Search Evasion Techniques
This function retrieves information about a running process. Malware can detect whether the process is currently attached to a debugger by querying the ProcessDebugPort (0x7) information class. A nonzero value returned by the call indicates that the process is being debugged.
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they …
While a process is running, the PEB can be referenced via the location fs:[30h]. For anti-debugging, malware uses that location to check the BeingDebugged flag, which indicates whether the specified process is being debugged.
ProcEnvInjection - Remote code injection by abusing process environment strings (Process Manipulating)
This method allows injecting custom code into a remote process without using WriteProcessMemory. It uses the lpEnvironment parameter of CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply to execute a block of code.
The lpEnvironment parameter of CreateProcess allows us to specify …
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
An adversary may hijack the execution flow of a process using …
CheckRemoteDebuggerPresent is a kernel32.dll function that sets the DebuggerPresent parameter to 0xffffffff (-1) if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as the ProcessInformationClass parameter.
This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file and an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform …
Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as svchost.exe, and placing it in a legitimate folder.
Masquerading can occur when the name or location of an executable, whether …
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess: in suspended mode, with the creation flag set to 0x00000004.
GetThreadContext: retrieves the …
Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.
There are two ways to accomplish this technique:
1. Calling the SetThreadLocale function and setting up an export function named NlsDllCodePageTranslation, where the main payload …