Malware abuses process tricks to stay undetected. The Windows API lets a program manipulate process memory in several ways, and malware authors often go beyond this basic functionality to implement specific techniques that hide from the user or system administrator (rootkits, process injection) or otherwise thwart analysis and detection. Some of these tricks are described here, together with ways to defeat them during malware analysis.
Below is a list of all the process trick techniques in the Unprotect Project:
| Technique | Description |
|---|---|
| Process hollowing | Process hollowing is a technique used by malware to inject malicious code into another process. For example, a sample can create a notepad.exe process and inject its payload into it. |
| Process camouflage | Process camouflage is a basic concept that consists of renaming the malicious file to the name of a legitimate file (e.g. svchost.exe) and copying it to a legitimate-looking folder. |
| Parent process | Parent process is a basic technique that consists of detecting the parent process of the current process. Most of the user processes have as a parent |
| Header entry point | The entry point is the address where execution of the exe file begins. Some techniques change or relocate the real entry point to protect the code from analysis. |
| Executing code from memory | |
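The process camouflage and parent process rows above describe what a defender can check in a process listing: a well-known system binary name running from the wrong directory, or a system process whose parent is not the one Windows normally gives it. The script below is an added example (not Unprotect Project code) that applies both checks to a constructed process listing; the expected-parent table and the `SYSTEM_DIR` path are assumptions stated in the code.

```python
# Added example: flag process camouflage and parent-process anomalies
# in a constructed Windows process listing (not real telemetry).
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Assumption: where the genuine binaries live and which process normally spawns them.
SYSTEM_DIR = r"c:\windows\system32"
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}


def find_anomalies(procs):
    """Return (pid, finding, detail) tuples for camouflaged or oddly-parented processes."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue  # only well-known system binaries are checked here
        # Process camouflage: a system binary name running outside System32.
        if not p.path.lower().startswith(SYSTEM_DIR + "\\"):
            findings.append((p.pid, "camouflage", p.path))
        # Parent process check: the parent must be the one Windows normally uses.
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if parent_name != EXPECTED_PARENT[name]:
            findings.append((p.pid, "unexpected-parent", parent_name))
    return findings


# Constructed sample listing: pid 4100 is a fake svchost.exe launched from Temp by explorer.exe.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3000, 2500, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4100, 3000, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

On a live system the same logic can be fed from a process enumeration (for example the output of `tasklist /v` or a Sysmon event 1 log) instead of the constructed list.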