NixImports
Created the Sunday 14 January 2024. Updated 10 months ago.
A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type and method. Consequently, HInvoke doesn't generate any import references for the methods accessed through it.
Additionally, NixImports is designed to minimize the use of well-known methods. Wherever possible, it opts for internal methods over their standard wrappers. This strategy helps in evading the basic hooks and monitoring systems used by certain security tools.
Technique Identifier
Technique Tags
Detection Rules
Contributors
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- GitHub - dr4k0nia/NixImports: A .NET malware loader, using API-Hashing to evade static analysis
- NixImports a .NET loader using HInvoke | dr4k0nia