Unprotect-Project · mlodic · Feb 6, 2025 · Feb 6, 2025
diff --git a/techniques/detect_breakpoints/README.md b/techniques/detect_breakpoints/README.md
@@ -0,0 +1,15 @@
+# Technique Name: Detect Hardware Breakpoints
+
+## Author Information
+
+- Nickname: found ITW by Xavier Mertens, added by Matteo Lodi
+
+## Technique Information
+
+- Technique Category: Anti-Debugging
+- Technique Tags: breakpoint
+- Technique General Detail: Hardware breakpoints are used to avoid patching the program. They contain the address where to pause the execution. Hardware breakpoints are CPU registers: DRO to DR3 (on Intel CPU’s). `RtlCaptureContext()` is used to get the current threat’s execution state which includes the registers. With the help of unpack, the script fills the variable corresponding to the registers, if one of them is not empty, there is a hardware breakpoint defined!
+
+## Additional Resources
+
+- [SANS diary](https://isc.sans.edu/diary/31658)
diff --git a/techniques/detect_breakpoints/detect_breakpoints.py b/techniques/detect_breakpoints/detect_breakpoints.py
@@ -0,0 +1,11 @@
+import ctypes
+import struct
+
+def detect_breakpoints():
+    context = ctypes.create_string_buffer(0x4C)
+    context_ptr = ctypes.byref(context)
+    context_offset = struct.calcsize("Q") * 6
+    ctypes.windll.kernel32.RtlCaptureContext(context_ptr)
+    dr0, dr1, dr2, dr3 = struct.unpack_from("4Q", context.raw, context_offset)
+    if dr0 or dr1 or dr2 or dr3:
+        print("detected hardware breakpoint")
diff --git a/techniques/detect_memory_tampering/README.md b/techniques/detect_memory_tampering/README.md
@@ -0,0 +1,15 @@
+# Technique Name: Detect Memory Tampering
+
+## Author Information
+
+- Nickname: found ITW by Xavier Mertens, added by Matteo Lodi
+
+## Technique Information
+
+- Technique Category: Anti-Debugging
+- Technique Tags: tamper, memory
+- Technique General Detail: With a simple hash check, it is possible to periodically check if the memory of the current process has been tampered.
+
+## Additional Resources
+
+- [SANS diary](https://isc.sans.edu/diary/31658)
diff --git a/techniques/detect_memory_tampering/detect_memory_tampering.py b/techniques/detect_memory_tampering/detect_memory_tampering.py
@@ -0,0 +1,8 @@
+import hashlib
+import sys
+
+def detect_memory_tampering():
+    original_hash = hashlib.md5(open(sys.argv[0], "rb").read()).hexdigest()
+    current_hash = hashlib.md5(open(sys.argv[0], "rb").read()).hexdigest()
+    if current_hash != original_hash:
+        print("memory tampered")
diff --git a/techniques/is_debugger_present_hooked/README.md b/techniques/is_debugger_present_hooked/README.md
@@ -0,0 +1,16 @@
+# Technique Name: Hooked IsDebuggerPresent
+
+## Author Information
+
+- Nickname: found ITW by Xavier Mertens, added by Matteo Lodi
+
+## Technique Information
+
+- Technique Category: Anti-Monitoring
+- Technique Tags: hook
+- Technique General Detail: Sometimes `IsDebuggerPresent()` is hooked to prevent the simple detection of a debugger. This is called "trampoline" technique.
+By detecting that this API has been hooked, the malware author can detect that is being monitored.
+
+## Additional Resources
+
+- [SANS diary](https://isc.sans.edu/diary/31658)
diff --git a/techniques/is_debugger_present_hooked/hook_check.py b/techniques/is_debugger_present_hooked/hook_check.py
@@ -0,0 +1,8 @@
+import ctypes
+
+def detect_api_hooks():
+    kernel32 = ctypes.windll.kernel32
+    original_bytes = ctypes.create_string_buffer(5)
+    kernel32.ReadProcessMemory(kernel32.GetCurrentProcess(), kernel32.IsDebuggerPresent, original_bytes, 5, None)
+    if original_bytes.raw[0] == 0xE9:
+        print("hook detected")
diff --git a/techniques/self_mutation/README.md b/techniques/self_mutation/README.md
@@ -0,0 +1,15 @@
+# Technique Name: Polymorphic self-mutation
+
+## Author Information
+
+- Nickname: found ITW by Xavier Mertens, added by Matteo Lodi
+
+## Technique Information
+
+- Technique Category: Anti-Forensic
+- Technique Tags: python
+- Technique General Detail: Randomly changing the lines of the Python executed file to change the hash and make hunting more difficult.
+
+## Additional Resources
+
+- [SANS diary](https://isc.sans.edu/diary/31658)
diff --git a/techniques/self_mutation/self_mutation.py b/techniques/self_mutation/self_mutation.py
@@ -0,0 +1,9 @@
+import random
+
+def polymorphic_self_mutation():
+    """ ? Self-Mutating Code to Avoid Static Analysis """
+    with open(__file__, "r", encoding="utf-8") as f:
+        lines = f.readlines()
+    with open(__file__, "w", encoding="utf-8") as f:
+        random.shuffle(lines)
+        f.writelines(lines)
diff --git a/techniques/sys_gettrace/README.md b/techniques/sys_gettrace/README.md
@@ -0,0 +1,15 @@
+# Technique Name: Python GetTrace Anti-Debug
+
+## Author Information
+
+- Nickname: found ITW by Xavier Mertens, added by Matteo Lodi
+
+## Technique Information
+
+- Technique Category: Anti-Debugging
+- Technique Tags: python
+- Technique General Detail: If a debugger is attached to the Python process, `sys.gettrace()` will return a trace function.
+
+## Additional Resources
+
+- [SANS diary](https://isc.sans.edu/diary/31658)
diff --git a/techniques/sys_gettrace/sys_gettrace.py b/techniques/sys_gettrace/sys_gettrace.py
@@ -0,0 +1,5 @@
+import sys
+
+def debugger_detect():
+    if sys.gettrace():
+        print("debugger detected")