Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
147 item(s) found so far for this keyword.
Detecting Hostname, Username Sandbox Evasion
Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.
File Splitting Antivirus/EDR Evasion
An old trick consists to split the malicious file into different parts and analyse all of them separately with and AV. The chunk where the detection is still being triggered is actually the part of the file that need to change to evade the antivirus software you are targeting.
EventPairHandles Anti-Debugging
An EventPair
Object is an event constructed by two _KEVENT
structures which are conventionally named High and Low.
There is a relation between generic Event Objects and Debuggers because they must create a custom event called DebugEvent
able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a normal …
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter Sandbox Evasion Anti-Debugging
When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.
Interrupts Anti-Debugging
Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling.
By triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it is …
INT3 Instruction Scanning Anti-Debugging
Instruction INT3
is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC
(INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT
(0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector …
API Obfuscation Anti-Disassembly
API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess
: in a suspended mode with the CreationFlag at 0x0000 0004.GetThreadContext
: retrieves the …
FIleless Mechanisms Process Manipulating
Fileless malware is a type of malware that is designed to reside and execute entirely in the memory of a host system, without leaving any trace on the local disk. This can make it more difficult for security tools to detect and remove the malware, as it does not leave any files on the system that can be scanned or …