This will just be a short post, as I mainly wanted to get a link out there. Recently I have been working on a small side project: a Python program that runs a few checks to determine whether it is likely running on a machine that will be used to debug or analyse it. I want to go deeper than that, but that is the current state of the program. For example, here is one excerpt:
```python
import psutil


def checkRunningProcesses():
    # Substrings of process names associated with analysis and debugging tools
    processArray = ["Wireshark", "HxD", "IDA", "NASM", "Autopsy", "Process Hacker",
                    "VMWare", "x64dbg", "dnspy", "HashCalc", "OllyD", "shellcode", "scdbg"]
    for proc in psutil.process_iter():
        try:
            processName = proc.name()
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            # The process exited between enumeration and the name lookup,
            # or we are not allowed to inspect it: skip it rather than crash
            continue
        for tool in processArray:
            if tool.lower() in processName.lower():
                return 1  # an analysis tool appears to be running
    return 0
```
This checks whether any currently running process has a name containing one of the strings in the list. Eventually I want to see whether such a Python script could be leveraged by converting it to an .exe or .dll (I know, converting Python to those formats isn't necessarily easy or efficient).
Recently, though, I ran across a really cool site that catalogues different malware evasion techniques, what part of the environment each one checks, and a lot more. It is called the "Unprotect Project". If anyone is interested in this kind of thing, I'd definitely recommend going over there to check it out!