Difference between revisions of "Process Tricks"

From Unprotect Project
Revision as of 15:31, 30 December 2016

Technique Description

Malware abuses process tricks to stay undetected. The Windows API lets a program manipulate the memory of other processes, and malware authors often go beyond this basic functionality to implement specific techniques to hide from the user or system administrator, using rootkits or process injection, or to otherwise thwart analysis and detection. Some of these tricks are described here together with a way to defeat them during malware analysis.

Techniques

Below is a list of all the process trick techniques in Unprotect Project:

| Technique | Description |
|---|---|
| Process hollowing | Process hollowing is a technique used by malware to inject malicious code into another process. For example, a sample can create a notepad.exe process and inject its payload into it. |
| Process camouflage | Process camouflage is a basic concept that consists of renaming the malicious file after a legitimate one (e.g. svchost.exe) and copying it to a legitimate-looking folder. |
| Parent process | Parent process is a basic technique that consists of detecting the parent process of the current process. Most user processes have explorer.exe as their parent, so a simple check is whether the parent process is this one. |
| Header entry point | |
| Hook injection | |
| Library injection | |
| Executing code from memory | |
| File hiding | |
| Trojanizing | |
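The process camouflage and parent process entries above describe what a sample looks for; the following is an analysis-side check that turns those two descriptions around and audits a process snapshot for well-known system binary names running from the wrong directory or under an unexpected parent. This is an added example, not code from Unprotect Project; the EXPECTED reference table and the SAMPLE snapshot are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed reference data (constructed for this example): the directory a
# well-known system binary is expected to live in, and its usual parent(s).
EXPECTED = {
    "svchost.exe": (r"c:\windows\system32", {"services.exe"}),
    "explorer.exe": (r"c:\windows", {"userinit.exe", "winlogon.exe"}),
    "notepad.exe": (r"c:\windows\system32", {"explorer.exe"}),
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def audit(procs):
    """Return (pid, reason) findings for camouflaged or oddly parented processes."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED:
            continue  # only audit names the table knows about
        exp_dir, exp_parents = EXPECTED[name]
        # Compare the on-disk directory, case-insensitively, with the expected one.
        directory = p.path.lower().rsplit("\\", 1)[0]
        if directory != exp_dir:
            findings.append((p.pid, f"{p.name} running from unexpected path {p.path}"))
        # Resolve the parent by pid; a missing parent is itself suspicious.
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if parent_name not in exp_parents:
            findings.append((p.pid, f"{p.name} has unexpected parent {parent_name}"))
    return findings


# Constructed sample snapshot (not captured from a real host).
SAMPLE = [
    Proc(4, 0, "System", "System"),
    Proc(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(900, 4, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    Proc(1200, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3100, 1200, "svchost.exe", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(pid, reason)
```

Only the camouflaged svchost.exe (pid 3100) is reported, once for its path and once for having explorer.exe rather than services.exe as its parent.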
