Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
52 item(s) found so far for this keyword.
CheckRemoteDebuggerPresent Anti-Debugging
CheckRemoteDebuggerPresent is a kernel32.dll function that sets (-1)0xffffffff in the DebuggerPresent parameter if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as a ProcessInformationClass parameter.
SuspendThread Anti-Debugging
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread
function from the kernel32.dll library or the NtSuspendThread
function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or search …
IAT Hooking Process Manipulating
IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting of replacing one legitimate function from imported DLL by a malicious one.
IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate …
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling CreateRemoteThread
).
One advantage of PE injection over the LoadLibrary
technique is that the malware does not have to drop a malicious DLL on the disk. The malware …
Hiding Mechanisms Others
Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its …
Thermal Zone Temperature Sandbox Evasion
The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.
Interestingly, this method is not valid. Not all Windows …
CLIPBRDWNDCLASS Process Manipulating
CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the ClipboardDataObjectInterface
, ClipboardRootDataObjectInterface
, and …
Detecting Online Sandbox Sandbox Evasion
Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.
-
Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In addition, the QEMU …
Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess
API call, which supports a parameter that defines the PPID …
Disabling Event Tracing for Windows (ETW) Anti-Forensic
Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll.
Since ntdll.dll is a DLL loaded into the …