Process Tricks
Latest revision as of 16:10, 30 December 2016
Malware abuses process tricks to stay undetected. The Windows API lets a program manipulate the memory of other processes, and malware authors go well beyond this basic functionality, implementing specific techniques to hide from the user or the system administrator (rootkits, process injection) or to otherwise thwart analysis and detection. Some of these tricks are described here, together with ways to defeat them during malware analysis.
Below is a list of all the process trick techniques in the Unprotect Project:
|Process hollowing||Process hollowing is a technique used by malware to inject malicious code into another process. For example, a sample can create a notepad.exe process (typically in a suspended state) and replace its image with its own payload before letting it run.|
|Process camouflage||Process camouflage is a basic technique that consists of renaming the malicious file to the name of a legitimate one (e.g. svchost.exe) and copying it to a legitimate-looking folder, so that it blends into the process list.|
|Parent process||Parent process is a basic technique that consists of checking the parent process of the current process. Most user processes have as a parent |
|Header entry point||The entry point is the address at which execution of the executable begins. Some techniques change or relocate the real entry point to protect the code from analysis.|
|Hook injection||A hook is a technique to alter the behaviour of an internal function of the operating system or of an application. Malware can insert a malicious function that is then executed by another process.|
|Library injection||Similar to hook injection, a process can insert a malicious DLL that is then loaded and used by the system or by another process.|
|Executing code from memory||Some malware is downloaded and run directly in memory without writing any file to disk. This kind of malware is called "fileless".|
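The process camouflage and parent process rows above describe tricks that an analyst defeats by comparing what a process claims to be with where it runs from and who spawned it. The following is an added example (not Unprotect Project code) of those two checks written as detection logic over a constructed process snapshot, the kind of data you would export from tasklist, Sysmon Event ID 1 or a memory image. The EXPECTED baseline (a few system processes, their expected directory and parent) and the snapshot entries are assumptions constructed for the example; a real baseline is built from the monitored hosts.

```python
"""Process camouflage and parent-process anomaly checks over a snapshot.

Added example, not Unprotect Project code. Everything below runs offline on
constructed data so the detection logic itself can be read and tested.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Hypothetical minimal baseline: expected image directory and expected parent
# name for a few Windows system processes. Paths are compared lower-cased.
SYSTEM32 = r"c:\windows\system32"
EXPECTED = {
    "svchost.exe":  {"dir": SYSTEM32, "parents": {"services.exe"}},
    "lsass.exe":    {"dir": SYSTEM32, "parents": {"wininit.exe"}},
    "services.exe": {"dir": SYSTEM32, "parents": {"wininit.exe"}},
    "csrss.exe":    {"dir": SYSTEM32, "parents": {"smss.exe"}},
}


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def _one_edit_away(a, b):
    """True when a and b differ by one substitution or one adjacent swap
    (catches look-alike names such as scvhost.exe for svchost.exe)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def find_camouflage(procs):
    """Process camouflage: a system-process name running from the wrong
    directory, or a name that merely resembles a system one.
    Returns a list of (pid, reason)."""
    findings = []
    for p in procs:
        name = p.name.lower()
        rule = EXPECTED.get(name)
        if rule is not None:
            if _dirname(p.path) != rule["dir"]:
                findings.append((p.pid, f"{p.name} running from {p.path}"))
        else:
            for legit in EXPECTED:
                if _one_edit_away(name, legit):
                    findings.append((p.pid, f"{p.name} resembles {legit}"))
    return findings


def find_parent_anomalies(procs):
    """Parent process check: a system process whose parent is not the one
    expected. A missing parent (exited, or PID reused) is reported as
    '<missing>' rather than silently accepted."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        rule = EXPECTED.get(p.name.lower())
        if rule is None:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<missing>"
        if pname not in rule["parents"]:
            findings.append((p.pid, f"{p.name} spawned by {pname} (pid {p.ppid})"))
    return findings


# Constructed snapshot (not from a real host). Two entries are planted:
# pid 2100 is svchost.exe copied to a user profile and started by Explorer,
# pid 4010 is a look-alike name running from a temp directory.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(360, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(480, 360, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(520, 360, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 520, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(620, 520, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2100, 3344, "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    Proc(3344, 3200, "explorer.exe", r"C:\Windows\explorer.exe"),  # parent 3200 already exited
    Proc(4010, 3344, "scvhost.exe", r"C:\Windows\Temp\scvhost.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_camouflage(SNAPSHOT) + find_parent_anomalies(SNAPSHOT):
        print(f"[pid {pid}] {reason}")
```

The path check is what defeats the rename-and-copy trick; the parent check catches both the camouflaged copy (a real svchost.exe is never started by Explorer) and hollowed hosts that were spawned from an unexpected parent. Note that parent PIDs are only meaningful together with process start times on a live system, since a PID can be reused after the original parent exits.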
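For the header entry point row, a quick triage check during analysis is to read AddressOfEntryPoint from the PE optional header and see which section it lands in: a normal compiler places it in the first code section, while a relocated or packed entry point lands in another section, in a non-executable section, or outside every section. The following is an added example (not Unprotect Project code) that implements that check with nothing but the struct module. The PE images it inspects are constructed in memory (headers only, no real code); the section names and RVAs are assumptions made up for the example.

```python
"""Where does a PE file's entry point land?

Added example, not Unprotect Project code. Parses the DOS header, COFF
header, optional header and section table by hand and reports whether
AddressOfEntryPoint falls inside the usual code section.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entry_point_section(pe):
    """Return (entry_rva, section_name, characteristics) for the section that
    contains AddressOfEntryPoint, or (entry_rva, None, 0) if none does."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for both
    # PE32 and PE32+, so the magic does not change the parsing here.
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sec_table = opt + size_opt
    for i in range(num_sections):
        off = sec_table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= entry_rva < vaddr + vsize:
            return entry_rva, name, chars
    return entry_rva, None, 0


def assess_entry_point(pe):
    """Triage verdict for the entry point, as a short string."""
    rva, name, chars = entry_point_section(pe)
    if name is None:
        return "suspicious: entry point 0x%x outside every section" % rva
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        return f"suspicious: entry point in non-executable section {name}"
    if name not in (".text", "CODE"):
        return f"unusual: entry point in section {name} (packer or relocated EP?)"
    return f"ok: entry point in {name}"


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (headers only) for testing the parser.
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                    vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed section layouts (hypothetical, not from a real binary).
TEXT = (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
UPX1 = (b"UPX1", 0x4000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

NORMAL_PE = build_pe([TEXT, DATA], entry_rva=0x1234)      # EP in .text
PACKED_PE = build_pe([TEXT, DATA, UPX1], entry_rva=0x4010)  # EP in packer stub section
DATA_EP_PE = build_pe([TEXT, DATA], entry_rva=0x3040)     # EP in a non-executable section
HIDDEN_EP_PE = build_pe([TEXT, DATA], entry_rva=0x9000)   # EP outside every section

if __name__ == "__main__":
    for label, pe in [("normal", NORMAL_PE), ("packed", PACKED_PE),
                      ("data-ep", DATA_EP_PE), ("hidden-ep", HIDDEN_EP_PE)]:
        print(label, "->", assess_entry_point(pe))
```

An entry point outside any section, or in a writable section, is not loadable by the normal Windows loader in that form, so in practice it indicates that the sample patches its own header at run time or that the real entry point is reached through a stub; either way the analyst should set the first breakpoint on the reported RVA rather than trusting the on-disk entry.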