Reverse Engineering

Our reverse engineering work aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.

Malware Research

Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting its behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding of and stronger defense against emerging cyber threats.

Penetration Testing

We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.

Open-Source

Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.

I’m currently overwhelmed with commitments and unable to dedicate time to my public research and tools. Unfortunately, I can't predict when I’ll be more available. However, I’m still addressing bug fixes and urgent requests. I appreciate your understanding and continued support!

A new Unprotect evasion technique has been added: a sophisticated technique named FuncIn, with a working open-source demo. In short, FuncIn employs a payload staging strategy, diverging from the conventional method where all malicious functionalities are embedded within the malware file or stored in a third-party file/network location, such as a web server. Rather, with FuncIn, these functionalities are transmitted over the network selectively, triggered by the Command and Control (C2) server as needed.

2 months, 2 weeks ago

Here is a short example demonstrating the reflective loading of a Dynamic Link Library (DLL) into memory, whether sourced from disk or memory (supporting streams). This approach supports both 32-bit (PE) and 64-bit (PE+) DLLs. The technique enables the loading of exported functions either by their ordinal value or by the exported function name.

3 months, 1 week ago

New technique added: "Named Pipes / SMB," featuring two code snippets for demonstration purposes. The first snippet uses .NET (C#) to showcase Named Pipes usage, while the second employs WinAPI with Delphi. Both examples aim to illustrate the application of Named Pipes in different programming environments.

6 months ago

New evasion technique and snippet added for file extension manipulation using the Right-to-Left Override (RLO) character (U+202E). Malicious actors exploit this Unicode control character in file names to alter the visual display of extensions, making dangerous executables appear harmless to users. For example, invoice.pdf becomes invoiceexe.pdf by strategically placing the RLO character. This deception aims to trick users into unwittingly executing potentially harmful files.

6 months, 4 weeks ago
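A defender-side check for the RLO trick described above, as an added example that is not part of the Unprotect snippet: it flags bidirectional control characters in a file name and compares the on-disk extension with an approximation of what the user sees. The function names, the risky-extension list and the sample names are assumptions constructed for illustration.

```python
import os
import unicodedata

RLO, PDF = "\u202e", "\u202c"  # Right-to-Left Override, Pop Directional Formatting
# Bidirectional controls that change how a name is rendered (not how it is stored).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Assumed list of extensions worth escalating; adjust to local policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def approximate_display(name):
    """Simplified rendering: text after an RLO is shown reversed until a PDF
    or the end of the name. Not a full Unicode Bidirectional Algorithm."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            run = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.extend(reversed(run))
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)


def analyze(name):
    """Report bidi controls and whether the visible extension differs from the real one."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = approximate_display(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "controls": controls,
        "real_ext": real_ext,
        "shown_as": shown,
        "shown_ext": shown_ext,
        "spoofed_extension": bool(controls) and real_ext != shown_ext,
        "risky": real_ext in RISKY_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample names; the first mirrors the page's invoiceexe.pdf case.
    for sample in ["invoice\u202efdp.exe", "report.pdf", "notes\u202etxt.scr"]:
        print(repr(sample), analyze(sample))
```

Legitimate right-to-left file names also contain bidi marks, so treat `spoofed_extension` combined with `risky` as the alerting condition and a bare control character as a lower-priority signal.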

An alternative version of the code snippet, crafted in Delphi, has been introduced for the "C2 via FTP(S)" technique. This variant demonstrates the use of the Windows APIs from the Windows Internet (WinInet) library.

8 months, 2 weeks ago

A freshly added Unprotect C# code snippet elucidates the implementation of the "C2 via FTP(S)" technique. This example adeptly showcases the utilisation of the .NET Framework's WebRequest and FtpWebRequest classes, illustrating the steps to effectively execute tasks, handle requests, and manage responses through FTP (File Transfer Protocol).

8 months, 2 weeks ago

A new version of the Unprotect portal has been released with updates including:

  • Migration from Bootstrap 4.x to the latest 5.x
  • A complete rewrite of the style using SASS
  • Multiple improvements, optimizations and refactoring
  • Implementation of the first version of FeaturedAPI.

FeaturedAPI is a new feature that maps the common Microsoft Windows APIs used by specific evasion techniques. For each technique, it lets you consult the most commonly used APIs and their associated caution level (Low, Medium, High), and gives access to official and unofficial documentation.

The team is also making progress on the sample scanner to match scanned samples to potential fitting techniques.

1 year, 1 month ago

New Unprotect C# code snippet added for the Timestomp technique.

This tiny code snippet demonstrates the principle of file time stomping.

Steps:

  • Enumerate files in the current directory (excluding the target file).
  • Sort the enumerated files by modification date.
  • Take the most recent file and apply its File Creation Date, File Last Modification and File Last Access to the target file.

Additional information:

  • Supports a relative target file path.
  • If no files live inside the current directory, then the date information of the current directory (parent folder) is used.
  • If no files live inside the current directory and the current directory is a root path, then the timestomp procedure fails.

1 year, 6 months ago

New Unprotect Delphi code snippet added for the Process Hollowing / RunPE technique, with support for both x86-32 and x86-64 in a single snippet.

1 year, 8 months ago

New Unprotect Delphi code snippet added for the Checking Mouse Activity technique.

1 year, 8 months ago

New Unprotect Delphi code snippet added for the DLL Injection via CreateRemoteThread and LoadLibrary technique, with support for both x86-32 and x86-64.

1 year, 8 months ago

New Unprotect Delphi code snippet added for the ProcEnvInjection technique: remote code injection by abusing process environment strings, for both x86-32 and x86-64.

1 year, 8 months ago

New code snippet that demonstrates how malware authors create self-deleting applications. This technique relies on an external command-line interpreter process that attempts to delete the malware sample once the sample's process has terminated.

1 year, 8 months ago

New code snippet that demonstrates how malware authors create self-deleting applications. This technique relies on code injected into a remote process, which is tasked with watching for the end of the malware sample's process.

3 years ago

New code snippet that demonstrates how to automatically detect code caves in Microsoft Windows PE files.

It is then possible to inject shellcode (optionally encrypted) into the located code cave and redirect the PE file entry point to the shellcode.

This was a common technique used by old school viruses to inject other applications and self-replicate.

Available commands:

  • -f / --file : Valid PE File location (Ex: /path/to/calc.exe).
  • -p / --payload : Shellcode Payload (Example: "\x01\x02\x03…\x0a").
  • -x / --encrypt : Encrypt main section (entry point section).
  • -k / --encryption-key : Define custom encryption key (1 Byte only).
  • -c / --cave-opcodes : Define code opcode list to search for.
  • -s / --cave-min-size : Minimum size of region to be considered as code cave.
  • -e / --egg : Define a custom egg name (ESP Restore Mechanism).

3 years, 3 months ago

New snippet that demonstrates the use of the Windows APIs OutputDebugStringA and OutputDebugStringW to detect the presence of debuggers.

3 years, 5 months ago

New code snippet that demonstrates the usage of SuspendThread to detect the presence of debuggers.

3 years, 5 months ago

New code snippet that demonstrates how malware authors detect the presence of debuggers using two Microsoft Windows APIs: FindWindowA and FindWindowW.

3 years, 5 months ago

New code snippet that demonstrates how malware authors detect the presence of debuggers using two Microsoft Windows APIs: FindWindowA and FindWindowW.

3 years, 5 months ago

New code snippet that demonstrates how malware checks the debug flag in a running process's PEB (Process Environment Block) in order to detect the presence of a debugger.

3 years, 6 months ago