pafish: detect sandboxes and analysis environments


(Paranoid Fish)

Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

The project is open source, you can read the code of all anti-analysis checks. It is licensed under GNU/GPL version 3.

Pafish screenshot


The objective of this project is to collect the usual tricks seen in malware samples. This allows us to study them, and test if our analysis environments are properly implemented.


Pafish is written in C and can be built with MinGW (gcc + make).

git clone

  • Windows
    For compiling on Windows, Cygwin is recommended. It will setup an Unix-like environment with a package manager to install only selected software.

    During the installation you will need to select packages makemingw64-i686-gcc-core and mingw64-x86_64-gcc-core.

    Then you just need to run Cygwin Terminal, change to the project directory and compile:

    Alberto@Alberto-PC /cygdrive/f/pafish
    $ cd pafish/
    Alberto@Alberto-PC /cygdrive/f/pafish/pafish
    $ make -f Makefile.linux
    Alberto@Alberto-PC /cygdrive/f/pafish/pafish
    $ ls Output/MingW/
  • Linux
    If you are using a Debian based distribution (UbuntuMint, …), you can install the required packages executing:

    sudo apt-get install make mingw-w64

    If you are running a Red Hat like distribution (FedoraCentOS, …):

    sudo yum install make mingw32-gcc mingw64-gcc

    If you are running Arch Linux:

    pacman -S make mingw-w64-gcc

    Then you can compile:

    $ cd pafish/
    $ make -f Makefile.linux
    $ ls Output/MingW/

You can also download the executable of the latest stable version.

Copyright (C) 2013 a0rtega