Search Evasion Techniques
Names, Techniques, Definitions, Keywords
10 item(s) found so far for this keyword.
Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.
Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.
A thread enters an alert table state if it calls
DLL Injection Via
LoadLibrary is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.
The malware writes the path …
Thread execution hijacking is a technique used by malware to evade detection by targeting an existing thread of a process and avoiding any noisy process or thread creation operations. This technique allows the malware to run its code within the context of the targeted thread, without creating new processes or threads, which can be easily detected by security software.
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before …
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of the …
ProcEnvInjection - Remote code injection by abusing process environment strings Process Manipulating
This method allows to inject custom code into a remote process without using
WriteProcessMemory - It will use the
lpEnvironment parameter in
CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.
lpEnvironment parameter in
CreateProcess allows us to specify …
Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...
Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction of original import table
Automatic decompilation and scrambling techniques in target application …
Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the
SuspendThread function from the kernel32.dll library or the
NtSuspendThread function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or search …
NtSetInformationThread can be used to hide threads from debuggers using the
17). This is intended to be used by an external process, but any thread can use it on itself.
After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread …