Search For Content
Search Result
52 item(s) found so far for this keyword.
Injection using Shims
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an …
Read moreNOP Sled
In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …
Read moreRegister Reassignment
Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments …
Read moreKill Process
Malware often employs techniques to evade detection and hinder the efforts of security experts in analyzing its behavior. One notable method involves terminating processes associated with anti-virus software or monitoring tools.
For example, malware may specifically target processes like wireshark.exe, ida.exe, or procmon.exe, which are frequently used by analysts to observe and scrutinize running processes on a system. By …
Read moreProcess Reimaging
Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing or Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.
The Windows operating system has inconsistencies in how it determines the locations of process image FILE_OBJECTs, which can impact the ability …
Read moreConsoleWindowClass
One method that has been used to achieve process injection is by manipulating the User Data of a window object.
The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …
Access Token Manipulation: Parent PID Spoofing
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …
Thwarting Stack-Frame Analysis
Thwarting Stack-Frame Analysis is a technique used by malware to make it more difficult for security analysts to reverse engineer and analyze the code. A stack frame is a collection of data associated with a function, including local variables, arguments passed to the function, and the return address. Disassemblers can use information from the stack frame to understand a function's …
Read moreShellcode Injection via CreateThreadpoolWait
Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait function, which is a part of the Windows thread pool API.
In the context of shellcode injection, CreateThreadpoolWait is used to create a wait object that is associated …
DLL Proxying
DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL.
When a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts …
Read more