HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 351,
"next": "https://unprotect.it/api/techniques/?format=api&page=8",
"previous": "https://unprotect.it/api/techniques/?format=api&page=6",
"results": [
{
"id": 63,
"key": "ntglobalflag",
"unprotect_id": "U0111,B0001.036",
"name": "NtGlobalFlag",
"description": "The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset `0x68`. If the value at this location is `0x70`, we know that we are running in a debugger.\r\n\r\nThe `NtGlobalFlag` field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on 64-bit Windows) is 0 by default. Attaching a debugger doesn’t change the value of NtGlobalFlag. However, if the process was created by a debugger, the following flags will be set:\r\n\r\n- `FLG_HEAP_ENABLE_TAIL_CHECK` (0x10)\r\n- `FLG_HEAP_ENABLE_FREE_CHECK` (0x20)\r\n- `FLG_HEAP_VALIDATE_PARAMETERS` (0x40)\r\n\r\nThe presence of a debugger can be detected by checking a combination of those flags.",
"resources": "https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-ntglobalflag",
"creation_date": "2019-03-18T13:35:07Z",
"tags": "ntglobalflag",
"modification_date": "2023-10-04T10:44:18.871000Z",
"category": [
3
],
"rules": [
4,
25
],
"attachments": [],
"featured_api": [
24,
355,
419,
425
],
"contributors": []
},
{
"id": 62,
"key": "heap-flag",
"unprotect_id": "U0112,B0001.021",
"name": "Heap Flag",
"description": "`ProcessHeap` is located at `0x18` in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are `Flags` and `ForceFlags`.\r\n\r\nThe values of `Flags and ForceFlags` are normally set to `HEAP_GROWABLE` and `0`, respectively.\r\n\r\nOn 64-bit Windows XP, and Windows Vista and higher, if a debugger is present, the Flags field is set to a combination of these flags:\r\n\r\n- `HEAP_GROWABLE (2)`\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`\r\n\r\nWhen a debugger is present, the ForceFlags field is set to a combination of these flags:\r\n\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-heap-flags",
"creation_date": "2019-03-18T13:34:32Z",
"tags": "heapflag",
"modification_date": "2023-10-04T10:42:51.159000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
258
],
"contributors": []
},
{
"id": 61,
"key": "isdebugged-flag",
"unprotect_id": "U0113,B0001.019",
"name": "IsDebugged Flag",
"description": "While a process is running, the location of the PEB can be referenced by the location `fs:[30h]`. For anti-debugging, malware will use that location to check the `BeingDebugged` flag, which indicates whether the specified process is being debugged.",
"resources": "",
"creation_date": "2019-03-18T13:33:59Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:39:04.249000Z",
"category": [
3
],
"rules": [
26
],
"attachments": [],
"featured_api": [
6,
23,
24,
357,
376,
425
],
"contributors": []
},
{
"id": 60,
"key": "closehandle-ntclose",
"unprotect_id": "U0114, B0001.003",
"name": "CloseHandle, NtClose",
"description": "When a process is debugged, calling `NtClose` or `CloseHandle` with an invalid handle will generate a `STATUS_INVALID_HANDLE` exception.\r\n\r\nThe exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.",
"resources": "https://www.symantec.com/connect/articles/windows-anti-debug-reference\nhttps://anti-debug.checkpoint.com/techniques/object-handles.html#closehandle",
"creation_date": "2019-03-18T13:32:34Z",
"tags": "closehandle,ntclose",
"modification_date": "2023-10-04T10:43:46.973000Z",
"category": [
3
],
"rules": [
45,
73
],
"attachments": [],
"featured_api": [
23
],
"contributors": []
},
{
"id": 59,
"key": "csrgetprocessid",
"unprotect_id": "U0115",
"name": "CsrGetProcessID",
"description": "This function is undocumented within `OpenProcess`. It can be used to get the PID of CRSS.exe, which is a `SYSTEM` process. By default, a process has the `SeDebugPrivilege` privilege in their access token disabled. \r\n\r\nHowever, when the process is loaded by a debugger such as OllyDbg or WinDbg, the `SeDebugPrivilege` privilege is enabled. If a process is able to open CRSS.exe process, it means that the process `SeDebugPrivilege` enabled in the access token, and thus, suggesting that the process is being debugged.\r\n\r\nIf we call `OpenProcess` and pass the ID returned by `CsrGetProcessId`, no error will occur if the `SeDebugPrivilege` has been set with `SetPrivilege` / `AdjustTokenPrivileges`.",
"resources": "https://www.gironsec.com/blog/2013/12/other-antidebug-tricks/",
"creation_date": "2019-03-18T13:31:58Z",
"tags": "CsrGetProcessID",
"modification_date": "2023-10-04T10:43:42.118000Z",
"category": [
3
],
"rules": [
74
],
"attachments": [],
"featured_api": [
24,
425
],
"contributors": []
},
{
"id": 58,
"key": "eventpairhandles",
"unprotect_id": "U0116",
"name": "EventPairHandles",
"description": "An `EventPair` Object is an event constructed by two `_KEVENT` structures which are conventionally named High and Low. \r\n\r\nThere is a relation between generic Event Objects and Debuggers because they must create a custom event called `DebugEvent` able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a normal process differs from a debugged process.",
"resources": "https://www.evilfingers.com/publications/research_EN/EventPairsHandle.pdf",
"creation_date": "2019-03-18T13:31:13Z",
"tags": "EventPairHandles",
"modification_date": "2023-10-04T10:43:38.435000Z",
"category": [
3
],
"rules": [
75
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 57,
"key": "outputdebugstring",
"unprotect_id": "U0117,B0001.016",
"name": "OutputDebugString",
"description": "This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.\r\n\r\nIt is possible to use [OutputDebugString](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-outputdebugstringw) in addition of [GetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror) / [SetLastError](https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setlasterror) to detect debugger presence.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa363362(v=vs.85).aspx",
"creation_date": "2019-03-18T13:29:14Z",
"tags": "outputdebugstring",
"modification_date": "2023-10-04T10:42:48.424000Z",
"category": [
3
],
"rules": [
14,
76
],
"attachments": [],
"featured_api": [
381,
383
],
"contributors": []
},
{
"id": 56,
"key": "ntqueryobject",
"unprotect_id": "U0118,B0001.013",
"name": "NtQueryObject",
"description": "This function retrieves object information. By calling this function with the class `ObjectTypeInformation` will retrieve the specific object type (debug) to detect the debugger.",
"resources": "https://msdn.microsoft.com/en-us/library/bb432383(v=vs.85).aspx\nhttps://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide?fbclid=IwAR0fpYHnQX6C3YyBx3pnZ1m3bOYawc-kUIhZn65T5Bf7pQR26fUuVNYPs_Q#NtQueryObject",
"creation_date": "2019-03-18T13:28:29Z",
"tags": "NtQueryObject",
"modification_date": "2023-10-04T10:42:54.288000Z",
"category": [
3
],
"rules": [
77
],
"attachments": [],
"featured_api": [
3,
363,
372,
376,
425
],
"contributors": []
},
{
"id": 55,
"key": "ntsetinformationthread",
"unprotect_id": "U0119, B0001.014",
"name": "NtSetInformationThread",
"description": "[NtSetInformationThread](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationthread) can be used to hide threads from debuggers using the `ThreadHideFromDebugger` `ThreadInfoClass` (`0x11` / `17`). This is intended to be used by an external process, but any thread can use it on itself.\r\n\r\nAfter the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread can perform anti-debugging checks such as code checksum, debug flags verification, etc.",
"resources": "https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-zwsetinformationthread\nhttps://ntquery.wordpress.com/2014/03/29/anti-debug-ntsetinformationthread/",
"creation_date": "2019-03-18T13:27:48Z",
"tags": "NtSetInformationThread",
"modification_date": "2023-10-04T10:43:43.449000Z",
"category": [
3
],
"rules": [
78
],
"attachments": [],
"featured_api": [
2,
22,
360,
376,
381,
383,
425,
449,
452
],
"contributors": []
},
{
"id": 54,
"key": "ntqueryinformationprocess",
"unprotect_id": "U0120,B0001.012",
"name": "NtQueryInformationProcess",
"description": "This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the `ProcessDebugPort (0x7)` information class.\r\n\r\nA nonzero value returned by the call indicates that the process is being debugged.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:26:52Z",
"tags": "NtQueryInformationProcess",
"modification_date": "2023-10-04T10:43:39.185000Z",
"category": [
3
],
"rules": [
79,
86
],
"attachments": [],
"featured_api": [
383,
419
],
"contributors": []
},
{
"id": 53,
"key": "checkremotedebuggerpresent",
"unprotect_id": "U0121, B0001.002",
"name": "CheckRemoteDebuggerPresent",
"description": "CheckRemoteDebuggerPresent is a kernel32.dll function that sets (-1)0xffffffff in the DebuggerPresent parameter if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as a ProcessInformationClass parameter.",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx",
"creation_date": "2019-03-18T13:25:12Z",
"tags": "",
"modification_date": "2023-10-04T10:42:13.178000Z",
"category": [
3
],
"rules": [
7
],
"attachments": [],
"featured_api": [
364,
419
],
"contributors": []
},
{
"id": 52,
"key": "isdebuggerpresent",
"unprotect_id": "U0122, B0001.008",
"name": "IsDebuggerPresent",
"description": "This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.\r\n\r\nIf you want to understand the underlying process of [IsDebuggerPresent](https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent) API you can check the code snippet section for the following method: [IsDebugged Flag](https://search.unprotect.it/map/anti-debugging/isdebugged-flag/).",
"resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx",
"creation_date": "2019-03-18T13:24:02Z",
"tags": "isdebuggerpresent",
"modification_date": "2023-10-04T10:43:44.328000Z",
"category": [
3
],
"rules": [
67
],
"attachments": [],
"featured_api": [
360
],
"contributors": []
},
{
"id": 49,
"key": "fake-signature",
"unprotect_id": "U0506",
"name": "Fake Signature",
"description": "Every exe file contain metadata that allow users to trust the third party that distribute the program. Malware are able to usurp the metadata in order to fool the user but also the security tools.",
"resources": "",
"creation_date": "2019-03-18T13:22:18Z",
"tags": "",
"modification_date": "2023-10-04T10:37:56.097000Z",
"category": [
2
],
"rules": [
89
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 48,
"key": "adding-antivirus-exception",
"unprotect_id": "U0507",
"name": "Adding antivirus exception",
"description": "Another way for a malware is to add an exception into the antivirus.",
"resources": "https://www.darknet.org.uk/2016/12/malware-writers-using-exclusion-lists-to-linger/",
"creation_date": "2019-03-18T13:21:38Z",
"tags": "",
"modification_date": "2023-10-04T10:42:18.396000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 47,
"key": "disabling-antivirus",
"unprotect_id": "U0508,F0004",
"name": "Disabling Antivirus",
"description": "Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..",
"resources": "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/",
"creation_date": "2019-03-18T13:21:04Z",
"tags": "computer system, network, device, antivirus, evade detection, malicious programs",
"modification_date": "2023-10-04T10:42:10.499000Z",
"category": [
2
],
"rules": [
47
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 46,
"key": "file-splitting",
"unprotect_id": "U0509",
"name": "File Splitting",
"description": "An old trick consists to split the malicious file into different parts and analyse all of them separately with and AV. The chunk where the detection is still being triggered is actually the part of the file that need to change to evade the antivirus software you are targeting.",
"resources": "https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf",
"creation_date": "2019-03-18T13:20:17Z",
"tags": "",
"modification_date": "2023-10-04T10:42:10.991000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 45,
"key": "bypassing-static-heuristic",
"unprotect_id": "U0510",
"name": "Bypassing Static Heuristic",
"description": "Dynamic heuristic engines are implemented in the form of hooks (in user-land or kernel-land) or based on emulation. User-land hooks (HIPS) can be easily bypass by malware by patching back the entry point of the hooked function. For kernel-land hook, malware has to run in kernel space by installing a driver or abusing a kernel-level vulnerability.",
"resources": "",
"creation_date": "2019-03-18T13:19:25Z",
"tags": "",
"modification_date": "2023-10-04T10:37:47.211000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 44,
"key": "file-format-confusion",
"unprotect_id": "U0511",
"name": "File Format Confusion",
"description": "By looking the structure of the PE and the content of the file, the engine is able to detect if the file is malicious or not. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious.\r\n\r\nConfusing file format is another trick that can be used to bypass an AV detection specific to a file format.",
"resources": "https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf\nhttps://code.google.com/archive/p/corkami/wikis/mix.wiki",
"creation_date": "2019-03-18T13:18:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.659000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 42,
"key": "big-file",
"unprotect_id": "U0512",
"name": "Big File",
"description": "Because of the imposed file size limit, you can trick the scanner into skipping a file by changing the file’s size to make it larger than the hard-coded size limit. This file size limit applies especially with heuristic engines based on static data (data extracted from the portable executable, or PE, header). This is an old trick still apply in the wild.",
"resources": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
"creation_date": "2019-03-18T13:17:09Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.210000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 41,
"key": "fingerprinting-emulator",
"unprotect_id": "U0513",
"name": "Fingerprinting Emulator",
"description": "Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.",
"resources": "https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf",
"creation_date": "2019-03-18T13:16:15Z",
"tags": "",
"modification_date": "2023-10-04T10:43:06.521000Z",
"category": [
2
],
"rules": [
58
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 40,
"key": "pe-format-manipulation",
"unprotect_id": "U0514",
"name": "PE Format Manipulation",
"description": "Evading signature can also be performed by modifying the PE structure (changing section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, Major/Minor OperatingSystemVersion and ImageVersion/MinorImageVersion, AddressOfEntryPoint, Maximum number of sections, File length.",
"resources": "https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/",
"creation_date": "2019-03-18T13:14:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.566000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 39,
"key": "evading-specific-signature",
"unprotect_id": "U0515",
"name": "Evading Specific Signature",
"description": "Some signatures are specifically designed to catch an exploit or a specific behaviour. By reversing the signature, it is possible to modify the malware to evade the signature. For example, by changing the size of the payload matching, or by changing the file's header.",
"resources": "https://www.digital.security/en/blog/bypassing-antivirus-detection-pdf-exploit",
"creation_date": "2019-03-18T13:08:26Z",
"tags": "",
"modification_date": "2023-10-04T10:42:11.469000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 38,
"key": "evading-hash-signature",
"unprotect_id": "U0516",
"name": "Evading Hash Signature",
"description": "AV are able to detect if it's a known malware by calculating the file hash, by changing a simple bit into the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.",
"resources": "https://resources.infosecinstitute.com/antivirus-evasion-tools/",
"creation_date": "2019-03-17T18:07:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:12.256000Z",
"category": [
2
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 37,
"key": "connected-printer",
"unprotect_id": "U1309, B0009.017",
"name": "Connected Printer",
"description": "Another technique for detecting if a program is running in a sandbox is to look for potential connected printers or identify the default Windows printers, Adobe, or OneNote. This is because sandboxes typically do not have access to printers, and detecting the absence of printers can help identify whether the program is being run in a sandbox environment.",
"resources": "https://www.slideshare.net/bz98/sandbox-detection-leak-abuse-test-hacktivity-2015",
"creation_date": "2019-03-11T08:18:47Z",
"tags": "sandbox, program, printers, connected, default, Windows, Adobe, OneNote, access, environment, detection",
"modification_date": "2023-10-04T10:42:15.569000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
40
],
"contributors": []
},
{
"id": 36,
"key": "detecting-usb-drive",
"unprotect_id": "U1310, B0009.016",
"name": "Detecting USB Drive",
"description": "To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:18:05Z",
"tags": "sandbox, program, USB drives,",
"modification_date": "2023-10-04T10:42:11.257000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
594,
595
],
"contributors": []
},
{
"id": 35,
"key": "detecting-hostname-username",
"unprotect_id": "U1311",
"name": "Detecting Hostname, Username",
"description": "Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.",
"resources": "https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf",
"creation_date": "2019-03-11T08:17:31Z",
"tags": "",
"modification_date": "2023-10-04T10:42:08.932000Z",
"category": [
1
],
"rules": [
57
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 34,
"key": "checking-hard-drive-size",
"unprotect_id": "U1312, B0009.015",
"name": "Checking Hard Drive Size",
"description": "Many user machines have hard drives that are larger than 80GB. A malware program can detect whether it is running in a virtual environment by checking the size of the hard drive. If the size is less than 80GB, it is likely that the program is running in a sandbox or virtual environment.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:57Z",
"tags": "user machines, hard drives, size, 80GB, malware, virtual environment, sandbox",
"modification_date": "2023-10-04T10:42:21.219000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
596
],
"contributors": []
},
{
"id": 33,
"key": "checking-memory-size",
"unprotect_id": "U1313, B0009.014",
"name": "Checking Memory Size",
"description": "Most modern user machines have at least 4GB of memory. Malware programs can detect whether they are running in a sandbox environment by checking the available memory size. If the available memory size is less than 4GB, it is likely that the program is running in a sandbox.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:13Z",
"tags": "memory, malware, sandbox, available memory size.",
"modification_date": "2023-10-04T10:42:09.947000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
597
],
"contributors": []
},
{
"id": 32,
"key": "checking-installed-software",
"unprotect_id": "U1314",
"name": "Checking Installed Software",
"description": "By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox. \r\n\r\nThis inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis but are less common in regular user environments.",
"resources": "https://www.theguardian.com/technology/blog/2011/nov/08/sandboxing-malware-failure\r\nhttps://evasions.checkpoint.com/techniques/human-like-behavior.html",
"creation_date": "2019-03-11T08:15:36Z",
"tags": "installed software, sandbox",
"modification_date": "2024-01-16T04:21:02.068000Z",
"category": [
1
],
"rules": [
153
],
"attachments": [],
"featured_api": [
315,
321,
328,
331
],
"contributors": [
33
]
},
{
"id": 31,
"key": "checking-screen-resolution",
"unprotect_id": "U1315,B0007.006",
"name": "Checking Screen Resolution",
"description": "Sandbox environments typically do not function as standard user workspaces; as a result, they often maintain a minimum screen resolution of 800x600 or even lower. In practice, users seldom work with such limited screen dimensions. Malware may leverage this information, detecting the screen resolution to ascertain whether it is operating on a genuine user machine or within a sandbox environment.",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:14:42Z",
"tags": "sandbox environments, standard user workspaces, screen resolution, 800x600, malware detection, user machine",
"modification_date": "2023-10-04T10:44:00.339000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
25,
183,
224,
290,
291
],
"contributors": []
},
{
"id": 30,
"key": "checking-recent-office-files",
"unprotect_id": "U1316,B0007.003",
"name": "Checking Recent Office Files",
"description": "Another way to detect if the malware is running in a real user machine is to check if some recent Office files was opened.",
"resources": "https://www.zscaler.com/blogs/research/malicious-documents-leveraging-new-anti-vm-anti-sandbox-techniques",
"creation_date": "2019-03-11T08:14:05Z",
"tags": "",
"modification_date": "2023-10-04T10:42:09.710000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 29,
"key": "checking-mouse-activity",
"unprotect_id": "U1317,B0007.003",
"name": "Checking Mouse Activity",
"description": "Some Sandbox doesn't have the mouse moving or a fun wallpaper, malware can detect if there is any activities into the sandbox.",
"resources": "",
"creation_date": "2019-03-11T08:13:32Z",
"tags": "",
"modification_date": "2023-10-04T10:37:44.543000Z",
"category": [
1
],
"rules": [
22
],
"attachments": [],
"featured_api": [
25,
94,
185,
192
],
"contributors": []
},
{
"id": 28,
"key": "stalling-code",
"unprotect_id": "U1318,B0003.003",
"name": "Stalling Code",
"description": "This technique is used for delaying execution of the real malicious code. Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.",
"resources": "https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797",
"creation_date": "2019-03-11T08:12:32Z",
"tags": "",
"modification_date": "2023-10-04T10:42:14.290000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 26,
"key": "onset-delay",
"unprotect_id": "U1320",
"name": "Onset Delay",
"description": "Malware will delay execution to avoid analysis by the sample. For example, a Ping can be perform during a time defined. Unlike extended sleep that will use the Sleep function, onset delay will use another way to delay execution.\r\n\r\nThe purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis systems give up on a sample, incorrectly assuming that the program is non-functional, or does not execute any action of interest.",
"resources": "http://www.syssec-project.eu/m/page-media/3/hasten-ccs11.pdf\nhttps://blog.sonicwall.com/2018/02/6-ways-malware-evades-detection/",
"creation_date": "2019-03-11T08:11:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:38.381000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 25,
"key": "vpcext",
"unprotect_id": "U1321,B0009.038",
"name": "VPCEXT",
"description": "The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/\nhttps://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html\nhttps://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual",
"creation_date": "2019-03-11T08:10:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:40.076000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 24,
"key": "vmcpuid",
"unprotect_id": "U1322,B0009.037",
"name": "VMCPUID",
"description": "The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.\r\n\r\nThis instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine. \r\n\r\nBy using VMCPUID, malware can adapt its behavior based on the context in which it is running, thus adding an additional layer of complexity to its detection and mitigation. Essentially, it serves as a telltale indicator, aiding malware in identifying virtualization-based security measures or sandboxing environments",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
"creation_date": "2019-03-11T08:09:24Z",
"tags": "VMCPUID, instruction, malware, detection, virtual environment, x86 architecture",
"modification_date": "2023-10-04T10:42:06.356000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 22,
"key": "in",
"unprotect_id": "U1323,B0009.035",
"name": "IN",
"description": "The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception. \r\n\r\nHowever, some virtual machine monitors, such as VMWare, use a special port called the VX port as an interface between the virtual machine monitor (VMM) and the virtual machine. If a malware executes the IN instruction in user mode on a VMWare virtual machine, it will not generate an exception, since the VX port allows the instruction to be executed without triggering an exception. This behavior can be used by the malware to detect the presence of a VMWare virtual machine.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:07:40Z",
"tags": "Machine code instruction,\r\nInput port,\r\nVirtual machine monitor (VMM),\r\nVirtual machine,\r\nVMWare,\r\nVX port,",
"modification_date": "2023-10-04T10:42:31.362000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 21,
"key": "cpuid",
"unprotect_id": "U1324,B0009.034",
"name": "CPUID",
"description": "The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.\r\n\r\nYou can use the CPUID instruction to retrieve various pieces of information about the CPU, such as the brand of the CPU, the operating system, or the presence of a hypervisor. This is done by specifying the \"leaf\" information you want to retrieve (such as 0 for the brand of the CPU) in the EAX register, and then executing the instruction. The result will be returned in the EBX, EDX, and ECX registers as a string.\r\n\r\nFor example, when you request leaf information 0, you may see the brand of the CPU or the virtualization technology in use. Some common strings that you may see include \"KVMKVMKVM\" for KVM, \"Microsoft Hv\" for Hyper-V, \"VMwareVMware\" for VMware, and \"GenuineIntel\" for an Intel CPU.\r\n\r\nThe information returned by the CPUID instruction can vary depending on the platform and the specific CPU model.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm\nhttps://github.com/a0rtega/pafish",
"creation_date": "2019-03-11T08:06:29Z",
"tags": "CPUID, instruction, CPU level, bytecode 0FA2, running CPU, Pentium, brand of the CPU, Hypervisor, leaf information, EAX register, EBX, EDX, ECX, virtualisation, plateforms, KVM, Microsoft Hv, Hyper V, VMware, GenuineIntel",
"modification_date": "2023-10-04T10:43:32.768000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
339
],
"contributors": []
},
{
"id": 20,
"key": "str",
"unprotect_id": "U1325,B0009.033",
"name": "STR",
"description": "Stores the segment selector from the Task Register (TR).",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:01.226000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 19,
"key": "smsw",
"unprotect_id": "U1326,B0009.032",
"name": "SMSW",
"description": "Stores the machine status word into the destination operand.",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:02Z",
"tags": "",
"modification_date": "2023-10-04T10:42:02.944000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 18,
"key": "sldt-no-pill",
"unprotect_id": "U1327,B0009.031",
"name": "SLDT, No Pill",
"description": "The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas on a virtual machine, the location of the LDT will be non-zero. \r\n\r\nBy checking the location of the LDT, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly. For example, the malware may choose to remain dormant on a virtual machine in order to avoid detection.",
"resources": "https://blog.talosintelligence.com/2009/10/how-does-malware-know-difference.html",
"creation_date": "2019-03-11T08:04:03Z",
"tags": "Physical machine,\r\nVirtual machine,\r\nLocal Descriptor Table (LDT),\r\nProcessor,\r\nOperating system,",
"modification_date": "2023-10-04T10:44:37.533000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 17,
"key": "sidt-red-pill",
"unprotect_id": "U1328,B0009.030",
"name": "SIDT, Red Pill",
"description": "Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location. \r\n\r\nOn a physical machine, the IDTR will contain the address of the Interrupt Descriptor Table (IDT), which is a data structure used by the operating system to manage interrupts. However, on a virtual machine, the IDTR will contain the address of the IDT for the virtual machine, which is different from the IDT for the host machine. \r\n\r\nBy comparing the IDTR on a physical and a virtual machine, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly.",
"resources": "https://litigationconferences.com/wp-content/uploads/2017/05/Introduction-to-Evasive-Techniques-v1.0.pdf",
"creation_date": "2019-03-11T08:03:01Z",
"tags": "Anti-VM technique,\r\nSIDT instruction,\r\nIDTR register,\r\nIDT,\r\nInterrupts,\r\nVirtual machine,\r\nInterrupt Descriptor Table (IDT),",
"modification_date": "2023-10-04T10:44:01.802000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 15,
"key": "checking-pipe",
"unprotect_id": "U1329",
"name": "Checking Pipe",
"description": "Cuckoo is a malware analysis system that uses a named pipe, called \\\\.\\pipe\\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running). \r\n\r\nA malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \\\\.\\pipe\\cuckoo named pipe. If the named pipe exists, it indicates that the malware is running on a virtual machine being monitored by Cuckoo. This information can be used by the malware to adjust its behavior in order to evade detection or to avoid performing certain actions.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:01:31Z",
"tags": "Sandbox,\r\nCuckoo,\r\nHost system,\r\nGuest system,\r\nCommunication,\r\nNamed pipe,\r\nVirtual environment,",
"modification_date": "2023-10-04T10:42:28.443000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 14,
"key": "detecting-hooked-function",
"unprotect_id": "U1330",
"name": "Detecting Hooked Function",
"description": "To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:00:27Z",
"tags": "",
"modification_date": "2023-10-04T10:42:07.527000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 13,
"key": "checking-specific-folder-name",
"unprotect_id": "U1331",
"name": "Checking Specific Folder Name",
"description": "Specific directories, such as \"C:\\Cuckoo\", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it identifies such markers, thus skirting the sandbox and avoiding detection.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:59:28Z",
"tags": "Special path, Cuckoo, Guest system, Malware, Sandbox evasion",
"modification_date": "2023-10-04T10:42:06.572000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
23,
381
],
"contributors": []
},
{
"id": 12,
"key": "detecting-virtual-environment-artefacts",
"unprotect_id": "U1332",
"name": "Detecting Virtual Environment Artefacts",
"description": "Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key `HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0` with the value of `Identifier` and the data of `QEMU` or `HARDWARE\\\\Description\\\\System` with a value of `SystemBiosVersion` and data of `QEMU`.\r\n\r\nThe VirtualBox Guest addition leaves many artifacts in the registry. A search for `VBOX` in the registry might find some keys.\r\n\r\nThe VMware installation directory `C:\\\\Program Files\\\\VMware\\\\VMware Tools` may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.\r\n\r\nVMware leaves many artefacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:58:47Z",
"tags": "",
"modification_date": "2023-10-04T10:43:32.985000Z",
"category": [
1
],
"rules": [
17,
19,
32,
53
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 11,
"key": "detecting-virtual-environment-files",
"unprotect_id": "U1333",
"name": "Detecting Virtual Environment Files",
"description": "Some files are created by Virtualbox and VMware on the system. \r\n\r\nMalware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.\r\n\r\nMalware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.\r\n\r\n### Some Files Example\r\nBelow is a list of files that can be detected on virtual machines:\r\n\r\n- \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\"",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:58:16Z",
"tags": "",
"modification_date": "2023-10-04T10:44:52.297000Z",
"category": [
1
],
"rules": [
31,
41
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 10,
"key": "detecting-virtual-environment-process",
"unprotect_id": "U1334,B0009.004",
"name": "Detecting Virtual Environment Process",
"description": "Process related to Virtualbox can be detected by malware by query the process list.\r\n\r\nThe VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:57:29Z",
"tags": "",
"modification_date": "2023-10-04T10:43:08.365000Z",
"category": [
1
],
"rules": [
17
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 8,
"key": "detecting-mac-address",
"unprotect_id": "U1335,B0009.028",
"name": "Detecting Mac Address",
"description": "Virtualbox and VMware use specific virtual Mac address that can be detected by Malware.\r\n\r\n* The usual mac address used by Virtualbox starts with the following number: 08:00:27.\r\n* The usual mac address used by VMware starts with the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.\r\n\r\nMalware can use this simple trick to detect if it is running in a virtual environment and decide to not run properly.",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-11T07:56:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:05.695000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 7,
"key": "querying-the-io-communication-port",
"unprotect_id": "U1336,B0009.025",
"name": "Querying the I/O Communication Port",
"description": "VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.",
"resources": "https://www.aldeid.com/wiki/VMXh-Magic-Value",
"creation_date": "2019-03-11T07:55:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:03.259000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
