Git Product home page Git Product logo

chkp-ramanl / evasions Goto Github PK

View Code? Open in Web Editor NEW

This project forked from checkpointsw/evasions

0.0 0.0 0.0 2.21 MB

Evasions encyclopedia gathers methods used by malware to evade detection when run in virtualized environment. Methods are grouped into categories for ease of searching and understanding. Also provided are code samples, signature recommendations and countermeasures within each category for the described techniques.

License: MIT License

JavaScript 19.56% HTML 56.63% SCSS 23.80%

evasions's Introduction

Evasions

Words of gratitude

This encyclopedia wouldn't be possible without invaluable assistance of the following Check Point researchers:

  • Aliaksandr Trafimchuk (@a14xt)
  • Alexey Bukhteyev

Site

Compiled encyclopedia resides here: https://evasions.checkpoint.com.

Description

As malicious threats evolve, the necessity in automated solutions to analyze such threats emerges. It's a very common case when malware samples are executed in some kind of virtualized environment.

These environments differ from usual host systems by a huge amount of artifacts: non-common files, registry keys, system objects, etc. By examining such artifacts malware samples are able to say if they are run in a virtualized environment. Depending on the answer to this question, malware will continue its usual execution thus giving the researchers an opportunity to monitor its behavior - or will behave itself in an unexpected way and reveal nothing about its behavior.

If the latter was the case, we say that malware has successfully applied evasion technique, or simply evasion.

In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later.

Within each category the reader will find the following information:

  • description of the technique
  • code sample showing its usage
  • signature recommendations to track attempts to apply this technique
  • table with breakdown of which particular environments are detected with the help of certain constants
  • possible countermeasures

A lot of solutions with implemented techniques exist in open-source community. These solutions are used throughout the encyclopedia in the form of code excerpts from them. We are giving credits to open-source projects from where code sampes were taken:

It's important to add that Check Point researchers have produced their own tool called InviZzzible.

If you want to contribute to this encyclopedia, you're more than welcome to create pull requests here.

So check out all the repositories, browse through evasions encyclopedia and enjoy the journey!

Raman Ladutska (@DaCuriousBro)

evasions's People

Contributors

chkp-ramanl avatar chkp-yaroslavh avatar chkp-alexanderc avatar chkp-alexeybu avatar chkp-michaele avatar chkp-roniz avatar a1ext avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.