Anva monitors userland programs by executing them inside its own virtual address space: the target is not started as a separate process and no debugger is attached.
Anva features a custom PE loader that mimics the Windows loader in NTDLL.DLL and manually maps the target program into Anva's address space.
The tool spoofs internal structures (e.g. the PEB) so that the target sees the same environment it would see if the OS had started it natively as its own process.
Anva supports:
- Both x86 and x64 PE formats
- VMProtect-protected binaries
- Fixed and relocatable image bases (base relocations are applied when the preferred base is not available)
- Sections mapped with the memory protection their characteristics specify
- Import resolution, including loading of the required DLLs
- SEH handlers, so exceptions raised by the target are dispatched to the target's own handlers
- TLS and TLS callbacks (run before the entry point)
- PEB setup
- Console, GUI (window) and DLL applications.
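To make the loader steps listed above concrete, the following script is an added example, not Anva's own code, and is written in Python so that it runs on any host. It builds a small constructed PE32+ image (invented for this example, not a real binary) and then maps it the way an in-process loader does: copies headers and sections and records the protection each section asks for, applies the DIR64 base relocations because the chosen load address differs from the preferred ImageBase, resolves imports by name and by ordinal into the IAT, and collects the TLS callbacks. The names `build_sample_pe`, `map_image`, `FAKE_EXPORTS` and the KERNEL32 addresses are assumptions of the example; a real mapper on Windows performs the same steps with VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress, then runs the TLS callbacks before jumping to the entry point.

```python
import struct

# winnt.h constants; the image below is constructed for this example and is not a real binary
SECTION_FLAGS = (("R", 0x40000000), ("W", 0x80000000), ("X", 0x20000000))  # IMAGE_SCN_MEM_READ/WRITE/EXECUTE
IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_DIR64, IMAGE_ORDINAL_FLAG64 = 0, 10, 1 << 63
IMAGE_BASE, D = 0x140000000, 0x2000           # sample's preferred ImageBase and the RVA of its .data


def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode()   # NUL-terminated ASCII string at `off`


def build_sample_pe():
    """Constructed PE32+: .text = `mov rax, imm64; ret` (the imm64 needs a DIR64 fixup) and a
    one-byte TLS callback; .data = import descriptors/IAT, TLS directory, relocation blocks."""
    text = bytearray(0x200)
    text[0:10] = b"\x48\xB8" + struct.pack("<Q", IMAGE_BASE + D)             # mov rax, &.data
    text[10] = text[0x10] = 0xC3                                              # ret / TLS callback: ret
    d = bytearray(0x200)
    struct.pack_into("<IIIII", d, 0x00, D + 0x28, 0, 0, D + 0x58, D + 0x40)   # one descriptor + null one
    thunks = struct.pack("<QQQ", D + 0x68, IMAGE_ORDINAL_FLAG64 | 2, 0)       # by name, by ordinal, end
    d[0x28:0x40], d[0x40:0x58] = thunks, thunks                               # INT, IAT
    d[0x58:0x65], d[0x68:0x76] = b"KERNEL32.dll\0", b"\0\0ExitProcess\0"     # DLL name, hint/name
    struct.pack_into("<QQQQII", d, 0x78, IMAGE_BASE + D + 0xB4, IMAGE_BASE + D + 0xB4,   # IMAGE_TLS_DIRECTORY64
                     IMAGE_BASE + D + 0xB0, IMAGE_BASE + D + 0xA0, 0, 0)    # (raw start/end, index, callbacks)
    struct.pack_into("<QQ", d, 0xA0, IMAGE_BASE + 0x1010, 0)                 # callback array, NULL-terminated
    d[0xB8:0xC4] = struct.pack("<IIHH", 0x1000, 12, (10 << 12) | 0x002, 0)   # page 0x1000: 1 DIR64 + pad
    d[0xC4:0xD8] = struct.pack("<II6H", 0x2000, 20,                           # page 0x2000: 5 DIR64 + pad
                               *[(10 << 12) | o for o in (0x78, 0x80, 0x88, 0x90, 0xA0)], 0)
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 2, 0, 0, 0, 240, 0x22)   # IMAGE_FILE_HEADER, 2 sections
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000,
                      IMAGE_BASE, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)             # IMAGE_OPTIONAL_HEADER64
    dirs = [(0, 0)] * 16
    dirs[1], dirs[5], dirs[9] = (D, 40), (D + 0xB8, 32), (D + 0x78, 40)      # import, basereloc, TLS
    hdr[0x58:0x148] = opt + b"".join(struct.pack("<II", *x) for x in dirs)
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x148, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x170, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr + text + d)


def map_image(pe, load_base, exports):
    """Manually map a PE32+ image at load_base: copy headers and sections, apply base relocations,
    fill the IAT via `exports` (a dict standing in for LoadLibrary/GetProcAddress), collect TLS callbacks."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, nt + 24)[0] != 0x20B:
        raise ValueError("not a PE32+ (x64) image; this example handles only that format")
    nsect, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    entry, image_base = struct.unpack_from("<I", pe, opt + 16)[0], struct.unpack_from("<Q", pe, opt + 24)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)

    def directory(i):                                   # (RVA, size) of data directory i
        return struct.unpack_from("<II", pe, opt + 112 + 8 * i)

    img = bytearray(size_of_image)                      # stands in for VirtualAlloc(SizeOfImage)
    img[:size_of_headers] = pe[:size_of_headers]
    prot = {}                                           # protection each section would get from VirtualProtect
    for i in range(nsect):
        name, _, va, rawsz, rawptr, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        img[va:va + rawsz] = pe[rawptr:rawptr + rawsz]
        prot[name.rstrip(b"\0").decode()] = "".join(f for f, bit in SECTION_FLAGS if ch & bit)
    rva, size = directory(5)                            # base relocations
    delta, end, applied = load_base - image_base, rva + size, 0
    if delta and not size:
        raise ValueError("image has no relocations and cannot be mapped away from its preferred base")
    while delta and rva < end:
        page, block = struct.unpack_from("<II", img, rva)
        for off in range(rva + 8, rva + block, 2):
            ent = struct.unpack_from("<H", img, off)[0]
            typ, where = ent >> 12, page + (ent & 0xFFF)
            if typ == IMAGE_REL_BASED_DIR64:            # 64-bit absolute address: add the delta
                struct.pack_into("<Q", img, where, struct.unpack_from("<Q", img, where)[0] + delta)
                applied += 1
            elif typ != IMAGE_REL_BASED_ABSOLUTE:       # ABSOLUTE entries are alignment padding
                raise ValueError(f"unsupported relocation type {typ}")
        rva += block
    resolved, rva = [], directory(1)[0]                 # imports: one descriptor per DLL, zero-terminated
    while rva and struct.unpack_from("<I", img, rva + 12)[0]:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, rva)
        dll = cstr(img, name_rva)
        table, k = exports[dll], 0                      # exports[dll] stands in for LoadLibrary(dll)
        while (thunk := struct.unpack_from("<Q", img, (oft or ft) + k)[0]):
            sym = thunk & 0xFFFF if thunk & IMAGE_ORDINAL_FLAG64 else cstr(img, (thunk & 0xFFFFFFFF) + 2)
            struct.pack_into("<Q", img, ft + k, table[sym])   # GetProcAddress result written into the IAT
            resolved.append((dll, sym, table[sym]))
            k += 8
        rva += 20
    callbacks, rva = [], directory(9)[0]                # TLS: AddressOfCallBacks is a VA, already relocated
    if rva:
        k = struct.unpack_from("<Q", img, rva + 24)[0] - load_base
        while (cb := struct.unpack_from("<Q", img, k)[0]):
            callbacks.append(cb)                        # these run before the entry point
            k += 8
    return {"image": img, "protections": prot, "relocations": applied,
            "imports": resolved, "tls_callbacks": callbacks, "entry": load_base + entry}


# constructed export table: pretend KERNEL32.dll exports ExitProcess by name and something at ordinal 2
FAKE_EXPORTS = {"KERNEL32.dll": {"ExitProcess": 0x7FFA00001000, 2: 0x7FFA00002000}}
```

Calling `map_image(build_sample_pe(), 0x7FF600000000, FAKE_EXPORTS)` maps the sample away from its preferred base, so six DIR64 fixups are applied (the `mov rax` immediate, the four TLS directory pointers and the callback array entry), the IAT receives the two fake addresses, and one TLS callback is reported. Mapping at `0x140000000` applies no relocations, and a copy with the relocation directory zeroed can only be mapped at the preferred base, which is the fixed-base case from the feature list.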
Anva is powered by MinHook for both its 32-bit and 64-bit trampoline hooks. It uses these hooks to intercept specific WinAPI and NTAPI calls and respond accordingly. Because a trampoline hook patches the prologue of the hooked function, a target that checksums the code of loaded modules can notice it; the mechanism can be switched to a process instrumentation callback (registered with NtSetInformationProcess), which observes returns from kernel mode, including syscall returns, without modifying any code.
Anva can be used in different domains:
- Malware analysis
- Reverse engineering
- Protection unpacking
- API monitoring
- CRC bypassing
This is only a proof of concept. Because the target runs inside Anva's own process, it executes with Anva's privileges and can read or modify Anva's memory and hooks, so always run malicious software through Anva inside a disposable Virtual Machine.