GET /api/techniques/?format=api&page=4
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 351,
    "next": "https://unprotect.it/api/techniques/?format=api&page=5",
    "previous": "https://unprotect.it/api/techniques/?format=api&page=3",
    "results": [
        {
            "id": 218,
            "key": "change-module-base-address-at-runtime",
            "unprotect_id": "U1239",
            "name": "Change Module Base Address at Runtime",
            "description": "It is possible to change the `DllBase` of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address. \r\n\r\nThis is achieved by accessing the process PEB's member 'Ldr', in particular it has a member `InOrderMemoryLinks` which we can iterate through to get a list of the process's modules. On each iteration we get a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member PVOID `DllBase`, that can be overwritten with the new module base address.",
            "resources": "",
            "creation_date": "2022-07-18T07:01:37.901000Z",
            "tags": "",
            "modification_date": "2022-07-18T07:01:37.901000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 217,
            "key": "change-module-name-at-runtime",
            "unprotect_id": "U1238",
            "name": "Change Module Name at Runtime",
            "description": "It is possible to change the name of the current process or any of its modules at runtime. This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member 'InOrderMemoryLinks' which we can iterate through to get a list of the process's modules. \r\n\r\nOn each iteration it gets a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member `UNICODE_STRING FullDllName`, which can be overwritten with the module name.",
            "resources": "",
            "creation_date": "2022-07-18T06:56:56.957000Z",
            "tags": "",
            "modification_date": "2022-07-18T06:56:56.957000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 216,
            "key": "flirt-signatures-evasion",
            "unprotect_id": "U0220",
            "name": "FLIRT Signatures Evasion",
            "description": "FLIRT Signature evasion is a technique used by malware to hide malicious code inside legitimate functions from known libraries. FLIRT (Fast Library Identification and Recognition Technology) is a database that contains signature patterns for identifying known functions from legitimate libraries. \r\n\r\nMalware authors can abuse these signatures by modifying or adding specific bytes to the code, so that it appears to be a legitimate function when scanned by a FLIRT database. This can trick reverse engineering tools that rely on FLIRT signatures without performing further analysis, and make it more difficult for security analysts to identify and analyze the malware. \r\n\r\nBy using this technique, malware authors can evade detection and make their code more difficult to understand and analyze.",
            "resources": "https://hex-rays.com/products/ida/tech/flirt/in_depth/\nhttps://github.com/Maktm/FLIRTDB\nhttps://www.virustotal.com/gui/file/a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
            "creation_date": "2022-07-01T07:35:35.174000Z",
            "tags": "FLIRT (Fast Library Identification and Recognition Technology),\r\nSignature evasion,\r\nCode modification,\r\nLegitimate functions,",
            "modification_date": "2023-10-04T10:43:35.037000Z",
            "category": [
                5
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                23
            ],
            "contributors": []
        },
        {
            "id": 215,
            "key": "windows-event-log-evasion-via-native-apis",
            "unprotect_id": "U0307",
            "name": "Windows Event Log Evasion via Native APIs",
            "description": "Attackers can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Using native APIs to install services instead of the standard API calls allow attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.\r\n\r\nServices are typically created through a standard Windows API call `CreateServiceA` or `CreateService`. This API is also called by the service creating Windows native tool “sc.exe” to register a service on a machine. A call to this API subsequently generates entries in the event log which corresponds to the service creation event IDs. \r\n\r\nAttackers can create services without relying on the typical API call `CreateServiceA` by directly interacting with the Windows native API calls instead. For example, the `StartService` API will a make a call to the native API `NdrClientCall2` along with registering the service start events in the event logs. \r\n\r\nBy directly calling `NdrClientCall2` to start a service that’s had the registry keys manually created, the service is started and running, and no event logs are created allowing to evade forensic analysis. This will result in a malicious service running and without any event log entry. \r\n\r\nTo take this a step further, attackers can remove the evidence in the registry and any correlating evidence loaded in the memory of “services.exe”. This leaves with no registry artefacts and no event log information to analyse.",
            "resources": "https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html",
            "creation_date": "2022-06-27T10:44:00.403000Z",
            "tags": "stuxnet,antiforensic",
            "modification_date": "2023-10-04T10:44:07.307000Z",
            "category": [
                8
            ],
            "rules": [
                83
            ],
            "attachments": [],
            "featured_api": [
                31,
                33,
                331,
                381,
                413
            ],
            "contributors": []
        },
        {
            "id": 214,
            "key": "trap-flag",
            "unprotect_id": "U0131",
            "name": "Trap Flag",
            "description": "There is a Trap Flag in the Flags register. Bit number 8 of the EFLAGS register is the trap flag. When the Trap Flag is set, a SINGLE_STEP exception is generated.",
            "resources": "",
            "creation_date": "2022-06-22T01:50:58.910000Z",
            "tags": "trapflag",
            "modification_date": "2023-10-04T10:43:27.051000Z",
            "category": [
                3
            ],
            "rules": [
                85
            ],
            "attachments": [],
            "featured_api": [
                360,
                593
            ],
            "contributors": [
                2
            ]
        },
        {
            "id": 213,
            "key": "ice-0xf1",
            "unprotect_id": "U0130",
            "name": "ICE 0xF1",
            "description": "ICEBP is an undocumented instruction that serves as a single byte interrupt 1, generating a single step exception. It can be used to detect if the program is traced.",
            "resources": "",
            "creation_date": "2022-06-22T01:46:01.067000Z",
            "tags": "0xf1,icebp",
            "modification_date": "2023-10-04T10:39:34.137000Z",
            "category": [
                3
            ],
            "rules": [
                70,
                87
            ],
            "attachments": [],
            "featured_api": [
                360
            ],
            "contributors": [
                2
            ]
        },
        {
            "id": 212,
            "key": "int-0x2d",
            "unprotect_id": "U0129, B0001.006",
            "name": "INT 0x2D",
            "description": "When the instruction `INT2D` is executed, the exception `EXCEPTION_BREAKPOINT` is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while `INT2D` is executed.",
            "resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int2d",
            "creation_date": "2022-06-22T01:41:35.414000Z",
            "tags": "int2d",
            "modification_date": "2023-10-04T10:43:47.504000Z",
            "category": [
                3
            ],
            "rules": [
                70
            ],
            "attachments": [],
            "featured_api": [
                360,
                593
            ],
            "contributors": [
                2
            ]
        },
        {
            "id": 211,
            "key": "bobsoft-mini-delphi-packer",
            "unprotect_id": "U1428",
            "name": "BobSoft Mini Delphi Packer",
            "description": "The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application \"look legit\" during dynamic analysis. \r\n\r\nThe packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. The first variant of the packer uses `GetForegroundWindow` API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep.",
            "resources": "https://www.mandiant.com/resources/increased-use-of-delphi-packer-to-evade-malware-classification",
            "creation_date": "2022-06-21T23:48:10.193000Z",
            "tags": "delphi,packer",
            "modification_date": "2023-10-04T10:44:06.182000Z",
            "category": [
                12
            ],
            "rules": [
                117
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2
            ]
        },
        {
            "id": 210,
            "key": "cryptone",
            "unprotect_id": "U1427",
            "name": "CryptOne",
            "description": "A packing software called CryptOne became popular among some major threat actors. It was first reported by Fox-IT that the group behind Wastedlocker has begun using it, as well as Netwalker, Gozi ISFB v3, ZLoader, Emotet, Dridex, and Smokeloader.",
            "resources": "https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone\nhttps://github.com/Tera0017/de-CryptOne",
            "creation_date": "2022-06-21T23:43:38.665000Z",
            "tags": "cryptone",
            "modification_date": "2023-10-04T10:43:28.384000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2
            ]
        },
        {
            "id": 209,
            "key": "cloudeyedarkeye",
            "unprotect_id": "U1426",
            "name": "CloudEye/DarkEye",
            "description": "CloudEyE, an evolved version of DarkEyE, allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts about CloudEyE prove that the objective of the program is to aid malicious activities.",
            "resources": "https://www.securitycode.eu/\nhttps://atlas-cybersecurity.com/cyber-threats/cloudeye-darkeye-evolved/",
            "creation_date": "2022-06-21T23:39:37.553000Z",
            "tags": "cloudeye,darkeye",
            "modification_date": "2023-10-04T10:43:29.096000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2
            ]
        },
        {
            "id": 208,
            "key": "nls-code-injection-through-registry",
            "unprotect_id": "U1237",
            "name": "NLS Code Injection Through Registry",
            "description": "Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.\r\n\r\nThere are two ways to accomplish this technique:\r\n1. Calling the `SetThreadLocale` function and setting up an export function named `NlsDllCodePageTranslation`, where the main payload is located.\r\n2. Using the `SetConsoleCp` or `SetConsoleOutputCP` functions to modify the code page ID. If the process is not console-based, it is possible to allocate a console using the `AllocConsole` function.",
            "resources": "https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
            "creation_date": "2022-06-20T04:57:44.171000Z",
            "tags": "Dll injection, registry modification, NLS code page ID, SetThreadLocale, NlsDllCodePageTranslation, SetConsoleCp, SetConsoleOutputCP, AllocConsole, malware, proof of concept, position-independent shellcode, remote process, stager, loading of DLL",
            "modification_date": "2023-10-04T10:42:36.449000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                1,
                3,
                4,
                6,
                12,
                23,
                313,
                321,
                322,
                329,
                356,
                381,
                401,
                411,
                445,
                450
            ],
            "contributors": [
                2
            ]
        },
        {
            "id": 207,
            "key": "dtpacker",
            "unprotect_id": "U1416",
            "name": "DTPacker",
            "description": "DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding. \r\n\r\nThe main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader.  \r\n\r\nThis packer uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. It is likely distributed on underground forums",
            "resources": "https://www.proofpoint.com/au/blog/threat-insight/dtpacker-net-packer-curious-password-1",
            "creation_date": "2022-06-20T03:02:59.757000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:15.166000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 206,
            "key": "pespin",
            "unprotect_id": "U1425",
            "name": "PESpin",
            "description": "PESpin is a Windows executable files protector, compressor coded in Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data, and resources, thus leaving the file protected against patching or disassembling.",
            "resources": "http://downloads.fyxm.net/PESpin-95477.html",
            "creation_date": "2022-06-20T02:58:01.613000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:16.896000Z",
            "category": [
                12
            ],
            "rules": [
                116
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 205,
            "key": "theark",
            "unprotect_id": "U1424",
            "name": "theArk",
            "description": "Packer tool developed in C/C++. Full implementation of the linker, dynamic decompression and spraying in memory to complete file mapping.",
            "resources": "https://github.com/aaaddress1/theArk",
            "creation_date": "2022-06-20T02:56:05.346000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:09.559000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 204,
            "key": "net-reactor",
            "unprotect_id": "U1423",
            "name": ".Net Reactor",
            "description": ".NET Reactor is used to prevent reverse engineering by adding different protection layers to .NET assemblies. Beside standard obfuscation techniques it includes special features like NecroBit, Virtualization, x86 Code Generation or Anti Tampering.",
            "resources": "https://www.eziriz.com/dotnet_reactor.htm",
            "creation_date": "2022-06-20T02:50:46.208000Z",
            "tags": "",
            "modification_date": "2024-01-10T00:08:43.726000Z",
            "category": [
                12
            ],
            "rules": [
                140,
                144,
                145
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                31
            ]
        },
        {
            "id": 203,
            "key": "net-anti-decompiler",
            "unprotect_id": "U1422",
            "name": ".Net Anti-Decompiler",
            "description": ".Net Anti-Decompiler is a protective tool for .Net assemblies. It provides an extra layer of security and compliance to .Net application from reverse engineering.",
            "resources": "https://www.techipick.com/dotnet-anti-decompiler",
            "creation_date": "2022-06-20T02:48:35.078000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:13.718000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 202,
            "key": "obsidium",
            "unprotect_id": "U1421",
            "name": "Obsidium",
            "description": "Obsidium is a software protection and licensing system that is designed to protect 32-bit and 64-bit Windows software applications and games from reverse engineering, unauthorized modifications (\"cracking\") and redistribution (\"software piracy\") while providing a licensing system.",
            "resources": "https://www.obsidium.de/home",
            "creation_date": "2022-06-20T02:47:00.242000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:15.699000Z",
            "category": [
                12
            ],
            "rules": [
                115
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 201,
            "key": "axprotector",
            "unprotect_id": "U1420",
            "name": "AxProtector",
            "description": "AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.",
            "resources": "https://www.wibu.com/us/products/protection-suite/axprotector.html",
            "creation_date": "2022-06-20T02:45:08.365000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:11.075000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 200,
            "key": "pelock",
            "unprotect_id": "U1419",
            "name": "PELock",
            "description": "PELock is a software security solution designed for the protection of any 32 bit Windows applications against cracking, tampering and reverse engineering analysis.",
            "resources": "https://www.pelock.com/products/pelock",
            "creation_date": "2022-06-20T02:41:58.804000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:11.843000Z",
            "category": [
                12
            ],
            "rules": [
                114
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 199,
            "key": "hxor-packer",
            "unprotect_id": "U1418",
            "name": "hXOR Packer",
            "description": "hXOR Packer is a PE (Portable Executable) packer with Huffman Compression and Xor encryption.\r\n\r\nThe unpacker will decompress and decrypt the packed PE and execute it directly from memory without needing any hard disk space to execute.",
            "resources": "https://github.com/fscene8/hXOR-Packer",
            "creation_date": "2022-06-20T02:39:51.042000Z",
            "tags": "hxor, packer",
            "modification_date": "2024-01-04T23:13:58.854000Z",
            "category": [
                12
            ],
            "rules": [
                138
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2,
                30
            ]
        },
        {
            "id": 198,
            "key": "confuserex",
            "unprotect_id": "U1417",
            "name": "ConfuserEx",
            "description": "ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. It's primarily designed to make reverse engineering difficult for applications written in .NET languages like C# and VB.NET. ConfuserEx does this by using a variety of techniques like symbol renaming, control flow obfuscation, and encryption of strings and resources.\r\n\r\n- Supports .NET Framework 2.0/3.0/3.5/4.0/4.5/4.6/4.7/4.8\r\n\r\n- Symbol renaming (Support WPF/BAML)\r\n\r\n- Protection against debuggers/profilers\r\n\r\n- Protection against memory dumping\r\n\r\n- Protection against tampering (method encryption)\r\n\r\n- Control flow obfuscation\r\n\r\n- Constant/resources encryption\r\n\r\n- Reference hiding proxies\r\n\r\n- Disable decompilers\r\n\r\n- Embedding dependency\r\n\r\n- Compressing output",
            "resources": "https://github.com/mkaring/ConfuserEx\r\nhttps://cod3nym.github.io/Detecting-Stealthy-ConfuserEx-with-Yara",
            "creation_date": "2022-06-20T02:37:37.730000Z",
            "tags": "",
            "modification_date": "2024-01-09T04:04:09.009000Z",
            "category": [
                12
            ],
            "rules": [
                101,
                137,
                142
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                2,
                31
            ]
        },
        {
            "id": 197,
            "key": "nspack",
            "unprotect_id": "U1416",
            "name": "NsPack",
            "description": "NsPack is a packer for 32bits and 64bits exe, dll, ocx, scr Windows program.",
            "resources": "https://www.sans.org/white-papers/33428/",
            "creation_date": "2022-06-19T07:46:10.909000Z",
            "tags": "NsPack",
            "modification_date": "2023-10-04T10:43:09.033000Z",
            "category": [
                12
            ],
            "rules": [
                96,
                113
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 196,
            "key": "asprotect",
            "unprotect_id": "U1415",
            "name": "AsProtect",
            "description": "ASProtect is a multifunctional EXE packing tool designed for software developers to protect 32-bit applications with in-built application copy protection system.\r\n\r\nIt includes software compression, provides protection methods and tools for software from unauthorized copying, analysis, disassemblers and debuggers.\r\n\r\nASProtect 32 also provides enhanced work with registration keys and the ability to create a single application that can change its functionality or expiration, depending on the entered particular key.",
            "resources": "http://www.aspack.com/asprotect32.html",
            "creation_date": "2022-06-19T07:43:13.379000Z",
            "tags": "asprotect",
            "modification_date": "2023-10-04T10:42:55.472000Z",
            "category": [
                12
            ],
            "rules": [
                112
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 195,
            "key": "pecompact",
            "unprotect_id": "U1414",
            "name": "PECompact",
            "description": "PECompact is a Windows executable compressor.  It has a plugin system that offers virtually customization.",
            "resources": "https://bitsum.com/portfolio/pecompact/",
            "creation_date": "2022-06-19T07:39:51.104000Z",
            "tags": "pecompact",
            "modification_date": "2023-10-04T10:42:55.129000Z",
            "category": [
                12
            ],
            "rules": [
                97
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 194,
            "key": "crinkler",
            "unprotect_id": "U1413",
            "name": "Crinkler",
            "description": "Crinkler is a compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.",
            "resources": "https://github.com/runestubbe/Crinkler",
            "creation_date": "2022-06-19T07:36:46.756000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:05.747000Z",
            "category": [
                12
            ],
            "rules": [
                111
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 193,
            "key": "petite",
            "unprotect_id": "U1412",
            "name": "PEtite",
            "description": "Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor. The compressed executables decompress themselves at run time and can be used just like the original non-compressed versions. \r\n\r\nPetite also adds virus detection to the compressed executables; they will check themselves for infection every time they are executed.",
            "resources": "https://www.un4seen.com/petite/",
            "creation_date": "2022-06-19T07:12:43.337000Z",
            "tags": "petite",
            "modification_date": "2023-10-04T10:42:56.579000Z",
            "category": [
                12
            ],
            "rules": [
                99,
                110
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 192,
            "key": "aspack",
            "unprotect_id": "U1411, F0001.013",
            "name": "AsPack",
            "description": "ASPack is an EXE packer created to compress Win32 executable files and to protect them against reverse engineering.\r\n\r\nThe solution makes Windows programs and libraries smaller up to 70% what leads to a reduction in the download time of compressed applications in local networks and the Internet because of their smaller size compared to uncompressed apps.\r\n\r\nThe ASPack exe compressor also provides protection to programs/applications from unprofessional analysis, debuggers and decompilers.",
            "resources": "http://www.aspack.com/",
            "creation_date": "2022-06-19T07:10:40.496000Z",
            "tags": "aspack",
            "modification_date": "2023-10-04T10:42:59.506000Z",
            "category": [
                12
            ],
            "rules": [
                95,
                109
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 191,
            "key": "vmprotect",
            "unprotect_id": "U1410, F0001.010",
            "name": "VMProtect",
            "description": "VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.",
            "resources": "https://vmpsoft.com/",
            "creation_date": "2022-06-19T07:07:02.355000Z",
            "tags": "vmprotect",
            "modification_date": "2023-10-04T10:43:02.773000Z",
            "category": [
                12
            ],
            "rules": [
                100,
                108
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 190,
            "key": "alienyze",
            "unprotect_id": "U1409",
            "name": "Alienyze",
            "description": "Alienyze is a software packer designed to compress executable files, allowing them to reduce the file size of their software as much as possible.\r\n\r\n\r\n- Anti-Debugger techniques that detect and fool present debuggers\r\n\r\n- Anti-VM techniques that detect sandbox & virtualized environments\r\n\r\n- Protection from disassemblers and software analysis tools\r\n\r\n- Hardware ID locking for making applications machine dependant\r\n\r\n- Integrity checks that detect code patching & tampering\r\n\r\n- Customizable compression and encryption of the applications code\r\n\r\n- Real time protection in running application\r\n\r\n- Project configuration settings Load, Save support\r\n\r\n- Multilingual user interface, language selection support",
            "resources": "https://alienyze.com/",
            "creation_date": "2022-06-19T07:05:32.278000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:42:56.211000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 189,
            "key": "fsg",
            "unprotect_id": "U1408",
            "name": "FSG",
            "description": "The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.",
            "resources": "https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG",
            "creation_date": "2022-06-19T06:59:46.574000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:05.013000Z",
            "category": [
                12
            ],
            "rules": [
                107
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 188,
            "key": "mew",
            "unprotect_id": "U1407",
            "name": "MEW",
            "description": "MEW is an EXE compression tool that was specifically designed to handle small files.",
            "resources": "https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml",
            "creation_date": "2022-06-19T06:57:10.467000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:43:04.676000Z",
            "category": [
                12
            ],
            "rules": [
                106
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 187,
            "key": "themida",
            "unprotect_id": "U1406, F0001.011",
            "name": "Themida",
            "description": "Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption... \r\n\r\n- Anti-debugger techniques that detect/fool any kind of debugger\r\n\r\n- Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers\r\n\r\n- Different encryption algorithms and keys in each protected application\r\n\r\n- Anti-API scanners techniques that avoids reconstruction of original import table\r\n\r\n- Automatic decompilation and scrambling techniques in target application\r\n\r\n- Virtual Machine emulation in specific blocks of code\r\n\r\n- Advanced Mutator engine\r\n\r\n- Anti-disassembly techniques for any static and interactive disassembler\r\n\r\n- Multiple polymorphic layers with more than 50.000 permutations\r\n\r\n- Anti-monitors techniques against file and registry monitors\r\n\r\n- Random garbage code insertion between real instructions\r\n\r\n- Advanced Threads network communication\r\n\r\n- Anti-Memory patching and CRC techniques in target application\r\n\r\n- Metamorphic engine to scramble original instructions\r\n\r\n- Advanced Entry point protection\r\n\r\n- Dynamic encryption in target application\r\n\r\n- Anti-tracing code insertion between real instructions\r\n\r\n- Advanced Anti-breakpoint manager\r\n\r\n- Real time protection in target application\r\n\r\n- Compression of target application, resources and protection code\r\n\r\n- Anti-“debugger hiders” techniques\r\n\r\n- Full mutation in protection code to avoid pattern recognition\r\n\r\n- Real-time simulation in target application\r\n\r\n- Intelligent protection code insertion inside target application\r\n\r\n- Random internal data relocation",
            "resources": "https://www.oreans.com/Themida.php",
            "creation_date": "2022-06-19T06:54:28.145000Z",
            "tags": "themida",
            "modification_date": "2023-10-04T10:44:28.014000Z",
            "category": [
                12
            ],
            "rules": [
                98,
                105
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 186,
            "key": "exestealth",
            "unprotect_id": "U1405",
            "name": "ExeStealth",
            "description": "ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.",
            "resources": "https://www.webtoolmaster.com/exestealth.htm",
            "creation_date": "2022-06-19T06:40:57.569000Z",
            "tags": "ExeStealth",
            "modification_date": "2023-10-04T10:43:03.974000Z",
            "category": [
                12
            ],
            "rules": [
                104
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 185,
            "key": "alternate-exe-packer",
            "unprotect_id": "U1404",
            "name": "Alternate EXE Packer",
            "description": "EXE Packer is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.\r\n\r\nIf a file is compressed the physical file-size is reduced on the respective device. A compressed file decompresses itself while being executed and can be used without this program. This program is freeware. It requires the .NET-framework 2.0 (already included in operation system since Windows Vista).",
            "resources": "https://www.alternate-tools.com/pages/c_exepacker.php?lang=ENG",
            "creation_date": "2022-06-19T06:38:02.569000Z",
            "tags": "packer",
            "modification_date": "2023-10-04T10:43:02.439000Z",
            "category": [
                12
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 184,
            "key": "mpress",
            "unprotect_id": "U1403",
            "name": "MPRESS",
            "description": "MPRESS is a free packer. It makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.\r\n\r\nIt uses in-place decompression technique, which allows to decompress the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS run exactly as before, with no runtime performance penalties.",
            "resources": "https://www.autohotkey.com/mpress/mpress_web.htm",
            "creation_date": "2022-06-19T06:36:36.466000Z",
            "tags": "MPRESS",
            "modification_date": "2023-10-04T10:43:03.756000Z",
            "category": [
                12
            ],
            "rules": [
                103
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 183,
            "key": "upx-ultimate-packer-for-executables",
            "unprotect_id": "U1402, F0001.008",
            "name": "UPX: Ultimate Packer for Executables",
            "description": "UPX is a tool that is used to compress and encrypt executables in order to make them smaller and more difficult to reverse engineer. UPX is free to use, portable, and can be extended with additional features. It is known for its high performance and compatibility with a wide range of executable formats. UPX is commonly used by software developers to reduce the size of their programs and to protect their intellectual property. It is also used by malware authors to make their malicious programs more difficult to detect and analyze.",
            "resources": "https://en.wikipedia.org/wiki/UPX\nhttps://upx.github.io/",
            "creation_date": "2022-06-19T06:06:02.419000Z",
            "tags": "UPX,\r\nExecutable packer,\r\nCompression,\r\nEncryption,\r\nPortability,\r\nExtendability,\r\nHigh performance,",
            "modification_date": "2023-10-04T10:43:29.826000Z",
            "category": [
                12
            ],
            "rules": [
                50,
                94,
                102
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 182,
            "key": "unloading-sysmon-driver",
            "unprotect_id": "U0407",
            "name": "Unloading Sysmon Driver",
            "description": "Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.\r\n\r\nOne way that malware can evade detection by Sysmon is by unloading the Sysmon driver. The Sysmon driver is the kernel-mode component of Sysmon that is responsible for recording the events that Sysmon monitors. By unloading this driver, the malware can prevent Sysmon from recording any further events, and thus avoid being detected.",
            "resources": "https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver",
            "creation_date": "2022-06-19T05:53:40.014000Z",
            "tags": "Sysmon,\r\nsystem activity,\r\nprocess creation,\r\nnetwork connections,\r\nregistry changes,\r\nWindows Event Log,\r\nSysmon driver,",
            "modification_date": "2023-10-04T10:43:01.150000Z",
            "category": [
                6
            ],
            "rules": [
                128
            ],
            "attachments": [],
            "featured_api": [
                425
            ],
            "contributors": []
        },
        {
            "id": 181,
            "key": "shellcode-injection-via-createthreadpoolwait",
            "unprotect_id": "U1236",
            "name": "Shellcode Injection via CreateThreadpoolWait",
            "description": "Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the `CreateThreadpoolWait` function, which is a part of the Windows thread pool API.\r\n\r\nIn the context of shellcode injection, `CreateThreadpoolWait` is used to create a wait object that is associated with a thread pool. The malware can then use this wait object to execute its shellcode within the context of the targeted process, by passing the shellcode as a callback function to the `CreateThreadpoolWait` function.\r\n\r\nHere is a summary of the steps:\r\n\r\n1. The malware creates an event object with the `CreateEvent` function, and sets it to the Signaled state.\r\n\r\n2. The malware allocates read-write-execute (RWX) memory for the shellcode using the `VirtualAlloc` function and writes the shellcode to this memory.\r\n\r\n3. The malware creates a wait object using the `CreateThreadpoolWait` function and specifies the address of the shellcode as the callback function.\r\n\r\n4. The malware sets the wait object using the `SetThreadpoolWait` function.\r\n\r\n5. The malware waits for the wait object to become signaled using the `WaitForSingleObject` function. When the wait object is signaled, the callback function (which contains the shellcode) is executed.\r\n\r\nOther techniques injection includes using APIs such as `CreateRemoteThread`, `QueueUserWorkItem`, and `NtCreateThreadEx`.",
            "resources": "https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
            "creation_date": "2022-06-19T05:36:49.903000Z",
            "tags": "Shellcode injection,\r\nProcess injection,\r\nCreateThreadpoolWait,\r\nEvent object,\r\nVirtualAlloc,\r\nCallback function,\r\nSetThreadpoolWait,\r\nWaitForSingleObject,",
            "modification_date": "2023-10-04T10:44:58.752000Z",
            "category": [
                4
            ],
            "rules": [
                132
            ],
            "attachments": [],
            "featured_api": [
                2,
                3,
                449
            ],
            "contributors": []
        },
        {
            "id": 180,
            "key": "thwarting-stack-frame-analysis",
            "unprotect_id": "U0219",
            "name": "Thwarting Stack-Frame Analysis",
            "description": "Thwarting Stack-Frame Analysis is a technique used by malware to make it more difficult for security analysts to reverse engineer and analyze the code. A stack frame is a collection of data associated with a function, including local variables, arguments passed to the function, and the return address. Disassemblers can use information from the stack frame to understand a function's behavior.\r\n\r\nHowever, malware authors can use various techniques to defeat this analysis and make it harder to understand the code. For example, they may use complex control flow structures, such as nested loops and conditionals, to make it difficult for the disassembler to track the flow of execution. \r\n\r\nThey may also use techniques like code obfuscation and API hashing to hide the names of functions and make it harder to identify potentially malicious behavior. By using these techniques, malware authors can make it more difficult for security analysts to analyze and understand their code, and thwart stack-frame analysis.",
            "resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
            "creation_date": "2022-06-13T23:57:13.593000Z",
            "tags": "Stack frame,\r\nDisassembly,\r\nControl flow,",
            "modification_date": "2023-10-04T10:42:59.213000Z",
            "category": [
                5
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                364,
                376,
                425
            ],
            "contributors": []
        },
        {
            "id": 179,
            "key": "misusing-structured-exception-handlers",
            "unprotect_id": "U0218, B0032.016",
            "name": "Misusing Structured Exception Handlers",
            "description": "Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done is by using the FS segment register to gain access to the Thread Environment Block (TEB), which contains a pointer to the Structured Exception Handler (SEH) chain. \r\n\r\nThe SEH chain functions like a stack, with the most recently pushed function being the one that is executed when an exception occurs. By manipulating the SEH chain, malware authors can make it more difficult for analysts to understand the code and identify any potentially malicious behavior.",
            "resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
            "creation_date": "2022-06-13T23:55:04.099000Z",
            "tags": "Structured Exception Handlers (SEH),\r\nException handling,\r\nThread Environment Block (TEB),\r\nStructured Exception Handler (SEH) chain,\r\nFS segment register,",
            "modification_date": "2023-10-04T10:44:21.079000Z",
            "category": [
                5
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 178,
            "key": "procenvinjection-remote-code-injection-by-abusing-process-environment-strings",
            "unprotect_id": "U1235",
            "name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
            "description": "This method allows to inject custom code into a remote process without using `WriteProcessMemory` - It will use the `lpEnvironment` parameter in `CreateProcess` to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.\r\n\r\nThe `lpEnvironment` parameter in `CreateProcess` allows us to specify a custom environment string for the target process. The environment string contains a set of environment variable entries, such as `PATH=C:\\Windows\\system32;C:\\Windows`. Each environment variable in the list is separated by a null terminator character, and the final entry in the list is a blank string (two null terminator characters). When a new process is created, the environment string will be copied to the virtual memory of the process and it can then be accessed via the PEB.\r\n\r\nIn summary, the injector process takes the following steps:\r\n\r\n1. Create a generic \"code loader\" block which doesn't contain any 0x00 characters - values will be encoded with XOR if necessary.\r\n2. Use `GetEnvironmentStringsW` to retrieve the existing environment string and copy this to a temporary buffer. Our \"generic code loader\" entry will be appended to the end of the existing entries. Some programs make use of the environment variables, so it is not a good idea to overwrite the existing entries.\r\n3. Create a suspended instance of the target EXE process using `CreateProcess` with our custom environment string `lpEnvironment`. We will also use the `CREATE_UNICODE_ENVIRONMENT` flag to specify a wide-char environment value, otherwise the string will be converted from ANSI to wide-char which will break our loader code.\r\n4. Use `NtQueryInformationProcess` to retrieve the PEB address for the target process.\r\n5. Call `NtCreateThreadEx` to call Sleep(0) in the target process and wait for the thread to exit. This will force the necessary PEB fields to become initialised in the target process.\r\n6. Calculate the address of the environment string in the target process (PEB-> `RtlUserProcessParameters` -> Environment)\r\n7. Locate the address of our loader code within the environment string. Call `VirtualProtectEx` to make this data executable.\r\n8. Call `NtCreateThreadEx` to execute the loader code within the target process. This code will read the final payload back from the injector process and execute it.\r\n9. Restore the original memory protection after the payload has finished executing.\r\n10. Call `ResumeThread` to continue normal execution of the target process.",
            "resources": "https://www.x86matthew.com/view_post?id=proc_env_injection",
            "creation_date": "2022-06-13T23:45:30.988000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:44:56.710000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                1,
                2,
                3,
                7,
                8,
                12,
                22,
                23,
                24,
                25,
                132,
                339,
                340,
                341,
                355,
                357,
                363,
                381,
                419,
                425,
                449
            ],
            "contributors": []
        },
        {
            "id": 177,
            "key": "disabling-event-tracing-for-windows-etw",
            "unprotect_id": "U0306",
            "name": "Disabling Event Tracing for Windows (ETW)",
            "description": "Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll. \r\n\r\nSince ntdll.dll is a DLL loaded into the process of a binary, an attacker can have full control over this DLL and therefore the ETW functionality. The most common nypassing technique is patching the function EtwEventWrite which is called to write/log ETW events. It is possible to fetch its address in ntdll.dll, and replace its first instructions with instructions to return 0 (SUCCESS).",
            "resources": "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
            "creation_date": "2022-04-19T00:09:38.360000Z",
            "tags": "anti-forensic",
            "modification_date": "2023-10-04T10:42:56.937000Z",
            "category": [
                8
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                340,
                419,
                425
            ],
            "contributors": []
        },
        {
            "id": 176,
            "key": "anti-upx-unpacking",
            "unprotect_id": "U1008",
            "name": "Anti-UPX Unpacking",
            "description": "Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header includes checksums, packed and unpacked sizes, and compression details.\r\n\r\nThere are some methods to bypass unpacking using \"upx -d\" since a long time ago.\r\n\r\nOne easy way is to change section names to different strings, this is the example. The normal section names packed by UPX are \"UPX0\", \"UPX1\" .. and \".rsrc\". The unpacking command \"upx -d\" raises this kind of exception of \"CantUnpackException: file is possibly modified/hacked/protected; take care!\" in this case and results in preventing from unpacking.\r\n\r\nAnother method is zero-padding against any size or checksum infos in UPX reference structure. The \"upx -d\" raises this kind of exception of \"CantUnpackException: header corrupted\" at this time and results in preventing from unpacking.",
            "resources": "https://github.com/upx/upx/blob/master/src/stub/src/include/header.S\nhttps://bsodtutorials.wordpress.com/2014/11/14/upx-packing-and-anti-packing-techniques/\nhttps://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\nhttps://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
            "creation_date": "2022-03-29T23:11:58.387000Z",
            "tags": "antiUPX",
            "modification_date": "2023-10-04T10:44:35.496000Z",
            "category": [
                14
            ],
            "rules": [
                50
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                15
            ]
        },
        {
            "id": 175,
            "key": "volume-shadow-copy-service-vscvss-deletion",
            "unprotect_id": "U0305,T1070.004",
            "name": "Volume Shadow Copy Service (VSC,VSS) Deletion",
            "description": "Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs. \r\n\r\nOn the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual data remains in clusters. Thus, it may be able to be recovered from VSC until other files overwrite the clusters.",
            "resources": "https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/vssadmin-delete-shadows\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nhttps://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware\nhttps://blog.avast.com/zepto-ransomware-now-introduces-new-features-to-better-encrypt-your-files\nhttp://www.kazamiya.net/DeletedSC\nhttps://github.com/mnrkbys/vss_carver\nhttps://www.shadowexplorer.com/",
            "creation_date": "2022-02-24T05:19:24.338000Z",
            "tags": "VSC,ShadowCopy,Ransomware",
            "modification_date": "2023-10-04T10:42:47.308000Z",
            "category": [
                8,
                10
            ],
            "rules": [
                33,
                34,
                37,
                56,
                63
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": [
                15
            ]
        },
        {
            "id": 174,
            "key": "user-interaction-are-you-human",
            "unprotect_id": "U1339,E1204",
            "name": "User Interaction (Are you human?)",
            "description": "You can get an advantage against sandboxes by using user interaction techniques. For example, The average user has a username and password and as long as the user you are targeting does not enter their password correctly, you can prevent your malware execution and bypass the possible sandbox control.",
            "resources": "https://github.com/hlldz/pickl3",
            "creation_date": "2021-07-27T13:07:49.117000Z",
            "tags": "",
            "modification_date": "2023-10-04T10:42:17.582000Z",
            "category": [
                1
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                23
            ],
            "contributors": []
        },
        {
            "id": 173,
            "key": "access-token-manipulation-parent-pid-spoofing",
            "unprotect_id": "U1234,T1134.004",
            "name": "Access Token Manipulation: Parent PID Spoofing",
            "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. \r\n\r\nOne way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.\r\n\r\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.\r\n\r\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.",
            "resources": "https://github.com/hlldz/APC-PPID\nhttps://attack.mitre.org/techniques/T1134/004/",
            "creation_date": "2021-07-27T13:05:01.292000Z",
            "tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nparent process identifier (PPID),\r\nevade process-monitoring defenses,\r\nCreateProcess API call,\r\nUser Account Control (UAC),\r\ninherited access token,",
            "modification_date": "2023-10-04T10:42:20.837000Z",
            "category": [
                4,
                10
            ],
            "rules": [
                88
            ],
            "attachments": [],
            "featured_api": [
                3,
                4,
                6,
                11,
                21,
                22,
                23,
                24,
                26,
                27,
                28,
                365
            ],
            "contributors": []
        },
        {
            "id": 172,
            "key": "killing-windows-event-log",
            "unprotect_id": "U0304",
            "name": "Killing Windows Event Log",
            "description": "Killing the Windows Event Log is a technique used by malware to prevent security professionals from detecting and analyzing it. Svchost.exe is a process that manages services on Windows operating systems. \r\n\r\nBy grouping multiple services into a single process, Svchost.exe conserves computing resources and reduces resource consumption. However, this also means that Svchost.exe manages the Event Log service, which is responsible for collecting logs on the system. \r\n\r\nBy targeting the Event Log service and killing the threads responsible for it, malware can prevent the system from collecting logs, making it more difficult for security professionals to detect and analyze the malware.",
            "resources": "https://github.com/hlldz/Phant0m",
            "creation_date": "2021-07-27T13:03:31.911000Z",
            "tags": "Windows Event Log,\r\nAnti-forensic,\r\nSvchost.exe,\r\nServices,\r\nProcess,\r\nEvent Log service,\r\nThreads,",
            "modification_date": "2023-10-04T10:43:11.626000Z",
            "category": [
                8
            ],
            "rules": [
                11
            ],
            "attachments": [],
            "featured_api": [
                18,
                24,
                25,
                28,
                29,
                30,
                412,
                425
            ],
            "contributors": []
        },
        {
            "id": 171,
            "key": "process-ghosting",
            "unprotect_id": "U1232",
            "name": "Process Ghosting",
            "description": "Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded. \r\n\r\nWindows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with `FILE_WRITE_DATA` (to modify it) will fail with `ERROR_SHARING_VIOLATION`. Deletion attempts via `FILE_DELETE_ON_CLOSE`/`FILE_FLAG_DELETE_ON_CLOSE` fail with `ERROR_SHARING_VIOLATION`. `NtSetInformationFile`(`FileDispositionInformation`) requires the `DELETE` access right. Even though the `DELETE` access right is granted to files mapped to image sections, `NtSetInformationFile`(`FileDispositionInformation`) fails with `STATUS_CANNOT_DELETE`. Deletion attempts via `FILE_SUPERCEDE`/`CREATE_ALWAYS` fail with `ACCESS_DENIED`. \r\n\r\nAn important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.\r\n\r\nThe attack flow is:\r\n\r\n1. Create a file\r\n2. Put the file into a delete-pending state using `NtSetInformationFile`(FileDispositionInformation). Note: Attempting to use `FILE_DELETE_ON_CLOSE` instead will not delete the file.\r\n3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.\r\n4. Create an image section for the file.\r\n5. Close the delete-pending handle, deleting the file.\r\n6. Create a process using the image section.\r\n7. Assign process arguments and environment variables.\r\n8. Create a thread to execute in the process.",
            "resources": "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack",
            "creation_date": "2021-06-16T11:50:05Z",
            "tags": "",
            "modification_date": "2023-10-04T10:44:44.110000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        },
        {
            "id": 170,
            "key": "process-herpaderping",
            "unprotect_id": "U1231",
            "name": "Process Herpaderping",
            "description": "Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.\r\n\r\nTo abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the target file and provide it to the OS to use for process creation. The OS kindly maps the original binary for us. Using the existing file handle, and before creating the initial thread, we modify the target file content to obscure or fake the file backing the image. Sometime later, we create the initial thread to begin the execution of the original binary. Finally, we will close the target file handle. Let's walk through this step-by-step:\r\n\r\n1. Write target binary to disk, keeping the handle open. This is what will execute in memory.\r\n2. Map the file as an image section `NtCreateSection, SEC_IMAGE`.\r\n3. Create the process object using the section handle `NtCreateProcessEx`.\r\n4. Using the same target file handle, obscure the file on disk.\r\n5. Create the initial thread in the process `NtCreateThreadEx`.\r\n    * At this point, the process creation callback in the kernel will fire. The contents on the disk do not match what was mapped. Inspection of the file at this point will result in incorrect attribution.\r\n6. Close the handle. `IRP_MJ_CLEANUP` will occur here.\r\n    * Since we've hidden the contents of what is executing, inspection at this point will result in incorrect attribution.",
            "resources": "https://github.com/jxy-s/herpaderping",
            "creation_date": "2021-06-16T11:45:24Z",
            "tags": "",
            "modification_date": "2023-10-04T10:42:52.190000Z",
            "category": [
                4
            ],
            "rules": [],
            "attachments": [],
            "featured_api": [
                2,
                13,
                357,
                381,
                445,
                449,
                459
            ],
            "contributors": []
        },
        {
            "id": 169,
            "key": "localsize0",
            "unprotect_id": "U0128",
            "name": "LocalSize(0)",
            "description": "The function `LocalSize` retrieves the current size of the specified local memory object, in bytes. By setting the `hMem` parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.",
            "resources": "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-localsize",
            "creation_date": "2021-04-29T08:15:47Z",
            "tags": "localsize",
            "modification_date": "2023-10-04T10:42:33.492000Z",
            "category": [
                3
            ],
            "rules": [
                39,
                81
            ],
            "attachments": [],
            "featured_api": [],
            "contributors": []
        }
    ]
}