
Why are PE injection methods so good at evading antivirus heuristics?

3c2n90yt57489t3y8794

RAID array
User
Joined: 01.09.2020
Messages: 66
Reactions: 5
Hello, I know that antivirus software:
- has a sort of list of "trusted applications"
- records the API calls of executables in order to find untrusted patterns
I'm not really sure why PE injection should be good at evading heuristics; I suppose it's because untrusted patterns are executed by trusted applications (the applications the malware is injected into).
Are there any other reasons? Do antivirus products block injection API calls? If not, why?
Any additional post, thread, blog or resource is appreciated.
 
Please note that this user is banned
I'm not really sure why PE injection should be good at evading heuristics; I suppose it's because untrusted patterns are executed by trusted applications (the applications the malware is injected into).
It is not heuristics per se; it is usually called runtime detection. Trusted processes usually are not watched as closely as untrusted ones, because, you know... they are trusted.

Do antivirus products block injection API calls?
It depends on the concrete antivirus. Some block better than others. The same applies to other ways of detecting malware.

If not, why?
You can't monitor everything; it would be too slow. Some injection techniques are easier to block, some are harder, especially ones that use the Windows subsystem. It really can't be hooked that easily.
 
Please note that this user is banned
I'm not sure what exactly you mean by Windows subsystem (WSL?)
There are a few subsystems in the Windows OS, like console, native and Windows. Windows stuff is shared among processes; for example, you can SetWindowLong on explorer.exe's window Shell_TrayWnd from another process and it will lead to code execution inside explorer.exe. This is an old trick used in PowerLoader, as far as I remember, like 10 or so years ago, and it still works against some antiviruses. Things like this are kinda tricky to detect at runtime; it is possible, but tricky.

Also, a blog/post would be good
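The Shell_TrayWnd trick in the reply above works because explorer.exe keeps a pointer to its tray object in the window's extra memory and the injector swaps it for an attacker-owned object whose vtable and methods sit in a private allocation inside explorer. The check below is an added example written for this thread, not code from the forum posts or from PowerLoader: it reads that pointer back from the outside and asks where the object's vtable, and the first method in it, are actually mapped. It assumes 64-bit Windows, a run as the interactive user who owns explorer.exe, and that index 0 of the extra window memory is where the object pointer lives (taken from the public write-ups of the technique, so treat the index as an assumption).

```powershell
# Added example: verify that the object behind Shell_TrayWnd still points at image-backed code.
# Assumptions (not from the thread): x64 Windows, interactive user, object pointer at extra-memory index 0.

$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class TrayCheck {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION; IntPtr fields give the x64 padding for free
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("user32.dll")] public static extern IntPtr FindWindow(string cls, string title);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr h, out uint pid);
    [DllImport("user32.dll", EntryPoint = "GetWindowLongPtrW")] public static extern IntPtr GetWindowLongPtr(IntPtr h, int idx);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr n, out IntPtr read);
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode)] public static extern uint GetMappedFileName(IntPtr h, IntPtr addr, StringBuilder name, uint n);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

# Read one pointer-sized value out of the target process; zero on failure.
function Read-Pointer([IntPtr]$hProc, [IntPtr]$addr) {
    $buf = New-Object byte[] 8
    $read = [IntPtr]::Zero
    if (-not [TrayCheck]::ReadProcessMemory($hProc, $addr, $buf, [IntPtr]8, [ref]$read)) { return [IntPtr]::Zero }
    return [IntPtr][BitConverter]::ToInt64($buf, 0)
}

# Describe the region an address falls in: image-backed (and by which file) or not.
function Get-RegionInfo([IntPtr]$hProc, [IntPtr]$addr) {
    $mbi = New-Object 'TrayCheck+MBI'
    $size = [Runtime.InteropServices.Marshal]::SizeOf([type]'TrayCheck+MBI')
    if ([TrayCheck]::VirtualQueryEx($hProc, $addr, [ref]$mbi, [IntPtr]$size) -eq [IntPtr]::Zero) { return $null }
    $isImage = ($mbi.Type -eq 0x1000000)                       # MEM_IMAGE
    $name = New-Object Text.StringBuilder 1024
    $file = ''
    if ($isImage -and [TrayCheck]::GetMappedFileName($hProc, $addr, $name, $name.Capacity) -gt 0) { $file = $name.ToString() }
    [pscustomobject]@{ Address = ('0x{0:X}' -f $addr.ToInt64()); Image = $isImage; Protect = ('0x{0:X}' -f $mbi.Protect); File = $file }
}

function Test-TrayObject {
    $hwnd = [TrayCheck]::FindWindow('Shell_TrayWnd', $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw 'Shell_TrayWnd not found; this needs an interactive desktop' }
    [uint32]$trayPid = 0
    [void][TrayCheck]::GetWindowThreadProcessId($hwnd, [ref]$trayPid)
    $hProc = [TrayCheck]::OpenProcess(0x410, $false, $trayPid)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($trayPid) failed" }
    try {
        $objPtr = [TrayCheck]::GetWindowLongPtr($hwnd, 0)   # the object pointer the injection overwrites
        $vtable = Read-Pointer $hProc $objPtr               # first field of a C++ object: its vtable
        $slot0  = Read-Pointer $hProc $vtable               # first virtual method
        $vt = Get-RegionInfo $hProc $vtable
        $m0 = Get-RegionInfo $hProc $slot0
        # The object itself is heap memory in both the benign and the injected case, so the
        # verdict rests on the vtable and its first entry: both must be backed by a mapped image.
        $clean = ($vt -and $vt.Image) -and ($m0 -and $m0.Image)
        [pscustomobject]@{
            Pid         = $trayPid
            ObjectPtr   = ('0x{0:X}' -f $objPtr.ToInt64())
            VTableFile  = $vt.File
            Method0File = $m0.File
            Verdict     = if ($clean) { 'vtable is image-backed (expected: explorer.exe)' } else { 'vtable in private memory: Shell_TrayWnd object has been swapped' }
        }
    } finally { [void][TrayCheck]::CloseHandle($hProc) }
}

Test-TrayObject | Format-List
```

On a clean desktop VTableFile and Method0File resolve to the device path of explorer.exe; a swapped object shows up as a private region with no backing file. The verdict deliberately asks only for "image-backed" rather than pinning the file to explorer.exe, so that a vtable living in one of explorer's loaded DLLs is not flagged; tighten it to `$vt.File -like '*\explorer.exe'` if you know your build. The caveat that matters for the thread's question: an injector restores the original pointer as soon as its triggering message has been delivered, so a one-shot read like this only catches the swap while it is in place. Catching it reliably means polling continuously or hooking the pointer write itself, which is exactly the runtime detection the reply calls tricky.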
 

