explaingit

ayoubfaouzi/al-khaser

6,949 · C++ · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

A Windows test tool for security researchers that simulates the tricks real malware uses to detect debuggers, virtual machines, and sandboxes, so you can verify your analysis environment stays hidden.

Mindmap

mindmap
  root((al-khaser))
    What It Does
      Simulates malware evasion
      Runs evasion checks
    Detection Categories
      Anti-debugging
      VM detection
      Sandbox detection
    Tech
      C++ codebase
      Windows only
    Audience
      Security researchers
      Malware analysts
    Usage
      Pre-built binaries
      Command-line flags


Things people build with this

USE CASE 1

Test whether your malware sandbox would be detected by adversarial samples before deploying it.

USE CASE 2

Verify that your debugging environment is invisible to anti-debugging techniques used by real malware.

USE CASE 3

Check if a virtual machine setup leaks hardware or registry identifiers that malware would notice.

USE CASE 4

Benchmark anti-malware tooling against a known set of real-world evasion techniques.

Tech stack

C++ · Windows

Getting it running

Difficulty · easy · Time to first run · 5 min

Pre-built binaries available from the releases page, no compilation needed to get started.

License terms are not described in the explanation.

In plain English

Al-khaser is a test program for security researchers and malware analysts. It simulates the techniques that real malware uses to detect and evade analysis environments, so that people who build security tools can check whether those tools would be spotted by an adversary. The program runs a battery of checks against the system it is running on. These checks look for signs that a debugger is attached, that the machine is a virtual machine rather than real hardware, or that the program is running inside a sandboxed analysis environment. When real malware detects any of these conditions, it typically stops doing anything malicious to avoid being studied. Al-khaser lets security tool builders verify that their setups would not trigger those checks.

The checks cover several categories. Anti-debugging checks look for software and hardware breakpoints, monitoring processes, and other signals that a reverse engineer is watching the program run. Virtual machine detection looks for registry keys, driver files, and hardware identifiers left behind by VirtualBox, VMware, QEMU, Hyper-V, and several other platforms. Sandbox detection includes timing tests (checking whether the system is accelerating sleep calls, which some sandboxes do to speed up analysis), human-interaction checks such as whether the mouse has moved or whether disk sizes look realistic, and detection of known analysis tools by name.

The project is written in C++ and targets Windows. Pre-built binaries are available from the releases page. Running the program with no arguments exercises all checks; specific categories can be selected individually via command-line flags.

The intended audience is people building or testing anti-malware software, sandbox environments, or malware analysis systems. It is described as a proof-of-concept with good intentions rather than an actual malicious tool, and contributions of newly observed real-world techniques are welcome.

Copy-paste prompts

Prompt 1
I'm building a malware analysis sandbox and want to test whether al-khaser would detect it. List the most common virtual machine artifacts it checks for and how I can hide them.
Prompt 2
Show me how to run al-khaser with only the anti-debugging checks enabled on Windows, and explain what each check is testing.
Prompt 3
I want to add a new sandbox detection technique to al-khaser. Walk me through the C++ code structure so I know where to add my check.
Prompt 4
Which of al-khaser's timing-based sandbox checks are most commonly triggered by commercial sandboxes, and why do sleep-acceleration tricks fool them?
Prompt 5
Help me interpret the output of al-khaser to understand which checks my analysis VM is failing.