5
↓ 1 callersFunctionSetDebugPrivileges
al-khaser/Shared/Utils.cpp:668
↓ 1 callersFunctionSetWindowsHooksEx_Injection
al-khaser/CodeInjection/SetWindowsHooksEx.cpp:5
↓ 1 callersFunctionSizeOfImage
al-khaser/AntiDump/SizeOfImage.cpp:7
↓ 1 callersFunctionanalysis_tools_process
al-khaser/AntiAnalysis/process.cpp:9
↓ 1 callersFunctionattempt_to_read_memory
al-khaser/Shared/Utils.cpp:1035
↓ 1 callersFunctioncheckDriveType
Filter for removable disk, CD-ROM, network drive or RAM disk */
al-khaser/AntiVM/Generic.cpp:528
↓ 1 callersFunctioncheck_adapter_name
al-khaser/Shared/Utils.cpp:196
↓ 1 callersFunctioncheck_tables_number
al-khaser/AntiVM/Generic.cpp:2001
↓ 1 callersFunctionget_gdt_base
al-khaser/Shared/Utils.cpp:924
↓ 1 callersFunctionget_idt_base
al-khaser/Shared/Utils.cpp:880
↓ 1 callersFunctionget_ldt_base
al-khaser/Shared/Utils.cpp:899
↓ 1 callersFunctionget_services
al-khaser/AntiVM/Services.cpp:68
↓ 1 callersFunctionhandle_one_table
al-khaser/AntiVM/Generic.cpp:1967
↓ 1 callersFunctionknown_file_names
Check if the file name contains any of the following strings. This is likely an automated malware sandbox. */
al-khaser/AntiVM/Generic.cpp:50
↓ 1 callersFunctionknown_hostnames
Check for hostnames associated with sandboxes */
al-khaser/AntiVM/Generic.cpp:215
↓ 1 callersFunctionknown_usernames
Check for usernames associated with sandboxes */
al-khaser/AntiVM/Generic.cpp:122
↓ 1 callersFunctionkvm_files
Check against kvm blacklisted files */
al-khaser/AntiVM/KVM.cpp:38
↓ 1 callersFunctionkvm_reg_keys
Check against kvm registry keys */
al-khaser/AntiVM/KVM.cpp:7
↓ 1 callersFunctionloaded_dlls
Check if the DLL is loaded in the context of the process */
al-khaser/AntiVM/Generic.cpp:8
↓ 1 callersFunctionlooking_glass_vdd_processes
Check for looking-glass-host & VDD processes list.exe https://looking-glass.io (Used in Hypervisor Phantom) https://github.com/Scrut1ny/Hypervisor-Pha
al-khaser/AntiVM/Generic.cpp:2239
↓ 1 callersFunctionother_known_sandbox_environment_checks
Check for a combination of environmental conditions, replicating what malware could/has used to detect that it's running in a sandbox. */
al-khaser/AntiVM/Generic.cpp:277
↓ 1 callersFunctionparallels_process
al-khaser/AntiVM/Parallels.cpp:34
↓ 1 callersFunctionparallels_reg_keys
Check against Parallels registry keys */
al-khaser/AntiVM/Parallels.cpp:8
↓ 1 callersFunctionprint_detected
al-khaser/Shared/Common.cpp:4
↓ 1 callersFunctionprint_help
al-khaser/Al-khaser.cpp:70
↓ 1 callersFunctionprint_not_detected
al-khaser/Shared/Common.cpp:20
↓ 1 callersFunctionprint_os
al-khaser/Shared/Common.cpp:110
↓ 1 callersFunctionprint_time
al-khaser/Shared/log.cpp:6
↓ 1 callersFunctionqemu_dir
Check against blacklisted directories. */
al-khaser/AntiVM/Qemu.cpp:83
↓ 1 callersFunctionqemu_processes
al-khaser/AntiVM/Qemu.cpp:60
↓ 1 callersFunctionqemu_reg_key_value
al-khaser/AntiVM/Qemu.cpp:9
next →1–100 of 293, ranked by callers