Search Evasion Techniques
Names, Techniques, Definitions, Keywords
55 item(s) found so far for this keyword.
Parent process is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it.
For example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored by …
INT3 is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value
0xCC (INT3 / Breakpoint Interrupt).
EXCEPTION_BREAKPOINT (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector …
Another technique for detecting if a program is running in a sandbox is to look for potential connected printers or identify the default Windows printers, Adobe, or OneNote. This is because sandboxes typically do not have access to printers, and detecting the absence of printers can help identify whether the program is being run in a sandbox environment.
This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the
ProcessDebugPort (0x7) information class.
A nonzero value returned by the call indicates that the process is being debugged.