• Home
  • Search
  • Map
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
  • Downloads
  • About
  • API

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

I'm Feeling Lucky

Search Result

10 item(s) found so far for this keyword.

APC injection Process Manipulating

Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.

Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.

A thread enters an alert table state if it calls SleepEx, …

DLL Injection via CreateRemoteThread and LoadLibrary Process Manipulating

DLL Injection Via CreateRemoteThread and LoadLibrary is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.

The malware writes the path …

Thread Execution Hijacking Process Manipulating

Thread execution hijacking is a technique used by malware to evade detection by targeting an existing thread of a process and avoiding any noisy process or thread creation operations. This technique allows the malware to run its code within the context of the targeted thread, without creating new processes or threads, which can be easily detected by security software.

During …

Process Injection: Dynamic-link Library Injection Defense Evasion [Mitre]

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before …

Process Herpaderping Process Manipulating

Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.

To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the …

ProcEnvInjection - Remote code injection by abusing process environment strings Process Manipulating

This method allows to inject custom code into a remote process without using WriteProcessMemory - It will use the lpEnvironment parameter in CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.

The lpEnvironment parameter in CreateProcess allows us to specify …

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

  • Anti-debugger techniques that detect/fool any kind of debugger

  • Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers

  • Different encryption algorithms and keys in each protected application

  • Anti-API scanners techniques that avoids reconstruction of original import table

  • Automatic decompilation and scrambling techniques in target application …

Jump With Same Target Anti-Disassembly

Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.

For …

SuspendThread Anti-Debugging

Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread function from the kernel32.dll library or the NtSuspendThread function from the NTDLL.DLL library.

The malware can enumerate the threads of a given process, or search …

NtSetInformationThread Anti-Debugging

NtSetInformationThread can be used to hide threads from debuggers using the ThreadHideFromDebugger ThreadInfoClass (0x11 / 17). This is intended to be used by an external process, but any thread can use it on itself.

After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread …

Made with in 🇫🇷 © 2023. The #UnprotectProject

Terms And Conditions

Contribute