ConsoleWindowClass Process Manipulating

One method that has been used to achieve process injection is by manipulating the User Data of a window object.

The User Data of a window is a small amount of memory that is usually used to store a pointer to a class object. This memory can be set using the SetWindowLongPtr API and the GWLP_USERDATA parameter. In the …

EditWordBreakProc Process Manipulating

Edit controls, including Rich Edit controls, are a common type of Windows control found in many applications. They can be embedded directly in the application or as subclassed windows.

When these controls display text in multiline mode, they use a callback function called EditWordBreakProc. This function is called every time the control needs to do something related to …

Debug Registers, Hardware Breakpoints Anti-Debugging

Hardware breakpoints allow a debugger to pause execution at specific memory addresses without modifying the program code. They are stored in special CPU registers (DR0 through DR3 on Intel CPUs).

For anti-debugging, malware can inspect the values of these debug registers. If any of the registers contain a non-empty value, it indicates that a hardware breakpoint has been set …

LocalSize(0) Anti-Debugging

The function LocalSize retrieves the current size of the specified local memory object, in bytes. By setting the hMem parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.

Process Herpaderping Process Manipulating

Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.

To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of …

ProcEnvInjection - Remote code injection by abusing process environment strings Process Manipulating

This method allows to inject custom code into a remote process without using WriteProcessMemory - It will use the lpEnvironment parameter in CreateProcess to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply execute a block of code.

The lpEnvironment parameter in CreateProcess allows us to …

Shellcode Injection via CreateThreadpoolWait Process Manipulating

Shellcode injection is a technique used by malware to execute arbitrary code within the context of a targeted process. One method of achieving this is through the use of the CreateThreadpoolWait function, which is a part of the Windows thread pool API.

In the context of shellcode injection, CreateThreadpoolWait is used to create a wait object that is associated …

MPRESS Packers

MPRESS is a free packer. It makes programs and libraries smaller, and decrease start time when the application loaded from a slow removable media or from the network.

It uses in-place decompression technique, which allows to decompress the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS …

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction …

ConfuserEx Packers

ConfuserEx is a open-source protector for .NET applications. It is the successor of Confuser project. It's primarily designed to make reverse engineering difficult for applications written in .NET languages like C# and VB.NET. ConfuserEx does this by using a variety of techniques like symbol renaming, control flow obfuscation, and encryption of strings and resources.

Supports .NET …

Search Evasion Techniques

Search Result