Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
299 item(s) found so far for this keyword.
VMCPUID Sandbox Evasion
The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.
This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.
By using VMCPUID, malware can adapt its behavior based on …
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
IsDebuggerPresent Anti-Debugging
This function checks specific flag in the Process Environment Block (PEB) for the field IsDebugged which will return zero if the process is not running into a debugger or a nonzero if a debugger is attached.
If you want to understand the underlying process of IsDebuggerPresent API you can check the code snippet section for the following method: IsDebugged …
NtSetInformationThread Anti-Debugging
NtSetInformationThread can be used to hide threads from debuggers using the ThreadHideFromDebugger ThreadInfoClass (0x11 / 17). This is intended to be used by an external process, but any thread can use it on itself.
After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. …
OutputDebugString Anti-Debugging
This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.
It is possible to use OutputDebugString in addition of GetLastError / SetLastError to detect debugger presence.
Heap Flag Anti-Debugging
ProcessHeap is located at 0x18 in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags and ForceFlags.
The values of Flags and ForceFlags are normally …
NtGlobalFlag Anti-Debugging
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68. If the value at this location is 0x70, we know that we are running in a debugger.
The NtGlobalFlag field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …
GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter Sandbox Evasion Anti-Debugging
When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.
Detecting Window with FindWindow API Anti-Debugging Anti-Monitoring
The FindWindowA / FindWindowW function can be used to search for windows by name or class.
It is also possible to use EnumWindows API in conjunction with GetWindowTextLength and GetWindowText to locate a piece of string that could reveal the presence of a known debugger.
Some Known Debuggers
- ImmunityDebugger
- OllyDbg
- IDA
- x64dbg / …
Detecting Running Process: EnumProcess API Sandbox Evasion Anti-Debugging Anti-Monitoring
Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the EnumProcess function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.
By detecting these processes …