Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
172 item(s) found so far for this keyword.
Redirect Antivirus Website Antivirus/EDR Evasion
To avoid connection to anti malware website, malware can modify the host file to redirect the connexion.
Stolen certificate Antivirus/EDR Evasion
To avoid detection, attackers can use stolen certificates from known companies. It allows the malware to bypass security solution.
NtSetDebugFilterState Anti-Debugging
The NtSetDebugFilterState
and DbgSetDebugFilterState
functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.
When a kernel mode debugger is present, the debug filter will be …
Guard Pages Anti-Debugging
Memory breakpoints are a technique used by malware to detect if a debugger is present. This technique involves setting up a "guard page" in memory, which is a page of memory that is protected by the operating system and cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its …
SuspendThread Anti-Debugging
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread
function from the kernel32.dll library or the NtSuspendThread
function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or …
Injection using Shims Process Manipulating
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an …
IAT Hooking Process Manipulating
IAT hooking is a way to run malicious code by modifying the Import Address Table of a specific executable. Consisting of replacing one legitimate function from imported DLL by a malicious one.
IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a …
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling CreateRemoteThread
).
One advantage of PE injection over the LoadLibrary
technique is that the malware does not have to drop a malicious DLL on the disk. The …
Inline Hooking Process Manipulating
Inline hooking is a technique used to intercept calls to target functions. It is commonly used by antiviruses, sandboxes, and malware to perform a variety of tasks, such as checking parameters, shimming, logging, spoofing returned data, and filtering calls.
The process of inline hooking involves directly modifying the code within the target function, usually by overwriting the first few …
Register Reassignment Anti-Disassembly
Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments …