• Home
  • Search
  • Map
  • Scan
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
    • Contributors
    • Scanned Samples
  • Tools
  • About
  • API
    • Unprotect API
    • API Documentation
  • Avatar Login

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

Clear

Search Result

17 item(s) found so far for this keyword.

Process Doppelgänging Process Manipulating

This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform …

Shellcode Injection via CreateThreadpoolWait Process Manipulating

Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait function, which is a part of the Windows thread pool API.

In the context of shellcode injection, CreateThreadpoolWait is used to create a wait object that is associated …

Dirty Vanity Process Manipulating

Dirty Vanity is a process injection technique that exploits the Windows forking (process reflection and snapshotting) feature to inject code into a new process.

It uses the RtlCreateProcessReflection or NtCreateProcess[Ex] primitives, along with the PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD, and PROCESS_DUP_HANDLE flags to reflect and execute code in a new process.

The technique also makes use of various methods, …

Hijack Execution Flow: KernelCallbackTable Defense Evasion [Mitre]

Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.

An adversary may hijack the execution flow of a process …

Obfuscated Files or Information: Embedded Payloads Defense Evasion [Mitre]

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.

Adversaries …

ConsoleWindowClass Process Manipulating

One method that has been used to achieve process injection is by manipulating the User Data of a window object.

The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …

Reflective Code Loading Defense Evasion [Mitre]

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs …

  • 1
  • 2

The #UnprotectProject is brought to you by 🇫🇷 DarkCoderSc and 🇫🇷 fr0gger_

Terms And Conditions | Cookie Policy | Cookies preferences | GDPR

Contribute Now