Search Evasion Techniques
Names, Techniques, Definitions, Keywords
9 item(s) found so far for this keyword.
Call to Interrupt Procedure Anti-Debugging
This anti-debugging technique involves using the
INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int
0x03 instruction is executed, followed by a
ret (0xCD03, 0xC3) nested in a
__try, __except block. If a debugger is present, the except block will not be executed, and …
DNS API Injection Process Manipulating
DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …
Extra Window Memory Injection Process Manipulating
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).
Registration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance …
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling
One advantage of PE injection over the
LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. The malware …
Hook Injection Process Manipulating
Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.
In the case of Windows, the
SetWindowsHookEx function can be used by programs to install …
APC injection Process Manipulating
Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.
Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.
A thread enters an alert table state if it calls
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port called …
INT3 Instruction Scanning Anti-Debugging
INT3 is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value
0xCC (INT3 / Breakpoint Interrupt).
EXCEPTION_BREAKPOINT (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector …
INT 0x2D Anti-Debugging
When the instruction
INT2D is executed, the exception
EXCEPTION_BREAKPOINT is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while
INT2D is executed.