Process Tricks

From Unprotect Project

Technique Description

Malware abuses process tricks to stay undetected. The Windows API lets a program manipulate the memory and execution state of other processes, and malware authors go beyond this basic functionality to implement specific techniques that hide from the user or the system administrator (rootkits, process injection) or that otherwise thwart analysis and detection. Some of these tricks are described below, along with ways to defeat them during malware analysis.

Techniques

Below is a list of all the process trick techniques in the Unprotect Project, with a short description of each:

Process hollowing: Process hollowing is a technique used by malware to run malicious code inside another, legitimate process. For example, a sample can create a notepad.exe process, replace its in-memory image with the payload and resume it, so the payload runs under the name notepad.exe.
Process camouflage: Process camouflage is a basic technique that consists in renaming the malicious file to a legitimate name (e.g. svchost.exe) and copying it to a legitimate-looking folder, so that it blends in with system processes in a process listing.
Parent process: Parent process checking is a basic technique that consists in identifying the parent of the current process. Most user-launched processes have explorer.exe as their parent, so a simple check is whether the parent process is explorer.exe; a sample started directly by a debugger or a sandbox agent fails this check and can change its behaviour.
Header entry point: The entry point is the address at which execution of the executable begins. Some techniques change or relocate the real entry point (for example into an unpacking stub in another section) to protect the code from analysis.
Hook injection: A hook is a technique to alter the behaviour of an internal function of the operating system or of an application. Malware can insert a malicious function that another process then calls in place of, or before, the original one.
Library injection: Similar to hook injection; a process inserts a malicious DLL that is then loaded and executed by another process or by the system.
Executing code from memory: Some malware is downloaded and run directly in memory without writing any file to disk. This kind of malware is called "fileless".
File hiding
Trojanizing
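As an added example (not code from the Unprotect Project page), the process camouflage and parent process entries above can be turned into two concrete checks: a detection pass over a process listing that flags system-binary names running from the wrong folder or under the wrong parent, and the explorer.exe parent test as the sample itself performs it. The process snapshot, the pids and the debugger.exe name are constructed; the expected directory and parent for svchost.exe and lsass.exe are Windows defaults.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Windows defaults for binaries that are frequently impersonated: where the real
# image lives and which process is expected to have started it.
EXPECTED = {
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
    "lsass.exe":   (r"c:\windows\system32", "wininit.exe"),
}


def by_pid(snapshot):
    return {p.pid: p for p in snapshot}


def parent_name(snapshot, pid):
    """Lower-cased name of the parent, or None when the parent has exited or pid is unknown."""
    procs = by_pid(snapshot)
    p = procs.get(pid)
    parent = procs.get(p.ppid) if p else None
    return parent.name.lower() if parent else None


def parent_is_explorer(snapshot, pid):
    """The check described on the page, seen from the malware's side: was I started by
    explorer.exe (a user double-click) or by something else (debugger, sandbox agent)?"""
    return parent_name(snapshot, pid) == "explorer.exe"


def find_camouflage(snapshot):
    """Flag processes that borrow a system-binary name but run from the wrong folder
    or under the wrong parent. Returns a list of (pid, reason)."""
    findings = []
    for p in snapshot:
        rule = EXPECTED.get(p.name.lower())
        if rule is None:
            continue
        want_dir, want_parent = rule
        # ntpath handles Windows paths regardless of the analysis host's OS.
        got_dir = ntpath.dirname(p.path)
        if ntpath.normcase(got_dir) != want_dir:
            findings.append((p.pid, f"{p.name} running from {got_dir} instead of {want_dir}"))
        got_parent = parent_name(snapshot, p.pid)
        if got_parent != want_parent:
            findings.append((p.pid, f"{p.name} started by {got_parent or 'an exited process'} "
                                    f"instead of {want_parent}"))
    return findings


# Constructed snapshot (pid, ppid, name, image path); not captured from a real host.
SNAPSHOT = [
    Proc(4,    0,    "System",       ""),
    Proc(500,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    Proc(600,  500,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    Proc(700,  600,  "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(720,  600,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    Proc(900,  700,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    Proc(1200, 1000, "explorer.exe", r"C:\Windows\explorer.exe"),       # ppid 1000 (userinit.exe) has exited
    Proc(3000, 1200, "svchost.exe",  r"C:\Users\bob\AppData\Roaming\svchost.exe"),  # camouflaged copy
    Proc(3100, 1200, "sample.exe",   r"C:\Users\bob\Downloads\sample.exe"),         # double-clicked by the user
    Proc(3150, 1200, "debugger.exe", r"C:\Tools\debugger.exe"),                     # constructed analysis tool
    Proc(3200, 3150, "sample.exe",   r"C:\Users\bob\Downloads\sample.exe"),         # launched from the debugger
]

if __name__ == "__main__":
    for pid, reason in find_camouflage(SNAPSHOT):
        print(f"[camouflage] pid {pid}: {reason}")
    for pid in (3100, 3200):
        print(f"pid {pid} parent is explorer.exe: {parent_is_explorer(SNAPSHOT, pid)}")
```

On a live system the snapshot comes from a process listing (Process Explorer, a WMI query, psutil); pids are reused once a parent exits, so the parent check is unreliable for long-lived processes whose parent is gone (explorer.exe and its exited userinit.exe parent in the snapshot). The same weakness is how the analyst defeats the sample's parent check during analysis: launch the sample from explorer.exe, or patch the comparison so it always succeeds.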

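The header entry point entry above can be checked mechanically: parse the PE header, find the section that contains AddressOfEntryPoint and see whether that is where a compiler would have put it. This is an added example, not code from the Unprotect Project page. The two PE headers are constructed with struct (they carry no real code), the .stub section name is invented, and the header offsets and section flags are taken from the PE/COFF specification.

```python
import struct

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_pe(pe):
    """Return (AddressOfEntryPoint, sections) from a PE file buffer; only the fields needed here."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+ alike.
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def check_entry_point(pe):
    """Locate the section holding the entry point and list what is odd about it."""
    entry_rva, sections = parse_pe(pe)
    home = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    findings = []
    if home is None:
        findings.append("entry point does not fall inside any section")
    else:
        if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in non-executable section {home['name']}")
        if home["chars"] & IMAGE_SCN_MEM_WRITE and home["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in writable and executable section {home['name']}")
        code = [s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE]
        if code and home is not code[0]:
            findings.append(f"entry point in {home['name']}, not in the first code section {code[0]['name']}")
    return {"entry_rva": entry_rva, "section": home["name"] if home else None, "findings": findings}


def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header: DOS header, COFF header, optional header, section table.
    sections: (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine i386, NumberOfSections, 3 zeroed fields, SizeOfOptionalHeader, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # Magic PE32, linker version, three size fields, AddressOfEntryPoint; the rest stays zero.
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


CODE_RX  = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW  = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STUB_RWX = CODE_RX | IMAGE_SCN_MEM_WRITE

# Constructed: compiler-style layout with the entry point inside .text.
NORMAL_PE = build_pe(0x1120, [(b".text", 0x1000, 0x2000, 0x2000, 0x400,  CODE_RX),
                              (b".data", 0x3000, 0x1000, 0x200,  0x2400, DATA_RW)])
# Constructed: entry point relocated into a trailing RWX stub that would unpack .text at run time.
RELOCATED_PE = build_pe(0x5010, [(b".text", 0x1000, 0x2000, 0x2000, 0x400,  CODE_RX),
                                 (b".data", 0x3000, 0x1000, 0x200,  0x2400, DATA_RW),
                                 (b".stub", 0x5000, 0x800,  0x800,  0x2600, STUB_RWX)])

if __name__ == "__main__":
    for label, pe in (("normal", NORMAL_PE), ("relocated", RELOCATED_PE)):
        print(label, check_entry_point(pe))
```

To run it on a real file, pass open(path, "rb").read() to check_entry_point. An entry point outside the first code section, or in a writable and executable section, is the usual sign that a packer or protector owns the first instructions; the analysis counter is to let the stub run under a debugger and stop when control transfers back into the original code section to recover the original entry point.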