Search For Content
Search Result
168 item(s) found so far for this keyword.
VMCPUID
The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.
This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.
By using VMCPUID, malware can adapt its behavior based on …
Read moreAdding antivirus exception
This technique involves searching for active antivirus-related processes or modules and terminating execution if any are found. By detecting loaded antivirus libraries, malware can determine whether it is running in a monitored environment and exit to avoid detection.
Read moreNtGlobalFlag
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68. If the value at this location is 0x70, we know that we are running in a debugger.
The NtGlobalFlag field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …
GetTickCount
This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.
GetTickCount reads from the KUSER_SHARED_DATA page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates …
TLS Callback
TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.
As an anti-debugging technique, a program can use a TLS callback …
Read morePerforming Code Checksum
Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take …
Read moreINT3 Instruction Scanning
Instruction INT3 is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC (INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the …
API Obfuscation
API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …
Read moreControl Flow Graph Flattening
Control flow flattening is a technique used to obfuscate the control flow of a program, in order to make it more difficult for a disassembler to accurately interpret the program's behavior. This technique involves breaking up the nesting of loops and if-statements in a program, and then hiding each of them in a case of a large switch statement. This …
Read more