Search Evasion Techniques
Names, Techniques, Definitions, Keywords
16 item(s) found so far for this keyword.
Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data).
Registration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance …
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling
One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. The malware …
Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.
In the case of Windows, the SetWindowsHookEx function can be used by programs to install …
DLL injection through registry modification of the NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.
There are two ways to accomplish this technique:
1. Calling the SetThreadLocale function and setting up an export function named NlsDllCodePageTranslation, where the main payload …
This is a typical timing function used to measure the time needed to execute some function or instruction set. If the difference exceeds a fixed threshold, the process exits.
GetTickCount reads from the KUSER_SHARED_DATA page. This page is mapped read-only into the user-mode range of the virtual address space and read-write in the kernel range. The system clock tick updates the …
Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute its custom code by attaching it to the APC queue of the target thread.
Each thread has a queue of APCs that are waiting for execution until the target thread enters an alertable state.
A thread enters an alertable state if it calls