Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
40 item(s) found so far for this keyword.
Process Injection: Extra Window Memory Injection Defense Evasion [Mitre]
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance …
Process Injection: Process Hollowing Defense Evasion [Mitre]
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A …
Process Injection: ListPlanting Defense Evasion [Mitre]
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate …
GetTickCount Anti-Debugging
This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.
GetTickCount
reads from the KUSER_SHARED_DATA
page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the …
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess
: in a suspended mode with the CreationFlag at 0x0000 0004.GetThreadContext
: retrieves the …
DLL Injection via CreateRemoteThread and LoadLibrary Process Manipulating
DLL Injection Via CreateRemoteThread
and LoadLibrary
is a technique used by malware to inject its code into a legitimate process. This technique is similar to hook injection, where the malware inserts a malicious DLL to be used by the system. It is one of the most common techniques used to inject malware into another process.
The malware writes the path …
Reflective DLL injection Process Manipulating
Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a LoadLibrary
function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.
The …
PE Injection Process Manipulating
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and force it to execute (either via a small shellcode, or by calling CreateRemoteThread
).
One advantage of PE injection over the LoadLibrary
technique is that the malware does not have to drop a malicious DLL on the disk. The malware …
Ctrl+Inject Process Manipulating
The "Control Signal Handler Callback" technique involves injecting malicious code into a process by using a callback function for control signal handlers. When a control signal, such as Ctrl+C, is received by a process, the system creates a new thread to execute a function to handle the signal. This thread is typically created by the legitimate process "csrss.exe" in the …
Inline Hooking Process Manipulating
Inline hooking is a technique used to intercept calls to target functions. It is commonly used by antiviruses, sandboxes, and malware to perform a variety of tasks, such as checking parameters, shimming, logging, spoofing returned data, and filtering calls.
The process of inline hooking involves directly modifying the code within the target function, usually by overwriting the first few bytes …