Register Reassignment Anti-Disassembly

Register reassignment is a technique used in code obfuscation and anti-disassembling to make reverse engineering and analysis more difficult. It involves modifying the instructions in a program to use different registers in different versions or instances of the program. This can make it more difficult for a reverse engineer or disassembler to understand the program's behavior, as the register assignments …

Code Transposition Anti-Disassembly

Code transposition is a technique used by malware authors to evade detection and analysis by rearranging the instructions of a piece of code without changing its behavior. This technique is used to make the code more difficult to read and understand for disassemblers and reverse engineers, as well as to hide the true intent of the code.

There are …

Opaque Predicate Anti-Disassembly

Opaque predicate is a term used in programming to refer to decision making where there is only one possible outcome. This can be achieved through the use of complex or hard-to-understand logic, such as calculating a value that will always return True.

Opaque predicates are often used as anti-disassembling techniques, as they can make it difficult for an analyst …

Tor Network C2 Network Evasion

Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as "relays," to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.

Malware …

Peer to peer C2 Network Evasion

Peer-to-peer (P2P) botnets are a type of botnet that uses a decentralized network structure, without a central command and control (C&C) server. Each infected machine in a P2P botnet maintains a list of other trusted computers (including other infected machines), as well as information drop locations and locations where the malware can be updated. Some P2P botnets also use encryption …

API Hammering Sandbox Evasion

API hammering is a technique used to delay sandbox analysis and thus avoid malware capability analysis reporting. This technique consists of calling a large amount of benign APIs like "printf" in a loop.

GetForegroundWindow Sandbox Evasion

This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.

It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by …

Detecting Online Sandbox Sandbox Evasion

Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.

Detecting Any.Run

Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …

Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.

One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the …

Alienyze Packers

Alienyze is a software packer designed to compress executable files, allowing them to reduce the file size of their software as much as possible.

Anti-Debugger techniques that detect and fool present debuggers
Anti-VM techniques that detect sandbox & virtualized environments
Protection from disassemblers and software analysis tools
Hardware …

Search Evasion Techniques

Search Result