Unprotect Banner

How to Contribute

Introduction

Unprotect is a collaborative platform dedicated to uncovering and documenting malware evasion techniques. As these techniques constantly evolve, maintaining an exhaustive list is nearly impossible—at least, not without your valuable contributions.

We invite you to join us in this exciting journey and add your expertise to our collective efforts. By contributing, you’ll help strengthen the project and push the boundaries of what we can achieve together.

To get started, please take a moment to read through this guide. It explains how to contribute effectively and ensures your input aligns with our goals.

Thank you for your interest, and we look forward to welcoming you as a contributor to the Unprotect project. Let’s build something great together!

How To

To ensure convenience and better tracking of contributions, we have opted to use a dedicated GitHub repository. Simply fork the repository, make your contribution(s), and submit a pull request. Our team will review your submission and merge it if it aligns with the project's goals and standards. Before submitting your pull request, please carefully review the contribution rules and guidelines.

Contribution Rules

  • Avoid Duplication: Before proposing a new evasion technique, ensure it is not already covered by an existing technique. Double-check the repository / web platform for any similar submissions.
  • Include External Resources: If your evasion technique relies on external resources and research (e.g., podcast, video, blog or papers), make sure to include them in the submission template.
  • Credit Original Authors
    • Respect the paternity of code snippets and detection rules. Always credit the original author(s).
    • By default, we will credit you as the author of the evasion technique. Therefore, exercise caution when submitting code snippets or rules derived from external sources.
    • If the code snippet originates from a private source, ensure you have obtained proper authorization before submission. Attribution to the original author remains mandatory.
  • Prohibited Actions
    • Copying and pasting code from external sources without appropriate credit is strictly forbidden.
    • Submitting code or techniques without proper credit or authorization may result in a ban from our contributor program.
  • Reporting Misattribution
    • If you find a code snippet or rule that belongs to you but was submitted without your permission or proper credit, notify us immediately.
    • We will investigate and either attribute the snippet to you or remove it from the repository.
  • Adding Related Rules
    • It is highly encouraged to include related YARA, CAPA, or Sigma rules with your proposed technique.
    • If you authored the rule, add your name to the metadata. If the rule was created by someone else, maintain the original authorship.
  • Code and Rule Validation
    • All code snippets and detection rules must be tested and verified as functional before submission.
    • If a code snippet relies on external libraries, tools, or resources, include this information in the code snippet's description to ensure proper evaluation and reproducibility.
  • Modifying Existing Techniques or Rules
    • To modify an existing technique, code snippet, or rule, locate it in the GitHub repository. Update the relevant files and submit a pull request with your proposed changes.
    • If the technique or rule is not currently in the repository, you may create a new entry for your proposal.
  • Submission Templates: Use the provided templates for all submissions. Adhering to the templates helps streamline the review and merge process.

Templates

Propose New Technique

Before submitting a new evasion technique, use the search box below to check if it is already covered or partially documented in our database. This ensures that duplicate or redundant entries are avoided and maintains the integrity of our collection:

Existing Categories
Sandbox Evasion icon
Sandbox Evasion
Antivirus/EDR Evasion icon
Antivirus/EDR Evasion
Anti-Debugging icon
Anti-Debugging
Process Manipulating icon
Process Manipulating
Anti-Disassembly icon
Anti-Disassembly
Anti-Monitoring icon
Anti-Monitoring
Data Obfuscation icon
Data Obfuscation
Anti-Forensic icon
Anti-Forensic
Network Evasion icon
Network Evasion
Defense Evasion [Mitre] icon
Defense Evasion [Mitre]
Packers icon
Packers
Others icon
Others
 
# Technique Name: **Required**

## Author Information

- Nickname: ** Required **
- First Name: Optional
- Last Name: Optional
- Email: Optional
- Website: Optional
- GitHub: Optional
- Twitter: Optional
- LinkedIn: Optional

## Technique Information

- Technique Category: List(Comma separated value) ** Required **
- Technique Tags: List(Comma separated value) Optional
- Technique General Detail: ** Required **

```
> Provide a general overview of the evasion technique here. If the technique applies to multiple platforms, keep this
> section generic. For platform-specific details, use the optional sections below.

~Markdown Supported~
```

* Technique Platform Specific Detail: Optional

@Windows:
```
> Provide detailed information about the evasion technique specifically for Microsoft Windows.

~Markdown Supported~
```

@Linux:
```
> Provide detailed information about the evasion technique specifically for Linux.

~Markdown Supported~
```

@macOS:
```
> Provide detailed information about the evasion technique specifically for macOS.

~Markdown Supported~
```

## Additional Resources: Optional

> Include external links that provide additional information about the evasion technique.
> These links can enhance understanding, offer practical examples, or point to resources referenced when describing the
> technique in detail. Ensure the links are credible and directly relevant to the topic.

- [Resource 1](URL)
- [Resource 2](URL)
- ...
- [Resource n](URL)

Propose New Code Snippet

case 1: If you are submitting a new evasion technique, you can skip using the code snippet proposal template. Instead, attach the code snippet(s) as file(s) directly to new technique folder (with correct file extension).

case 2: If the code snippet relates to another existing evasion technique and the technique is already present in the contribution GitHub repository, add the code snippet to the corresponding existing folder.

case 3: If the technique exists in the website but not in the repository, create a new folder with technique name and attach the code snippet(s) as file(s) directly to the new technique folder (with correct file extension). Use the template below to identify it: 

# Code Snippet Information

- Programming Language: **Required**
- Existing Technique Name: **Required**
- Existing Technique URL: **Required**
- Technique Description: Optional (Support for Markdown)

# Code

```

```

Propose New Detection Rule

case 1: If you are submitting a new evasion technique, you can skip using the detection rule proposal template. Instead, attach the detection rule(s) as file(s) directly to new technique folder (with correct file extension).

case 2: If the detection rule relates to another existing evasion technique and the technique is already present in the contribution GitHub repository, add the detection rule to the corresponding existing folder.

case 3: If the technique exists in the website but not in the repository, create a new folder with technique name and attach the detection rule(s) as file(s) directly to the new technique folder (with correct file extension). Use the template below to identify it: 

# Detection Rule Information

- Rule Type: Item[YARA, CAPA, SIGMA] **Required**
- Existing Technique Name: **Required**
- Existing Technique URL: **Required**

# Rule Plain Text

```

```
Contribute Now Pull Request Me