

Update: And a few more additions from Andrew! RapportGP, RapportGP_x64, and aswhook. Andrew sent these long time ago, but I sat on it even longer. I finally managed to update the post & apologies to Andrew for this taking so long!!!

Update: Added a few more pointed out by Andrew! fshook32, aswhookx, aswhooka. Thanks!

Update: Added a few libraries pointed out by Andrew! ollydbg.dll, vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!

Update: Fixed incorrectly attributed iDefense Labs libs, added some 64-bit libs and updated descriptions.

Update: Added apihex86.dll and apihex64.dll + apilogen.dll & amxread.dll. Thanks!

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it. In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect a suspicious, or at least unfriendly, AV environment. Some of them are very well known, some of them… less. If you know any others, please do let me know.

amxread.dll – Used by logman API Trace – API Tracing Manifest Read Library.
AMSI.dll – Used by Antimalware Scan Interface (AMSI).
apihex86.dll – Used by logman API Trace (32-bit) – API Tracing X86 Hook Engine.
apihex64.dll – Used by logman API Trace (64-bit) – API Tracing X64 Hook Engine.
apihookdll – Generic API hooking DLL name.
apilogen.dll – Used by logman API Trace – API Tracing Log Engine.
apshook – Cognizant Application Protection Hook.
aswhooka.dll – Avast (Thx Andrew!).
aswhookx.dll – Avast (Thx Andrew!).
ieprot – Rising Information Technology (IE Protector).
ivm-inject.dll – Buster Sandbox Analyzer (Thx Andrew!).
kloehk – Kaspersky Anti-Virus (Outlook Express Hook).
log_api32 – Buster Sandbox Analyzer (Thx Andrew!).
log_api64 – Buster Sandbox Analyzer (Thx Andrew!).
psapi – Possibly loaded to look for processes/modules.
pstorec – Possible SunBelt Sandbox (but also other sandboxes that preload DLLs).
R3HOOK – Kaspersky Anti-Virus (Ring 3 Hooker).
savshellextx64 – Sophos Anti-Virus 64-bit.
ssleay32 – Trusteer (could be a legitimate use of the OpenSSL library, though).
tamperprotectionmanagement – Sophos Anti-Virus.
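From the analyst's side, the same list is useful as a triage signal: a sample that carries these DLL names as strings is probably checking whether a sandbox or AV hook is loaded before it misbehaves. The script below is an added example, not code from the post; it transcribes the entries visible in the list above into a name-to-product map (the post's full list is longer), extracts ASCII and UTF-16LE strings from a file image, and reports which listed names occur. Names that also appear in ordinary software (psapi, ssleay32, AMSI) are treated as weak evidence on their own, as the post's own caveats suggest. The sample bytes are constructed for the demonstration.

```python
import re

# DLL base names (lower-case, no extension) mapped to the product the post attributes them to.
# Only entries visible in the list above are included; the post's full list is longer.
SANDBOX_DLLS = {
    "amxread": "logman API Trace (Manifest Read Library)",
    "amsi": "Antimalware Scan Interface (AMSI)",
    "apihex86": "logman API Trace (32-bit hook engine)",
    "apihex64": "logman API Trace (64-bit hook engine)",
    "apihookdll": "generic API hooking DLL name",
    "apilogen": "logman API Trace (log engine)",
    "apshook": "Cognizant Application Protection Hook",
    "aswhooka": "Avast",
    "aswhookx": "Avast",
    "ieprot": "Rising IE Protector",
    "ivm-inject": "Buster Sandbox Analyzer",
    "kloehk": "Kaspersky Anti-Virus (Outlook Express hook)",
    "log_api32": "Buster Sandbox Analyzer",
    "log_api64": "Buster Sandbox Analyzer",
    "psapi": "possibly process/module enumeration",
    "pstorec": "SunBelt Sandbox (or other DLL-preloading sandboxes)",
    "r3hook": "Kaspersky Anti-Virus (Ring 3 hooker)",
    "savshellextx64": "Sophos Anti-Virus 64-bit",
    "ssleay32": "Trusteer (or legitimate OpenSSL use)",
    "tamperprotectionmanagement": "Sophos Anti-Virus",
}

# Names that legitimately occur in benign software; a hit on these alone is weak evidence.
WEAK_INDICATORS = {"psapi", "ssleay32", "amsi"}


def extract_strings(data: bytes, min_len: int = 4):
    """Yield printable ASCII and UTF-16LE runs of at least min_len chars (like `strings`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")


def find_sandbox_dll_refs(data: bytes) -> dict:
    """Return {dll_name: product} for every listed DLL name found among the strings of data."""
    hits = {}
    for s in extract_strings(data):
        for name, product in SANDBOX_DLLS.items():
            # Whole-token match of the base name, with or without ".dll", case-insensitive.
            pattern = r"(?<![a-z0-9_])%s(\.dll)?(?![a-z0-9_])" % re.escape(name)
            if re.search(pattern, s, re.IGNORECASE):
                hits[name] = product
    return hits


def assess(hits: dict) -> str:
    """Summarise the hit set; call it anti-analysis only when a strong indicator is present."""
    strong = sorted(set(hits) - WEAK_INDICATORS)
    if strong:
        return "anti-analysis indicators: " + ", ".join(strong)
    if hits:
        return "weak indicators only: " + ", ".join(sorted(hits))
    return "no listed DLL names found"


# Constructed stand-in for a file image: a fake header, an ASCII import-like region,
# one name stored as UTF-16LE (as a wide-string literal would be), two ASCII names, junk.
SAMPLE = (
    b"MZ\x90\x00"
    + b"kernel32.dll\x00GetModuleHandleA\x00\x00"
    + "aswhookx.dll".encode("utf-16le") + b"\x00\x00"
    + b"log_api32.dll\x00ssleay32.dll\x00"
    + b"\x11\x22\x33"
)

if __name__ == "__main__":
    found = find_sandbox_dll_refs(SAMPLE)
    for name, product in sorted(found.items()):
        print("%-28s -> %s" % (name, product))
    print(assess(found))
```

In practice you would feed the bytes of the file under triage to find_sandbox_dll_refs and treat a strong hit as a reason to run the sample in a less instrumented environment, or to patch the check, rather than as proof of malice; packed samples will only show these names after unpacking.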
