Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
21 item(s) found so far for this keyword.
Adding antivirus exception Antivirus/EDR Evasion
This technique involves searching for active antivirus-related processes or modules and terminating execution if any are found. By detecting loaded antivirus libraries, malware can determine whether it is running in a monitored environment and exit to avoid detection.
Unhandled Exception Filter Anti-Debugging
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter …
Misusing Structured Exception Handlers Anti-Disassembly
Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done …
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler) to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP …
Obscuring Control Flow Anti-Disassembly
Obscuring control flow is an anti-disassembling technique that involves using methods of flow control that are difficult or impossible for disassemblers and debuggers to follow. This can make it more difficult for analysts to understand the program's behavior and can also make it more difficult for other tools, such as debuggers, to accurately interpret the program.
One example of …
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port …
VPCEXT Sandbox Evasion
The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.
EventPairHandles Anti-Debugging
An EventPair Object is an event constructed by two _KEVENT structures which are conventionally named High and Low.
There is a relation between generic Event Objects and Debuggers because they must create a custom event called DebugEvent able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a …
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose or CloseHandle with an invalid handle will generate a STATUS_INVALID_HANDLE exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Interrupts Anti-Debugging
Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling.
By triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it …