pafish v0.6 releases: detect sandboxes and analysis environments
Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
The project is open source, so you can read the code of every anti-analysis check. It is licensed under GNU/GPL version 3.
The objective of this project is to collect the usual tricks seen in malware samples. This allows us to study them, and test if our analysis environments are properly implemented.
- The code has been adapted for 64-bit and now both Windows 32-bit and 64-bit executables are available in the release
- Executable files have been removed from git to avoid antivirus detections; they are now included on the releases page instead
- New reverse Turing test (RTT) detections added by @jgru, these include:
  - Checking mouse presence
  - Checking mouse movement
  - Checking mouse speed
  - Checking mouse click activity
  - Checking mouse double click activity
  - Checking dialog confirmation
  - Checking plausible dialog confirmation
- Added the function pafish_get_PEB to easily access the PEB
- Added a debugger detection that uses the BeingDebugged field of the PEB
- Added a new detection-traces output that is written into the in-memory executable image of pafish, useful for recovering detection results from memory dumps
- Compiler warning fixes
- Cosmetic changes
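As an added example (not pafish's own code), the PEB BeingDebugged check this release introduces, written for MinGW gcc as the page's build chain: the get_peb helper is an assumed stand-in for pafish_get_PEB, and the TEB offsets in its comments are the documented ones. Running it inside an analysis VM tells you whether the debugger is visible to the sample through this field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the first bytes of the Process Environment Block (PEB).
 * BeingDebugged lives at offset 0x2 on both 32-bit and 64-bit Windows;
 * every later field is omitted because the check does not need it. */
typedef struct {
    uint8_t InheritedAddressSpace;
    uint8_t ReadImageFileExecOptions;
    uint8_t BeingDebugged;
    uint8_t BitField;
} peb_head_t;

/* Pure check: returns 1 when the BeingDebugged byte of the given PEB is set.
 * Kept separate from the PEB lookup so it can be exercised on a constructed
 * buffer on any platform. */
int peb_being_debugged(const void *peb)
{
    const peb_head_t *head = (const peb_head_t *)peb;
    return head->BeingDebugged != 0;
}

#ifdef _WIN32
/* Fetch the current process's PEB through the TEB using gcc inline asm
 * (gs:[0x60] on x64, fs:[0x30] on x86). Assumed stand-in for
 * pafish_get_PEB, whose body is not shown on this page. */
static void *get_peb(void)
{
    void *peb;
#if defined(__x86_64__)
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#endif
    return peb;
}

int main(void)
{
    /* In a properly hidden analysis setup this must read 0 even while the
     * process is being traced; a 1 means the debugger is visible. */
    printf("PEB->BeingDebugged = %d\n", peb_being_debugged(get_peb()));
    return 0;
}
#endif
```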
Pafish is written in C and can be built with MinGW (gcc + make).
git clone https://github.com/a0rtega/pafish.git
For compiling on Windows, Cygwin is recommended. It sets up a Unix-like environment with a package manager that installs only the software you select. During the installation you will need to select the packages make, mingw64-i686-gcc-core and mingw64-x86_64-gcc-core.
Then you just need to run Cygwin Terminal, change to the project directory and compile:
If you are using a Debian based distribution (Ubuntu, Mint, …), you can install the required packages by executing:
sudo apt-get install make mingw-w64
If you are running a Red Hat like distribution (Fedora, CentOS, …):
sudo yum install make mingw32-gcc mingw64-gcc
If you are running Arch Linux:
pacman -S make mingw-w64-gcc
Then you can compile:
You can also download the executable of the latest stable version.
Copyright (C) 2013 a0rtega