| last_reviewed | 2026-04-27 |
|---|---|
| reflects_commit | f31fca1 |
The recon/* package tree groups discovery + environmental awareness primitives:

- Anti-analysis — debugger / VM / sandbox detection (antidebug, antivm, sandbox, timing).
- Hijack discovery — DLL search-order hijack opportunities (dllhijack).
- Hook detection — hardware breakpoint inspection (hwbp).
- System enumeration — drives, special folders, network (drive, folder, network).
```mermaid
flowchart TB
    subgraph anti [Anti-analysis]
        AD[antidebug]
        AV[antivm]
        TIME[timing]
        SB[sandbox<br>orchestrator]
        AD --> SB
        AV --> SB
        TIME --> SB
    end
    subgraph discovery [System discovery]
        DRV[drive]
        FLD[folder]
        NET[network]
    end
    subgraph hooks [Hook detection]
        HWBP[hwbp<br>DR0-DR3]
    end
    subgraph hijack [Hijack discovery]
        DLL[dllhijack<br>services + procs +<br>tasks + autoElevate]
    end
    SB --> BAIL[bail-on-detect]
    HWBP --> CLEAR[clear + unhook]
    DLL --> EXPLOIT[validate + deploy]
    DRV --> STAGE[USB-stage / SMB-share lateral]
    FLD --> PERSIST[persistence path resolution]
    NET --> C2[source-aware C2]
```
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| recon/antidebug | anti-analysis.md | quiet | Cross-platform debugger detection (PEB / TracerPid) |
| recon/antivm | anti-analysis.md | quiet | Multi-vendor hypervisor detection (7 dimensions) |
| recon/sandbox | sandbox.md | quiet | Multi-factor sandbox orchestrator |
| recon/timing | timing.md | quiet | CPU-burn defeats Sleep-hook fast-forward |
| recon/dllhijack | dll-hijack.md | moderate | Discover DLL search-order hijack opportunities |
| recon/hwbp | hw-breakpoints.md | moderate | Detect + clear EDR HWBPs in DR0-DR3 |
| recon/drive | drive.md | very-quiet | Drive enum + USB-insert watcher (Windows) |
| recon/folder | folder.md | very-quiet | Windows special-folder path resolution |
| recon/network | network.md | very-quiet | Cross-platform interface IPs + IsLocal |
| You want to… | Use |
|---|---|
| …bail if a debugger is attached | antidebug.IsDebuggerPresent |
| …bail if running in a hypervisor | antivm.Detect |
| …run multi-factor "is this analysis?" | sandbox.New(DefaultConfig).IsSandboxed |
| …burn CPU to defeat Sleep fast-forward | timing.BusyWait |
| …find DLL hijack candidates | dllhijack.ScanAll |
| …UAC bypass via autoElevate hijack | dllhijack.ScanAutoElevate |
| …detect EDR HWBPs in ntdll | hwbp.Detect → ClearAll |
| …list mounted drives + watch removable insertions | drive.NewWatcher |
| …resolve %APPDATA% / %PROGRAMDATA% | folder.Get |
| …list host IPs / detect self-references | network.InterfaceIPs / IsLocal |
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1622 | Debugger Evasion | antidebug, hwbp | D3-EI |
| T1497 | Virtualization/Sandbox Evasion | sandbox | D3-EI |
| T1497.001 | System Checks | antivm | D3-EI |
| T1497.003 | Time Based Evasion | timing | D3-EI |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | dllhijack | D3-EAL |
| T1548.002 | Bypass UAC | dllhijack (autoElevate) | D3-EAL |
| T1027.005 | Indicator Removal from Tools | hwbp | D3-PSA |
| T1120 | Peripheral Device Discovery | drive | — |
| T1083 | File and Directory Discovery | folder, drive | — |
| T1016 | System Network Configuration Discovery | network | — |
- Operator path: pre-flight discovery
- Detection eng path

Related packages:

- evasion/unhook — pair with hwbp.ClearAll for full hook clear.
- win/syscall — direct/indirect syscalls bypass both inline + HWBP.
- persistence/* — consumes folder.Get for path resolution.