NtDelayExecution Sandbox Evasion Anti-Debugging

NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.

Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …

Event Triggered Execution: Linux Inotify Process Manipulating

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.

Dynamically Computed Target Address Anti-Disassembly

Dynamically computed target addresses is an anti-disassembling technique that involves using dynamically computed addresses as the targets of branch instructions in a program. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the correct target addresses for the branch instructions without actually executing …

Entry Point Modification Process Manipulating

The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.

Hook Injection Process Manipulating

Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.

In the case of Windows, the SetWindowsHookEx function can be used by programs to …

DLL Injection via CreateRemoteThread and LoadLibrary Process Manipulating

DLL Injection Via CreateRemoteThread and LoadLibrary is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.

The malware writes the …

APC injection Process Manipulating

Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread.

Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state.

A thread enters an alert table state if it calls …

Atom Bombing Process Manipulating

Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process.

The technique involves storing a shellcode in an Atom Table, then using the NtQueueApcThread function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data …

NOP Sled Anti-Disassembly

In computer security, a NOP slide is a sequence of NOP (no-operation) instructions that is inserted at the beginning of a code section. When a program branches to the start of this code section, it will "slide" through the NOP instructions until it reaches the desired, final destination. This technique is commonly used in software exploits to direct program execution …

ConsoleWindowClass Process Manipulating

One method that has been used to achieve process injection is by manipulating the User Data of a window object.

The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …

Search Evasion Techniques

Search Result