Anti-emulation tricks

Anti-emulation, or anti-automated-analysis, tricks are methods a program uses to stop executing further into its code once it determines that it is being analyzed. The behavior of a program can be logged and analyzed using automated analysis tools such as Cuckoo Sandbox, Hybrid Analysis, and ThreatAnalyzer. The idea behind these tricks is to determine whether the system the program is running on is controlled and set up by a real user, as opposed to a machine prepared for automated analysis.

Here are some things that distinguish a user-controlled environment from an automated analysis system:

  • A user-controlled system has mouse movement.
  • User-controlled systems can display a dialog box that waits for a user to scroll down and then click on a button.
  • The setup of an automated analysis system has the following attributes:
    • A low amount of physical memory
    • A low disk size
    • The free space on the disk may be nearly depleted
    • The number of CPUs is only one
    • The screen size is too small

Simply setting up a task that requires a user's manual input is enough to determine whether the program is running in a user-controlled environment. As with anti-VM tricks, an analysis VM guest is usually set up with the lowest possible resource requirements so that it doesn't eat up the VM host's resources, and those minimal attributes are what the program looks for.

Another anti-analysis trick checks for running analysis tools. These tools include the following:

  • OllyDBG (ollydbg.exe)
  • WinDbg (windbg.exe)
  • IDA Pro (ida.exe, idag.exe, ida64.exe, idag64.exe)
  • SysInternals Suite Tools, which includes the following:
    • Process Explorer (procexp.exe)
    • Process Monitor (procmon.exe)
    • Regmon (regmon.exe)
    • Filemon (filemon.exe)
    • TCPView (tcpview.exe)
    • Autoruns (autoruns.exe, autorunsc.exe)
  • Wireshark (wireshark.exe)

A way around these tricks is for the automated analysis system to trick them back. For example, there are ways to mimic mouse movement and even read dialog window properties, scroll, and click buttons. A simple workaround for the tool-detection trick is to rename the tool we're using to monitor behavior.
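The following is an added example, not code from the book. It takes the two groups of checks above (the low-resource attributes of an analysis VM, and the list of analysis tool process names) and turns them into a sandbox self-audit from the analyst's side: given a description of the analysis VM, it reports which of those heuristics would give the sandbox away, so the analyst can raise the resources or rename the monitoring tools before running a sample. The numeric thresholds are assumptions (the text only says "low"), the HostProfile fields and the sample profiles are constructed for the example, and the rename mapping is an illustration of the workaround described in the last paragraph.

```python
"""Sandbox self-audit: which anti-emulation heuristics would flag this VM?

Added example; thresholds and sample profiles are assumptions, not from the book.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

GB = 1024 ** 3

# Process names the text lists as analysis tools (lower-cased for comparison).
ANALYSIS_TOOL_NAMES = {
    "ollydbg.exe", "windbg.exe",
    "ida.exe", "idag.exe", "ida64.exe", "idag64.exe",
    "procexp.exe", "procmon.exe", "regmon.exe", "filemon.exe",
    "tcpview.exe", "autoruns.exe", "autorunsc.exe",
    "wireshark.exe",
}

# Assumed thresholds: below these a VM "looks like" a minimal analysis guest.
THRESHOLDS = {
    "min_ram_bytes": 4 * GB,
    "min_disk_bytes": 60 * GB,
    "min_free_fraction": 0.10,   # free space nearly depleted
    "min_cpus": 2,               # a single CPU is a sandbox tell
    "min_screen": (1280, 720),   # width, height
}


@dataclass
class HostProfile:
    """Constructed description of an analysis VM (fields are assumptions)."""
    ram_bytes: int
    disk_bytes: int
    free_bytes: int
    cpu_count: int
    screen: Tuple[int, int]
    processes: List[str]


def audit(profile: HostProfile, thresholds: Dict = THRESHOLDS) -> List[str]:
    """Return the list of heuristics from the text that would flag this host."""
    findings = []
    if profile.ram_bytes < thresholds["min_ram_bytes"]:
        findings.append("low_memory")
    if profile.disk_bytes < thresholds["min_disk_bytes"]:
        findings.append("low_disk")
    if profile.disk_bytes and profile.free_bytes / profile.disk_bytes < thresholds["min_free_fraction"]:
        findings.append("low_free_space")
    if profile.cpu_count < thresholds["min_cpus"]:
        findings.append("single_cpu")
    w, h = profile.screen
    min_w, min_h = thresholds["min_screen"]
    if w < min_w or h < min_h:
        findings.append("small_screen")
    # Tool detection is a plain name match, which is why renaming the tool defeats it.
    visible = sorted({p.lower() for p in profile.processes} & ANALYSIS_TOOL_NAMES)
    if visible:
        findings.append("analysis_tools:" + ",".join(visible))
    return findings


def rename_tools(processes: List[str], mapping: Dict[str, str]) -> List[str]:
    """Apply the renaming workaround: swap known tool names for neutral ones."""
    return [mapping.get(p.lower(), p) for p in processes]


# Constructed sample: a minimal analysis guest running Process Monitor.
SANDBOX_LIKE = HostProfile(
    ram_bytes=1 * GB, disk_bytes=20 * GB, free_bytes=1 * GB,
    cpu_count=1, screen=(800, 600),
    processes=["explorer.exe", "ProcMon.exe", "svchost.exe"],
)

# Constructed sample: the same guest after raising resources and renaming the tool.
HARDENED = HostProfile(
    ram_bytes=8 * GB, disk_bytes=250 * GB, free_bytes=100 * GB,
    cpu_count=4, screen=(1920, 1080),
    processes=rename_tools(SANDBOX_LIKE.processes, {"procmon.exe": "notepad2.exe"}),
)

if __name__ == "__main__":
    for name, prof in (("sandbox-like", SANDBOX_LIKE), ("hardened", HARDENED)):
        print(f"{name}: {audit(prof) or 'no findings'}")
```

On a real analysis VM the HostProfile would be filled from the guest itself (for example, memory and process names from psutil or WMI, and disk size from `shutil.disk_usage`), but the audit logic is the same: each finding names one attribute the sample could use to decide it is being watched, and the hardened profile shows that fixing the resources and renaming the monitoring tool clears every finding.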
