| Feature | Technique | Evasion Impact |
|---------|-----------|----------------|
| Anti-Debugging | NtQueryInformationProcess (DebugPort), IsDebuggerPresent, CheckRemoteDebuggerPresent, timing checks (RDTSC), hardware breakpoint detection (DR registers), OutputDebugString anomalies. | Prevents live analysis with x64dbg, OllyDbg, WinDbg. |
| Anti-Disassembly | Junk instructions, opaque predicates, call trickery, exception handlers that alter control flow. | IDA Pro / Ghidra produce incorrect graphs. |
| Anti-VM | Checks for VMware, VirtualBox, QEMU via registry, MAC addresses, CPUID (hypervisor bit), RDTSC timing variance. | Malware can refuse to run, delaying sandbox analysis. |
| Anti-Dumping | Encrypts sections in memory after unpacking; uses page guard exceptions to re-encrypt code after execution. | Dumping the unpacked process with Process Hacker fails. |
| Import Obfuscation | Dynamically resolves APIs via a custom hash lookup (e.g., CRC32 of CreateFileA); no static IAT. | Static imports are empty; API calls are invisible to static tools. |
| Metamorphic Engine | Stub code rearranges itself (register swapping, instruction substitution) each run. | Signature matching fails. |
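The Import Obfuscation row describes APIs resolved through a hash of the export name (CRC32 of CreateFileA in the table's example), which leaves the static import table empty. The analyst-side counterpart is a precomputed hash table that maps such constants back to names. The block below is an added example, not code from the page or from Themida: the export-name list and the "lifted" constants are constructed, and CRC32 over the ASCII name is an assumed scheme, since the page does not state which hash a given protector uses.

```python
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed name list. In practice, harvest export names from the real
# system DLLs (kernel32.dll, ntdll.dll, ...) with a PE parser.
SAMPLE_EXPORTS = [
    "CreateFileA", "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
    "VirtualProtect", "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "OutputDebugStringA",
]


def api_hash(name: str) -> int:
    """Assumed scheme: CRC32 over the ASCII export name, as an unsigned 32-bit value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export, refusing silent collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"CRC32 collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


HASH_TABLE = build_hash_table(SAMPLE_EXPORTS)


def resolve_hash(h: int, table: Dict[int, str] = HASH_TABLE) -> Optional[str]:
    """Map one 32-bit constant back to an export name, or None if unknown."""
    return table.get(h & 0xFFFFFFFF)


def resolve_many(hashes: Iterable[int],
                 table: Dict[int, str] = HASH_TABLE) -> List[Tuple[int, Optional[str]]]:
    """Resolve a batch of constants lifted from a resolver stub, keeping order."""
    return [(h, resolve_hash(h, table)) for h in hashes]


if __name__ == "__main__":
    # Constructed: pretend these immediates were lifted from a disassembled stub.
    lifted = [api_hash("VirtualProtect"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for h, name in resolve_many(lifted):
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

An unresolved constant usually means the stub uses a different hash (ROR-based variants are common) or a DLL whose exports were not harvested; extend the name list before assuming the scheme is wrong.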

2 Comments

  1. Themida Crypter


    • You can; in fact, long ago there was a tool that automated this, lost when CodePlex was taken down by MSFT. Look into xperf -help Processing, specifically the Boot processing switch.
