Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
5 item(s) found so far for this keyword.
Dirty Vanity Process Manipulating
Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.
It uses the RtlCreateProcessReflection
or NtCreateProcess[Ex]
primitives, along with the PROCESS_VM_OPERATION
, PROCESS_CREATE_THREAD
, and PROCESS_DUP_HANDLE
flags to reflect and execute code in a new process.
The technique also makes use of various methods, such as …
Process Argument Spoofing Defense Evasion [Mitre]
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor …
Shellcode Injection via CreateThreadpoolWait Process Manipulating
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait
function, which is a part of the Windows thread pool API.
In the context of shellcode injection, CreateThreadpoolWait
is used to create a wait object that is associated with …
SuspendThread Anti-Debugging
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread
function from the kernel32.dll library or the NtSuspendThread
function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or search …
NtSetInformationThread Anti-Debugging
NtSetInformationThread can be used to hide threads from debuggers using the ThreadHideFromDebugger
ThreadInfoClass
(0x11
/ 17
). This is intended to be used by an external process, but any thread can use it on itself.
After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread …