
Search Evasion Techniques


Search Result

299 item(s) found so far for this keyword.

Abusing the Return Pointer Anti-Disassembly

Abusing the return pointer is an anti-disassembling technique that involves using the return instruction (RETN) in a way that is not expected by the disassembler. This can make it more difficult for the disassembler to accurately reconstruct the program's original instructions and can also make it more difficult for analysts to understand the program's behavior.

The RETN instruction is …

Obscuring Control Flow Anti-Disassembly

Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.

One example of …

Impossible Disassembly Anti-Disassembly

Impossible disassembly is an anti-disassembling technique that involves inserting data bytes after a conditional jump instruction in order to prevent the real instruction that follows from being disassembled. This technique takes advantage of a basic assumption in disassembly, which states that one byte is only interpreted in the context of one instruction. By inserting a byte that is the opcode …

Jump With Same Target Anti-Disassembly

Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.

…

Process Hollowing, RunPE Process Manipulating

Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.

The process is the following:

  • CreateProcess: in suspended mode, with the creation flag set to 0x00000004.
  • …

Parent Process Detection Anti-Monitoring

Parent process detection is a technique used by malware to evade detection by security analysts. The parent process of a given process is the process that spawned it.

For example, most user processes on a Windows system have explorer.exe as their parent process. By checking the parent process of a given process, malware can determine whether it is being monitored …

Entry Point Modification Process Manipulating

The entry point is the starting point of an executable file during execution. Some malware uses techniques such as changing or relocating the real entry point to protect its code from analysis. This makes it difficult for security software to identify and detect the malware, as the code is not executed in the usual way.

Hook Injection Process Manipulating

Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.

In the case of Windows, the SetWindowsHookEx function can be used by programs to …

Fileless Mechanisms Process Manipulating

Fileless malware is a type of malware that is designed to reside and execute entirely in the memory of a host system, without leaving any trace on the local disk. This can make it more difficult for security tools to detect and remove the malware, as it does not leave any files on the system that can be scanned or …

Redirect Antivirus Website Antivirus/EDR Evasion

To avoid connections to anti-malware websites, malware can modify the hosts file to redirect the connection.



The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc
