GoDefender: detect and defend against various forms of debugging tools and virtualization environments

GoDefender

This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments

Anti-Virtualization

  • Triage Detection: Detects if the system is running in a triage or analysis environment.
  • Monitor Metrics: Monitors system metrics to identify abnormal behavior indicative of virtualization.
  • VirtualBox Detection: Detects the presence of Oracle VirtualBox.
  • VMware Detection: Detects the presence of VMware virtualization software.
  • KVM Check: Checks for Kernel-based Virtual Machine (KVM) hypervisor.
  • Username Check: Verifies if the current user is a default virtualization user.
  • Recent User Activity: Checks user activity; if there are fewer than 20 files, it exits.
  • USB Mount: Checks if a USB was ever plugged into the computer before.

Anti-Debug

This module includes functions to detect and prevent debugging and analysis of the running process.

  • IsDebuggerPresent: Checks if a debugger is currently attached to the process.
  • Remote Debugger: Detects if a remote debugger is connected to the process.
  • PC Uptime: Monitors system uptime to detect debugging attempts based on system restarts.
  • Check Blacklisted Windows Names: Verifies if the process name matches any blacklisted names commonly used by debuggers.
  • Running Processes: Retrieves a list of running processes and identifies potential malicious ones.
  • Parent Anti-Debug: Detects if the parent process is attempting to debug the current process.
  • Kill Bad Processes: Terminates known malicious processes detected on the system.
  • Detects Usermode AntiAntiDebuggers: Detects user-mode anti-anti-debuggers like ScyllaHide (BASIC).
  • Internet Connection Check: Checks if an internet connection is present.

Process

This module focuses on critical processes that should be monitored or protected.

  • Critical Process: Implements functionality to manage critical processes essential for system operation.
  • SeDebugPrivilege: Grants better permissions.

Quick Nutshell

  • Detects most anti-anti-debugging hooking methods on common anti-debugging functions by checking for bad instructions on function addresses (most effective on x64). It also detects user-mode anti-anti-debuggers like ScyllaHide and can detect some sandboxes that use hooking to monitor application behavior/activity (like Tria.ge).

Download

Copyright (C) 2024 EvilBytecode