Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
33 item(s) found so far for this keyword.
Disassembly Desynchronization Anti-Disassembly
Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become "desynchronized" and generate incorrect disassembly output.
For example, suppose a program …
NOP Sled Anti-Disassembly
In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …
Abusing the Return Pointer Anti-Disassembly
Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.
The RETN instruction is normally …
Dynamically Computed Target Address Anti-Disassembly
Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing …
CPUID Sandbox Evasion
The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.
You can use the CPUID instruction to retrieve various pieces of information about …
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port called …
Code Transposition Anti-Disassembly
Code transposition is a technique used by malware authors to evade detection and analysis by rearranging the instructions of a piece of code without changing its behavior. This technique is used to make the code more difficult to read and understand for disassemblers and reverse engineers, as well as to hide the true intent of the code.
There are two …
Spaghetti, Junk Code Anti-Disassembly
Junk code is a technique used to add meaningless or irrelevant instructions to a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior.
Junk code can be inserted …
VMCPUID Sandbox Evasion
The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.
This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.
By using VMCPUID, malware can adapt its behavior based on the context …
Call to Interrupt Procedure Anti-Debugging
This anti-debugging technique involves using the INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int 0x03 instruction is executed, followed by a ret (0xCD03, 0xC3) nested in a __try, __except block. If a debugger is present, the except block will not be executed, and …