Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
257 item(s) found so far for this keyword.
STR Sandbox Evasion
Stores the segment selector from the Task Register (TR).
CPUID Sandbox Evasion
The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.
You can use the CPUID instruction to retrieve various pieces of information …
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port …
Checking Recent Office Files Sandbox Evasion
Another way to detect if the malware is running in a real user machine is to check if some recent Office files was opened.
Checking Installed Software Sandbox Evasion
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
Detecting Hostname, Username Sandbox Evasion
Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.
Detecting USB Drive Sandbox Evasion
To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Heap Flag Anti-Debugging
ProcessHeap
is located at 0x18
in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags
and ForceFlags
.
The values of Flags and ForceFlags
are normally …
NtGlobalFlag Anti-Debugging
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68
. If the value at this location is 0x70
, we know that we are running in a debugger.
The NtGlobalFlag
field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …