Search For Content
Search Result
26 item(s) found so far for this keyword.
Unloading Module with FreeLibrary
Malware authors often use various techniques to evade detection by AV/EDR solutions. One such technique involves checking for the presence of AV/EDR DLLs that may be loaded in the malware's address space and attempting to unload them before executing their malicious code.
To do this, the malware first uses the GetModuleHandleA function to retrieve a handle to the DLL, …
DLL Unhooking
Endpoint Detection and Response (EDR) tools use a technique known as hooking to monitor sensitive system functions within the DLLs of loaded processes. Hooking is a method of live-patching system DLLs, enabling EDRs to intercept the flow of a program and evaluate its legitimacy.
Here's how it works: EDRs modify the first instructions of the functions within the DLLs. …
Read moreHyper-V Signature
Hyper-V has a signature value of "Hv#1" in eax if leaf 0x40000001 is provided to CPUID.
Odd Thread Count
The thread count of the CPU must be an even number, which allows us to detect whether the thread count has been modified through the VM creation stage. If the thread count is not an even number, this is a sign of thread tampering (with a few exceptions which are already covered).
Read morebochs CPU oversights evasion
bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:
bochs may have invalid CPU brands that don't exist.
- For AMD CPUs, the "p" in "processor" should be in capital, which bochs doesn't implement.
- AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …
QEMU CPU brand evasion
QEMU has the CPU brand value of "QEMU Virtual CPU" if KVM is not based on the VM
Read more