GetUserName returns "AVEMU".

printf-like function to exfiltrate data from the emulators. AVLeak presents a Python API allowing for the creation of scriptable testing routines and integration with other applications, such as fuzzers, reversing tools, web frameworks, etc. New AVs can be integrated into AVLeak in a matter of hours, most of which is run time for automated scripts, and C test cases and Python testing scripts are write-once-run-against-any-AV.

C:\BATMAN directory found in Bitdefender.

GetProcAddress. Dumped every single exported function for multiple essential system DLLs and found common patterns; the AVs often used faulting or obscure instructions in these libraries as a means of triggering emulation of specific functions (when the instruction is seen by the CPU emulator, it calls the appropriate WinAPI emulation function).

200 OK status codes, and provided PE executables for download, presumably as a means of catching malware which downloads and executes in stages. Extracting and analyzing these files provided more artifacts with which the emulators may be detected.

Sleep(1) to sleep for 1 millisecond will have some multi-millisecond overhead, but this was not accounted for: measuring time before and after the call showed a difference of exactly 1 millisecond only.

LoadLibrary.

cpuid or rdtscp have led to the discovery of CPU emulator inconsistencies.