Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
125 item(s) found so far for this keyword.
OutputDebugString Anti-Debugging
This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.
It is possible to use OutputDebugString in addition of GetLastError / SetLastError to detect debugger presence.
EventPairHandles Anti-Debugging
An EventPair
Object is an event constructed by two _KEVENT
structures which are conventionally named High and Low.
There is a relation between generic Event Objects and Debuggers because they must create a custom event called DebugEvent
able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a …
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Heap Flag Anti-Debugging
ProcessHeap
is located at 0x18
in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags
and ForceFlags
.
The values of Flags and ForceFlags
are normally …
NtGlobalFlag Anti-Debugging
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68
. If the value at this location is 0x70
, we know that we are running in a debugger.
The NtGlobalFlag
field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …
RDTSC Anti-Debugging
The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX
.
It will execute RDTSC twice and then calculate the difference between low order values and check it with …
GetTickCount Anti-Debugging
This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.
GetTickCount
reads from the KUSER_SHARED_DATA
page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates …
TLS Callback Anti-Debugging
TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.
As an anti-debugging technique, a program can use a TLS callback …
Bad String Format Anti-Debugging
Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.
For example, the malware may use a string with multiple %s inputs, which …
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter
function will be called. It is possible to register a custom unhandled exception filter …