Category Archives: A.R.F Project News

A.R.F v2.0 – News #2

I have started updating the documentation for the A.R.F v2.0 and also testing a few methods.

Today I added an extra generic method that aims to detect all process monitoring tools which work through DLL injection into the target process.

The release date for the A.R.F v2.0 is getting really close…


A.R.F v2.0 – Preview (x86) –

New detection methods are constantly being added to the A.R.F Project, including detection of popular VMs, the famous Sandboxie, SpyStudio, and API Monitor, now bringing the total number of Anti-Reversing methods to 31, and counting…

More methods are going to be added before the official release of the A.R.F v2.0, and I am also planning major changes to existing ones which will make the code much stealthier from the reversing point of view.

The release of A.R.F v2.0 might take a little bit longer than expected, but you can bet that your patience will be rewarded.

I decided to release a compiled executable that includes some of the new methods added, but not the updates to the existing ones.

Download: A.R.F v2.0 – Preview (x86) –

A.R.F v2.0 – News #1

***The following methods are not available for download yet.***

New methods added in:

SehDbgDetection Class
HardwareBreakPointDetection class

New Class added:

VirtualMachineDetection – Currently includes 6 new methods (2 for each) to detect VirtualPC, VMware, and VirtualBox. More methods are being developed to detect these 3 popular VMs.

What’s next…

Detecting sandboxes – Currently one method has been tested for the well-known Sandboxie, and more research is coming for other popular sandboxes.

A.R.F v2.0

I had promised that I would keep working on the Anti-Reversing Framework, so I am back on it.

Even if I don’t have a lot of free time, I am planning to release v2.0 before September.

The new version will include more debugger detection methods, as well as various methods to detect Virtual Machines such as VMware, VirtualPC, etc.

Finally, I am also planning to add some generic “attack” methods that the user will be able to use in case a debugger or a VM has been detected. However, this could be a feature of v2.1 later on, depending on the time I have available.

Stay tuned,