Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
16 item(s) found so far for this keyword.
NtQueryInformationProcess Anti-Debugging
This function retrieves information about a running process. Malware are able to detect if the process is currently being attached to a debugger using the ProcessDebugPort (0x7)
information class.
A nonzero value returned by the call indicates that the process is being debugged.
Debugger Evasion Defense Evasion [Mitre]
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they …
IsDebugged Flag Anti-Debugging
While a process is running, the location of the PEB can be referenced by the location fs:[30h]
. For anti-debugging, malware will use that location to check the BeingDebugged
flag, which indicates whether the specified process is being debugged.
ProcEnvInjection - Remote code injection by abusing process environment strings Process Manipulating
This method allows to inject custom code into a remote process without using WriteProcessMemory
- It will use the lpEnvironment
parameter in CreateProcess
to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.
The lpEnvironment
parameter in CreateProcess
allows us to specify …
Hijack Execution Flow: KernelCallbackTable Defense Evasion [Mitre]
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.
An adversary may hijack the execution flow of a process using …
CheckRemoteDebuggerPresent Anti-Debugging
CheckRemoteDebuggerPresent is a kernel32.dll function that sets (-1)0xffffffff in the DebuggerPresent parameter if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as a ProcessInformationClass parameter.
Process Doppelgänging Process Manipulating
This technique leverages the Transactional NTFS
functionality in Windows. This functionality helps maintain data integrity during an unexpected error. For example, when an application needs to write or modify a file, if an error is triggered mid-write, the data can be corrupted. To avoid this kind of behavior, an application can open the file in a transactional mode to perform …
Process Camouflage, Masquerading Process Manipulating
Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as svchost.exe
, and placing it in a legitimate folder.
Masquerading can occur when the name or location of an executable, whether …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess
: in a suspended mode with the CreationFlag at 0x0000 0004.GetThreadContext
: retrieves the …
NLS Code Injection Through Registry Process Manipulating
Dll injection through registry modification of NLS code page ID is a technique used by malware to inject a malicious DLL into a process by modifying the NLS code page ID in the registry.
There are two ways to accomplish this technique:
1. Calling the SetThreadLocale
function and setting up an export function named NlsDllCodePageTranslation
, where the main payload …