Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
140 item(s) found so far for this keyword.
Adding antivirus exception Antivirus/EDR Evasion
Another way for a malware is to add an exception into the antivirus.
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter
function will be called. It is possible to register a custom unhandled exception filter using …
Treepoline Process Manipulating
Tree-view controls are a type of user interface element that is used to display hierarchical data in a graphical user interface (GUI). They are commonly used in Windows applications and allow users to navigate and explore complex data structures.
To display its content, a tree-view control must sort the items it shows. The sorting routine for a tree-view control can …
Misusing Structured Exception Handlers Anti-Disassembly
Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done …
Hijack Execution Flow: Path Interception by PATH Environment Variable Defense Evasion [Mitre]
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or …
Hijack Execution Flow: Path Interception by Search Order Hijacking Defense Evasion [Mitre]
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. …
Hijack Execution Flow: Path Interception by Unquoted Path Defense Evasion [Mitre]
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Service paths and shortcut paths may also be vulnerable to path interception if the path …
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler
technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler)
to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP
exception, …
Obscuring Control Flow Anti-Disassembly
Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.
One example of this …
Disassembly Desynchronization Anti-Disassembly
Disassembly desynchronization is a technique that is used to prevent disassemblers from accurately reconstructing the original instructions of a program. It involves the creative use of instructions and data in a way that breaks the normal, predictable sequence of instructions in a program. This can cause disassemblers to become "desynchronized" and generate incorrect disassembly output.
For example, suppose a program …