Binary Armory Wiki

A compilation of resources on classical AntiRE techniques I’ve collected over time. Note that some resources may seem redundant but are added for the sake of completeness. Feel free to add any if you wish.

Packers/Obfuscators

Build your first LLVM Obfuscator
Extending LLVM for Code Obfuscation 1
Extending LLVM for Code Obfuscation 2
Using LLVM to Obfuscate Your Code During Compilation
Turning Regular Code Into Atrocities With LLVM
Simple Packer in C
Writing a PE packer series
Using UPX as a security packer
How to Write Your Own Packer

Anti-Disassembly

Anti-Disassembly techniques used by malware (a primer) 1
Anti-Disassembly techniques used by malware (a primer) 2
Anti-Disassembly Techniques and Mitigation
Assembly “wrapping”: a technique for anti-disassembly
The Return of Disassembly Desynchronization

Anti-Debug

Anti-Debug Tricks Wiki
[WIN]The Ultimate Anti Debugging Reference
[WIN]Anti-Debugging Techniques and Mitigation
[WIN]Anti Debugging Protection Techniques with Examples
Windows Anti-Debug Reference
Beginner’s Guide to Basic Linux Anti Anti Debugging Technique
Anti-Debug Techniques on Linux

VM/Sandbox Detection

[WIN]Playing with GuLoader Anti-VM techniques
Malware Anti-VM Techniques
Malware Evasion Techniques 2
Malware Evasion Techniques 3
[WIN]Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
How does malware know the difference between the virtual world and the real world?
[LINUX]Easy Ways to Determine Virtualization Technology

Source Code

https://bitbucket.org/fkie_cd_dare/simplifire.antire/src/master/

Misc

[WIN]Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malware Scenario
Five Anti-Analysis Tricks That Sometimes Fool Analysts
Obfuscation Techniques
Mac OS X Binary Protection
[WIN]Anti Reverse Engineering
Evasion Techniques Wiki
[WIN]Malware Evasion 1
Evasive Techniques: An Introduction
[WIN]Anti–Reverse Engineering Techniques Employed by Malware
Hiding Process Memory Via Anti-Forensic Techniques
Hiding Call To Ptrace
[WIN]Anti-Reverse Engineering Guide
[LINUX]Programming Linux Anti-Reversing Techniques
Malicious cryptography techniques for unreversable (malicious or not) binaries
Malware Armoring: The case against incident related binary analysis

This is a nice compilation, thank you.

I’m organizing some notes and will try to contribute here when I can. @crimsonRain Do you mind if I send you my bookmarks that I have organized and you can sift through them?

No, I don’t mind. In fact, contributions are welcome, so feel free.
