Search Evasion Techniques
Search Result
91 item(s) found so far for this keyword.
VPCEXT Sandbox Evasion
The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.
Onset Delay Sandbox Evasion
Malware will delay execution to avoid analysis of the sample. For example, a ping can be performed for a defined period of time. Unlike extended sleep, which uses the Sleep function, onset delay uses another way to delay execution.
The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis …
Checking Recent Office Files Sandbox Evasion
Another way to detect whether the malware is running on a real user's machine is to check whether some recent Office files were opened.
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
Evading Specific Signature Antivirus/EDR Evasion
Some signatures are specifically designed to catch an exploit or a specific behaviour. By reversing the signature, it is possible to modify the malware to evade it, for example by changing the size of the payload the signature matches on, or by changing the file's header.
PE Format Manipulation Antivirus/EDR Evasion
Signature evasion can also be performed by modifying the PE structure (changing section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, MajorOperatingSystemVersion/MinorOperatingSystemVersion, MajorImageVersion/MinorImageVersion, AddressOfEntryPoint, the maximum number of sections, or the file length).
Disabling Antivirus Antivirus/EDR Evasion
Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection.
CsrGetProcessID Anti-Debugging
This function is undocumented within OpenProcess. It can be used to get the PID of csrss.exe, which is a SYSTEM process. By default, a process has the SeDebugPrivilege privilege in its access token disabled. However, when the process is loaded by a debugger such as OllyDbg or WinDbg, the SeDebugPrivilege privilege is enabled. If a process is able …
Heap Flag Anti-Debugging
ProcessHeap is located at 0x18 in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags and ForceFlags. The values of Flags and ForceFlags are normally …
Performing Code Checksum Anti-Debugging
Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take …