
CheckPointSW / Evasions

Licence: MIT
Evasions encyclopedia gathers methods used by malware to evade detection when run in virtualized environment. Methods are grouped into categories for ease of searching and understanding. Also provided are code samples, signature recommendations and countermeasures within each category for the described techniques.

Projects that are alternatives of or similar to Evasions

Ergo Pe Av
🧠 🦠 An artificial neural network and API to detect Windows malware, based on Ergo and LIEF.
Stars: ✭ 130 (-24.86%)
Mutual labels:  malware
Pafish
Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
Stars: ✭ 2,026 (+1071.1%)
Mutual labels:  malware
Malware
Rootkits | Backdoors | Sniffers | Virus | Ransomware | Steganography | Cryptography | Shellcodes | Webshells | Keylogger | Botnets | Worms | Other Network Tools
Stars: ✭ 156 (-9.83%)
Mutual labels:  malware
Threadboat
Program Uses Thread Execution Hijacking To Inject Native Shell-code Into a Standard Win32 Application
Stars: ✭ 132 (-23.7%)
Mutual labels:  malware
Networm
Python network worm that spreads on the local network and gives the attacker control of these machines.
Stars: ✭ 135 (-21.97%)
Mutual labels:  malware
Binsnitch
Detect silent (unwanted) changes to files on your system
Stars: ✭ 144 (-16.76%)
Mutual labels:  malware
Deathransom
A ransomware developed in python, with bypass technics, for educational purposes.
Stars: ✭ 126 (-27.17%)
Mutual labels:  malware
Nginx Ultimate Bad Bot Blocker
Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders
Stars: ✭ 2,351 (+1258.96%)
Mutual labels:  malware
Sheep Wolf
Wolves Among the Sheep
Stars: ✭ 138 (-20.23%)
Mutual labels:  malware
Malwaretrainingsets
Free Malware Training Datasets for Machine Learning
Stars: ✭ 151 (-12.72%)
Mutual labels:  malware
Uitkyk
Runtime memory analysis framework to identify Android malware
Stars: ✭ 133 (-23.12%)
Mutual labels:  malware
Ypsilon
Automated Use Case Testing
Stars: ✭ 135 (-21.97%)
Mutual labels:  malware
Docker Misp
Automated Docker MISP container - Malware Information Sharing Platform and Threat Sharing
Stars: ✭ 148 (-14.45%)
Mutual labels:  malware
Practicalmalwarelabs
Keep track of the labs from the book "Practical Malware Analysis"
Stars: ✭ 130 (-24.86%)
Mutual labels:  malware
Antidebugging
A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
Stars: ✭ 161 (-6.94%)
Mutual labels:  malware
Mass Rat
Basic Multiplatform Remote Administration Tool - Xamarin
Stars: ✭ 127 (-26.59%)
Mutual labels:  malware
Blocklist Ipsets
ipsets dynamically updated with firehol's update-ipsets.sh script
Stars: ✭ 2,011 (+1062.43%)
Mutual labels:  malware
Misp Taxonomies
Taxonomies used in MISP taxonomy system and can be used by other information sharing tool.
Stars: ✭ 168 (-2.89%)
Mutual labels:  malware
Ddoor
DDoor - cross platform backdoor using dns txt records
Stars: ✭ 168 (-2.89%)
Mutual labels:  malware
Flare Floss
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Stars: ✭ 2,020 (+1067.63%)
Mutual labels:  malware

Evasions

Words of gratitude

This encyclopedia wouldn't be possible without the invaluable assistance of the following Check Point researchers:

  • Aliaksandr Trafimchuk (@a14xt)
  • Alexey Bukhteyev

Site

Compiled encyclopedia resides here: https://evasions.checkpoint.com.

Description

As malicious threats evolve, so does the need for automated solutions to analyze them. It is very common for malware samples to be executed in some kind of virtualized environment (a sandbox).

These environments differ from ordinary host systems by a huge number of artifacts: uncommon files, registry keys, system objects, CPU and hardware identifiers, etc. By examining such artifacts, a malware sample can determine whether it is running in a virtualized environment. Depending on the answer, the malware either continues its usual execution, giving researchers an opportunity to monitor its behavior, or takes a different path (exiting, sleeping, or running a harmless decoy routine) and reveals nothing about its real behavior.

If the latter is the case, we say that the malware has successfully applied an evasion technique, or simply an evasion.
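As an added example (not code from the encyclopedia or from Check Point), here is one of the simplest artifact checks described above, written in C: the CPUID instruction. On bare metal, bit 31 of ECX in leaf 1 is reserved and reads as zero; hypervisors set it and publish a 12-byte vendor signature in leaf 0x40000000. The decoding and classification functions are kept pure so they can be exercised on constructed register values; the live probe in main() runs on x86/x86-64 only. The signature table only lists vendors whose strings are well documented, and everything else is reported as "unknown".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/clang: __cpuid(leaf, a, b, c, d) runs the raw instruction */
#endif

/* CPUID leaf 1: ECX bit 31 is reserved on bare metal and is set by
   hypervisors that follow the Intel/AMD "hypervisor present" convention. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx >> 31) & 1u;
}

/* CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX
   (lowest byte of each register first). Decode it byte by byte so the result
   does not depend on host endianness. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Map a vendor signature to a hypervisor name. Only well-documented
   signatures are listed; anything else is reported as "unknown". */
const char *classify_hv_vendor(const char *vendor) {
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },
        { "KVMKVMKVM",    "KVM" },        /* padded with NUL bytes to 12 */
        { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(vendor, table[i].sig, strlen(table[i].sig)) == 0)
            return table[i].name;
    return "unknown";
}

/* Live probe of the machine this program runs on. */
int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    int hv = hypervisor_bit_set(c);
    printf("CPUID.1:ECX[31] hypervisor present = %d\n", hv);
    if (hv) {
        char vendor[13];
        __cpuid(0x40000000u, a, b, c, d);
        hv_vendor_string(b, c, d, vendor);
        printf("CPUID.0x40000000 vendor = \"%s\" -> %s\n",
               vendor, classify_hv_vendor(vendor));
    }
#else
    puts("CPUID probe is only implemented for x86/x86-64");
#endif
    return 0;
}
```

Two practical notes. On the countermeasure side, CPUID unconditionally exits to the hypervisor, so a sandbox can clear the bit and hand back a generic vendor string; this is cheap, but many other artifacts (timing, device names, MAC prefixes) remain. On the signature side, a user-mode sample executing CPUID with EAX=0x40000000 is worth flagging, with the caveat that legitimate runtimes and libraries query the same leaf, so it should be scored rather than treated as conclusive.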

In this encyclopedia we have attempted to gather all the known ways to detect a virtualized environment, grouping them into broad categories. Some categories are inactive on the main page: this means their content will be added later.

Within each category the reader will find the following information:

  • description of the technique
  • code sample showing its usage
  • signature recommendations to track attempts to apply this technique
  • table with breakdown of which particular environments are detected with the help of certain constants
  • possible countermeasures

Many open-source tools implementing these techniques already exist, and the encyclopedia uses code excerpts from them throughout. We give credit to the open-source projects from which code samples were taken:

Check Point researchers have also produced their own tool, called InviZzzible.

If you want to contribute to this encyclopedia, you're more than welcome to create pull requests here.

So check out all the repositories, browse through evasions encyclopedia and enjoy the journey!

Raman Ladutska (@DaCuriousBro)
