Search Evasion Techniques
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the NtCreateProcess[Ex] primitives, along with the PROCESS_DUP_HANDLE flags, to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection, CreateThreadpoolWait is used to create a wait object that is associated with …
Before creating a window, graphical Windows-based processes must prescribe to or register a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data).
Registration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance …
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling
One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. The malware …
Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.
In the case of Windows, the SetWindowsHookEx function can be used by programs to install …
DLL Injection Via LoadLibrary is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.
The malware writes the path …
NtSetInformationThread can be used to hide threads from debuggers using the 17). This is intended to be used by an external process, but any thread can use it on itself.
After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread …