Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
57 item(s) found so far for this keyword.
NixImports Packers
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …
BuildCommDCBAndTimeoutA Sandbox Evasion
This technique uses a BuildCommDCBAndTimeoutsA
API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.
SuspendThread Anti-Debugging
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread
function from the kernel32.dll library or the NtSuspendThread
function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or search …
Debug Registers, Hardware Breakpoints Anti-Debugging
Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.
LocalSize(0) Anti-Debugging
The function LocalSize
retrieves the current size of the specified local memory object, in bytes. By setting the hMem
parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler
technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler)
to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP
exception, …
Shikata Ga Nai (SGN) Data Obfuscation
Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the …