Anti-Reversing Techniques

Name: agents/anti-reversing-techniques
Author: wshobson

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill provides detailed instructions and functional code for bypassing

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Anti-Reversing Techniques: Understanding protection mechanisms encountered during authorized software analysis, security research, and malware analysis. This knowledge helps analysts bypass protections to complete legitimate analysis tasks.

Actually does

The skill provides detailed descriptions, code examples (C, Python, GDB), and tool recommendations for identifying and bypassing anti-debugging (Windows API/PEB/timing/exception-based, Linux ptrace/procfs), anti-VM (CPUID, registry/file/process checks, timing), and code obfuscation (control flow, data, instruction-level) techniques. It references tools like ScyllaHide, x64dbg, IDA, Ghidra, GDB, FLOSS, angr, and Triton, and suggests manipulating binary code, process memory, and system calls.

Threat Analysis

AI Agent Traps ↗Scanned 5/4/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning3 findings

Cognitive StateMemory & Learningclean

Behavioural ControlAction6 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namewshobson/agents/anti-reversing-techniques

Registrygithub

Versionece811f23310

PURLpkg:github/wshobson/agents@ece811f23310?skill=anti-reversing-techniques

Stars34,864

Installs5,700

Source

Repository ↗SKILL.md ↗

SHA-25602fd49bd75de...

SHA-14c5ce6b67a8a...

MD5b452f4774a5c...

TLSHda621a12f5b1...

ssdeep192:DK1qg+FG...

Size15,090 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/wshobson/agents

5,700 installs

Skills.shDocs

npx skills add https://github.com/wshobson/agents

Assessments (2)

AI Agent Traps ↗

Code Injection and Runtime Manipulationcriticalcommand execution

The skill provides explicit instructions for code injection via LD_PRELOAD on Linux and detailed commands for runtime manipulation and binary patching using debuggers (GDB, IDA, x64dbg). These techniques allow for arbitrary code execution and alteration of program behavior.

100% confidenceline 82

LD_PRELOAD=./hook.so ./target; ida_bytes.patch_byte(check_addr, 0x90); GDB command sequence to set $rax = 0.

Reconnaissance of Analysis Environmentsmediumreconnaissance

The skill details numerous methods for detecting debugging environments (e.g., IsDebuggerPresent, ptrace, /proc/self/status) and virtual machines (e.g., CPUID, registry/file checks). It also includes a Python script for scanning binaries for anti-debug patterns.

100% confidenceline 192

if (IsDebuggerPresent()) { exit(1); }; if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1); Python script to scan for common timing-based anti-debug patterns.

Anti-VM/Sandbox Detection Techniques Documentedmediumanti analysis

The skill provides detailed techniques for detecting virtualized/sandboxed environments including CPUID hypervisor bit checks, vendor string identification, MAC address prefix detection, registry/file artifact enumeration, and timing anomaly detection. While framed as educational, this constitutes a comprehensive guide for evasion of analysis sandboxes.

65% confidenceline 258

// CPUID-based detection
int cpuid_info[4];
__cpuid(cpuid_info, 1);
// Check hypervisor bit (bit 31 of ECX)
if (cpuid_info[2] & (1 << 31)) {
    // Running in hypervisor
}
// CPUID brand string ... "VMwareVMware", "Microsoft Hv", "KVMKVMKVM", "VBoxVBoxVBox"

LD_PRELOAD Hook Instructions for ptrace Bypassmediumcommand execution

The skill provides complete working instructions for creating and using an LD_PRELOAD shared library to intercept and neutralize ptrace anti-debugging calls. This is a functional technique usable directly for bypassing security controls in unauthorized contexts.

60% confidenceline 216

# hook.c: long ptrace(int request, ...) { return 0; }
# gcc -shared -fPIC -o hook.so hook.c
LD_PRELOAD=./hook.so ./target

Binary Scanning Script with Arbitrary File Readlowcommand execution

The embedded Python script reads arbitrary files from disk via a command-line argument without any path validation or sandboxing. When executed by an agent in an automated pipeline, this could be directed at sensitive files beyond the intended binary targets.

40% confidenceline 100

def scan(path: str) -> None:
    data = open(path, "rb").read()
    print(f"Scanning: {path} ({len(data)} bytes)\n")

GDB Commands to Intercept and Modify Syscallsmediumcommand execution

The skill provides ready-to-use GDB command sequences that intercept system calls (ptrace, openat) and modify register values and flags at runtime. These commands could be repurposed to manipulate arbitrary process execution in unauthorized contexts.

55% confidenceline 163

catch syscall ptrace
commands
  silent
  set $rax = 0
  continue
end

# 2. Bypass check after ptrace call: find "cmp rax, 0xffffffff; je <exit>"
#    Clear ZF so the conditional jump is not taken:
#    set $eflags = $eflags & ~0x40

Dual-Use Security Techniques Disclaimerinfooversight evasion

The skill explicitly states it contains 'dual-use security techniques' and provides warnings about legal compliance and authorized use. While not malicious, this framing highlights the high-risk nature of the capabilities described.

100% confidenceline 10

AUTHORIZED USE ONLY: This skill contains dual-use security techniques. ... Legal compliance: Understand that unauthorized bypassing of software protection may violate laws (CFAA, DMCA anti-circumvention, etc.)

Oversight Evasion via Authorization Framinglowoversight evasion

The skill uses repeated authorization framing ('AUTHORIZED USE ONLY', 'legitimate security context', 'ethical considerations') that could be leveraged to convince an agent or human overseer that generating anti-debugging/anti-VM bypass code is sanctioned, potentially lowering scrutiny on requests that combine these techniques maliciously.

45% confidenceline 7

> **AUTHORIZED USE ONLY**: This skill contains dual-use security techniques. Before proceeding with any bypass or analysis:
>
> 1. **Verify authorization**: Confirm you have explicit written permission...

Dual-Use Anti-Debug Bypass Knowledge Basemediumoversight evasion

The skill description explicitly includes implementing anti-debugging protections as a use case ('implementing anti-debugging protections for CTF challenges'), blending offensive capability (implementing evasive malware features) with defensive framing. This normalizes generation of evasive code under the CTF/research umbrella.

50% confidenceline 3

Use this skill when analyzing malware evasion techniques, when implementing anti-debugging protections for CTF challenges, when reverse engineering packed binaries, or when building security research tools that need to detect virtualized environments.

Version History (2)

ece811f23310current100Critical5/4/2026 03d0b4b9eb4d70High4/15/2026

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/wshobson/agents/anti-reversing-techniques.svg)](https://mondoo.com/ai-agent-security/skills/github/wshobson/agents/anti-reversing-techniques)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/wshobson/agents/anti-reversing-techniques"><img src="https://mondoo.com/ai-agent-security/api/badge/github/wshobson/agents/anti-reversing-techniques.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/wshobson/agents/anti-reversing-techniques.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow