-
-
Save FLX-0x00/44a5ed96527071fe4629846f1b8074ce to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Anti-Sandboxing | Antivirus Evasion | Anti-Debugging | Process Manipulating | Anti-Disassembly | Anti-Monitoring | Data Obfuscation | Anti-Forensic | Network Evasion | Others | Packers | Anti-Machine Learning | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Checking memory artifcacts | Evading hash signature | IsDebuggerPresent | Process hollowing | API Obfuscation | Disable process | XOR | Remove event log | Fast flux | Infection by localisation | Packer compression | Direct gradient-based attacks | |
| MAC address detection | Evading specific signature | CheckRemoteDebuggerPresent | Reflective DLL injection | Control Flow Graph Flatening | Check running process | Base64 | Wipe disk | Double fast flux | Detect language installed | Crypter | Attacks against models that report a score | |
| Registry keys detection | PE format tricks | NtQueryInformationProcess | Suspend inject and resume | Dead code insertion | Find window | Cesar/ROT | Melt file | DGA | Malicious shortcut | Virtual machine | Binary black-box attacks | |
| Checking process | Fingerprinting emulator | NtSetInformationThread | Hook injection | Spaghetti code | Detect parent process | ROL | Hidden attributes | DNS Tunnelling | Deadline infection | Binder | Cleverhans Attacks | |
| Checking files | Big file | NtQueryObject | Injection via registry modification | Obscuring flow control | Check token privilege | Cryptography | Delete MBR | Traffic encapsulation | Code Signing | Carlini/Wagner-L2 attacks | ||
| Running process | Loading critical library for the OS | OutputDebugString | APC injection | Impossible disassembly | leverage script languages | Hash algorithm | Encryption | Tor Network | CMSTP (Microsoft Connection Manager Profile Installer ) | DeepFool | ||
| Querying the I/O communication port | File format confusion | EventPairHandles | Atom bombing | Jump with same target | Disabling User Assist | Custom algorithm | Disabling User Assist | Proxy connexion | Control Panel Item | Universal Adversarial Perturbations | ||
| Checking folder | Bypassing static heuristic | CsrGetProcessID | Extra window memory injection | Opcode obfuscation | Disabling Logs File | RC4 | Disabling Logs File | Fuzzy WHOIS | DLL Search Order Hijacking | Concept drift | ||
| Hooked function | File splitting | CloseHandle / NtClose | Injection using shims | Dynamically computed target address | File Deletion | Typosquatting | Modeling error | |||||
| SIDT / Red Pill | Disabling antivirus | IsDebugged Flag | IAT Hooking | Disassembly desynchronisation | Hidden Files and Directories | Peer to peer CnC | Bayes error rate | |||||
| SGDT instruction | Adding antivirus exception | Heap Flag | PE Injection | Constant unfolding | NTFS File Attributes | Social network API | ||||||
| SLDT instruction | Fake signature | NtGlobalFlag | Process Doppelganging | Data encoding schemes | Malwaretising | |||||||
| SMSW instruction | redirect antivirus website | RDTSC | PROPagate | Arithmetic Substitution via identities | ||||||||
| STR instruction | Stolen certificate | GetTickCount | Ctrl+Inject | Pattern based obfuscation | ||||||||
| CPUID instruction | Code Cave | NtQueryPerformanceCounter | Fileless | Functions IN/Out-lining | ||||||||
| IN instruction | FindWindow | Process camouflage / Masquerading | Destruction of Sequential en temporal locality | |||||||||
| RDTSC instruction | FindProcess | COM Hijacking | Processor based control indirection | |||||||||
| VMCPUID instruction | BadStringFormat | Extra Window Memory Injection | OS based control indirection | |||||||||
| VPCEXT instruction | TLS Callback | Image File Execution Options Injection | Opaque predicates | |||||||||
| Onset delay | Unhandled Exception Filter | Indirect Command Execution | Register reassignment | |||||||||
| Stalling code | Performing code checksum | Inline hooking | Code transposition | |||||||||
| Extended sleep code | Interrupts | Process Reimaging | Code normalization | |||||||||
| User interaction | INT Scanning | Garbage byte | ||||||||||
| Office recent files | Suspend thread | Fake conditional jump | ||||||||||
| Screen resolution | SoftICE – Interrupt 1 | Call trick | ||||||||||
| Installed software | Guard Pages | Push Pop Math | ||||||||||
| Memory size | NtSetDebugFilterState | NOP Sequence | ||||||||||
| Drive size | Code Integration | |||||||||||
| Hostname | Junk code insertion | |||||||||||
| USB drive | Stealth Import of the Windows API | |||||||||||
| Printer | Function Call Obfuscation | |||||||||||
| Number of processor | ||||||||||||
| Hardware vendor checking | ||||||||||||
| Check argument |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment