Search For Content
Search Result
168 item(s) found so far for this keyword.
ConsoleWindowClass
One method that has been used to achieve process injection is by manipulating the User Data of a window object.
The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …
CLIPBRDWNDCLASS
CLIPBRDWNDCLASS is a window class that is registered by the Object Linking & Embedding (OLE) library (ole32.dll) to handle clipboard data. When a window of this class is created, it is assigned a number of window properties that store the addresses of various interfaces that are used to process clipboard data. These interfaces include the ClipboardDataObjectInterface, ClipboardRootDataObjectInterface, and …
DNS API Injection
DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …
Read moreDebug Registers, Hardware Breakpoints
Hardware breakpoints allow a debugger to pause execution at specific memory addresses without modifying the program code. They are stored in special CPU registers (DR0 through DR3 on Intel CPUs).
For anti-debugging, malware can inspect the values of these debug registers. If any of the registers contain a non-empty value, it indicates that a hardware breakpoint has been set …
Read moreExecution Guardrails: Environmental Keying
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving …
Read moreDetecting Online Sandbox
Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.
Detecting Any.Run
-
Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …
ProcEnvInjection - Remote code injection by abusing process environment strings
This method allows to inject custom code into a remote process without using WriteProcessMemory - It will use the lpEnvironment parameter in CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.
The lpEnvironment parameter in CreateProcess allows us to …
Unloading Sysmon Driver
Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.
One way that malware can evade …
Read moreThemida
Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...
-
Anti-debugger techniques that detect/fool any kind of debugger
-
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
-
Different encryption algorithms and keys in each protected application
-
Anti-API scanners techniques that avoids reconstruction …
ConfuserEx
ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. It's primarily designed to make reverse engineering difficult for applications written in .NET languages like C# and VB.NET. ConfuserEx does this by using a variety of techniques like symbol renaming, control flow obfuscation, and encryption of strings and resources.
-
Supports .NET …