Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
259 item(s) found so far for this keyword.
NtGlobalFlag Anti-Debugging
The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68
. If the value at this location is 0x70
, we know that we are running in a debugger.
The NtGlobalFlag
field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …
GetTickCount Anti-Debugging
This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.
GetTickCount
reads from the KUSER_SHARED_DATA
page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates …
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter
function will be called. It is possible to register a custom unhandled exception filter …
INT3 Instruction Scanning Anti-Debugging
Instruction INT3
is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC
(INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT
(0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the …
Custom Encoding Data Obfuscation
Malware often uses custom encoding schemes to conceal their payloads and avoid detection. These custom schemes can be full custom layers, or they can be variations of known algorithms such as XOR or Base64. Using custom encoding schemes allows malware to encode their payloads in a unique way that can be difficult for security tools and forensic investigators to detect.
…Indicator Removal: Clear Windows Event Logs Anti-Forensic Defense Evasion [Mitre]
Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.
Event logs can provide valuable information about the actions …
Thermal Zone Temperature Sandbox Evasion
The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.
Interestingly, this method is not valid. Not all …
Bypass User Account Control Defense Evasion [Mitre]
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
The impact to the user ranges from denying the operation under high enforcement …
Access Token Manipulation: Parent PID Spoofing Process Manipulating Defense Evasion [Mitre]
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified.
One way of explicitly assigning the PPID of a new process is via the CreateProcess
API call, which supports a parameter that defines the …
INT 0x2D Anti-Debugging
When the instruction INT2D
is executed, the exception EXCEPTION_BREAKPOINT
is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while INT2D
is executed.