
Releases: ayoubfaouzi/al-khaser

v1.0.0

22 Sep 01:08
680b623

This release does not bring any new detection technique beyond what we already had before; it just allows us to properly start versioning this tool and lets people download compiled binaries.

What's Changed

  • update readme by @LordNoteworthy in #37
  • Noteworthy by @LordNoteworthy in #38
  • Noteworthy by @LordNoteworthy in #39
  • add generic sandbox loaded dlls check by @LordNoteworthy in #40
  • add Win32_NTEventlogFile WMI trick by @LordNoteworthy in #41
  • add number of processors check by @LordNoteworthy in #42
  • add anti analysis tools - process based by @LordNoteworthy in #43
  • Noteworthy by @LordNoteworthy in #44
  • add Parallels AntiVM by @LordNoteworthy in #45
  • add Xen AntiVM - check process by @LordNoteworthy in #46
  • Noteworthy by @LordNoteworthy in #48
  • various fixes by @mrexodia in #50
  • Noteworthy by @LordNoteworthy in #51
  • add task state segment trick via STR by @LordNoteworthy in #52
  • add cores number check from WMI by @LordNoteworthy in #53
  • add hard disk check using WMI by @LordNoteworthy in #54
  • Noteworthy by @LordNoteworthy in #55
  • Noteworthy by @LordNoteworthy in #56
  • Noteworthy by @LordNoteworthy in #58
  • Noteworthy by @LordNoteworthy in #59
  • Noteworthy by @LordNoteworthy in #60
  • add screenshot and compiled binary by @LordNoteworthy in #61
  • push binary by @LordNoteworthy in #62
  • add mouse movement trick by @LordNoteworthy in #63
  • memory space check by @LordNoteworthy in #64
  • Noteworthy by @LordNoteworthy in #65
  • Noteworthy by @LordNoteworthy in #66
  • push new release by @LordNoteworthy in #67
  • Noteworthy by @LordNoteworthy in #68
  • Fix mem leak in Generic.cpp by @LordNoteworthy in #70
  • add TLS callback trick by @LordNoteworthy in #71
  • add timing attack: rdtsc with cpuid (VM Exit) by @LordNoteworthy in #72
  • add cpuid vendor id check - hypervisor detection by @LordNoteworthy in #73
  • Noteworthy by @LordNoteworthy in #74
  • Update Al-khaser.cpp by @y-oyama in #75
  • Fix and enable Anti-VM routines by @ntddk in #78
  • Update Generic.cpp by @slow-mouse in #80
  • Add support for macro based sandbox detection tricks: AutoClose and R… by @LordNoteworthy in #81
  • add IcmpSendEcho timing attack seen in Ccleaner malware by @LordNoteworthy in #82
  • fix version by @LordNoteworthy in #83
  • Add two kernel debugger checks by @Mattiwatti in #85
  • Added process job anti-debug check. by @gsuberland in #88
  • Firmware checks by @gsuberland in #89
  • Noteworthy by @LordNoteworthy in #90
  • change location of changelog to root dir by @LordNoteworthy in #91
  • Fixed PEB offset. by @Nxgr in #92
  • Noteworthy by @LordNoteworthy in #96
  • VM driver service checks by @gsuberland in #100
  • Fix null references in timing.cpp by @gsuberland in #99
  • Memory write watch anti-debug by @gsuberland in #101
  • Vastly improved VirtualAlloc write watch tests by @gsuberland in #102
  • Noteworthy by @LordNoteworthy in #103
  • Noteworthy by @LordNoteworthy in #104
  • added qemu process check (qemu-ga.exe) by @LordNoteworthy in #106
  • Added firmware table checks SMBIOS and ACPI (Qemu) by @LordNoteworthy in #107
  • Noteworthy by @LordNoteworthy in #108
  • Noteworthy by @LordNoteworthy in #109
  • XP Support by @talliberman in #113
  • Improved disk size IOCTL checks by @gsuberland in #119
  • TLS callback improvements by @gsuberland in #116
  • Overhaul of timing attack code + fix the locky timer trick by @gsuberland in #117
  • Consolidate APIs by @gsuberland in #122
  • Comodo detection added by @kaganisildak in #127
  • Detect Hybrid Analysis with mac address by @kaganisildak in #136
  • Detect Hybrid Analysis by @kaganisildak in #135
  • Added check to catch CE page exception breakpoints by @gsuberland in #131
  • API hook checks, part 1 (bounds based) by @gsuberland in #138
  • Fixed a typo in API data structure and move print_os() after API init… by @LordNoteworthy in #143
  • Added enumerate_memory function for finding all memory allocations in the process. by @gsuberland in #147
  • DLL injection detection by @gsuberland in #148
  • add WMI Win32_Fan anti-vm trick by @LordNoteworthy in #150
  • Move to Visual Studio 2017 by @LordNoteworthy in #153
  • Bug fixes by @hfiref0x in #158
  • Bug fixes 2 by @hfiref0x in #159
  • bump to version 0.76 by @LordNoteworthy in #160
  • Bug fixes 3 by @hfiref0x in #161
  • Bug fixes 4 by @hfiref0x in #162
  • Bug fixes 5 by @hfiref0x in #163
  • VM detects update by @hfiref0x in #165
  • Fixed false positive in VirtualBox BIOS serial number WMI check by @gsuberland in #169
  • Noteworthy by @LordNoteworthy in #170
  • Added ATAIdentifyDump and StructDumpCodegen tools to the repo. by @gsuberland in #171
  • Multiple anti-VM checks using WMI by @gsuberland in #173
  • Crash fix for 32 bit app running on Win7 x64 by @dvarshavsky in #174
  • update CHANGELOG by @LordNoteworthy in #176
  • Anti-dump: fix SizeOfImage() modifying the wrong module and field by @Mattiwatti in #183
  • Fix VARIANT vartype flags check on WMI properties by @Mattiwatti in #182
  • add few anti-disassembly tricks by @LordNoteworthy in #194
  • DebugObjectHandle improvements by @Mattiwatti in #197
  • add generic anti-sandbox (checking for well file names like malware.exe) by @LordNoteworthy in #199
  • add trap flag anti debug by @LordNoteworthy in #200
  • Fix string comparison in check_adapter_name() by @LordNoteworthy in #204
  • fix wrong path names in vmware_files() and vbox_files() to adapt to w… by @LordNoteworthy in #205
  • Use Wow64DisableWow64FsRedirection/Wow64RevertWow64FsRedirection inst… by @LordNotew...