Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
7 item(s) found so far for this keyword.
Misusing Structured Exception Handlers Anti-Disassembly
Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done …
Obscuring Control Flow Anti-Disassembly
Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.
One example of …
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler
technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler)
to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP
…
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter
function will be called. It is possible to register a custom unhandled exception filter …
INT3 Instruction Scanning Anti-Debugging
Instruction INT3
is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC
(INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT
(0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the …
Call to Interrupt Procedure Anti-Debugging
This anti-debugging technique involves using the INT n
instruction to generate a call to the interrupt or exception handler specified with the destination operand.
To implement this technique, the int 0x03
instruction is executed, followed by a ret
(0xCD03, 0xC3) nested in a __try, __except block
. If a debugger is present, the except block will not be executed, …