• Home
  • Search
  • Map
  • Scan
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • API
    • Unprotect API
    • API Documentation
  • Avatar Login

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

Clear

Search Result

26 item(s) found so far for this keyword.

Connected Printer Sandbox Evasion

Another technique for detecting if a program is running in a sandbox is to look for potential connected printers or identify the default Windows printers, Adobe, or OneNote. This is because sandboxes typically do not have access to printers, and detecting the absence of printers can help identify whether the program is being run in a sandbox environment.

File Splitting Antivirus/EDR Evasion

An old trick consists to split the malicious file into different parts and analyse all of them separately with and AV. The chunk where the detection is still being triggered is actually the part of the file that need to change to evade the antivirus software you are targeting.

Impossible Disassembly Anti-Disassembly

Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode …

SuspendThread Anti-Debugging

Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread function from the kernel32.dll library or the NtSuspendThread function from the NTDLL.DLL library.

The malware can enumerate the threads of a given process, or …

Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]

Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.

On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …

PESpin Packers

PESpin is a Windows executable files protector, compressor coded in Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data, and resources, thus leaving the file protected against patching or disassembling.

  • 1
  • 2
  • 3

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc

Terms And Conditions | Cookie Policy | Cookies preferences | GDPR

Contribute Now