pafish: detect sandboxes and analysis environments
Pafish
Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way malware families do.
The project is open source, so you can read the code of every anti-analysis check. It is licensed under GNU/GPL version 3.
Scope
The objective of this project is to collect the usual tricks seen in malware samples. This allows us to study them and to test whether our analysis environments are properly implemented.
Changelog v0.6
- The code has been adapted for 64-bit and now both Windows 32-bit and 64-bit executables are available in the release
- Executable files have been removed from git to avoid antivirus detections; they are now published on the releases page
- New reverse Turing test (RTT) detections added by @jgru. These include:
- Checking mouse presence
- Checking mouse movement
- Checking mouse speed
- Checking mouse click activity
- Checking mouse double click activity
- Checking dialog confirmation
- Checking plausible dialog confirmation
- Added the function `pafish_get_PEB` to easily access the PEB
- Added a debugger detection that uses the `BeingDebugged` field of the PEB
- Added a new detection traces output in the executable image of pafish in memory, useful to get detection output out of memory dumps
- Compiler warning fixes
- Cosmetic changes
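The PEB-based debugger detection in this release works by reading one byte of the process's own PEB. The following is an added example, not pafish's code: `example_get_peb` is a hypothetical helper in the spirit of `pafish_get_PEB` that locates the PEB through the TEB segment register (fs:[0x30] on x86, gs:[0x60] on x64, written as gcc inline assembly as accepted by mingw-w64), and `peb_being_debugged` reads the `BeingDebugged` flag, which sits at offset 2 of the PEB in both the 32-bit and the 64-bit layout. On a non-Windows build there is no PEB, so the example falls back to a constructed PEB image to show the check itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pafish code. BeingDebugged is the byte at offset 2 of the
 * PEB in both the 32-bit and 64-bit layouts (after InheritedAddressSpace and
 * ReadImageFileExecOptions). */
#define PEB_BEING_DEBUGGED_OFFSET 2

/* Hypothetical pafish_get_PEB-style helper: read the PEB pointer out of the TEB
 * via the segment register (gcc inline asm, as mingw-w64 accepts it).
 * Returns NULL where there is no PEB to read (non-Windows builds). */
static const unsigned char *example_get_peb(void) {
#if defined(_WIN32) && defined(__x86_64__)
    const unsigned char *peb;
    __asm__ __volatile__("movq %%gs:0x60, %0" : "=r"(peb));
    return peb;
#elif defined(_WIN32) && defined(__i386__)
    const unsigned char *peb;
    __asm__ __volatile__("movl %%fs:0x30, %0" : "=r"(peb));
    return peb;
#else
    return NULL;
#endif
}

/* The check itself: 1 = debugger attached, 0 = not, -1 = no PEB available. */
static int peb_being_debugged(const unsigned char *peb) {
    if (peb == NULL) return -1;
    return peb[PEB_BEING_DEBUGGED_OFFSET] != 0;
}

/* Constructed PEB image for offline runs and tests: a zeroed block with only
 * the BeingDebugged byte set according to `flag`. Not a real memory dump. */
static int check_constructed_peb(int flag) {
    unsigned char fake_peb[0x400];
    memset(fake_peb, 0, sizeof fake_peb);
    fake_peb[PEB_BEING_DEBUGGED_OFFSET] = (unsigned char)(flag ? 1 : 0);
    return peb_being_debugged(fake_peb);
}

int main(void) {
    int live = peb_being_debugged(example_get_peb());
    if (live < 0)
        printf("[*] no PEB on this platform; constructed image gives %d\n",
               check_constructed_peb(1));
    else
        printf("[*] PEB.BeingDebugged: %s\n", live ? "traced!" : "OK");
    return 0;
}
```

This is the same byte that `IsDebuggerPresent` returns, so a debugger plugin that patches the flag defeats both the API call and the direct read; the direct read only avoids the import and any hook on the API itself. A 32-bit process under WOW64 reads its 32-bit PEB this way, which is what a 32-bit debugger sets.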
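The mouse-based reverse Turing tests listed above rely on the observation that an automated sandbox rarely moves the cursor like a person does. The following is an added example and not pafish's implementation: it polls the cursor position over a sampling window and then judges movement and speed. The sampling part uses the Win32 calls `GetCursorPos`, `GetTickCount` and `Sleep`; the analysis is kept platform-independent so it also runs on recorded samples. The speed threshold and the three constructed traces are this example's assumptions, not values taken from pafish.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example, not pafish code: a reverse Turing test on mouse movement and
 * speed. Cursor sampling (Windows only) is separated from the analysis so the
 * analysis can be run on recorded or constructed traces. */

typedef struct {
    long x, y;       /* cursor position in screen pixels */
    uint32_t t_ms;   /* sample time in milliseconds */
} cursor_sample_t;

typedef struct {
    int moved;               /* 1 if the cursor ever changed position */
    long distance_px;        /* total path length, integer pixels */
    long max_speed_px_s;     /* fastest hop between consecutive samples */
} rtt_mouse_result_t;

/* Verdicts; the threshold is this example's assumption, not pafish's. */
enum { RTT_MOUSE_OK = 0, RTT_MOUSE_NO_MOVEMENT = 1, RTT_MOUSE_TELEPORT = 2 };
#define RTT_MAX_HUMAN_SPEED_PX_S 10000L

/* Integer square root, so the example needs no libm. */
static unsigned long long isqrt_ull(unsigned long long v) {
    unsigned long long res = 0, bit = 1ULL << 62;
    while (bit > v) bit >>= 2;
    while (bit) {
        if (v >= res + bit) { v -= res + bit; res = (res >> 1) + bit; }
        else res >>= 1;
        bit >>= 2;
    }
    return res;
}

static rtt_mouse_result_t rtt_analyse_mouse(const cursor_sample_t *s, size_t n) {
    rtt_mouse_result_t r = {0, 0, 0};
    for (size_t i = 1; i < n; i++) {
        long long dx = s[i].x - s[i - 1].x, dy = s[i].y - s[i - 1].y;
        if (dx == 0 && dy == 0) continue;
        r.moved = 1;
        long d = (long)isqrt_ull((unsigned long long)(dx * dx + dy * dy));
        /* unsigned subtraction also copes with GetTickCount wrapping */
        uint32_t dt = s[i].t_ms - s[i - 1].t_ms;
        if (dt == 0) dt = 1;   /* identical timestamps: avoid division by zero */
        long speed = (long)((long long)d * 1000 / dt);
        r.distance_px += d;
        if (speed > r.max_speed_px_s) r.max_speed_px_s = speed;
    }
    return r;
}

static int rtt_mouse_verdict(const rtt_mouse_result_t *r) {
    if (!r->moved) return RTT_MOUSE_NO_MOVEMENT;   /* nobody at the desk */
    if (r->max_speed_px_s > RTT_MAX_HUMAN_SPEED_PX_S)
        return RTT_MOUSE_TELEPORT;                 /* scripted cursor jumps */
    return RTT_MOUSE_OK;
}

/* Verdict for a whole trace. */
static int rtt_mouse_check(const cursor_sample_t *s, size_t n) {
    rtt_mouse_result_t r = rtt_analyse_mouse(s, n);
    return rtt_mouse_verdict(&r);
}

/* Constructed traces for offline runs (made up for this example, not captures). */
static const cursor_sample_t trace_idle[] = {
    {500, 500, 0}, {500, 500, 100}, {500, 500, 200}};
static const cursor_sample_t trace_human[] = {
    {100, 100, 0}, {130, 140, 100}, {130, 140, 200}, {160, 100, 300}};
static const cursor_sample_t trace_teleport[] = {
    {0, 0, 0}, {3000, 4000, 100}};

#ifdef _WIN32
/* Live sampler for a real run on Windows: poll the cursor every interval_ms. */
static size_t sample_cursor(cursor_sample_t *out, size_t n, DWORD interval_ms) {
    for (size_t i = 0; i < n; i++) {
        POINT p;
        if (!GetCursorPos(&p)) return i;
        out[i].x = p.x; out[i].y = p.y; out[i].t_ms = (uint32_t)GetTickCount();
        Sleep(interval_ms);
    }
    return n;
}
#endif

int main(void) {
#ifdef _WIN32
    cursor_sample_t live[20];
    size_t n = sample_cursor(live, 20, 500);   /* roughly a 10 s window */
    printf("[*] live mouse RTT verdict: %d\n", rtt_mouse_check(live, n));
#else
    printf("[*] idle=%d human=%d teleport=%d\n",
           rtt_mouse_check(trace_idle, 3), rtt_mouse_check(trace_human, 4),
           rtt_mouse_check(trace_teleport, 2));
#endif
    return 0;
}
```

The window length matters: a sandbox that replays a short scripted mouse path will pass a two-second check but not a longer one, while a real user who walks away fails any check, so this kind of test is evidence to be combined with the others rather than a verdict on its own.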
Build
Pafish is written in C and can be built with MinGW (gcc + make).
git clone https://github.com/a0rtega/pafish.git
- Windows

For compiling on Windows, Cygwin is recommended. It sets up a Unix-like environment with a package manager that installs only the software you select. During the installation, select the packages make, mingw64-i686-gcc-core and mingw64-x86_64-gcc-core. Then run Cygwin Terminal, change to the project directory and compile:

- Linux

If you are using a Debian based distribution (Ubuntu, Mint, …), install the required packages with:

sudo apt-get install make mingw-w64

If you are running a Red Hat like distribution (Fedora, CentOS, …):

sudo yum install make mingw32-gcc mingw64-gcc

If you are running Arch Linux:

pacman -S make mingw-w64-gcc

Then you can compile:
Copyright (C) 2013 a0rtega
Source: https://github.com/a0rtega/