Techniques
A searchable catalog of reverse engineering, anti-analysis and binary protection techniques.
/
131 results
Packing & Cryptersbeginner
Bundling malware inside a compiled AutoIt executable, where the interpreter stub carries the obfuscated script and payload as appended resources.
windows
Living off the Landintermediate
Attackers abuse the signed esentutl.exe to copy locked files via VSS or pull payloads from remote shares under a trusted Windows binary.
windows
Anti-Analysisbeginner
Malware probes real outbound connectivity and bails when it hits the fake or filtered internet that analysis sandboxes commonly simulate.
windowslinux
Command & Controladvanced
A botnet replaces its central server with a peer-to-peer overlay, so nodes relay commands to each other with no single C2 address to seize.
windowslinux
Living off the Landintermediate
Attackers pass base64-encoded scripts to powershell.exe via -EncodedCommand to obfuscate intent and evade command-line inspection under a trusted shell.
windows
Persistenceintermediate
Attackers replace or redirect accessibility binaries like sethc.exe or utilman.exe so a payload runs from the logon screen with SYSTEM privileges.
windows
Anti-Forensicintermediate
Multi-pass overwriting destroys payload contents to defeat file carving, but metadata, slack, and journal residue often survive to prove a file existed.
windowslinux
Persistenceadvanced
Malware registers a permanent WMI event subscription — a filter bound to a consumer — so the WMI service runs its payload: fileless SYSTEM persistence.
windows
Anti-Forensicbeginner
Attackers clear browser history, cache, and cookies to hide payload downloads and C2 visits, but SQLite WAL and disk slack retain the records.
windowslinuxmacos
Obfuscationintermediate
Malware resolves API addresses by walking the PEB loader module list and parsing each DLL's export table at runtime instead of relying on the import address table.
windows
Anti-Analysisbeginner
Using GetTickCount uptime and the scarcity of recently-used files to detect freshly-booted automated analysis sandboxes.
windows
Living off the Landintermediate
Attackers abuse the signed wmic.exe to spawn processes, run remote XSL scriptlets, and execute commands on remote hosts under a trusted binary.
windows
Packing & Cryptersadvanced
Code virtualization, mutation, and anti-dump layers from commercial protectors like Themida and VMProtect, abused by malware to turn whole functions into bytecode for a custom virtual machine.
windows
Anti-Forensicadvanced
Embedding a null byte in a key name via the native API makes a registry entry invisible to regedit while it still runs at boot.
windows
Anti-Disassemblyadvanced
Uses push/ret and call-to-pop sequences as obfuscated control transfers so branches do not appear as calls or jumps, defeating call-graph recovery.
windowslinuxmacos
Anti-Disassemblyintermediate
Dense chains of unconditional jumps shatter a function into scattered fragments, defeating linear flow and inflating the control-flow graph.
windowslinux
Anti-Analysisadvanced
The INT 2D kernel-debugging interrupt skews the instruction pointer under a debugger, so a debugger that mishandles it is revealed.
windows
Obfuscationadvanced
Malware rewrites simple operations and constants as tangled mixes of arithmetic and bitwise operators that compute the same value, defeating constant propagation and symbolic expression analysis.
windowslinuxmacos
Persistenceadvanced
Malware registers a helper DLL with netsh so the library loads into the netsh.exe process whenever the tool runs, yielding stealthy registry-backed persistence.
windows
Persistencebeginner
Malware creates a Background Intelligent Transfer Service job that downloads and executes a payload on a trigger, abusing a trusted Windows service.
windows
Command & Controladvanced
Malware hides commands and payloads inside the pixels or metadata of image and media files, so C2 rides in objects that look like harmless media.
windowslinuxmacos
Packing & Cryptersadvanced
Stacking multiple packers and stages so each unpacking step only reveals the next packed layer, forcing analysts to recurse to the real payload.
windowslinuxmacos
Persistencebeginner
Malware installs or hijacks a Windows service so the Service Control Manager starts its payload automatically at boot, typically running as SYSTEM.
windows
Living off the Landbeginner
Attackers abuse the signed forfiles.exe to spawn child processes and proxy command execution under a trusted Windows binary.
windows
Anti-Disassemblyintermediate
Encoded or computed switch tables hide branch targets behind arithmetic, defeating automatic control-flow recovery and leaving dead-end indirect jumps.
windowslinuxmacos
Anti-Forensicbeginner
Attackers delete Prefetch files, Recent items, and Jump Lists to hide which programs ran, but execution evidence survives in many parallel artifacts.
windows
Anti-Analysisintermediate
Detecting the Wine compatibility layer by probing for Wine-specific exports such as wine_get_unix_file_name in ntdll.
windows
Living off the Landbeginner
Attackers abuse the signed certutil.exe to download remote payloads and to base64/hex decode staged files, proxying ingress under a trusted binary.
windows
Command & Controlintermediate
Operator-supplied profiles let a C2 framework reshape its beacon traffic to mimic legitimate web services, controlling URIs, headers, and how data is encoded and hidden in requests.
windowslinux
Anti-Analysisadvanced
Malware raises an exception routed through its own SEH handler; if a debugger swallows it first the handler never runs, revealing the analysis.
windows
Command & Controlintermediate
Malware tunnels its DNS-based C2 through DoH resolvers, wrapping resolution in HTTPS so on-network DNS inspection and sinkholing never see the queries.
windowslinuxmacos
Anti-Analysisbeginner
Querying the display size lets malware spot the small or unusual resolutions typical of headless automated sandboxes and refuse to run.
windows
Anti-Forensicintermediate
Intruders delete or truncate /var/log and journald files to hide activity, but sequence numbers, forwarders, and inodes expose the cut.
linux
Persistenceintermediate
Malware registers a DLL in the AppInit_DLLs registry value so it is loaded into nearly every user-mode process that links against User32.dll.
windows
Anti-Disassemblyintermediate
Position-independent code recovers its own runtime address with a call/pop pair, spawning a phantom call xref that confuses static analysis.
windowslinuxmacos
Anti-Analysisintermediate
Malware scans its own executable code pages for stray 0xCC (INT3) bytes that a debugger writes when planting a software breakpoint, then bails out or corrupts itself if any are found.
windowslinux
Command & Controladvanced
Malware hides the true C2 destination behind a high-reputation CDN by putting an innocuous domain in the TLS SNI while the encrypted HTTP Host header points to the real backend.
windowslinuxmacos
Persistenceintermediate
Malware repoints the screensaver registry values at a malicious .scr executable so Windows launches the payload after a period of user inactivity.
windows
Command & Controlintermediate
Malware uses a legitimate web service like GitHub, Pastebin, or a cloud API as its C2 channel, hiding tasking inside trusted, encrypted traffic.
windowslinuxmacos
Living off the Landintermediate
Attackers abuse the signed Windows binary rundll32.exe to load malicious DLLs and execute exported functions, proxying code under a trusted process.
windows
Obfuscationintermediate
Obfuscators interleave semantically inert instruction sequences — dead code and NOP-equivalents — among real logic to bloat binaries, confuse disassembly, and break byte-pattern signatures.
windowslinuxmacos
Persistenceintermediate
Malware redirects a Component Object Model (COM) class to its own DLL by populating a per-user CLSID registry entry, so the payload loads whenever a legitimate program instantiates that COM object.
windows
Packing & Cryptersintermediate
A small unpacking stub that decrypts the real payload into freshly allocated RWX memory and transfers control to the reconstructed original entry point.
windowslinux
Anti-Forensicintermediate
Deleting the NTFS change journal erases a record of file activity, but it is recoverable from the MFT, $LogFile, and shadow copies.
windows
Anti-Disassemblyadvanced
A single byte is part of two valid, both-reachable instructions, so no flat linear listing can be correct — only a path-sensitive view recovers it.
windowslinux
Anti-Analysisintermediate
Detecting analysis sandboxes by checking for injected monitoring DLLs such as sbiedll.dll and cuckoomon.dll, or for API hooks they install.
windows
Anti-Analysisadvanced
Arming memory with PAGE_GUARD turns the first access into a one-shot STATUS_GUARD_PAGE_VIOLATION, exposing single-steppers and memory-scanning tools.
windows
Packing & Cryptersintermediate
Corrupting the UPX magic, version, or l_info fields so the standard `upx -d` refuses to unpack, while the runtime stub still decompresses normally.
windowslinux
Command & Controlintermediate
A C2 resilience technique that rapidly rotates the IP addresses behind a domain through a large pool of compromised proxy hosts, keeping the real backend hidden and takedown-resistant.
windowslinux
Obfuscationintermediate
An obfuscation pass replaces simple instructions with longer functionally-equivalent sequences — e.g. add becomes a push/pop/lea or sub/neg chain — to break signatures and obscure intent.
windowslinuxmacos
Living off the Landintermediate
Attackers abuse the signed InstallUtil.exe to run attacker code in installer hooks of a .NET assembly, proxying execution under a trusted binary.
windows
Anti-Forensicintermediate
Hiding a payload in a file's named ADS keeps it off a normal directory listing, but the stream is fully indexed in the MFT.
windows
Anti-Disassemblyintermediate
An always-taken conditional jump is followed by a garbage opcode byte that a linear-sweep disassembler wrongly consumes, derailing the listing.
windowslinuxmacos
Anti-Analysisbeginner
Malware checks CPU core count, RAM and disk size and exits without running its payload if the host looks too small — a hallmark of automated sandboxes.
windowslinux
Anti-Forensicadvanced
Attackers delete or forge Amcache and Shimcache entries to erase execution evidence, but the two artifacts and their backups rarely agree.
windows
Anti-Analysisbeginner
Enumerating running processes and window titles to spot reverse-engineering tools such as x64dbg, Process Monitor, Wireshark, and OllyDbg.
windows
Command & Controlintermediate
Malware reaches its C2 through a Tor onion service, hiding the operator's real address behind the Tor network's multi-hop, encrypted relay circuits.
windowslinuxmacos
Packing & Cryptersintermediate
Compressing a payload with aPLib's LZ-based codec so the real code is unreadable on disk until a tiny depacker inflates it in memory at runtime.
windowslinux
Packing & Cryptersintermediate
Destroying or hiding the original Import Address Table so static tools see an empty or tiny import list, while the packer reconstructs the real API pointers at runtime.
windows
Persistenceintermediate
Malware modifies Winlogon's Userinit, Shell, or Notify registry values so its executable or DLL runs during the interactive logon sequence.
windows
Anti-Analysisadvanced
A process debugs itself or a forked child so the single debug port is occupied, blocking any external debugger from attaching.
windowslinux
Packing & Cryptersintermediate
Compressing an ELF binary with UPX or a modified packer so its code only materialises after a self-decompressing stub runs at load time on Linux.
linux
Command & Controlintermediate
Malware smuggles C2 commands and data inside ICMP echo payloads, riding a non-application-layer protocol many networks pass without inspection.
windowslinuxmacos
Persistencebeginner
Malware drops a LaunchAgent or LaunchDaemon property list so macOS launchd starts its payload at login or boot, the dominant persistence mechanism on macOS.
macos
Living off the Landadvanced
Attackers abuse the signed cmstp.exe and a crafted INF to proxy code execution and bypass UAC under a trusted Windows binary.
windows
Anti-Disassemblyintermediate
Malware recovers its own runtime address through the FPU's saved instruction pointer via fnstenv, hiding the GetPC step from static xref analysis.
windowslinux
Anti-Disassemblyadvanced
Branch instructions are replaced with INT3 traps that a debugger-parent resolves from a hidden table at runtime, erasing control flow from the binary.
windows
Anti-Analysisintermediate
Reading the 12-byte vendor signature returned by CPUID leaf 0x40000000 to identify the specific hypervisor a sample is running under.
windowslinux
Code Injectionadvanced
Abuses NTFS transactional (TxF) file operations to run a process image from a transacted, never-committed file, leaving no malicious file on disk.
windows
Obfuscationbeginner
Malware builds sensitive strings character-by-character on the stack at runtime so they never appear as static literals in the binary, defeating simple string-search analysis.
windowslinuxmacos
Code Injectionintermediate
Malware places a trojan DLL in a directory searched before the legitimate library location, causing Windows to load the malicious version when the target application starts.
windows
Code Injectionadvanced
Malware stores shellcode in the Windows global Atom Table via GlobalAddAtom, then uses NtQueueApcThread to force a target process to copy and execute it, bypassing traditional injection defences.
windows
Packing & Cryptersbeginner
Hiding an encrypted second-stage payload inside the PE .rsrc section, loaded at runtime via FindResource/LoadResource and decrypted before execution.
windows
Code Injectionadvanced
Malware suspends an existing thread in a target process, overwrites its instruction pointer via SetThreadContext, and resumes it to redirect execution to injected shellcode.
windows
Code Injectionintermediate
Malware installs a global Windows message hook via SetWindowsHookEx to force its DLL into target processes, executing code whenever a hooked event fires.
windows
Code Injectionintermediate
Malware queues a shellcode pointer to a target thread's APC queue via QueueUserAPC, executing it when the thread enters an alertable wait state.
windows
Packing & Cryptersintermediate
Malware registers Thread Local Storage callbacks that execute before the PE entry point, running anti-debug or unpacking logic that most debuggers miss at startup.
windows
Obfuscationintermediate
Malware replaces imported function names with pre-computed hash values and resolves addresses at runtime by walking the PE export table, hiding API usage from static analysis.
windows
Anti-Analysisintermediate
Malware monitors mouse movements, click counts, or browser history to determine whether it is running in a real user environment rather than an automated sandbox.
windowslinux
Anti-Analysisbeginner
Malware measures elapsed wall-clock time with GetTickCount to detect the artificial slowdown caused by single-stepping or software breakpoints in a debugger.
windows
Anti-Analysisintermediate
Malware enumerates running processes to verify its parent is explorer.exe; an unexpected parent (e.g., a sandbox or analysis tool) triggers evasive behaviour.
windows
Anti-Analysisbeginner
Malware calls CheckRemoteDebuggerPresent (or NtQueryInformationProcess with ProcessDebugPort) to detect a user-mode debugger attached to the process.
windows
Command & Controlintermediate
Malware reads its real C2 address from content stashed on a legitimate website or social profile, hiding the live infrastructure behind a trusted host.
windowslinuxmacos
Anti-Analysisintermediate
Malware reads the CPU debug registers DR0–DR3 via GetThreadContext to detect hardware breakpoints set by a debugger.
windows
Living off the Landintermediate
Attackers abuse the signed MSBuild.exe to compile and run inline C# tasks from a project file, executing code under a trusted developer binary.
windows
Anti-Analysisintermediate
Querying ProcessDebugPort, ProcessDebugFlags, and ProcessDebugObjectHandle through NtQueryInformationProcess to detect an attached debugger.
windows
Living off the Landintermediate
Attackers abuse regsvr32.exe to fetch and run a remote COM scriptlet, executing code under a signed binary while bypassing application allow-listing.
windows
Persistencebeginner
Malware installs a systemd unit or timer so init re-launches its payload at boot or on a schedule, giving durable, often root-level persistence on modern Linux.
linux
Anti-Analysisintermediate
Malware inspects the Flags and ForceFlags fields of the process heap header (via PEB.ProcessHeap) to detect debugger-modified heap metadata.
windows
Anti-Analysisintermediate
Malware reads the NtGlobalFlag field of the PEB (offset 0x68/0xBC) to detect if the process was launched under a debugger via the 0x70 heap flag combination.
windows
Anti-Analysisbeginner
Malware compares each NIC's MAC OUI prefix against known VMware, VirtualBox, Hyper-V and QEMU ranges to decide if it is running inside a VM.
windowslinux
Living off the Landintermediate
Attackers abuse the signed odbcconf.exe REGSVR action to load and execute a malicious DLL under a trusted Windows binary.
windows
Anti-Disassemblyadvanced
A jump lands inside a multi-byte instruction so the same bytes decode two ways, desynchronising linear-sweep disassemblers and hiding real code.
windowslinux
Anti-Forensicintermediate
Malware rewrites a file's MACB timestamps to defeat timeline analysis, but the forged values rarely survive a full NTFS examination.
windowslinux
Code Injectionadvanced
Loading a DLL straight from memory by implementing the Windows loader inside the payload itself, so no DLL is ever written to disk or registered in the process module list.
windows
Packing & Cryptersadvanced
Code that rewrites its own instructions at runtime — decrypting or generating the real logic on the fly so a static disassembly never sees the bytes that actually execute.
windowslinux
Anti-Analysisintermediate
Sandboxes often patch Sleep() to fast-forward time so samples detonate quickly; malware detects the skipped delay by comparing wall-clock timestamps before and after sleeping.
windows
Anti-Analysisintermediate
On Linux, a process calls ptrace(PTRACE_TRACEME) on itself so that any debugger trying to attach later fails — a single process can only be traced once.
linux
Obfuscationbeginner
Storing strings XOR-encrypted and decrypting them on demand at runtime so that static tools and `strings` reveal nothing useful about the binary's behavior.
windowslinuxmacos
Command & Controlintermediate
Malware randomizes callback intervals and obfuscates its sleeping memory to defeat the periodicity heuristics defenders rely on to spot beacons.
windowslinuxmacos
Obfuscationadvanced
Replacing a function's natural branching with a single dispatcher loop driven by a state variable, destroying the original control-flow graph that decompilers rely on.
windowslinuxmacos
Anti-Analysisintermediate
Calling NtSetInformationThread with ThreadHideFromDebugger detaches a thread from the debugger so its exceptions stop reaching the analyst.
windows
Packing & Cryptersbeginner
Compressing an executable with UPX so its real code and strings are only revealed after a self-unpacking stub runs at load time, defeating naive static analysis.
windowslinuxmacos
Code Injectionadvanced
Spawning a legitimate process in a suspended state, unmapping its image and replacing it with malicious code before resuming — runs malware under a trusted process name.
windows
Persistencebeginner
Malware registers a Windows scheduled task that re-launches its payload on a trigger — logon, a fixed interval, or system idle — providing durable, often privileged, persistence.
windows
Command & Controlintermediate
Malware algorithmically generates large numbers of candidate C2 domains from a seed so that takedowns cannot keep pace, while only a handful are ever registered by the operator.
windowslinux
Persistenceintermediate
Malware sets a Debugger value under an Image File Execution Options key so its payload launches whenever the targeted executable is started.
windows
Anti-Analysisbeginner
A timing-based anti-analysis check that uses the high-resolution performance counter to detect single-stepping or breakpoint-induced execution delays.
windows
Anti-Forensicbeginner
Attackers unset HISTFILE or shred .bash_history to hide commands, but the shell, kernel, and disk all retain copies the wipe never reaches.
linuxmacos
Anti-Analysisbeginner
Reading registry keys and service entries left by VirtualBox and VMware Guest Additions reveals a virtual machine to evasive malware.
windows
Anti-Disassemblyintermediate
Data bytes embedded mid-function are wrongly decoded as instructions by a linear sweep, desynchronising the listing and hiding the real code.
windowslinux
Persistencebeginner
Malware drops a program or shortcut into a Windows Startup folder so Explorer launches it automatically at user logon, a low-privilege persistence technique requiring only file-write access.
windows
Obfuscationadvanced
Inserting conditional branches whose outcome is known at obfuscation time but hard to resolve statically, breaking control-flow recovery in disassemblers and decompilers.
windowslinuxmacos
Anti-Analysisintermediate
Detecting a virtualized environment by checking bit 31 of ECX returned by CPUID leaf 1, and reading the hypervisor vendor string from leaf 0x40000000.
windowslinux
Packing & Cryptersintermediate
An open-source .NET protector that compresses the assembly into a packed module, then anti-tampers and decrypts constants and methods at runtime.
windows
Persistencebeginner
Malware adds a crontab entry or drops a file into a cron directory so the system re-launches its payload on a fixed schedule, surviving reboots on Linux.
linux
Command & Controlintermediate
Malware encodes C2 traffic or exfiltrated data inside DNS queries and responses, abusing a protocol that egress filters and proxies almost always allow to pass.
windowslinuxmacos
Code Injectionadvanced
Queues a user-mode APC to the main thread of a process created suspended, so the payload runs at the first alertable wait before the real entry point executes or EDR userland hooks settle.
windows
Anti-Forensicbeginner
Attackers wipe Windows event logs to destroy evidence, but the clearing itself is logged and leaves recoverable gaps and residue.
windows
Living off the Landbeginner
Attackers abuse the signed mshta.exe to run HTML Applications and inline VBScript/JScript, proxying code execution under a trusted Windows binary.
windows
Anti-Analysisbeginner
A legacy Windows trick that calls OutputDebugStringA after clearing the last-error code, then checks GetLastError: on old systems the call left the error untouched only when a debugger was attached.
windows
Packing & Cryptersbeginner
An encrypted or compressed payload appended after the last section of a PE file — the overlay — that the loader never maps but the stub reads from disk and unpacks at runtime.
windows
Anti-Analysisintermediate
Using the RDTSC instruction to measure execution time and detect the slowdown caused by single-stepping or breakpoints in a debugger.
windowslinux
Anti-Forensicbeginner
Wiping shadow copies blocks rollback before ransomware encryption, but the deletion is loud and the snapshots are often recoverable.
windows
Anti-Analysisbeginner
A Windows API call that reads the BeingDebugged flag in the PEB to detect a user-mode debugger attached to the current process.
windows
Anti-Disassemblyintermediate
A conditional jump whose taken and fall-through paths reach the same address, planting a junk byte in the gap that derails a linear-sweep disassembler.
windowslinuxmacos
Obfuscationbeginner
Sensitive strings are stored as RC4 ciphertext inside the binary and decrypted on demand with an embedded key, keeping URLs, API names, and config out of static string output.
windowslinuxmacos
Persistencebeginner
Malware writes a value under a Run/RunOnce registry key so its executable launches automatically every time the user logs on, the oldest and most common Windows persistence mechanism.
windows
Living off the Landbeginner
Attackers abuse the signed bitsadmin.exe to queue background BITS jobs that download payloads under a trusted service, blending into normal updates.
windows
Packing & Cryptersbeginner
Wrapping malware inside a Nullsoft (NSIS) installer so the payload ships as compressed data the setup stub extracts and runs at install time.
windows
Living off the Landbeginner
Attackers abuse the signed wscript.exe and cscript.exe script hosts to run malicious JScript and VBScript under trusted Windows binaries.
windows