al-khaser v0.77 releases: Public malware techniques used in the wild

al-khaser is a PoC “malware” application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.


Anti-debugging attacks

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environement Block (BeingDebugged)
  • Process Environement Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHanlde (NtClose) Invalide Handle
  • SetHandleInformation (Protected Handle)
  • More….


  • Erase PE header from memory
  • SizeOfImage

Timing Attacks

  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer (todo)
  • CreateTimerQueueTimer (todo)
  • Big crypto loops (todo)

Human Interaction

  • Mouse movement
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba – Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)


Changelog v0.77

  • Add a gitattributes to normalize line endings.
  • Update VMDriverServices routine thanks to @hfiref0x
  • Add virtual machine detect by license thanks to @hfiref0x
  • Fix for HardwareBreakpoints routine thanks to @hfiref0x
  • Fix memory leak in check_mac_addr routine thanks to @hfiref0x
  • Update MemoryBreakpoints_PageGuard.cpp thanks to @hfiref0x
  • Fix number of bugs in get_system_firmware thanks to @hfiref0x
  • Fix InitWMI routine and multiple bugs in WMI related routines thanks to @hfiref0x
  • Remove incorrect result checks and wrong printf specifiers in ScanForModules.cpp thanks to @hfiref0x
  • Fix null pointer dereference in qemu_firmware_ACPI routine thanks to @hfiref0x
  • Fix null pointer dereferences in VirtualBox.cpp & VMWare.cpp thanks to @hfiref0x
  • Fix QueueUserAPC_Injection routine by rewrite thanks to @hfiref0x
  • Fix null pointer dereference in setupdi_diskdrive routine thanks to @hfiref0x
  • Add error handling in log_print thanks to @hfiref0x
  • Fix null pointer dereference in print_last_error routine, add more error handling thanks to @hfiref0x
  • Fix signed/unsigned mismatch for specifiers in various *printf calls thanks to @hfiref0x
  • Fix resource leak in timing_IcmpSendEcho routine thanks to @hfiref0x
  • Fix missing VirtualAlloc checks in WriteWatch.cpp thanks to @hfiref0x
  • Remove incorrect return value checks thanks to @hfiref0x
  • Fixed multiple bugs in check_adapter_name & ascii_to_wide_str thanks to @hfiref0x
  • Update and add typecast in IsBadLibrary thanks to @hfiref0x
  • Fix handle leak in GetProccessIDByName routine thanks to @hfiref0x
  • Fix invalid return value check in attempt_to_read_memory_wow64 routine thanks to @hfiref0x
  • Remove double call of SetDebugPrivileges in CreateRemoteThread_Injection thanks to @hfiref0x
  • Fix multiple bugs in SetPrivilege routine thanks to @hfiref0x
  • Fix unexpected behavior in SetHandleInformatiom_ProtectedHandle thanks to @hfiref0x
  • Fix null pointer dereference in get_system_firmware routine thanks to @hfiref0x
  • Fix multiple bugs in {Services, log, Generic, timing, process, ScanForModules cpp files} thanks to @hfiref0x
  • Fix null pointer derefence in {vmware,vbox,qemu}_firmware_ACPI thanks to @hfiref0x
  • Fix resource leak in ScanForModules_ToolHelp32 routine thanks to @hfiref0x
  • Fix multiple bugs in ProcessJob routine thanks to @hfiref0x


Usage al-khaser


Copyright (C) 2016 LordNoteworthy