Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
249 item(s) found so far for this keyword.
Detecting Hostname, Username Sandbox Evasion
Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.
Detecting USB Drive Sandbox Evasion
To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Heap Flag Anti-Debugging
ProcessHeap
is located at 0x18
in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags
and ForceFlags
.
The values of Flags and ForceFlags
are normally set …
NtGlobalFlag Anti-Debugging
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68
. If the value at this location is 0x70
, we know that we are running in a debugger.
The NtGlobalFlag
field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on 64-bit …
GetTickCount Anti-Debugging
This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.
GetTickCount
reads from the KUSER_SHARED_DATA
page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the …
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter
function will be called. It is possible to register a custom unhandled exception filter using …
INT3 Instruction Scanning Anti-Debugging
Instruction INT3
is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC
(INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT
(0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the protector …
Custom Encoding Data Obfuscation
Malware often uses custom encoding schemes to conceal their payloads and avoid detection. These custom schemes can be full custom layers, or they can be variations of known algorithms such as XOR or Base64. Using custom encoding schemes allows malware to encode their payloads in a unique way that can be difficult for security tools and forensic investigators to detect. …
Indicator Removal: Clear Windows Event Logs Anti-Forensic Defense Evasion [Mitre]
Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.
Event logs can provide valuable information about the actions taken …