• Home
  • Search
  • Map
  • Resources
    • Technique List
    • Snippet List
    • Detection Rule List
    • Featured Evasion API List
  • Downloads
  • About
  • API

Search Evasion Techniques

Names, Techniques, Definitions, Keywords

I'm Feeling Lucky

Search Result

7 item(s) found so far for this keyword.

Bad String Format Anti-Debugging

Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.

For example, the malware may use a string with multiple %s inputs, which OllyDbg …

OutputDebugString Anti-Debugging

This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.

It is possible to use OutputDebugString in addition of GetLastError / SetLastError to detect debugger presence.

Disabling Event Tracing for Windows (ETW) Anti-Forensic

Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll.

Since ntdll.dll is a DLL loaded into the …

Breaking BaDDEr Process Manipulating

Dynamic Data Exchange (DDE) is a protocol that allows applications to share data with each other. The Dynamic Data Exchange Management Library (DDEML) is a set of functions that facilitate data sharing using the DDE protocol. DDE and DDEML are commonly used in Microsoft Office to enable data to be shared between applications. In October 2017, a vulnerability was discovered …

NtSetInformationThread Anti-Debugging

NtSetInformationThread can be used to hide threads from debuggers using the ThreadHideFromDebugger ThreadInfoClass (0x11 / 17). This is intended to be used by an external process, but any thread can use it on itself.

After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread …

PE Format Manipulation Antivirus/EDR Evasion

Evading signature can also be performed by modifying the PE structure (changing section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, Major/Minor OperatingSystemVersion and ImageVersion/MinorImageVersion, AddressOfEntryPoint, Maximum number of sections, File length.

File Format Confusion Antivirus/EDR Evasion

By looking the structure of the PE and the content of the file, the engine is able to detect if the file is malicious or not. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious.

Confusing file format is another trick that …

Made with in 🇫🇷 © 2023. The #UnprotectProject

Terms And Conditions

Contribute