ENNAENNA

al-khaser

GPL-2.0

🧬 Reverse Engineering · C++

al-khaser is a proof-of-concept application that implements numerous malware evasion techniques in a single codebase. It serves as a reference for security researchers studying how malware detects virtual machines, sandboxes, debuggers, and analysis environments. Techniques include timing attacks, CPU feature detection, registry checks, process enumeration, hardware fingerprinting, and API hooking detection. Each technique is implemented, documented, and testable independently. Security teams use al-khaser to validate that their analysis environments and sandboxes are resistant to common evasion methods employed by real-world malware.

6.9kstars
1.3kforks
41issues
Updated 26d ago
+I use this
View on GitHub

Installation

$ git clone https://github.com/LordNoteworthy/al-khaser.git

Use Cases

  • Testing sandbox and VM detection resistance
  • Studying malware evasion techniques
  • Validating analysis environment stealth
  • Reference implementation for anti-analysis research

Tags

anti-analysisevasionvm-detectionsandbox-detectionanti-debuggingmalware-researchanti-disassemblyanti-emulationanti-sandboxanti-vmav-bypasscode-injectionmalwaresandbox-evasiontiming-attacks

Details

Category
🧬 Reverse Engineering
Language
C++
License
GPL-2.0
Platforms
🪟windows

Links

GitHub Repository

github.com/LordNoteworthy/al-khaser

Releases

github.com/LordNoteworthy/al-khaser/releases

Issues

github.com/LordNoteworthy/al-khaser/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

capa

Python

Automatically identify capabilities in executable files - detects techniques like persistence, C2, and anti-analysis.

Compare al-khaser vs capa

FakeNet-NG

Python

Mandiant's dynamic network analysis tool. Simulates internet services to capture malware C2 communications locally.

Compare al-khaser vs FakeNet-NG

CAPEv2

Python

Malware behavior analysis sandbox. Detonates samples and extracts configs, payloads, network IOCs, and API call traces.

Compare al-khaser vs CAPEv2

More in Reverse Engineering

dnSpy

C#

.NET debugger, decompiler, and assembly editor. Inspect and modify .NET and Unity assemblies without source code.

dotnetdecompilerdebugger

ILSpy

C#

Open-source .NET decompiler and assembly browser. Produces clean C# from compiled binaries with cross-platform support.

dotnetdecompilerassembly-browser

x64dbg

C++

Open-source x64/x32 debugger for Windows. Full-featured binary debugger with plugin ecosystem for malware analysis and reverse engineering.

debuggerdisassemblermalware-analysis

Detect It Easy

C++/Qt

Binary packer and compiler detection. Identifies compilers, linkers, packers, and protectors used to build PE, ELF, and Mach-O files.

packer-detectionbinary-analysispe

angr

Python

Binary analysis framework. Symbolic execution, CFG recovery, and vulnerability discovery for compiled binaries in Python.

symbolic-executionbinary-analysiscfr

RetDec

C++

Retargetable decompiler by Avast. Converts machine code back to C from x86, ARM, MIPS, and PowerPC binaries.

decompilerllvmmulti-arch