Search For Content
Search Result
86 item(s) found so far for this keyword.
Injection using Shims
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an …
Read moreInserting Garbage Bytes
Garbage bytes are random or meaningless data that is inserted into a program's code in order to make reverse engineering and analysis more difficult. This is an anti-disassembling technique, as the insertion of these random bytes can cause disassemblers to misinterpret the code and produce incorrect disassembly results.
The insertion of garbage bytes is usually used in conjunction with …
Read moreRegister Reassignment
Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments …
Read moreOpaque Predicate
Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True.
Opaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst …
Read moreHiding Mechanisms
Malware often uses various techniques to hide its presence on a system and avoid detection. One common method is to modify or create entries in the system registry, which is a database of configuration settings for the operating system and installed applications. By modifying these settings, malware can hide itself from security software or other programs that might detect its …
Read moreDNS Tunneling
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.
To carry out DNS tunneling, the attacker typically needs access to a compromised …
Read moreRDTSCP
Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen).
This instruction can be used to calculate the …
Read moreGetForegroundWindow
This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.
It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by …
Read moreBypass User Account Control
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
The impact to the user ranges from denying the operation under high enforcement …
Read moreWordWarping
Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they …
Read more