Author: winternl
-
Designing Emulation Resistant Control Flow
—
by
Antimalware emulators have the Sisyphean task of implementing a complete and accurate clone of the Windows environment. My previous research focused on a generic way to detect the presence of such emulators based upon Windows API artifacts. This is and will continue to be an effective technique in one’s arsenal. One of the most effective…
-
MemFuck: Bypassing User-Mode Hooks
—
by
Preface Dynamic malware analysis is the preferred way to determine the legitimacy of an application for many AVs/EDRs/MDSs. Unlike static analysis, dynamic analysis can capture and analyze Windows API calls made during the course of execution. This method of analysis provides far superior detection rates than static analysis. There are many techniques to capture such…
-
Static Detection of Portable Executable Files
—
by
Preface The cat and mouse game of the AV industry lives on into another decade. All AVs, operate on essentially three modes of detection. This post will provide a high-level overview of how AVs statically determine anomalous and heuristically incorrect PE files. These types of detections are often labeled under some vague descriptor such as…
-
Fuzzing the Windows API for AV Evasion
—
by
What is emulation? Malware Detection Systems (MDSs) use a technique called emulation as perhaps their most effective weapon against novel malware threats. Emulation does not rely on the static structure or signature of a file, but instead, executes the suspicious file for you. Of course, the MDS will not run the file on your computer,…
-
TRunPE
—
by
is a modified process hollowing technique capable of injecting entire PE files. What is process hollowing? Process hollowing or RunPE is a code injection technique which allows for an arbitrary PE file to be run in the context of another, legitimate process. This is perhaps the most popular technique used by in-the-wild malware, and is…
-
ShellcodeStdio
—
by
is an extensible framework for easily writing debuggable, compiler optimized, position-independent, x86 and x64 shellcode for windows platforms. I will be demonstrating how to write optimized, position-independent x86 and x64 shellcode using my ShellcodeStdio framework. Our approach is invaluable in the rapid development of shellcode as ShellcodeStdio maintains distinct advantages over coding in pure assembly.…