Search For Content
Search Result
97 item(s) found so far for this keyword.
Atom Bombing
Atom Bombing is a technique that utilizes Windows Atom Tables, which provide a global storage mechanism for strings, to inject malicious code into a target process.
The technique involves storing a shellcode in an Atom Table, then using the NtQueueApcThread function to force the targeted process to access the specific Atom, causing the injection to occur. To bypass Data …
Extra Window Memory Injection
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).
Registration of new windows classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each …
Read morePE Injection
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling CreateRemoteThread).
One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. The …
Propagate
This technique involves modifying the internal properties of a window in order to intercept and modify or monitor the behavior of the window when it receives messages. To do this, an application creates a buffer containing shellcode and injects it into the target process.
Then, it modifies the internal structure used by the specific properties, such as UxSubclassInfo and …
Read moreCtrl+Inject
The "Control Signal Handler Callback" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process "csrss.exe" in the …
Read moreCOM Hijacking
COM hijacking is a technique used by adversaries to insert malicious code into the Windows operating system through the Microsoft Component Object Model (COM).
COM is a system that allows software components to interact with each other, and adversaries can abuse this system to execute their own code in place of legitimate software. To achieve this, they alter references …
Read moreHiding Mechanisms
Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its …
Read moreAPI Hammering
API hammering is a technique used to delay sandbox analysis and thus avoid malware capability analysis reporting. This technique consists of calling a large amount of benign APIs like "printf" in a loop.
Read moreRDTSCP
Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen).
This instruction can be used to calculate the …
Read moreGetForegroundWindow
This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.
It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by …
Read more