HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 351,
"next": "https://unprotect.it/api/techniques/?format=api&page=7",
"previous": "https://unprotect.it/api/techniques/?format=api&page=5",
"results": [
{
"id": 115,
"key": "extra-window-memory-injection",
"unprotect_id": "U1219, E1055.011",
"name": "Extra Window Memory Injection",
"description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). \r\n\r\nRegistration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.\r\n\r\nAdversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
"resources": "https://www.crowdstrike.com/blog/through-window-creative-code-invocation/\nhttps://modexp.wordpress.com/2018/08/26/process-injection-ctray/",
"creation_date": "2019-03-23T17:26:37Z",
"tags": "EWMI, Code Injection",
"modification_date": "2023-10-04T10:43:53.882000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
23,
24,
239,
290,
357,
363,
425
],
"contributors": []
},
{
"id": 114,
"key": "atom-bombing",
"unprotect_id": "U1220",
"name": "Atom Bombing",
"description": "Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process. \r\n\r\nThe technique involves storing a shellcode in an Atom Table, then using the `NtQueueApcThread` function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data Execution Prevention (DEP), the technique also employs Return Oriented Programming (ROP) chains. \r\n\r\nAtom Bombing is a form of process injection that abuses legitimate Windows functions to store and execute malicious code in a target process.",
"resources": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows",
"creation_date": "2019-03-23T17:22:37Z",
"tags": "Atom Bombing, Process injection, Windows functions, Atom Tables, Globally accessible string storage, shellcode, NtQueueApcThread, targeted process, Return Oriented Programming (ROP), Data Execution Prevention (DEP), injection, malicious code, Windows Atom Tables, global storage mechanism,",
"modification_date": "2023-10-04T10:42:35.764000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
7,
18,
21,
22,
23,
24,
25,
26,
27,
28,
29,
30,
338,
339,
340,
357,
365,
381,
383,
395,
399,
412,
415,
419,
425,
439,
444,
449,
532
],
"contributors": []
},
{
"id": 113,
"key": "apc-injection",
"unprotect_id": "U1221, E1055.004",
"name": "APC injection",
"description": "Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.\r\n\r\nEach thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.\r\n\r\nA thread enters an alert table state if it calls `SleepEx`, `SignalObjectAndWait`, `MsgWaitForMultipleObjectsEx`, `WaitForMultipleObjectsEx`, or `WaitForSingleObjectEx` functions. The malware usually looks for any thread that is in an alterable state, and then calls `OpenThread` and `QueueUserAPC` to queue an APC to a thread.",
"resources": "",
"creation_date": "2019-03-23T17:21:25Z",
"tags": "Asynchronous Procedure Calls (APC), custom code, APC Queue, target thread, alterable state, SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, WaitForSingleObjectEx, OpenThread, QueueUserAPC, Malware, thread, execution",
"modification_date": "2023-10-04T10:39:04.584000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
13,
14,
15,
16,
17,
18,
19,
20,
21,
22,
23,
24,
25,
26,
27,
28,
29,
30,
132,
239,
290,
295,
381,
399,
419
],
"contributors": []
},
{
"id": 112,
"key": "image-file-execution-options-injection",
"unprotect_id": "U1222",
"name": "Image File Execution Options Injection",
"description": "Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system. \r\n\r\nThe technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating system checks the corresponding IFEO registry key for any specified debugging options. If the key exists, the operating system launches the specified debugger instead of the executable file. \r\n\r\nAlong with IFEO, malware also uses other registry keys such as `Appinit_DLL` and `AppCertDlls` for both injection and persistence on the compromised system. These keys are used by the operating system to load DLLs at the start of a process and for code signing, respectively.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:19:27Z",
"tags": "Image File Execution Options Injection, IFEO Injection, malware, evasion, detection, persistence, compromised system, registry keys, Windows operating system, debugging options, executable files, Appinit_DLL, AppCertDlls, injection, DLLs, code signing,de signing,",
"modification_date": "2023-10-04T10:44:02.397000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 111,
"key": "thread-execution-hijacking",
"unprotect_id": "U1223, E1055.003",
"name": "Thread Execution Hijacking",
"description": "Thread execution hijacking is a technique used by malware to evade detection by targeting an existing thread of a process and avoiding any noisy process or thread creation operations. This technique allows the malware to run its code within the context of the targeted thread, without creating new processes or threads, which can be easily detected by security software.\r\n\r\nDuring analysis, it is possible to observe calls to `CreateToolhelp32Snapshot` and `Thread32First` functions followed by `OpenThread`, which are used by the malware to enumerate and select the target thread.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-23T17:16:57Z",
"tags": "thread execution hijacking, malware, evading detection, existing thread, process, avoiding noisy process, thread creations operations, analysis, CreateToolhelp32Snapshot, Thread32First,",
"modification_date": "2023-10-04T10:42:29.198000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
18,
23,
28,
29,
30
],
"contributors": []
},
{
"id": 110,
"key": "reflective-dll-injection",
"unprotect_id": "U1224",
"name": "Reflective DLL injection",
"description": "Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a `LoadLibrary` function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.\r\n\r\nThe way the reflective injection works is described by the technique's original author Stephen Fewer:\r\n\r\n* Execution is passed, either via `CreateRemoteThread` or a tiny bootstrap shellcode, to the library's\r\n\r\n* ReflectiveLoader function which is an exported function found in the library's export table.\r\n\r\n- As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.\r\n\r\n- The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely `LoadLibraryA`, `GetProcAddress` and `VirtualAlloc`.\r\n\r\n- The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.\r\n\r\n- The library's headers and sections are loaded into their new locations in memory.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.\r\n\r\n- The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with `DLL_PROCESS_ATTACH`. The library has now been successfully loaded into memory.\r\n\r\n- Finally, the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via `CreateRemoteThread`, the thread will terminate.",
"resources": "https://0x00sec.org/t/reflective-dll-injection/3080\nhttps://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection",
"creation_date": "2019-03-23T17:13:35Z",
"tags": "",
"modification_date": "2023-10-04T10:42:57.942000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
7,
23,
340,
357,
365,
380,
419,
425,
439
],
"contributors": []
},
{
"id": 109,
"key": "suspendthread",
"unprotect_id": "U0101, C0055",
"name": "SuspendThread",
"description": "Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the `SuspendThread` function from the kernel32.dll library or the `NtSuspendThread` function from the NTDLL.DLL library. \r\n\r\nThe malware can enumerate the threads of a given process, or search for a named window and open its owner thread, and then suspend that thread. This will prevent the debugger from running and make it more difficult to analyze the code. \r\n\r\nThis technique can be used by malware authors to evade detection and analysis, and make their code more difficult to understand.",
"resources": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread\nhttp://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtSuspendThread.htmlhttps://secret.club/2021/01/04/thread-stuff.html",
"creation_date": "2019-03-23T17:09:11Z",
"tags": "SuspendThread,\r\nNtSuspendThread,\r\nDebugging,\r\nAnti-debugging,\r\nThread enumeration,\r\nProcess enumeration,",
"modification_date": "2023-10-04T10:44:18.329000Z",
"category": [
3
],
"rules": [
65
],
"attachments": [],
"featured_api": [
18,
23,
26,
27,
28,
29,
30,
106,
133,
239,
245,
290,
295,
355,
412,
419
],
"contributors": []
},
{
"id": 108,
"key": "guard-pages",
"unprotect_id": "U0102, B0006.006",
"name": "Guard Pages",
"description": "Memory breakpoints are a technique used by malware to detect if a debugger is present. This technique involves setting up a \"guard page\" in memory, which is a page of memory that is protected by the operating system and cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its presence.\r\n\r\nThis technique works by putting a return address onto the stack, then accessing the guard page. If the operating system detects that the guard page has been accessed, it will raise a STATUS_GUARD_PAGE_VIOLATION exception. The malware can then check for this exception, and if it is present, it can assume that no debugging is taking place. This allows the malware to evade detection and continue to operate without being interrupted by a debugger.",
"resources": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/",
"creation_date": "2019-03-23T17:05:57Z",
"tags": "Memory breakpoints,\r\nGuard pages,\r\nDebugger detection,\r\nSTATUS_GUARD_PAGE_VIOLATION,",
"modification_date": "2023-10-04T10:44:17.143000Z",
"category": [
3
],
"rules": [
68
],
"attachments": [],
"featured_api": [
3,
363,
422
],
"contributors": []
},
{
"id": 107,
"key": "ntsetdebugfilterstate",
"unprotect_id": "U0103",
"name": "NtSetDebugFilterState",
"description": "The `NtSetDebugFilterState` and `DbgSetDebugFilterState` functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.\r\n\r\nWhen a kernel mode debugger is present, the debug filter will be triggered, and the malware can then take actions to evade detection and continue to operate. This technique is commonly used by malware to avoid analysis by security researchers and avoid being detected by security software. By using these functions, the malware can operate stealthily and evade detection, making it difficult for analysts to reverse engineer the malware and understand its capabilities and behaviors.",
"resources": "",
"creation_date": "2019-03-23T17:00:59Z",
"tags": "NtSetDebugFilterState,\r\nDbgSetDebugFilterState,\r\nKernel mode debugger detection,\r\nDebug filter,",
"modification_date": "2022-12-06T09:47:13.926000Z",
"category": [
3
],
"rules": [
66
],
"attachments": [
"b913237e-4937-4062-9187-b752a00d818c"
],
"featured_api": [
376,
425
],
"contributors": []
},
{
"id": 106,
"key": "code-cave",
"unprotect_id": "U0502",
"name": "Code Cave",
"description": "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.",
"resources": "https://resources.infosecinstitute.com/injecting-spyware-exe-code-injections/",
"creation_date": "2019-03-23T16:53:39Z",
"tags": "",
"modification_date": "2023-10-04T10:42:32.184000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
4,
5
]
},
{
"id": 105,
"key": "stolen-certificate",
"unprotect_id": "U0503",
"name": "Stolen certificate",
"description": "To avoid detection, attackers can use stolen certificates from known companies. It allows the malware to bypass security solution.",
"resources": "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"creation_date": "2019-03-23T16:51:37Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.333000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 104,
"key": "redirect-antivirus-website",
"unprotect_id": "U0504",
"name": "Redirect Antivirus Website",
"description": "To avoid connection to anti malware website, malware can modify the host file to redirect the connexion.",
"resources": "https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/",
"creation_date": "2019-03-23T16:44:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:24.854000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 103,
"key": "time-bomb",
"unprotect_id": "U1005, B0007.008",
"name": "Time Bomb",
"description": "Some malware contains a built-in expiration date, after which the malware will no longer run or function. This can be used by attackers to limit the time during which the malware can be detected and analyzed by security researchers. In order to run and analyze the malware after its expiration date, security researchers must manually change the date on the machine where the malware is being analyzed. \r\n\r\nThis can be effective in defeating sandbox environments, which are typically used to isolate and analyze malware, if the sandbox's clock is not set to the current date. By using this technique, attackers can make it more difficult for researchers to analyze and understand their malware, potentially allowing it to evade detection.",
"resources": "https://en.wikipedia.org/wiki/Time_bomb_(software)",
"creation_date": "2019-03-18T14:56:28Z",
"tags": "timebomb,\r\nchange date,\r\nsandbox environments,\r\nisolate malware,\r\nanalyze malware,\r\nclock,",
"modification_date": "2023-10-04T10:42:26.818000Z",
"category": [
1,
14
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 102,
"key": "shortcut-hiding",
"unprotect_id": "U0505",
"name": "Shortcut Hiding",
"description": "Windows shortcut can be used to store code that downloads a malicious file from the internet, or that stores the malicious file directly within the shortcut itself. This can make it difficult for antivirus software to detect the malicious application, as the file is not stored in a typical location on the computer. Additionally, the use of a shortcut can make it easier for the attacker to hide the malicious code and evade detection.",
"resources": "",
"creation_date": "2019-03-18T14:56:11Z",
"tags": "Windows shortcut,\r\nAntivirus software,\r\nHide code,\r\nEvade detection,",
"modification_date": "2023-10-04T10:38:07.524000Z",
"category": [
2
],
"rules": [
130
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 101,
"key": "geofencing",
"unprotect_id": "U1006",
"name": "Geofencing",
"description": "Geofencing in malware refers to a technique used by cybercriminals to restrict the distribution or activation of malicious software based on geographical location. Malware authors use geofencing to target specific regions or avoid certain areas, such as their home country, in order to evade detection, minimize the chances of being investigated, or maximize the effectiveness of their attacks.\r\n\r\nGeofencing works by checking the IP address, GPS coordinates, or other location data of a potential victim's device. If the device is within the predetermined boundaries defined by the attacker, the malware may proceed with its intended actions, such as infecting the device, stealing data, or launching further attacks. Conversely, if the device is outside the defined boundaries, the malware may remain dormant or deactivate itself to avoid detection.\r\n\r\nMalware authors might use geofencing for various reasons, such as:\r\n\r\n\r\n1. **Targeting specific countries or regions:** Attackers may focus on certain areas due to economic, political, or strategic reasons, or to exploit known vulnerabilities in specific regions.\r\n\r\n2. **Avoiding detection by security researchers:** By restricting the distribution of malware to specific regions, attackers may make it more difficult for security researchers to obtain and analyze samples of the malicious software.\r\n\r\n3. **Evading law enforcement:** By not targeting their own country, cybercriminals can minimize the risk of drawing the attention of local law enforcement agencies.\r\n\r\n4. **Complying with criminal partnerships:** Some cybercriminal groups may have agreements not to target each other's territories, and geofencing allows them to abide by these agreements while still conducting their operations.",
"resources": "https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-4/",
"creation_date": "2019-03-18T14:54:34Z",
"tags": "geofencing, malware, cybercriminals, geographical location, IP address, GPS coordinates, location data, victim's device, predetermined boundaries, distribution, activation, malicious software, targeting, regions",
"modification_date": "2023-10-04T10:44:25.920000Z",
"category": [
14
],
"rules": [],
"attachments": [],
"featured_api": [
331
],
"contributors": []
},
{
"id": 100,
"key": "custom-encoding",
"unprotect_id": "U0702,E1027.m03",
"name": "Custom Encoding",
"description": "Malware often uses custom encoding schemes to conceal their payloads and avoid detection. These custom schemes can be full custom layers, or they can be variations of known algorithms such as XOR or Base64. Using custom encoding schemes allows malware to encode their payloads in a unique way that can be difficult for security tools and forensic investigators to detect. \r\n\r\nIn some cases, the custom encoding scheme may be a combination of different algorithms, such as using XOR to encrypt the payload and then using Base64 to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze.\r\n\r\nTo safeguard payloads and communication channels, multiple data encoding operations (e.g., XOR, ADD, SUB, ROL, and ROR) can also be chained together with a randomly generated key. These operations are not only simple to execute and reverse but also demand minimal computing resources.",
"resources": "https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/",
"creation_date": "2019-03-18T14:54:13Z",
"tags": "Custom encoding schemes,\r\nConceal,\r\nPayloads,\r\nFull custom layers,\r\nVariations,\r\nKnown algorithms,\r\nXOR,\r\nBase64,",
"modification_date": "2023-10-04T10:44:46.799000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 99,
"key": "cryptography",
"unprotect_id": "U0703, E1027.m04",
"name": "Cryptography",
"description": "Cryptography is a technique often used by malware to protect against analysis or to perform malicious actions such as in ransomware attacks. In these cases, malware will use cryptography to encrypt their payloads or communication channels in order to make it difficult for security tools and forensic investigators to detect and analyze their activities. \r\n\r\nAdditionally, cryptography can be used by malware to make their payloads more difficult to reverse engineer, making it harder for researchers to understand their inner workings and develop effective countermeasures.",
"resources": "https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schmitt-A-Different-Kind-of-Crypto-Slides.pdf",
"creation_date": "2019-03-18T14:53:51Z",
"tags": "Cryptography,\r\nRansomware,\r\nEncrypt,\r\nPayloads,\r\nCommunication channels,",
"modification_date": "2023-10-04T10:44:21.880000Z",
"category": [
7
],
"rules": [
42
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 98,
"key": "rol",
"unprotect_id": "U0704",
"name": "ROL",
"description": "ROL, or Rotate Left, is a simple encoding algorithm similar to the Caesar Cipher. In the ROL algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the rotation value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nROL is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes ROL relatively easy to break, as frequency analysis can be used to determine the rotation value and decrypt the ciphertext. \r\n\r\nDespite its weaknesses, ROL is still a popular algorithm for teaching the basics of cryptography. In the context of malware, ROL can be used to encode the payload or communication channels in order to avoid detection and analysis.",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:31Z",
"tags": "ROL,\r\nCaesar Cipher,\r\nEncoding algorithm,\r\nPlaintext,\r\nCiphertext,\r\nRotation value,\r\nMonoalphabetic substitution cipher,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:51.702000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [
335
],
"contributors": []
},
{
"id": 97,
"key": "caesar-cipher",
"unprotect_id": "U0705",
"name": "Caesar Cipher",
"description": "The Caesar Cipher is a simple encoding algorithm that was used during the Roman Empire to hide secret messages. In this algorithm, each letter of the plaintext is replaced with a letter that is a fixed number of positions down the alphabet. For example, if the shift value is 3, then the letter \"A\" would be replaced with \"D\", \"B\" would be replaced with \"E\", and so on. \r\n\r\nThe Caesar Cipher is a monoalphabetic substitution cipher, meaning that each letter of the plaintext is replaced with the same letter of the ciphertext every time it appears. This makes the Caesar Cipher relatively easy to break, as frequency analysis can be used to determine the shift value and decrypt the ciphertext. \r\n\r\nThe Caesar Cipher algorithm can be used by malware in several ways. One possible use case is to encode the payload or command and control (C2) communication in order to make it more difficult for security tools and forensic investigators to detect and analyze. \r\n\r\nAnother possible use case is to use the Caesar Cipher as part of a more complex encoding scheme, such as using it to encrypt the payload and then using another algorithm, such as Base64, to encode the resulting ciphertext. This can make the encoded payload even more difficult to detect and analyze. In both cases, the use of the Caesar Cipher can help the malware avoid detection and continue operating on a compromised system.",
"resources": "https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/",
"creation_date": "2019-03-18T14:53:09Z",
"tags": "Caesar Cipher,\r\nEncoding algorithm,\r\nRoman Empire,\r\nSecret message,\r\nMonoalphabetic substitution cipher,\r\nPlaintext,\r\nCiphertext,\r\nShift value,\r\nFrequency analysis,",
"modification_date": "2023-10-04T10:42:42.092000Z",
"category": [
7
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 96,
"key": "base64",
"unprotect_id": "U0706, E1027.m02",
"name": "Base64",
"description": "Base64 is a simple encoding scheme that is often used by malware to represent binary data in an ASCII string. This allows the malware to encode and transmit binary data, such as a payload or network traffic, in a way that is more compact and easier to transmit over text-based communication channels. \r\n\r\nBase64 uses a 64-character alphabet to encode the data, which includes the upper and lower case letters, the digits 0-9, and the symbols \"+\" and \"/\". The encoded data is typically padded with the character \"=\" to ensure that it has a length that is a multiple of 4. The encoded data can then be decoded using the same 64-character alphabet to recover the original binary data. This makes Base64 a useful tool for malware to conceal their payloads and communicate with their command and control (C2) servers.",
"resources": "https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0",
"creation_date": "2019-03-18T14:52:37Z",
"tags": "Base64,\r\nBinary data,\r\nASCII string,\r\nEncoding,\r\nText-based communication channels,\r\n64-character alphabet,\r\nPadded,",
"modification_date": "2024-01-11T05:22:12.678000Z",
"category": [
7
],
"rules": [
146
],
"attachments": [],
"featured_api": [],
"contributors": [
5,
33
]
},
{
"id": 95,
"key": "xor-operation",
"unprotect_id": "U0701,E1027.m02",
"name": "XOR Operation",
"description": "The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data. \r\n\r\nThe encrypted data can then be decrypted using the same key, allowing the original data to be accessed. The XOR operation is often used by malware because it is easy to implement and can be used to effectively conceal data from detection.",
"resources": "https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+1/22486/",
"creation_date": "2019-03-18T14:52:04Z",
"tags": "XOR operation,\r\nKey,\r\nCiphertext,\r\nReversible function,\r\nEncode,\r\nDecode,\r\nEncrypt,\r\nDecrypt,",
"modification_date": "2024-01-04T05:14:05.126000Z",
"category": [
7
],
"rules": [
131,
136
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 94,
"key": "fileless-mechanisms",
"unprotect_id": "U1205, B0027.001",
"name": "FIleless Mechanisms",
"description": "Fileless malware is a type of malware that is designed to reside and execute entirely in the memory of a host system, without leaving any trace on the local disk. This can make it more difficult for security tools to detect and remove the malware, as it does not leave any files on the system that can be scanned or deleted.\r\n\r\nFileless malware is typically delivered through a variety of means, such as email attachments, malicious websites, or exploit kits. Once it has been delivered to the host system, it may use a variety of techniques to avoid detection and persist in the memory of the system. This can include modifying system settings, injecting code into legitimate processes, or using fileless malware-specific tools and frameworks.\r\n\r\nFileless malware can be difficult to detect and mitigate, as it does not leave any physical evidence on the system and can often evade traditional security measures that rely on scanning and analyzing the local disk. As a result, it is important for individuals and organizations to take steps to protect themselves against this type of malware, such as by keeping their systems and applications up to date, practicing safe browsing habits, and using security software that is designed to detect and mitigate fileless malware threats.",
"resources": "https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques",
"creation_date": "2019-03-18T14:48:03Z",
"tags": "Fileless malware,\r\nMemory,\r\nEmail attachments,\r\nMalicious websites,\r\nExploit kits,\r\nSystem settings,\r\nLegitimate processes,\r\nFileless malware-specific tools,",
"modification_date": "2023-10-04T10:43:48.702000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 93,
"key": "dll-injection-via-createremotethread-and-loadlibrary",
"unprotect_id": "U1226, E1055.001",
"name": "DLL Injection via CreateRemoteThread and LoadLibrary",
"description": "DLL Injection Via `CreateRemoteThread` and `LoadLibrary` is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.\r\n\r\nThe malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of the target process, and then creates a remote thread in the target process. The thread's start address is the `LoadLibrary` function, which is used to load the malicious DLL into the target process's address space. This allows the malware to execute its code within the context of the target process, without creating new processes or threads.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"creation_date": "2019-03-18T14:47:37Z",
"tags": "DLL Injection, CreateRemoteThread, LoadLibrary, malware, hook injection, process, system, code injection, legitimate process, virtual address space, remote thread, target process, LoadLibrary function, malicious DLL, execution,",
"modification_date": "2023-10-04T10:43:55.058000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
1,
3,
4,
5,
6,
7,
8,
9,
10,
23,
24,
355,
381,
419,
425
],
"contributors": []
},
{
"id": 92,
"key": "hook-injection",
"unprotect_id": "U1227, E1055.m01",
"name": "Hook Injection",
"description": "Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.\r\n\r\nIn the case of Windows, the `SetWindowsHookEx` function can be used by programs to install hooks that monitor events such as mouse clicks and keyboard key presses. This can enable malware to monitor user actions and steal sensitive information or perform other malicious actions. By using hook injection, malware can evade detection and continue to operate stealthily within a system.",
"resources": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\nhttps://www.ired.team/offensive-security/code-injection-process-injection/setwindowhookex-code-injection",
"creation_date": "2019-03-18T14:47:10Z",
"tags": "Hook injection, malware, internal functions, operating system, application, malicious code, existing function calls, intercept, manipulate, normal flow of execution, SetWindowsHookEx function,",
"modification_date": "2023-10-04T10:44:04.798000Z",
"category": [
4
],
"rules": [
118,
119
],
"attachments": [],
"featured_api": [
117,
131,
212,
272
],
"contributors": []
},
{
"id": 91,
"key": "entry-point-modification",
"unprotect_id": "U1228",
"name": "Entry Point Modification",
"description": "The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.",
"resources": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
"creation_date": "2019-03-18T14:46:26Z",
"tags": "entry point, executable file, execution, malware, techniques, changing, relocating, real entry point, protect code, analysis, security software, identification,",
"modification_date": "2023-10-04T10:42:18.759000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 90,
"key": "parent-process-detection",
"unprotect_id": "U0404",
"name": "Parent Process Detection",
"description": "Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it. \r\n\r\nFor example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by security analysts. If the parent process is not explorer.exe, then the process is likely being monitored and the malware can take evasive action, such as terminating itself.",
"resources": "https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/",
"creation_date": "2019-03-18T14:46:02Z",
"tags": "Process,\r\nSpawn,\r\nExplorer.exe,\r\nMonitoring,\r\nEvasive action,\r\nTermination,\r\nEncryption,",
"modification_date": "2023-10-04T10:42:17.040000Z",
"category": [
6
],
"rules": [
127
],
"attachments": [],
"featured_api": [
23,
26,
27,
28,
355,
419
],
"contributors": []
},
{
"id": 89,
"key": "process-camouflage-masquerading",
"unprotect_id": "U1230, F0005",
"name": "Process Camouflage, Masquerading",
"description": "Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as `svchost.exe`, and placing it in a legitimate folder. \r\n\r\nMasquerading can occur when the name or location of an executable, whether legitimate or malicious, is manipulated or abused to evade security defenses and observation. This technique has many variations and has been observed in various forms.\r\n\r\nThis technique is more a social engineering trick. The malware will use the same techniques to copy and rename the file as a legitimate one in the system. Some examples of how the malware can achieve this are:\r\n\r\n* Using scripting languages such as VBS or PowerShell to copy and rename the files.\r\n* Using built-in Windows commands such as copy and rename.\r\n* Using legitimate tools such as xcopy or robocopy to copy the files while preserving their original timestamps.\r\n\r\nThe detection of this technique is not based on the code used but in the analysis of the file properties such as the name, location, timestamps, and digital signature. And also, on the behavior of the process after it runs.",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-masquerade-ball",
"creation_date": "2019-03-18T14:45:21Z",
"tags": "Masquerading, malware, legitimate file, svchost.exe, legitimate folder, name, location, executable, manipulated, abused, security defenses, observation, variations, forms, legitimate software, source, process,",
"modification_date": "2023-10-04T10:44:04.348000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 88,
"key": "process-hollowing-runpe",
"unprotect_id": "U1225, E1055.012",
"name": "Process Hollowing, RunPE",
"description": "Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload. \r\n\r\nThe process is the following:\r\n\r\n* `CreateProcess`: in a suspended mode with the CreationFlag at 0x0000 0004.\r\n* `GetThreadContext`: retrieves the context of the specified thread.\r\n* `ZwUnmapViewOfSection`: Unmaps a view of a section from the virtual address space of a\r\nsubject process.\r\n* `VirtualAllocEx`: allocates memory within the suspended process’s address space.\r\n* `WriteProcessMemory`: writes data of the PE file into the memory just allocated within the\r\nsuspended process.\r\n* `SetThreadContext`: sets the EAX register to the entry point of the executable written.\r\n* `ResumeThread`: resumes the thread of the suspended process.",
"resources": "https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf\nhttps://speakerdeck.com/fr0gger/teslacrypt-ransomware-analysis",
"creation_date": "2019-03-18T13:56:37Z",
"tags": "Process hollowing, malware, evading detection, injecting, malicious code, legitimate process, memory modification",
"modification_date": "2023-10-04T10:44:56.452000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
15,
22,
23,
132,
357,
380,
381,
388
],
"contributors": []
},
{
"id": 87,
"key": "disassembly-desynchronization",
"unprotect_id": "U0207",
"name": "Disassembly Desynchronization",
"description": "Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become \"desynchronized\" and generate incorrect disassembly output.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nadd eax, 0x00000004\r\n```\r\n\r\nA disassembler that is working correctly would recognize these instructions and generate the following disassembly output:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: add eax, 0x00000004\r\n```\r\n\r\nHowever, if the programmer uses disassembly desynchronization techniques, they could rearrange the instructions in the program in a way that breaks the normal sequence of instructions. For example, they could insert some \"garbage\" instructions or data between the `mov` and `add` instructions, like this:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nnop\r\nnop\r\nnop\r\nnop\r\nadd eax, 0x00000004\r\n```\r\n\r\nIn this case, a disassembler that uses a simple, linear sweep algorithm might become \"desynchronized\" when it encounters the nop instructions and generate incorrect disassembly output. This can make it difficult for an analyst to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nDisassembly desynchronization is a well-known anti-disassembly technique that is commonly used by malware authors and other attackers to make it more difficult to analyze and understand their programs. It can be used in conjunction with other anti-disassembly techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"resources": "https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/the_return_of_disassembly_desynchronization/the_return_of_disassembly_desynchronization.md",
"creation_date": "2019-03-18T13:56:14Z",
"tags": "Disassembly desynchronization,\r\nGarbage instructions,\r\nNOP slide,\r\nLinear sweep,\r\nRecursive traversal,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nInstruction sequence,",
"modification_date": "2023-10-04T10:44:39.272000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 86,
"key": "dynamically-computed-target-address",
"unprotect_id": "U0208",
"name": "Dynamically Computed Target Address",
"description": "Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing the program.\r\n\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\ncall eax\r\n```\r\n\r\nIn this case, the call instruction uses a dynamically computed target address, as the value of the eax register is not known until the program is actually executed. This means that a disassembler will not be able to determine the correct target address for the call instruction without executing the program. If the disassembler tries to disassemble the program without executing it, it might generate incorrect disassembly output, like this:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: call eax\r\n```\r\n\r\nIn this case, the disassembler has assumed that the target address of the call instruction is the value stored in the eax register at the time the disassembler was run, but this is not necessarily the correct target address. The actual target address could be different if the program is executed, and the disassembler will not be able to determine the correct target address without executing the program.\r\n\r\nThis technique can be used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can also make it more difficult for other tools, such as debuggers, to accurately interpret the program's behavior. This can be especially effective when the snapshot of the program is taken at a point during its execution when the resolution of the dynamically computed target address has not yet taken place in the code, as this can make it even more difficult for a disassembler to determine the correct target addresses.",
"resources": "https://books.google.fr/books?id=3nPAM3AZ1foC&pg=PA436&lpg=PA436&dq=dynamically+computed+target+address&source=bl&ots=Nm7aJXEhDp&sig=ACfU3U2X1g6CTacHMZ3AH1kyk0XBDRUiQA&hl=en&sa=X&ved=2ahUKEwi5wbKV-pXhAhUPy4UKHS1xAdAQ6AEwAHoECAYQAQ#v=onepage&q=dynamically%20computed%20target%20address&f=false",
"creation_date": "2019-03-18T13:55:53Z",
"tags": "Dynamically computed target addresses,\r\nAnti-disassembling,\r\nBranch instruction,\r\nTarget address,\r\nExecution,",
"modification_date": "2023-10-04T10:44:39.984000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 85,
"key": "opcode-obfuscation",
"unprotect_id": "U0209",
"name": "Opcode Obfuscation",
"description": "Opcode obfuscation is an anti-disassembling technique that involves modifying the opcodes of a program's machine language instructions in order to make it more difficult for a disassembler to accurately reconstruct the original instructions. This can be done in a variety of ways, such as by using equivalent but different opcodes for the same operation, by adding additional instructions or data to the program, or by rearranging the program's instructions in a non-standard order.\r\n\r\nOpcode obfuscation is a common technique used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can be used in conjunction with other anti-disassembling techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"resources": "https://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation",
"creation_date": "2019-03-18T13:55:35Z",
"tags": "Opcode obfuscation,\r\nAnti-disassembling,\r\nDisassembler,\r\nMachine language,\r\nOpcode,\r\nEquivalent opcodes,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2023-10-04T10:42:44.100000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 84,
"key": "jump-with-same-target",
"unprotect_id": "U0210",
"name": "Jump With Same Target",
"description": "Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\njz loc_512\r\njnz loc_512\r\n```\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.",
"resources": "https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/",
"creation_date": "2019-03-18T13:55:03Z",
"tags": "Jump with the same target,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nTarget address,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nUnconditionnal jum,",
"modification_date": "2023-10-04T10:42:25.972000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 83,
"key": "impossible-disassembly",
"unprotect_id": "U0211",
"name": "Impossible Disassembly",
"description": "Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode for a multibyte instruction, the disassembler will be unable to correctly interpret the next instruction, and will therefore generate incorrect disassembly output.",
"resources": "https://www.slideshare.net/SamBowne/practical-malware-analysis-ch-15-antidisassembly\nhttps://medium.com/swlh/assembly-wrapping-a-new-technique-for-anti-disassembly-c144eb90e036",
"creation_date": "2019-03-18T13:54:40Z",
"tags": "Impossible disassembly,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nData byte,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2023-10-04T10:44:47.927000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 82,
"key": "obscuring-control-flow",
"unprotect_id": "U0212",
"name": "Obscuring Control Flow",
"description": "Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nOne example of this technique is the use of the Structure Exception Handling (SEH) mechanism in the Microsoft Windows operating system. SEH provides a way to handle exceptions, which are runtime errors that occur during the execution of a program. It allows the programmer to define a set of exception handlers that are called whenever an exception occurs. These exception handlers can be used to handle the exception and continue the program's execution, or to log the error and terminate the program.\r\n\r\nSEH provides a method of flow control that is difficult for disassemblers and debuggers to follow, because the exception handlers are not part of the program's normal control flow. Disassemblers and debuggers are not able to accurately reconstruct the program's original instructions when SEH is used, because they cannot determine the intended behavior of the program without actually executing it.",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:54:18Z",
"tags": "Obscuring control flow,\r\nAnti-disassembling,\r\nException handling,\r\nStructure Exception Handling (SEH),\r\nControl flow,\r\nException handler,",
"modification_date": "2023-10-04T10:42:49.627000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
394
],
"contributors": []
},
{
"id": 81,
"key": "abusing-the-return-pointer",
"unprotect_id": "U0213",
"name": "Abusing the Return Pointer",
"description": "Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nThe RETN instruction is normally used to return from a function call, by returning control to the calling function. It typically takes a single operand, which is the number of bytes that the caller should add to the stack pointer after the return has been executed. This allows the caller to clean up the stack and restore the registers to their original values before the call was made.\r\n\r\nHowever, if the RETN instruction is used for another purpose, the disassembler may not be able to accurately interpret it and may generate incorrect disassembly output. For example, the RETN instruction could be used as a jump target for other instructions, such as a CALL or JMP instruction. This would cause the disassembler to prematurely terminate the function, because it would assume that the RETN instruction marks the end of the function.",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:53:57Z",
"tags": "Abusing the return pointer,\r\nAnti-disassembling,\r\nDisassembler,\r\nDebugger,\r\nControl flow,\r\nReturn instruction (RETN),\r\nFunction call,\r\nStack pointer,\r\nRegister,",
"modification_date": "2023-10-04T10:44:45.279000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 79,
"key": "obscuring-control-flow-using-pointers",
"unprotect_id": "U0214",
"name": "Obscuring Control Flow Using Pointers",
"description": "The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nPointers are a common programming idiom used in C and C++ to reference memory locations and manipulate data in memory. They are typically implemented as variables that contain the memory address of another variable. This allows the programmer to access and modify the data stored at that memory address, without having to know the exact memory address of the data.",
"resources": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf",
"creation_date": "2019-03-18T13:53:11Z",
"tags": "Pointers,\r\nAnti-disassembling,\r\nControl flow,\r\nProgram behavior,\r\nMemory addresses,\r\nData manipulation,",
"modification_date": "2023-10-04T10:43:02.048000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 78,
"key": "spaghetti-junk-code",
"unprotect_id": "U0215",
"name": "Spaghetti, Junk Code",
"description": "Junk code is a technique used to add meaningless or irrelevant instructions to a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior.\r\n\r\nJunk code can be inserted into a program without modifying the original code, and it will not affect the program's behavior. Instead, it will simply add extra instructions that the disassembler must process, which can make it more difficult for the disassembler to generate correct disassembly output.\r\n\r\nSpaghetti code, on the other hand, is a coding style that is characterized by a complex and unstructured control flow. This can make it difficult for a disassembler to accurately interpret the instructions and generate correct disassembly output, because the disassembler may not be able to follow the complex and unstructured control flow.",
"resources": "https://en.wikipedia.org/wiki/Spaghetti_code\nhttps://www.nozominetworks.com/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
"creation_date": "2019-03-18T13:52:42Z",
"tags": "Junk code,\r\nSpaghetti code,\r\nAnti-disassembling,\r\nControl flow,\r\nObfuscation,\r\nInstruction insertion,\r\nUnstructured code,",
"modification_date": "2023-10-04T10:44:36.921000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 76,
"key": "control-flow-graph-flattening",
"unprotect_id": "U0216",
"name": "Control Flow Graph Flattening",
"description": "Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This switch statement is then wrapped inside the body of a loop, which makes it difficult for the disassembler to follow the control flow and generate correct disassembly output.\r\n\r\nControl flow flattening is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior. It can also be used to protect legitimate software from being reverse engineered by competitors or hackers.",
"resources": "http://ac.inf.elte.hu/Vol_030_2009/003.pdf",
"creation_date": "2019-03-18T13:51:58Z",
"tags": "Control flow flattening,\r\nAnti-disassembling,\r\nObfuscation,\r\nSwitch statement,\r\nLoop statement,\r\nControl flow,\r\nNesting,\r\nUnstructured code,\r\nComplex control flow,",
"modification_date": "2023-10-04T10:42:40.326000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 75,
"key": "api-obfuscation",
"unprotect_id": "U0217, B0032.001",
"name": "API Obfuscation",
"description": "API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead of the actual names of the functions, making it more difficult to understand the code and identify any potentially malicious behavior.\r\n\r\nThis technique is often used to hide suspicious API calls from the Import Address Table (IAT), which is used to store the addresses of functions imported from other libraries. By hiding these calls, malware authors can make it harder for analysts to identify and analyze their code.",
"resources": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware",
"creation_date": "2019-03-18T13:48:59Z",
"tags": "hashing, API, obfuscation, API hashing,\r\nImport Address Table (IAT),\r\nCode obfuscation,",
"modification_date": "2023-10-04T10:44:20.085000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
2,
7,
376,
425
],
"contributors": []
},
{
"id": 74,
"key": "int3-instruction-scanning",
"unprotect_id": "U0105, B0001.025",
"name": "INT3 Instruction Scanning",
"description": "Instruction `INT3` is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value `0xCC` (INT3 / Breakpoint Interrupt). \r\n\r\nThe exception `EXCEPTION_BREAKPOINT` (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector code and/or an API code.",
"resources": "https://www.blackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Whitepaper/bh-usa-07-quist_and_valsmith-WP.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int3",
"creation_date": "2019-03-18T13:44:00Z",
"tags": "int3",
"modification_date": "2023-10-04T10:42:47.549000Z",
"category": [
3
],
"rules": [
70,
84
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 73,
"key": "interrupts",
"unprotect_id": "U0106",
"name": "Interrupts",
"description": "Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling. \r\n\r\nBy triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it is being executed in a debugger and take appropriate action, such as exiting or altering its behavior. This can be achieved using interrupt instructions such as INT 3 or UD2 to trigger the exception. This technique can be used to evade detection and make reverse engineering more difficult.",
"resources": "",
"creation_date": "2019-03-18T13:43:21Z",
"tags": "",
"modification_date": "2023-10-04T10:37:41.393000Z",
"category": [
3
],
"rules": [
125
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 72,
"key": "performing-code-checksum",
"unprotect_id": "U0107",
"name": "Performing Code Checksum",
"description": "Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take appropriate action, such as exiting or altering its behavior. \r\n\r\nThis technique can be used to detect if anti-debugging routines have been disabled or if the code has been tampered with in other ways. By detecting these modifications, the adversary's code can attempt to evade detection and make reverse engineering more difficult.",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software",
"creation_date": "2019-03-18T13:42:45Z",
"tags": "",
"modification_date": "2023-10-04T10:43:00.625000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 71,
"key": "unhandled-exception-filter",
"unprotect_id": "U0108, B0001.030",
"name": "Unhandled Exception Filter",
"description": "An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.\r\n\r\nIf an exception occurs and no exception handler is registered, the `UnhandledExceptionFilter` function will be called. It is possible to register a custom unhandled exception filter using the `SetUnhandledExceptionFilter`. But if the program is running under a debugger, the custom filter won’t be called, and the exception will be passed to the debugger. \r\n\r\nTherefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.",
"resources": "https://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/\nhttps://anti-debug.checkpoint.com/techniques/exceptions.html",
"creation_date": "2019-03-18T13:42:14Z",
"tags": "exception",
"modification_date": "2023-10-04T10:43:55.620000Z",
"category": [
3
],
"rules": [
71
],
"attachments": [],
"featured_api": [
394,
403
],
"contributors": []
},
{
"id": 70,
"key": "bad-string-format",
"unprotect_id": "U0104",
"name": "Bad String Format",
"description": "Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.\r\n\r\nFor example, the malware may use a string with multiple %s inputs, which OllyDbg is not able to handle correctly. This causes the debugger to crash or behave in an unpredictable manner, making it difficult for the analyst to continue their analysis. This technique can be effective in disrupting the analysis process and making it more difficult for the analyst to understand the malware's capabilities and behavior. However, it is only effective against OllyDbg, and other debuggers may not be affected by this technique.",
"resources": "http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/",
"creation_date": "2019-03-18T13:40:52Z",
"tags": "Bad string format,\r\nOllyDbg,\r\nDebugger evasion,\r\nString manipulation,",
"modification_date": "2023-10-04T10:43:43.022000Z",
"category": [
3
],
"rules": [
69
],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 69,
"key": "tls-callback",
"unprotect_id": "U0124",
"name": "TLS Callback",
"description": "TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.\r\n\r\nAs an anti-debugging technique, a program can use a TLS callback to execute code before the main entry point of the program, which is defined in the PE (Portable Executable) header. This allows the program to run secretly in a debugger, as the debugger will typically start at the main entry point and may not be aware of the TLS callback.\r\n\r\nThe program can use the TLS callback to detect whether it is being debugged, and if it is, it can terminate the process or take other actions to evade debugging. This technique can be used to make it more difficult for a debugger to attach to the process and to hinder reverse engineering efforts.",
"resources": "https://resources.infosecinstitute.com/debugging-tls-callbacks/#gref\nhttps://isc.sans.edu/diary/How+Malware+Defends+Itself+Using+TLS+Callback+Functions/6655",
"creation_date": "2019-03-18T13:40:19Z",
"tags": "TLS callbacks,\r\nanti-debugging technique,\r\nthread,\r\nmain entry point,\r\ndebugger,",
"modification_date": "2023-10-04T10:44:42.226000Z",
"category": [
3
],
"rules": [
1
],
"attachments": [],
"featured_api": [
364
],
"contributors": []
},
{
"id": 68,
"key": "detecting-running-process-enumprocess-api",
"unprotect_id": "U0109,U0405,U1306",
"name": "Detecting Running Process: EnumProcess API",
"description": "Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the `EnumProcess` function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system. \r\n\r\nBy detecting these processes and taking evasive action, such as terminating itself or encrypting its own code, malware can prevent security professionals from gaining visibility into its activities and disrupt their efforts to analyze it.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx",
"creation_date": "2019-03-18T13:39:38Z",
"tags": "EnumProcess function,\r\nOllydbg.exe,\r\nWireshark.exe,\r\nMonitoring,\r\nAnalysis,",
"modification_date": "2023-10-04T10:43:41.232000Z",
"category": [
1,
3,
6
],
"rules": [
72,
92
],
"attachments": [],
"featured_api": [
23,
24
],
"contributors": []
},
{
"id": 67,
"key": "detecting-window-with-findwindow-api",
"unprotect_id": "U0406, U0123",
"name": "Detecting Window with FindWindow API",
"description": "The [FindWindowA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa) / [FindWindowW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindoww) function can be used to search for windows by name or class.\r\n\r\nIt is also possible to use [EnumWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows) API in conjunction with [GetWindowTextLength](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextlengthw) and [GetWindowText](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextw) to locate a piece of string that could reveal the presence of a known debugger.\r\n\r\n### Some Known Debuggers\r\n\r\n* ImmunityDebugger\r\n* OllyDbg\r\n* IDA\r\n* x64dbg / x32dbg\r\n* WinDbg",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-18T13:39:00Z",
"tags": "WinAPI,FindWindow",
"modification_date": "2023-10-04T10:43:37.678000Z",
"category": [
3,
6
],
"rules": [
82
],
"attachments": [],
"featured_api": [
23,
24,
106,
133,
239,
290,
295
],
"contributors": []
},
{
"id": 66,
"key": "getlocaltime-getsystemtime-timegettime-ntqueryperformancecounter",
"unprotect_id": "U0110,U1308,B0001.28",
"name": "GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter",
"description": "When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.",
"resources": "https://www.malwinator.com/2016/01/03/part-2-antidebug/",
"creation_date": "2019-03-18T13:38:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:28.130000Z",
"category": [
1,
3
],
"rules": [
15
],
"attachments": [],
"featured_api": [
448
],
"contributors": []
},
{
"id": 65,
"key": "gettickcount",
"unprotect_id": "U0125,B0001.032",
"name": "GetTickCount",
"description": "This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.\r\n\r\n`GetTickCount` reads from the `KUSER_SHARED_DATA` page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the system time, which is stored directly in this page.\r\n\r\n`ZwGetTickCount` is used the same way as `GetTickCount`. Using `KiGetTickCount` is faster than calling `ZwGetTickCount`, but slightly slower than reading from the `KUSER_SHARED_DATA` page directly.",
"resources": "https://researchcenter.paloaltonetworks.com/2015/10/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/\nhttps://anti-debug.checkpoint.com/techniques/timing.html#kernel-timing",
"creation_date": "2019-03-18T13:36:32Z",
"tags": "gettickcount",
"modification_date": "2023-10-04T10:43:40.578000Z",
"category": [
3
],
"rules": [
28
],
"attachments": [],
"featured_api": [
413
],
"contributors": []
},
{
"id": 64,
"key": "rdtsc",
"unprotect_id": "U0126",
"name": "RDTSC",
"description": "The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into `EDX:EAX`.\r\n\r\nIt will execute RDTSC twice and then calculate the difference between low order values and check it with CMP condition. If the difference lays below `0FFFh` no debugger is found if it is above or equal, then application is debugged.",
"resources": "https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide\nhttps://www.aldeid.com/wiki/RDTSC-Read-Time-Stamp-Counter",
"creation_date": "2019-03-18T13:35:53Z",
"tags": "RDTSC",
"modification_date": "2023-10-04T10:42:41.264000Z",
"category": [
3
],
"rules": [
80
],
"attachments": [],
"featured_api": [
23
],
"contributors": []
}
]
}
