Unprotect Navbar Version Logo
  • Home
  • Techniques
  • Scan
  • Resources
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • Avatar Login

Search For Content

Clear

Search Result

35 item(s) found so far for this keyword.

Evasion using direct Syscalls
Antivirus/EDR Evasion icon
Antivirus/EDR Evasion

In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as VirtualAlloc, VirtualProtect, and CreateThread. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves …

Read more

FuncIn
Antivirus/EDR Evasion icon
Antivirus/EDR Evasion
Anti-Debugging icon
Anti-Debugging
Anti-Disassembly icon
Anti-Disassembly
Anti-Forensic icon
Anti-Forensic

FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.

This approach addresses three primary issues in malware development. Firstly, it mitigates …

Read more

XProtect Encryption Abuse
Data Obfuscation icon
Data Obfuscation

Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details.

This technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, this encryption is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.

The encryption process involves …

Read more

Manipulating Debug Logs
Anti-Forensic icon
Anti-Forensic

Using the sed -i command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.

…

Read more

Indirect Memory Writing
Antivirus/EDR Evasion icon
Antivirus/EDR Evasion
Data Obfuscation icon
Data Obfuscation

In local memory movement scenarios, for example, when a loader places a payload into memory for execution, antimalware can detect malicious activity at the moment the payload bytes are written into the newly allocated executable memory region. Attackers may try to evade such detection by avoiding direct writes to new memory region and instead relying on other, legitimate Windows APIs …

Read more
  • 1
  • 2
  • 3
  • 4

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc

Terms And Conditions | GDPR

Contribute Now