Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
14 item(s) found so far for this keyword.
Control Flow Graph Flattening Anti-Disassembly
Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This …
Spaghetti, Junk Code Anti-Disassembly
Junk code is a technique used to add meaningless or irrelevant instructions to a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique is often used by malware authors to make it more difficult for analysts to reverse engineer the malware and understand its behavior.
Junk code can be …
Obscuring Control Flow Using Pointers Anti-Disassembly
The use of pointers in a program can be an issue for disassemblers, because pointers can be used in complex ways that are difficult for the disassembler to accurately interpret. This can make it more difficult for the disassembler to generate correct disassembly output, and can also make it more difficult for analysts to understand the program's behavior.
Pointers …
Abusing the Return Pointer Anti-Disassembly
Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.
The RETN instruction is …
Obscuring Control Flow Anti-Disassembly
Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.
One example of …
Impossible Disassembly Anti-Disassembly
Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode …
Jump With Same Target Anti-Disassembly
Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.
…
Opcode Obfuscation Anti-Disassembly
Opcode obfuscation is an anti-disassembling technique that involves modifying the opcodes of a program's machine language instructions in order to make it more difficult for a disassembler to accurately reconstruct the original instructions. This can be done in a variety of ways, such as by using equivalent but different opcodes for the same operation, by adding additional instructions or data …
Dynamically Computed Target Address Anti-Disassembly
Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing …
Call Trick Anti-Disassembly
The call trick is an anti-disassembling technique that involves modifying the default function's return address. This can be used in conjunction with other techniques, such as the insertion of garbage bytes, to break disassemblers. Disassemblers that use recursive traversal or linear sweep may be particularly vulnerable to this trick, as they may be unable to accurately interpret the next instruction …