|
|
#1
03-16-2018, 18:32
|
|||
|
|||
Evading behavior analysis
This is my first post on exetools so hello to all,
so i generally experiment with post exploitation tools, sometime develop my own. what i have noticed working with major antivirus is that evading detection statically or in memory is easy (call apis dynamically and obfuscate strings, followe by ghostwriting or process hollowing), but the behavior analysis at the run time detects the payload. as i was testing with kaspersky and avast, the payload executed succesfully but after few minutes it was detected by the behaviour analysis module and neutralized. to resolve this problem i proposed if i can hook all api calls in the payload exe and choose a random time interval or apicall before the execution of the original api, maybe behaviour detection can be evaded. i would like to discuss on this more, and want to know what you thought are on this, and if someone can propose a better solution. please enlighten and apologies if i did something wrong. 
|
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Malware Analysis | ldmd | General Discussion | 7 | 03-09-2025 18:42 |
| Weird behavior in a patched program | Doit | General Discussion | 4 | 02-23-2022 01:48 |
| armadillo strange behavior | drequinox | General Discussion | 0 | 02-11-2006 08:52 |
| weird search behavior | abitofboth | General Discussion | 0 | 01-30-2005 20:48 |
Threaded Mode