
Analysis Tool Process Detection

Enumerating running processes and window titles to spot reverse-engineering tools such as x64dbg, Process Monitor, Wireshark, and OllyDbg.

A blunt but effective evasion: enumerate every running process and compare the image names against a blocklist of analysis tools. If a debugger, packet sniffer, or monitoring utility is found, the sample exits or alters its behavior. Window-title enumeration is a common companion check.

Because it needs no special privileges and relies only on documented APIs, this technique appears across commodity stealers and loaders.

How it works

The sample walks the process list with CreateToolhelp32Snapshot / Process32Next and matches each szExeFile against names like x64dbg.exe, ollydbg.exe, procmon.exe, procexp.exe, wireshark.exe, idaq.exe, x32dbg.exe, and tcpview.exe.

```c
#include <windows.h>
#include <tlhelp32.h>
#include <wchar.h>

// Image names the sample refuses to run alongside (case-insensitive match).
static const wchar_t *tools[] = {
    L"x64dbg.exe", L"ollydbg.exe", L"procmon.exe",
    L"wireshark.exe", L"idaq.exe", L"procexp.exe"
};

static void check_for_analysis_tools(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return;  // Could not snapshot; the sample simply carries on.

    PROCESSENTRY32W pe = { .dwSize = sizeof(pe) };
    for (BOOL ok = Process32FirstW(snap, &pe); ok; ok = Process32NextW(snap, &pe)) {
        for (size_t i = 0; i < sizeof(tools) / sizeof(tools[0]); i++) {
            if (_wcsicmp(pe.szExeFile, tools[i]) == 0) {
                CloseHandle(snap);
                ExitProcess(0);  // Analysis tool found: bail out.
            }
        }
    }
    CloseHandle(snap);
}
```

Some variants hash the names so the blocklist is not visible as plaintext, or use EnumWindows to match class names and titles instead.
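The static-analysis side of this, as an added example that is not code from the page or from any sample it describes: a small triage script that scans a sample's raw bytes for the enumeration imports, for the plaintext tool names (ASCII or UTF-16LE, case-insensitive), and for the hashed form of the blocklist by precomputing 32-bit FNV-1a digests of the known tool names and searching for them as little-endian constants. The FNV-1a parameters are the standard ones; that a sample lowercases the name before hashing, and the byte layout of the hash table, are assumptions made for this example, and the sample bytes are constructed inline.

```python
"""Static triage for analysis-tool process detection (added example, not the page's code).

Given a sample's raw bytes, report:
  1. Toolhelp / PSAPI / window enumeration import names present,
  2. plaintext analysis-tool names (ASCII or UTF-16LE, any case),
  3. 32-bit FNV-1a hashes of those tool names embedded as little-endian constants,
     which is how some variants keep the blocklist out of `strings` output.
Assumption: the sample hashes the lowercase ASCII image name with standard FNV-1a.
"""
import struct

ENUM_APIS = (b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next",
             b"EnumProcesses", b"EnumWindows", b"GetWindowTextA", b"GetWindowTextW")

TOOL_NAMES = ("x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "procmon.exe",
              "procexp.exe", "wireshark.exe", "idaq.exe", "tcpview.exe")


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: offset basis 0x811C9DC5, prime 0x01000193."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def find_apis(blob: bytes) -> list:
    """Enumeration-related import names that appear verbatim in the blob."""
    return sorted(a.decode() for a in ENUM_APIS if a in blob)


def find_plaintext_tools(blob: bytes) -> list:
    """Tool names present as ASCII or UTF-16LE; bytes.lower() only touches ASCII
    letters, so it also normalises the UTF-16LE form (letter, NUL, letter, NUL)."""
    low = blob.lower()
    hits = {name for name in TOOL_NAMES
            if name.encode("ascii") in low or name.encode("utf-16-le") in low}
    return sorted(hits)


def find_hashed_tools(blob: bytes) -> list:
    """Tool names whose FNV-1a hash appears as a 4-byte little-endian constant."""
    table = {struct.pack("<I", fnv1a32(n.encode("ascii"))): n for n in TOOL_NAMES}
    return sorted(name for packed, name in table.items() if packed in blob)


def triage(blob: bytes) -> dict:
    """Combine the three checks; 'suspicious' needs an enumeration API plus a
    tool name in either plaintext or hashed form, matching the YARA-style hint."""
    apis = find_apis(blob)
    plain = find_plaintext_tools(blob)
    hashed = find_hashed_tools(blob)
    return {
        "apis": apis,
        "plaintext_tools": plain,
        "hashed_tools": hashed,
        "suspicious": bool(apis) and bool(plain or hashed),
    }


# Constructed stand-in for a sample's bytes: two import names, one UTF-16LE
# tool name in upper case, and the FNV-1a hash of another, around filler.
SAMPLE = (b"\x00" * 8
          + b"CreateToolhelp32Snapshot\x00" + b"Process32NextW\x00"
          + "WIRESHARK.EXE".encode("utf-16-le") + b"\x00" * 4
          + struct.pack("<I", fnv1a32(b"x64dbg.exe")) + b"\x90" * 8)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. A hit on the hashed table alone is weaker evidence than a plaintext hit, since a 32-bit constant can collide by chance in a large binary; pairing it with the import names keeps the false-positive rate manageable.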

Detection & analysis

  • Static analysis: look for the Toolhelp imports (CreateToolhelp32Snapshot, Process32Next) or EnumProcesses, paired with embedded tool names or a table of FNV/CRC hashes compared in a loop.
  • Dynamic analysis: rename your tools' executables (e.g. x64dbg.exe -> notepad2.exe) and hide window titles, or hook Process32Next to omit flagged entries from the returned snapshot.
  • Detection rule hint: YARA-match the literal tool-name strings together with the Toolhelp API names; in sandbox logs, alert when a process enumerates the full process list and then exits without further activity.
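The sandbox-log heuristic from the last bullet, as an added example that is not code from the page: it groups API-trace lines by process, and flags any process whose trace contains a process snapshot and a run of enumeration calls, ends in a process exit, and shows no file, registry, network or child-process activity in between. The one-line-per-call log format, the list of calls that count as "real work", and the threshold of five enumeration calls are assumptions made for this example; real sandboxes emit their own schema, so `parse_line` is the part to adapt. The trace lines are constructed.

```python
"""Behavioural heuristic over a sandbox API trace (added example, not the page's code).

Flags a process that snapshots the process list, walks it, and then exits
without doing anything else. Log format (constructed for this example):
    <timestamp> pid=<n> api=<ApiName>
"""
import re
from collections import defaultdict

ENUM_CALLS = {"CreateToolhelp32Snapshot", "Process32First", "Process32FirstW",
              "Process32Next", "Process32NextW", "EnumProcesses", "EnumWindows"}
EXIT_CALLS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
# Assumption: any call starting with one of these prefixes is "real work";
# seeing one before the exit clears the alert.
WORK_CALL_PREFIXES = ("CreateFile", "WriteFile", "RegSetValue", "connect", "send",
                      "InternetOpen", "WinHttp", "CreateProcess")

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) api=(?P<api>\w+)")


def parse_line(line: str):
    """Return (pid, api) for a well-formed trace line, else None."""
    m = LINE_RE.match(line)
    return (int(m.group("pid")), m.group("api")) if m else None


def enumerate_then_exit(lines, min_enum_calls: int = 5) -> list:
    """PIDs whose trace is snapshot + enumeration + exit with no real work."""
    traces = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            pid, api = parsed
            traces[pid].append(api)

    flagged = []
    for pid, calls in traces.items():
        if calls[-1] not in EXIT_CALLS:
            continue
        enum_count = sum(1 for c in calls if c in ENUM_CALLS)
        did_work = any(c.startswith(WORK_CALL_PREFIXES) for c in calls)
        if enum_count >= min_enum_calls and not did_work:
            flagged.append(pid)
    return flagged


# Constructed trace: pid 4242 enumerates and bails out (should be flagged),
# pid 5150 enumerates but then writes a file (legitimate-looking, not flagged),
# pid 777 exits without enumerating anything (not flagged).
SAMPLE_TRACE = (
    ["12:00:01.001 pid=4242 api=GetModuleHandleW",
     "12:00:01.002 pid=4242 api=CreateToolhelp32Snapshot",
     "12:00:01.003 pid=4242 api=Process32FirstW"]
    + [f"12:00:01.{4 + i:03d} pid=4242 api=Process32NextW" for i in range(6)]
    + ["12:00:01.010 pid=4242 api=CloseHandle",
       "12:00:01.011 pid=4242 api=ExitProcess",
       "12:00:02.001 pid=5150 api=CreateToolhelp32Snapshot"]
    + [f"12:00:02.{2 + i:03d} pid=5150 api=Process32NextW" for i in range(6)]
    + ["12:00:02.010 pid=5150 api=CreateFileW",
       "12:00:02.011 pid=5150 api=WriteFile",
       "12:00:02.012 pid=5150 api=ExitProcess",
       "12:00:03.001 pid=777 api=GetTickCount",
       "12:00:03.002 pid=777 api=ExitProcess"]
)

if __name__ == "__main__":
    print("flagged:", enumerate_then_exit(SAMPLE_TRACE))
```

The threshold matters: a process list on any real host is dozens of entries long, so a sample that reads the whole list produces far more than five `Process32Next` calls, while a benign program that looks up one specific process usually stops early. Tune `min_enum_calls` against your own sandbox's baseline before alerting on it.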