Avoiding Memory Scanners (Yara, Pe-sieve...)
Created the Sunday 29 January 2023. Updated 1 year, 2 months ago.
Avoiding Memory Scanners is a technique that enables malware creators to bypass the detection of endpoint security software and reverse engineers by using memory scanning to locate shellcode and malware in Windows memory.
The technique involves understanding how memory scanners work and implementing a stable evasion method for each of the memory scanning tools, such as PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA. The goal of this technique is to hide the presence of malware from these tools and maintain its malicious functionality.
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- DEF CON 30: Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE sieve, and More - YouTube
- GitHub - kyleavery/AceLdr: Cobalt Strike UDRL for memory scanner evasion.