Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
58 item(s) found so far for this keyword.
Detecting Virtual Environment Process Sandbox Evasion
Process related to Virtualbox can be detected by malware by query the process list.
The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.
SIDT, Red Pill Sandbox Evasion
Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location.
On a physical machine, the IDTR will contain the address …
CPUID Sandbox Evasion
The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.
You can use the CPUID instruction to retrieve various pieces of information …
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
IsDebuggerPresent Anti-Debugging
This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.
If you want to understand the underlying process of IsDebuggerPresent API you can check the code snippet section for the following method: IsDebugged …
NtQueryInformationProcess Anti-Debugging
This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the ProcessDebugPort (0x7) information class.
A nonzero value returned by the call indicates that the process is being debugged.
NtQueryObject Anti-Debugging
This function retrieves object information. By calling this function with the class ObjectTypeInformation will retrieve the specific object type (debug) to detect the debugger.
CsrGetProcessID Anti-Debugging
This function is undocumented within OpenProcess. It can be used to get the PID of CRSS.exe, which is a SYSTEM process. By default, a process has the SeDebugPrivilege privilege in their access token disabled.
However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the SeDebugPrivilege privilege is enabled. If a process is able …
RDTSC Anti-Debugging
The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX.
It will execute RDTSC twice and then calculate the difference between low order values and check it with …
TLS Callback Anti-Debugging
TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.
As an anti-debugging technique, a program can use a TLS callback …