Golang anti-vm framework
Let Medusa stone wall analysis
Table of Contents
Medusa is an anti-vm framework.
Written in Golang in order to support Red Team operations and Pentesters during engagements.
Medusa is designed for Windows environment!
!!I'm not responsible for your acts!!
Firstly, make sure that your dependencies are satisfied.
Medusa has 3 dependencies:
- wmi
go get github.com/StackExchange/wmi@v0.0.0-20210224194228-fe8f1750fd46
- go-ole
go get github.com/go-ole/go-ole@v1.2.5
- go-ps
go get github.com/mitchellh/go-ps@v1.0.0
In your prompt type
go get github.com/whiterabb17/medusa
Additional processes and configs can be set in util\process_list.go
Such as AV processes to kill/search for.
Additional strings to find or MAC addresses to add to the blacklist
Into your program, import the packages used by Medusa
import (
"github.com/whiterabb17/medusa/antidebug"
"github.com/whiterabb17/medusa/antimem"
"github.com/whiterabb17/medusa/antivm"
)
"github.com/whiterabb17/medusa/antidebug"
Antidebug package implement strategies to avoid common programs that are used for debugging.
antidebug.ByProcessWatcher()
return boolean
This function look for common programs used for inspect process, like processhacker.exe, procmon.exe, xdbg.exe, etc.
Example:
if antidebug.ByProcessWatcher() { // Whether some debugger program founded, enter here.
// exit or wait
}
antidebug.ByTimmingDiff(time, int)
return boolean
Compare whether the difference between initial and end time is bigger than difference allowed (in seconds).
When debugging, some analisys use to take some time into a function.
Grab the time just in the begging of the function and later in the end, before go out, and ask Medusa to compare.
Example:
func myFuncHere(){
initTime := time.Now() // grab the time here
// do your actions here
if antidebug.ByTimmingDiff(timeInit, 2){ // if your function takes 2 seconds or more, your malware must be debugged. You chose your time.
// exit or wait
}
}
"github.com/whiterabb17/medusa/antimem"
Antimem package implement strategies to avoid common programs that are used for inspect memory process.
antimem.ByMemWatcher()
return boolean
This function look for common programs used for inspect memory, like rammap.exe, dumpit.exe, etc.
Example:
if antimem.ByMemWatcher() { // Whether some program used for inspect memory founded, enter here.
// exit or wait
}
"github.com/whiterabb17/medusa/antivm"
Antivm package implement strategies to avoid virtualized environment.
antivm.BySizeDisk( int )
return boolean
Check total size disk, in GB.
Example:
if antivm.BySizeDisk(100) { // whether total disk size is less than 100 GB, enter here. You chose the size, always in GB.
// exit or wait
}
antivm.IsVirtualDisk()
boolean
Check whether may be on virtual disk.
Example:
if antivm.IsVirtualDisk() { // If Medusa guess you are on virtual disk, enter here.
// exit or wait
}
antivm.ByMacAddress()
boolean
Look for known virtualized MAC Address.
Example:
if antivm.ByMacAddress() { If Medusa guess you are on virtual MAC Address, enter here.
// exit or wait
}