Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Evading behavior analysis
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #4  
Old 05-14-2018, 23:44
Top10 Top10 is offline
Friend
  
Join Date: Feb 2017
Posts: 23
Rept. Given: 2
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 68
Thanks Rcvd at 59 Times in 18 Posts
Top10 Reputation: 3
Its depends on payload's behavior too,if makes many suspicious tasks like add startup key,out connection,copy itself among others,then should be more difficult to hide it to avs.

Depends too of your defense,i mean like anti dumps(try to protect in some way some memory parts), anti emulation and anti debug to avoid av's code emulation and its sandbox.

In personal experience api hook are not needed,you can use other ways like syscalls or change apis flow of your loader or simply both.Here there are some tips about runtime detection:

Quote:
https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Malware Analysis ldmd General Discussion 7 03-09-2025 18:42
Weird behavior in a patched program Doit General Discussion 4 02-23-2022 01:48
armadillo strange behavior drequinox General Discussion 0 02-11-2006 08:52
weird search behavior abitofboth General Discussion 0 01-30-2005 20:48


All times are GMT +8. The time now is 02:43.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )