Search Evasion Techniques
Names, Techniques, Definitions, Keywords
11 item(s) found so far for this keyword.
Evasion using direct Syscalls Antivirus/EDR Evasion
In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as
CreateThread. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves …
Shellcode Injection via CreateThreadpoolWait Process Manipulating
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the
CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection,
CreateThreadpoolWait is used to create a wait object that is associated with …
Tamper DLL Export Names & GetProcAddress Spoofing Process Manipulating
When a process is running, it is possible to change the results of the call to
GetProcAddress API, for the exported functions of a module along with modifying the export's offsets and name at runtime.
For example, the offset of
VirtualAlloc can be change to the offset of another function. When
VirtualAlloc is called (after getting its address …
Reflective DLL injection Process Manipulating
Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a
LoadLibrary function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.
Process Injection: Dynamic-link Library Injection Defense Evasion [Mitre]
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before …
Process Injection: Process Hollowing Defense Evasion [Mitre]
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A …
Process Injection: Thread Execution Hijacking Defense Evasion [Mitre]
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with …
Process Injection: Portable Executable Injection Defense Evasion [Mitre]
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004.
GetThreadContext: retrieves the …
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling
One advantage of PE injection over the
LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. The malware …