Search Evasion Techniques
Search Result
299 item(s) found so far for this keyword.
NixImports Packers
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …
LimeCrypter Packers
LimeCrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.
Hyper-V Signature Sandbox Evasion
Hyper-V has a signature value of "Hv#1" in eax if leaf 0x40000001 is provided to CPUID.
Odd Thread Count Sandbox Evasion
The thread count of the CPU must be an even number, which allows us to detect whether the thread count has been modified through the VM creation stage. If the thread count is not an even number, this is a sign of thread tampering (with a few exceptions which are already covered).
Cronos-Crypter Packers
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilities for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …
Al-Khaser_WriteWatch Anti-Debugging
Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.
bochs CPU oversights evasion Sandbox Evasion
bochs has multiple oversights in its CPU emulation, which allow us to detect if we're running in a bochs emulator:
bochs may have invalid CPU brands that don't exist.
- For AMD CPUs, the "p" in "processor" should be capitalized, which bochs doesn't implement.
- AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …
QEMU CPU brand evasion Sandbox Evasion
QEMU has the CPU brand value of "QEMU Virtual CPU" if the VM is not based on KVM.
WMI Event Subscriptions Sandbox Evasion
Adversaries may leverage WMI event subscriptions to evade detection by triggering malicious actions only under specific conditions that are unlikely to occur in a sandboxed environment. For instance, a threat actor might configure an event subscription to monitor file system, network, or logon activity, ensuring that their second-stage payload is only downloaded and executed when a particular event suggests real …