Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
85 item(s) found so far for this keyword.
FuncIn Antivirus/EDR Evasion Anti-Debugging Anti-Disassembly Anti-Forensic
FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.
This approach addresses three primary issues in malware development. Firstly, it mitigates …
BlockInput Others
As per Microsoft's documentation, BlockInput function "prevents keyboard and mouse input events from reaching applications," effectively restricting user interaction with the system.
Malware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to BlockInput with the parameter 0. Windows automatically …
NtDelayExecution Sandbox Evasion Anti-Debugging
NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.
Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …
VBA Purging Antivirus/EDR Evasion
VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …