HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=8",
"previous": "https://unprotect.it/api/techniques/?format=api&page=6",
"results": [
{
"id": 89,
"key": "process-camouflage-masquerading",
"unprotect_id": "U1230, F0005",
"name": "Process Camouflage, Masquerading",
"description": "Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as `svchost.exe`, and placing it in a legitimate folder. \r\n\r\nMasquerading can occur when the name or location of an executable, whether legitimate or malicious, is manipulated or abused to evade security defenses and observation. This technique has many variations and has been observed in various forms.\r\n\r\nThis technique is more a social engineering trick. The malware will use the same techniques to copy and rename the file as a legitimate one in the system. Some examples of how the malware can achieve this are:\r\n\r\n* Using scripting languages such as VBS or PowerShell to copy and rename the files.\r\n* Using built-in Windows commands such as copy and rename.\r\n* Using legitimate tools such as xcopy or robocopy to copy the files while preserving their original timestamps.\r\n\r\nThe detection of this technique is not based on the code used but in the analysis of the file properties such as the name, location, timestamps, and digital signature. And also, on the behavior of the process after it runs.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.endgame.com/blog/technical-blog/how-hunt-masquerade-ball",
"creation_date": "2019-03-18T14:45:21Z",
"tags": "Masquerading, malware, legitimate file, svchost.exe, legitimate folder, name, location, executable, manipulated, abused, security defenses, observation, variations, forms, legitimate software, source, process,",
"modification_date": "2023-10-04T10:44:04.348000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 88,
"key": "process-hollowing-runpe",
"unprotect_id": "U1225, E1055.012",
"name": "Process Hollowing, RunPE",
"description": "Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload. \r\n\r\nThe process is the following:\r\n\r\n* `CreateProcess`: in a suspended mode with the CreationFlag at 0x0000 0004.\r\n* `GetThreadContext`: retrieves the context of the specified thread.\r\n* `ZwUnmapViewOfSection`: Unmaps a view of a section from the virtual address space of a\r\nsubject process.\r\n* `VirtualAllocEx`: allocates memory within the suspended process’s address space.\r\n* `WriteProcessMemory`: writes data of the PE file into the memory just allocated within the\r\nsuspended process.\r\n* `SetThreadContext`: sets the EAX register to the entry point of the executable written.\r\n* `ResumeThread`: resumes the thread of the suspended process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf\nhttps://speakerdeck.com/fr0gger/teslacrypt-ransomware-analysis",
"creation_date": "2019-03-18T13:56:37Z",
"tags": "Process hollowing, malware, evading detection, injecting, malicious code, legitimate process, memory modification",
"modification_date": "2023-10-04T10:44:56.452000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
4,
6,
11,
12,
15,
22,
357
],
"contributors": []
},
{
"id": 87,
"key": "disassembly-desynchronization",
"unprotect_id": "U0207",
"name": "Disassembly Desynchronization",
"description": "Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become \"desynchronized\" and generate incorrect disassembly output.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nadd eax, 0x00000004\r\n```\r\n\r\nA disassembler that is working correctly would recognize these instructions and generate the following disassembly output:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: add eax, 0x00000004\r\n```\r\n\r\nHowever, if the programmer uses disassembly desynchronization techniques, they could rearrange the instructions in the program in a way that breaks the normal sequence of instructions. For example, they could insert some \"garbage\" instructions or data between the `mov` and `add` instructions, like this:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\nnop\r\nnop\r\nnop\r\nnop\r\nadd eax, 0x00000004\r\n```\r\n\r\nIn this case, a disassembler that uses a simple, linear sweep algorithm might become \"desynchronized\" when it encounters the nop instructions and generate incorrect disassembly output. This can make it difficult for an analyst to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nDisassembly desynchronization is a well-known anti-disassembly technique that is commonly used by malware authors and other attackers to make it more difficult to analyze and understand their programs. It can be used in conjunction with other anti-disassembly techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/the_return_of_disassembly_desynchronization/the_return_of_disassembly_desynchronization.md",
"creation_date": "2019-03-18T13:56:14Z",
"tags": "Disassembly desynchronization,\r\nGarbage instructions,\r\nNOP slide,\r\nLinear sweep,\r\nRecursive traversal,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nInstruction sequence,",
"modification_date": "2023-10-04T10:44:39.272000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 86,
"key": "dynamically-computed-target-address",
"unprotect_id": "U0208",
"name": "Dynamically Computed Target Address",
"description": "Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing the program.\r\n\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\ncall eax\r\n```\r\n\r\nIn this case, the call instruction uses a dynamically computed target address, as the value of the eax register is not known until the program is actually executed. This means that a disassembler will not be able to determine the correct target address for the call instruction without executing the program. If the disassembler tries to disassemble the program without executing it, it might generate incorrect disassembly output, like this:\r\n\r\n```assembly\r\n0x00000000: mov eax, 0x12345678\r\n0x00000004: call eax\r\n```\r\n\r\nIn this case, the disassembler has assumed that the target address of the call instruction is the value stored in the eax register at the time the disassembler was run, but this is not necessarily the correct target address. The actual target address could be different if the program is executed, and the disassembler will not be able to determine the correct target address without executing the program.\r\n\r\nThis technique can be used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can also make it more difficult for other tools, such as debuggers, to accurately interpret the program's behavior. This can be especially effective when the snapshot of the program is taken at a point during its execution when the resolution of the dynamically computed target address has not yet taken place in the code, as this can make it even more difficult for a disassembler to determine the correct target addresses.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://books.google.fr/books?id=3nPAM3AZ1foC&pg=PA436&lpg=PA436&dq=dynamically+computed+target+address&source=bl&ots=Nm7aJXEhDp&sig=ACfU3U2X1g6CTacHMZ3AH1kyk0XBDRUiQA&hl=en&sa=X&ved=2ahUKEwi5wbKV-pXhAhUPy4UKHS1xAdAQ6AEwAHoECAYQAQ#v=onepage&q=dynamically%20computed%20target%20address&f=false",
"creation_date": "2019-03-18T13:55:53Z",
"tags": "Dynamically computed target addresses,\r\nAnti-disassembling,\r\nBranch instruction,\r\nTarget address,\r\nExecution,",
"modification_date": "2023-10-04T10:44:39.984000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 85,
"key": "opcode-obfuscation",
"unprotect_id": "U0209",
"name": "Opcode Obfuscation",
"description": "Opcode obfuscation is an anti-disassembling technique that involves modifying the opcodes of a program's machine language instructions in order to make it more difficult for a disassembler to accurately reconstruct the original instructions. This can be done in a variety of ways, such as by using equivalent but different opcodes for the same operation, by adding additional instructions or data to the program, or by rearranging the program's instructions in a non-standard order.\r\n\r\nOpcode obfuscation is a common technique used by malware authors and other attackers to make it more difficult for analysts to disassemble and understand their programs. It can be used in conjunction with other anti-disassembling techniques, such as the call trick or the insertion of garbage bytes, to create even more effective and powerful exploits.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation",
"creation_date": "2019-03-18T13:55:35Z",
"tags": "Opcode obfuscation,\r\nAnti-disassembling,\r\nDisassembler,\r\nMachine language,\r\nOpcode,\r\nEquivalent opcodes,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2023-10-04T10:42:44.100000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 84,
"key": "jump-with-same-target",
"unprotect_id": "U0210",
"name": "Jump With Same Target",
"description": "Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.\r\n\r\nFor example, suppose a program contains the following instructions:\r\n\r\n```assembly\r\nmov eax, 0x12345678\r\njz loc_512\r\njnz loc_512\r\n```\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.\r\n\r\nIn this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/",
"creation_date": "2019-03-18T13:55:03Z",
"tags": "Jump with the same target,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nTarget address,\r\nDisassembly output,\r\nDisassembly accuracy,\r\nUnconditionnal jum,",
"modification_date": "2023-10-04T10:42:25.972000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 83,
"key": "impossible-disassembly",
"unprotect_id": "U0211",
"name": "Impossible Disassembly",
"description": "Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode for a multibyte instruction, the disassembler will be unable to correctly interpret the next instruction, and will therefore generate incorrect disassembly output.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/SamBowne/practical-malware-analysis-ch-15-antidisassembly\r\nhttps://medium.com/swlh/assembly-wrapping-a-new-technique-for-anti-disassembly-c144eb90e036\r\nhttps://gelven4sec.github.io/posts/rogue_byte/",
"creation_date": "2019-03-18T13:54:40Z",
"tags": "Impossible disassembly,\r\nAnti-disassembling,\r\nDisassembler,\r\nConditional jump,\r\nData byte,\r\nDisassembly output,\r\nDisassembly accuracy,",
"modification_date": "2024-11-21T13:22:00.769914Z",
"category": [
5
],
"rules": [
163
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 82,
"key": "obscuring-control-flow",
"unprotect_id": "U0212",
"name": "Obscuring Control Flow",
"description": "Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.\r\n\r\nOne example of this technique is the use of the Structure Exception Handling (SEH) mechanism in the Microsoft Windows operating system. SEH provides a way to handle exceptions, which are runtime errors that occur during the execution of a program. It allows the programmer to define a set of exception handlers that are called whenever an exception occurs. These exception handlers can be used to handle the exception and continue the program's execution, or to log the error and terminate the program.\r\n\r\nSEH provides a method of flow control that is difficult for disassemblers and debuggers to follow, because the exception handlers are not part of the program's normal control flow. Disassemblers and debuggers are not able to accurately reconstruct the program's original instructions when SEH is used, because they cannot determine the intended behavior of the program without actually executing it.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:54:18Z",
"tags": "Obscuring control flow,\r\nAnti-disassembling,\r\nException handling,\r\nStructure Exception Handling (SEH),\r\nControl flow,\r\nException handler,",
"modification_date": "2023-10-04T10:42:49.627000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 81,
"key": "abusing-the-return-pointer",
"unprotect_id": "U0213",
"name": "Abusing the Return Pointer",
"description": "Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nThe RETN instruction is normally used to return from a function call, by returning control to the calling function. It typically takes a single operand, which is the number of bytes that the caller should add to the stack pointer after the return has been executed. This allows the caller to clean up the stack and restore the registers to their original values before the call was made.\r\n\r\nHowever, if the RETN instruction is used for another purpose, the disassembler may not be able to accurately interpret it and may generate incorrect disassembly output. For example, the RETN instruction could be used as a jump target for other instructions, such as a CALL or JMP instruction. This would cause the disassembler to prematurely terminate the function, because it would assume that the RETN instruction marks the end of the function.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.malwinator.com/2015/11/27/anti-disassembly-techniques-used-by-malware-a-primer-part-2/",
"creation_date": "2019-03-18T13:53:57Z",
"tags": "Abusing the return pointer,\r\nAnti-disassembling,\r\nDisassembler,\r\nDebugger,\r\nControl flow,\r\nReturn instruction (RETN),\r\nFunction call,\r\nStack pointer,\r\nRegister,",
"modification_date": "2023-10-04T10:44:45.279000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 79,
"key": "obscuring-control-flow-using-pointers",
"unprotect_id": "U0214",
"name": "Obscuring Control Flow Using Pointers",
"description": "The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.\r\n\r\nPointers are a common programming idiom used in C and C++ to reference memory locations and manipulate data in memory. They are typically implemented as variables that contain the memory address of another variable. This allows the programmer to access and modify the data stored at that memory address, without having to know the exact memory address of the data.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf",
"creation_date": "2019-03-18T13:53:11Z",
"tags": "Pointers,\r\nAnti-disassembling,\r\nControl flow,\r\nProgram behavior,\r\nMemory addresses,\r\nData manipulation,",
"modification_date": "2023-10-04T10:43:02.048000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 78,
"key": "spaghetti-junk-code",
"unprotect_id": "U0215",
"name": "Spaghetti, Junk Code",
"description": "Junk code is a technique used to add meaningless or irrelevant instructions to a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior.\r\n\r\nJunk code can be inserted into a program without modifying the original code, and it will not affect the program's behavior. Instead, it will simply add extra instructions that the disassembler must process, which can make it more difficult for the disassembler to generate correct disassembly output.\r\n\r\nSpaghetti code, on the other hand, is a coding style that is characterized by a complex and unstructured control flow. This can make it difficult for a disassembler to accurately interpret the instructions and generate correct disassembly output, because the disassembler may not be able to follow the complex and unstructured control flow.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://en.wikipedia.org/wiki/Spaghetti_code\nhttps://www.nozominetworks.com/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
"creation_date": "2019-03-18T13:52:42Z",
"tags": "Junk code,\r\nSpaghetti code,\r\nAnti-disassembling,\r\nControl flow,\r\nObfuscation,\r\nInstruction insertion,\r\nUnstructured code,",
"modification_date": "2023-10-04T10:44:36.921000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 76,
"key": "control-flow-graph-flattening",
"unprotect_id": "U0216",
"name": "Control Flow Graph Flattening",
"description": "Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This switch statement is then wrapped inside the body of a loop, which makes it difficult for the disassembler to follow the control flow and generate correct disassembly output.\r\n\r\nControl flow flattening is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior. It can also be used to protect legitimate software from being reverse engineered by competitors or hackers.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://ac.inf.elte.hu/Vol_030_2009/003.pdf",
"creation_date": "2019-03-18T13:51:58Z",
"tags": "Control flow flattening,\r\nAnti-disassembling,\r\nObfuscation,\r\nSwitch statement,\r\nLoop statement,\r\nControl flow,\r\nNesting,\r\nUnstructured code,\r\nComplex control flow,",
"modification_date": "2023-10-04T10:42:40.326000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 75,
"key": "api-obfuscation",
"unprotect_id": "U0217, B0032.001",
"name": "API Obfuscation",
"description": "API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead of the actual names of the functions, making it more difficult to understand the code and identify any potentially malicious behavior.\r\n\r\nThis technique is often used to hide suspicious API calls from the Import Address Table (IAT), which is used to store the addresses of functions imported from other libraries. By hiding these calls, malware authors can make it harder for analysts to identify and analyze their code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware",
"creation_date": "2019-03-18T13:48:59Z",
"tags": "hashing, API, obfuscation, API hashing,\r\nImport Address Table (IAT),\r\nCode obfuscation,",
"modification_date": "2023-10-04T10:44:20.085000Z",
"category": [
5
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
},
{
"id": 74,
"key": "int3-instruction-scanning",
"unprotect_id": "U0105, B0001.025",
"name": "INT3 Instruction Scanning",
"description": "Instruction `INT3` is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value `0xCC` (INT3 / Breakpoint Interrupt). \r\n\r\nThe exception `EXCEPTION_BREAKPOINT` (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector code and/or an API code.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.blackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Whitepaper/bh-usa-07-quist_and_valsmith-WP.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int3",
"creation_date": "2019-03-18T13:44:00Z",
"tags": "int3",
"modification_date": "2023-10-04T10:42:47.549000Z",
"category": [
3
],
"rules": [
70,
84
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 73,
"key": "interrupts",
"unprotect_id": "U0106",
"name": "Interrupts",
"description": "Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling. \r\n\r\nBy triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it is being executed in a debugger and take appropriate action, such as exiting or altering its behavior. This can be achieved using interrupt instructions such as INT 3 or UD2 to trigger the exception. This technique can be used to evade detection and make reverse engineering more difficult.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-18T13:43:21Z",
"tags": "",
"modification_date": "2023-10-04T10:37:41.393000Z",
"category": [
3
],
"rules": [
125
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 72,
"key": "performing-code-checksum",
"unprotect_id": "U0107",
"name": "Performing Code Checksum",
"description": "Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take appropriate action, such as exiting or altering its behavior. \r\n\r\nThis technique can be used to detect if anti-debugging routines have been disabled or if the code has been tampered with in other ways. By detecting these modifications, the adversary's code can attempt to evade detection and make reverse engineering more difficult.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software",
"creation_date": "2019-03-18T13:42:45Z",
"tags": "",
"modification_date": "2023-10-04T10:43:00.625000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 71,
"key": "unhandled-exception-filter",
"unprotect_id": "U0108, B0001.030",
"name": "Unhandled Exception Filter",
"description": "An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.\r\n\r\nIf an exception occurs and no exception handler is registered, the `UnhandledExceptionFilter` function will be called. It is possible to register a custom unhandled exception filter using the `SetUnhandledExceptionFilter`. But if the program is running under a debugger, the custom filter won’t be called, and the exception will be passed to the debugger. \r\n\r\nTherefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://evilcodecave.wordpress.com/2008/07/24/setunhandledexception-filter-anti-debug-trick/\nhttps://anti-debug.checkpoint.com/techniques/exceptions.html",
"creation_date": "2019-03-18T13:42:14Z",
"tags": "exception",
"modification_date": "2023-10-04T10:43:55.620000Z",
"category": [
3
],
"rules": [
71
],
"attachments": [],
"featured_api": [
403
],
"contributors": []
},
{
"id": 70,
"key": "bad-string-format",
"unprotect_id": "U0104",
"name": "Bad String Format",
"description": "Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.\r\n\r\nFor example, the malware may use a string with multiple %s inputs, which OllyDbg is not able to handle correctly. This causes the debugger to crash or behave in an unpredictable manner, making it difficult for the analyst to continue their analysis. This technique can be effective in disrupting the analysis process and making it more difficult for the analyst to understand the malware's capabilities and behavior. However, it is only effective against OllyDbg, and other debuggers may not be affected by this technique.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/",
"creation_date": "2019-03-18T13:40:52Z",
"tags": "Bad string format,\r\nOllyDbg,\r\nDebugger evasion,\r\nString manipulation,",
"modification_date": "2023-10-04T10:43:43.022000Z",
"category": [
3
],
"rules": [
69
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 69,
"key": "tls-callback",
"unprotect_id": "U0124",
"name": "TLS Callback",
"description": "TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.\r\n\r\nAs an anti-debugging technique, a program can use a TLS callback to execute code before the main entry point of the program, which is defined in the PE (Portable Executable) header. This allows the program to run secretly in a debugger, as the debugger will typically start at the main entry point and may not be aware of the TLS callback.\r\n\r\nThe program can use the TLS callback to detect whether it is being debugged, and if it is, it can terminate the process or take other actions to evade debugging. This technique can be used to make it more difficult for a debugger to attach to the process and to hinder reverse engineering efforts.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://resources.infosecinstitute.com/debugging-tls-callbacks/#gref\nhttps://isc.sans.edu/diary/How+Malware+Defends+Itself+Using+TLS+Callback+Functions/6655",
"creation_date": "2019-03-18T13:40:19Z",
"tags": "TLS callbacks,\r\nanti-debugging technique,\r\nthread,\r\nmain entry point,\r\ndebugger,",
"modification_date": "2023-10-04T10:44:42.226000Z",
"category": [
3
],
"rules": [
1
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 68,
"key": "detecting-running-process-enumprocess-api",
"unprotect_id": "U0109,U0405,U1306",
"name": "Detecting Running Process: EnumProcess API",
"description": "Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the `EnumProcess` function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system. \r\n\r\nBy detecting these processes and taking evasive action, such as terminating itself or encrypting its own code, malware can prevent security professionals from gaining visibility into its activities and disrupt their efforts to analyze it.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx",
"creation_date": "2019-03-18T13:39:38Z",
"tags": "EnumProcess function,\r\nOllydbg.exe,\r\nWireshark.exe,\r\nMonitoring,\r\nAnalysis,",
"modification_date": "2023-10-04T10:43:41.232000Z",
"category": [
1,
3,
6
],
"rules": [
72,
92
],
"attachments": [],
"featured_api": [
24
],
"contributors": []
},
{
"id": 67,
"key": "detecting-window-with-findwindow-api",
"unprotect_id": "U0406, U0123",
"name": "Detecting Window with FindWindow API",
"description": "The [FindWindowA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa) / [FindWindowW](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindoww) function can be used to search for windows by name or class.\r\n\r\nIt is also possible to use [EnumWindows](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows) API in conjunction with [GetWindowTextLength](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextlengthw) and [GetWindowText](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtextw) to locate a piece of string that could reveal the presence of a known debugger.\r\n\r\n### Some Known Debuggers\r\n\r\n* ImmunityDebugger\r\n* OllyDbg\r\n* IDA\r\n* x64dbg / x32dbg\r\n* WinDbg",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-18T13:39:00Z",
"tags": "WinAPI,FindWindow",
"modification_date": "2023-10-04T10:43:37.678000Z",
"category": [
3,
6
],
"rules": [
82
],
"attachments": [],
"featured_api": [
24
],
"contributors": []
},
{
"id": 66,
"key": "getlocaltime-getsystemtime-timegettime-ntqueryperformancecounter",
"unprotect_id": "U0110,U1308,B0001.28",
"name": "GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter",
"description": "When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.malwinator.com/2016/01/03/part-2-antidebug/",
"creation_date": "2019-03-18T13:38:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:28.130000Z",
"category": [
1,
3
],
"rules": [
15
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 65,
"key": "gettickcount",
"unprotect_id": "U0125,B0001.032",
"name": "GetTickCount",
"description": "This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.\r\n\r\n`GetTickCount` reads from the `KUSER_SHARED_DATA` page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the system time, which is stored directly in this page.\r\n\r\n`ZwGetTickCount` is used the same way as `GetTickCount`. Using `KiGetTickCount` is faster than calling `ZwGetTickCount`, but slightly slower than reading from the `KUSER_SHARED_DATA` page directly.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://researchcenter.paloaltonetworks.com/2015/10/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/\nhttps://anti-debug.checkpoint.com/techniques/timing.html#kernel-timing",
"creation_date": "2019-03-18T13:36:32Z",
"tags": "gettickcount",
"modification_date": "2023-10-04T10:43:40.578000Z",
"category": [
3
],
"rules": [
28
],
"attachments": [],
"featured_api": [
413
],
"contributors": []
},
{
"id": 64,
"key": "rdtsc",
"unprotect_id": "U0126",
"name": "RDTSC",
"description": "The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into `EDX:EAX`.\r\n\r\nIt will execute RDTSC twice and then calculate the difference between low order values and check it with CMP condition. If the difference lays below `0FFFh` no debugger is found if it is above or equal, then application is debugged.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide\nhttps://www.aldeid.com/wiki/RDTSC-Read-Time-Stamp-Counter",
"creation_date": "2019-03-18T13:35:53Z",
"tags": "RDTSC",
"modification_date": "2023-10-04T10:42:41.264000Z",
"category": [
3
],
"rules": [
80
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 63,
"key": "ntglobalflag",
"unprotect_id": "U0111,B0001.036",
"name": "NtGlobalFlag",
"description": "The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset `0x68`. If the value at this location is `0x70`, we know that we are running in a debugger.\r\n\r\nThe `NtGlobalFlag` field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on 64-bit Windows) is 0 by default. Attaching a debugger doesn’t change the value of NtGlobalFlag. However, if the process was created by a debugger, the following flags will be set:\r\n\r\n- `FLG_HEAP_ENABLE_TAIL_CHECK` (0x10)\r\n- `FLG_HEAP_ENABLE_FREE_CHECK` (0x20)\r\n- `FLG_HEAP_VALIDATE_PARAMETERS` (0x40)\r\n\r\nThe presence of a debugger can be detected by checking a combination of those flags.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-ntglobalflag",
"creation_date": "2019-03-18T13:35:07Z",
"tags": "ntglobalflag",
"modification_date": "2023-10-04T10:44:18.871000Z",
"category": [
3
],
"rules": [
4,
25
],
"attachments": [],
"featured_api": [
24,
425
],
"contributors": []
},
{
"id": 62,
"key": "heap-flag",
"unprotect_id": "U0112,B0001.021",
"name": "Heap Flag",
"description": "`ProcessHeap` is located at `0x18` in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are `Flags` and `ForceFlags`.\r\n\r\nThe values of `Flags and ForceFlags` are normally set to `HEAP_GROWABLE` and `0`, respectively.\r\n\r\nOn 64-bit Windows XP, and Windows Vista and higher, if a debugger is present, the Flags field is set to a combination of these flags:\r\n\r\n- `HEAP_GROWABLE (2)`\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`\r\n\r\nWhen a debugger is present, the ForceFlags field is set to a combination of these flags:\r\n\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-heap-flags",
"creation_date": "2019-03-18T13:34:32Z",
"tags": "heapflag",
"modification_date": "2023-10-04T10:42:51.159000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 61,
"key": "isdebugged-flag",
"unprotect_id": "U0113,B0001.019",
"name": "IsDebugged Flag",
"description": "While a process is running, the location of the PEB can be referenced by the location `fs:[30h]`. For anti-debugging, malware will use that location to check the `BeingDebugged` flag, which indicates whether the specified process is being debugged.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-18T13:33:59Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:39:04.249000Z",
"category": [
3
],
"rules": [
26
],
"attachments": [],
"featured_api": [
6,
24,
357,
425
],
"contributors": []
},
{
"id": 60,
"key": "closehandle-ntclose",
"unprotect_id": "U0114, B0001.003",
"name": "CloseHandle, NtClose",
"description": "When a process is debugged, calling `NtClose` or `CloseHandle` with an invalid handle will generate a `STATUS_INVALID_HANDLE` exception.\r\n\r\nThe exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.symantec.com/connect/articles/windows-anti-debug-reference\nhttps://anti-debug.checkpoint.com/techniques/object-handles.html#closehandle",
"creation_date": "2019-03-18T13:32:34Z",
"tags": "closehandle,ntclose",
"modification_date": "2023-10-04T10:43:46.973000Z",
"category": [
3
],
"rules": [
45,
73
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 59,
"key": "csrgetprocessid",
"unprotect_id": "U0115",
"name": "CsrGetProcessID",
"description": "This function is undocumented within `OpenProcess`. It can be used to get the PID of CRSS.exe, which is a `SYSTEM` process. By default, a process has the `SeDebugPrivilege` privilege in their access token disabled. \r\n\r\nHowever, when the process is loaded by a debugger such as OllyDbg or WinDbg, the `SeDebugPrivilege` privilege is enabled. If a process is able to open CRSS.exe process, it means that the process `SeDebugPrivilege` enabled in the access token, and thus, suggesting that the process is being debugged.\r\n\r\nIf we call `OpenProcess` and pass the ID returned by `CsrGetProcessId`, no error will occur if the `SeDebugPrivilege` has been set with `SetPrivilege` / `AdjustTokenPrivileges`.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.gironsec.com/blog/2013/12/other-antidebug-tricks/",
"creation_date": "2019-03-18T13:31:58Z",
"tags": "CsrGetProcessID",
"modification_date": "2023-10-04T10:43:42.118000Z",
"category": [
3
],
"rules": [
74
],
"attachments": [],
"featured_api": [
24,
425
],
"contributors": []
},
{
"id": 58,
"key": "eventpairhandles",
"unprotect_id": "U0116",
"name": "EventPairHandles",
"description": "An `EventPair` Object is an event constructed by two `_KEVENT` structures which are conventionally named High and Low. \r\n\r\nThere is a relation between generic Event Objects and Debuggers because they must create a custom event called `DebugEvent` able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a normal process differs from a debugged process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.evilfingers.com/publications/research_EN/EventPairsHandle.pdf",
"creation_date": "2019-03-18T13:31:13Z",
"tags": "EventPairHandles",
"modification_date": "2023-10-04T10:43:38.435000Z",
"category": [
3
],
"rules": [
75
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 57,
"key": "outputdebugstring",
"unprotect_id": "U0117,B0001.016",
"name": "OutputDebugString",
"description": "This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.\r\n\r\nIt is possible to use [OutputDebugString](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-outputdebugstringw) in addition of [GetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror) / [SetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setlasterror) to detect debugger presence.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx",
"creation_date": "2019-03-18T13:29:14Z",
"tags": "outputdebugstring",
"modification_date": "2023-10-04T10:42:48.424000Z",
"category": [
3
],
"rules": [
14,
76
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 56,
"key": "ntqueryobject",
"unprotect_id": "U0118,B0001.013",
"name": "NtQueryObject",
"description": "This function retrieves object information. By calling this function with the class `ObjectTypeInformation` will retrieve the specific object type (debug) to detect the debugger.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/bb432383(v=vs.85).aspx\nhttps://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide?fbclid=IwAR0fpYHnQX6C3YyBx3pnZ1m3bOYawc-kUIhZn65T5Bf7pQR26fUuVNYPs_Q#NtQueryObject",
"creation_date": "2019-03-18T13:28:29Z",
"tags": "NtQueryObject",
"modification_date": "2023-10-04T10:42:54.288000Z",
"category": [
3
],
"rules": [
77
],
"attachments": [],
"featured_api": [
3,
425
],
"contributors": []
},
{
"id": 55,
"key": "ntsetinformationthread",
"unprotect_id": "U0119, B0001.014",
"name": "NtSetInformationThread",
"description": "[NtSetInformationThread](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationthread) can be used to hide threads from debuggers using the `ThreadHideFromDebugger` `ThreadInfoClass` (`0x11` / `17`). This is intended to be used by an external process, but any thread can use it on itself.\r\n\r\nAfter the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread can perform anti-debugging checks such as code checksum, debug flags verification, etc.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-zwsetinformationthread\nhttps://ntquery.wordpress.com/2014/03/29/anti-debug-ntsetinformationthread/",
"creation_date": "2019-03-18T13:27:48Z",
"tags": "NtSetInformationThread",
"modification_date": "2023-10-04T10:43:43.449000Z",
"category": [
3
],
"rules": [
78
],
"attachments": [],
"featured_api": [
22,
360,
425
],
"contributors": []
},
{
"id": 54,
"key": "ntqueryinformationprocess",
"unprotect_id": "U0120,B0001.012",
"name": "NtQueryInformationProcess",
"description": "This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the `ProcessDebugPort (0x7)` information class.\r\n\r\nA nonzero value returned by the call indicates that the process is being debugged.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:26:52Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:43:39.185000Z",
"category": [
3
],
"rules": [
79,
86
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 53,
"key": "checkremotedebuggerpresent",
"unprotect_id": "U0121, B0001.002",
"name": "CheckRemoteDebuggerPresent",
"description": "CheckRemoteDebuggerPresent is a kernel32.dll function that sets (-1)0xffffffff in the DebuggerPresent parameter if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as a ProcessInformationClass parameter.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:25:12Z",
"tags": "",
"modification_date": "2023-10-04T10:42:13.178000Z",
"category": [
3
],
"rules": [
7
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 52,
"key": "isdebuggerpresent",
"unprotect_id": "U0122, B0001.008",
"name": "IsDebuggerPresent",
"description": "This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.\r\n\r\nIf you want to understand the underlying process of [IsDebuggerPresent](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent) API you can check the code snippet section for the following method: [IsDebugged Flag](https://search.unprotect.it/map/anti-debugging/isdebugged-flag/).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx",
"creation_date": "2019-03-18T13:24:02Z",
"tags": "isdebuggerpresent",
"modification_date": "2023-10-04T10:43:44.328000Z",
"category": [
3
],
"rules": [
67
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 49,
"key": "fake-signature",
"unprotect_id": "U0506",
"name": "Fake Signature",
"description": "Every exe file contain metadata that allow users to trust the third party that distribute the program. Malware are able to usurp the metadata in order to fool the user but also the security tools.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-18T13:22:18Z",
"tags": "",
"modification_date": "2023-10-04T10:37:56.097000Z",
"category": [
2
],
"rules": [
89
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 48,
"key": "adding-antivirus-exception",
"unprotect_id": "U0507",
"name": "Adding antivirus exception",
"description": "This technique involves searching for active antivirus-related processes or modules and terminating execution if any are found. By detecting loaded antivirus libraries, malware can determine whether it is running in a monitored environment and exit to avoid detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.darknet.org.uk/2016/12/malware-writers-using-exclusion-lists-to-linger/",
"creation_date": "2019-03-18T13:21:38Z",
"tags": "",
"modification_date": "2025-02-20T16:55:17.960737Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
50
]
},
{
"id": 47,
"key": "disabling-antivirus",
"unprotect_id": "U0508,F0004",
"name": "Disabling Antivirus",
"description": "Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/",
"creation_date": "2019-03-18T13:21:04Z",
"tags": "computer system, network, device, antivirus, evade detection, malicious programs",
"modification_date": "2023-10-04T10:42:10.499000Z",
"category": [
2
],
"rules": [
47
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 46,
"key": "file-splitting",
"unprotect_id": "U0509",
"name": "File Splitting",
"description": "An old trick consists to split the malicious file into different parts and analyse all of them separately with and AV. The chunk where the detection is still being triggered is actually the part of the file that need to change to evade the antivirus software you are targeting.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf",
"creation_date": "2019-03-18T13:20:17Z",
"tags": "",
"modification_date": "2023-10-04T10:42:10.991000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 45,
"key": "bypassing-static-heuristic",
"unprotect_id": "U0510",
"name": "Bypassing Static Heuristic",
"description": "Dynamic heuristic engines are implemented in the form of hooks (in user-land or kernel-land) or based on emulation. User-land hooks (HIPS) can be easily bypass by malware by patching back the entry point of the hooked function. For kernel-land hook, malware has to run in kernel space by installing a driver or abusing a kernel-level vulnerability.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-18T13:19:25Z",
"tags": "",
"modification_date": "2023-10-04T10:37:47.211000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 44,
"key": "file-format-confusion",
"unprotect_id": "U0511",
"name": "File Format Confusion",
"description": "By looking the structure of the PE and the content of the file, the engine is able to detect if the file is malicious or not. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious.\r\n\r\nConfusing file format is another trick that can be used to bypass an AV detection specific to a file format.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf\nhttps://code.google.com/archive/p/corkami/wikis/mix.wiki",
"creation_date": "2019-03-18T13:18:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.659000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 42,
"key": "big-file",
"unprotect_id": "U0512",
"name": "Big File",
"description": "Because of the imposed file size limit, you can trick the scanner into skipping a file by changing the file’s size to make it larger than the hard-coded size limit. This file size limit applies especially with heuristic engines based on static data (data extracted from the portable executable, or PE, header). This is an old trick still apply in the wild.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
"creation_date": "2019-03-18T13:17:09Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.210000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 41,
"key": "fingerprinting-emulator",
"unprotect_id": "U0513",
"name": "Fingerprinting Emulator",
"description": "Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf",
"creation_date": "2019-03-18T13:16:15Z",
"tags": "",
"modification_date": "2023-10-04T10:43:06.521000Z",
"category": [
2
],
"rules": [
58
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 40,
"key": "pe-format-manipulation",
"unprotect_id": "U0514",
"name": "PE Format Manipulation",
"description": "Evading signature can also be performed by modifying the PE structure (changing section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, Major/Minor OperatingSystemVersion and ImageVersion/MinorImageVersion, AddressOfEntryPoint, Maximum number of sections, File length.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/",
"creation_date": "2019-03-18T13:14:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.566000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 39,
"key": "evading-specific-signature",
"unprotect_id": "U0515",
"name": "Evading Specific Signature",
"description": "Some signatures are specifically designed to catch an exploit or a specific behaviour. By reversing the signature, it is possible to modify the malware to evade the signature. For example, by changing the size of the payload matching, or by changing the file's header.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.digital.security/en/blog/bypassing-antivirus-detection-pdf-exploit",
"creation_date": "2019-03-18T13:08:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:11.469000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 38,
"key": "evading-hash-signature",
"unprotect_id": "U0516",
"name": "Evading Hash Signature",
"description": "AV are able to detect if it's a known malware by calculating the file hash, by changing a simple bit into the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://resources.infosecinstitute.com/antivirus-evasion-tools/",
"creation_date": "2019-03-17T18:07:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.256000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 37,
"key": "connected-printer",
"unprotect_id": "U1309, B0009.017",
"name": "Connected Printer",
"description": "Another technique for detecting if a program is running in a sandbox is to look for potential connected printers or identify the default Windows printers, Adobe, or OneNote. This is because sandboxes typically do not have access to printers, and detecting the absence of printers can help identify whether the program is being run in a sandbox environment.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/bz98/sandbox-detection-leak-abuse-test-hacktivity-2015",
"creation_date": "2019-03-11T08:18:47Z",
"tags": "sandbox, program, printers, connected, default, Windows, Adobe, OneNote, access, environment, detection",
"modification_date": "2023-10-04T10:42:15.569000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 36,
"key": "detecting-usb-drive",
"unprotect_id": "U1310, B0009.016",
"name": "Detecting USB Drive",
"description": "To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:18:05Z",
"tags": "sandbox, program, USB drives,",
"modification_date": "2023-10-04T10:42:11.257000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 35,
"key": "detecting-hostname-username",
"unprotect_id": "U1311",
"name": "Detecting Hostname, Username",
"description": "Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:17:31Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.932000Z",
"category": [
1
],
"rules": [
57
],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
