Search Evasion Techniques
Names, Techniques, Definitions, Keywords
10 item(s) found so far for this keyword.
Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system.
The technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating …
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the
UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter using …
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they …
DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …
This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.
DNS hijacking or DNS redirection is a technique used to subvert the normal domain name resolution process. It involves redirecting DNS queries to a rogue DNS server controlled by an attacker, or modifying the behavior of a trusted DNS server so that it does not comply with internet standards. This can be done for various purposes, such as phishing attacks, …
Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.
For example, the malware may use a string with multiple %s inputs, which OllyDbg …
This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.
This anti-debugging technique involves using the
INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int
0x03 instruction is executed, followed by a
ret (0xCD03, 0xC3) nested in a
__try, __except block. If a debugger is present, the except block will not be executed, and …
AddVectoredExceptionHandler technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling
AddVectoredExceptionHandler(1, ourHandler) to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an
EXCEPTION_SINGLE_STEP exception, …