Recon techniques
The `recon/*` package tree groups discovery and environmental awareness primitives:
- Anti-analysis — debugger / VM / sandbox detection (`antidebug`, `antivm`, `sandbox`, `timing`).
- Hijack discovery — DLL search-order hijack opportunities (`dllhijack`).
- Hook detection — hardware breakpoint inspection (`hwbp`).
- System enumeration — drives, special folders, network (`drive`, `folder`, `network`).
```mermaid
flowchart TB
    subgraph anti [Anti-analysis]
        AD[antidebug]
        AV[antivm]
        TIME[timing]
        SB[sandbox<br>orchestrator]
        AD --> SB
        AV --> SB
        TIME --> SB
    end
    subgraph discovery [System discovery]
        DRV[drive]
        FLD[folder]
        NET[network]
    end
    subgraph hooks [Hook detection]
        HWBP[hwbp<br>DR0-DR3]
    end
    subgraph hijack [Hijack discovery]
        DLL[dllhijack<br>services + procs +<br>tasks + autoElevate]
    end
    SB --> BAIL[bail-on-detect]
    HWBP --> CLEAR[clear + unhook]
    DLL --> EXPLOIT[validate + deploy]
    DRV --> STAGE[USB-stage / SMB-share lateral]
    FLD --> PERSIST[persistence path resolution]
    NET --> C2[source-aware C2]
```
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| recon/antidebug | anti-analysis.md | quiet | Cross-platform debugger detection (PEB / TracerPid) |
| recon/antivm | anti-analysis.md | quiet | Multi-vendor hypervisor detection (7 dimensions) |
| recon/sandbox | sandbox.md | quiet | Multi-factor sandbox orchestrator |
| recon/timing | timing.md | quiet | CPU-burn defeats Sleep-hook fast-forward |
| recon/dllhijack | dll-hijack.md | moderate | Discover DLL search-order hijack opportunities |
| recon/hwbp | hw-breakpoints.md | moderate | Detect + clear EDR HWBPs in DR0-DR3 |
| recon/drive | drive.md | very-quiet | Drive enum + USB-insert watcher (Windows) |
| recon/folder | folder.md | very-quiet | Windows special-folder path resolution |
| recon/network | network.md | very-quiet | Cross-platform interface IPs + IsLocal |
Quick decision tree
| You want to… | Use |
|---|---|
| …bail if a debugger is attached | antidebug.IsDebuggerPresent |
| …bail if running in a hypervisor | antivm.Detect |
| …run multi-factor "is this analysis?" | sandbox.New(DefaultConfig).IsSandboxed |
| …burn CPU to defeat Sleep fast-forward | timing.BusyWait |
| …find DLL hijack candidates | dllhijack.ScanAll |
| …UAC bypass via autoElevate hijack | dllhijack.ScanAutoElevate |
| …detect EDR HWBPs in ntdll | hwbp.Detect → ClearAll |
| …list mounted drives + watch removable insertions | drive.NewWatcher |
| …resolve %APPDATA% / %PROGRAMDATA% | folder.Get |
| …list host IPs / detect self-references | network.InterfaceIPs / IsLocal |
MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1622 | Debugger Evasion | antidebug, hwbp | D3-EI |
| T1497 | Virtualization/Sandbox Evasion | sandbox | D3-EI |
| T1497.001 | System Checks | antivm | D3-EI |
| T1497.003 | Time Based Evasion | timing | D3-EI |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | dllhijack | D3-EAL |
| T1548.002 | Bypass UAC | dllhijack (autoElevate) | D3-EAL |
| T1027.005 | Indicator Removal from Tools | hwbp | D3-PSA |
| T1120 | Peripheral Device Discovery | drive | — |
| T1083 | File and Directory Discovery | folder, drive | — |
| T1016 | System Network Configuration Discovery | network | — |
See also
- Operator path: pre-flight discovery
- Detection eng path
- `evasion/unhook` — pair with `hwbp.ClearAll` for full hook clear.
- `win/syscall` — direct/indirect syscalls bypass both inline + HWBP.
- `persistence/*` — consumes `folder.Get` for path resolution.