Search For Content
Search Result
105 item(s) found so far for this keyword.
Process Ghosting
Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded.
Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with FILE_WRITE_DATA (to modify it) will fail with ERROR_SHARING_VIOLATION. Deletion attempts via FILE_DELETE_ON_CLOSE/FILE_FLAG_DELETE_ON_CLOSE fail with …
Access Token Manipulation: Parent PID Spoofing
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …
ProcEnvInjection - Remote code injection by abusing process environment strings
This method allows to inject custom code into a remote process without using WriteProcessMemory - It will use the lpEnvironment parameter in CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.
The lpEnvironment parameter in CreateProcess allows us to …
Misusing Structured Exception Handlers
Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done …
Read moreShellcode Injection via CreateThreadpoolWait
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection, CreateThreadpoolWait is used to create a wait object that is associated …
Alternate EXE Packer
EXE Packer is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.
If a file is compressed the physical file-size is reduced on the respective device. A …
Read morePEtite
Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor. The compressed executables decompress themselves at run time and can be used just like the original non-compressed versions.
Petite also adds virus detection to the compressed executables; they will check themselves for infection every time they are executed.
Read moreBobSoft Mini Delphi Packer
The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application "look legit" during dynamic analysis.
The packer goes to great lengths to ensure that it is not running in an …
Read more