Plenty of documents are describing how Malwares implement “Escape” techniques in order to evade Malware analysis. I did write posts on several of the most interesting evasion techniques ( available here and here) adding information on my side as well. Today I want to share a personal MAP that I made to correlate evasion techniques to detection techniques. It helped me a lot during some of my past talks as well as during my (research) malware writing nights.
Aims of the following MAP is to correlate evasion techniques to detection techniques without preteding to be “cool/graphically appealing” or “complete”. It wants to be “remind me what happens there”.
The “soul” of the entire chart is stright int the center. Highlighted in blue shape the Analysis techniques. Highlighted in red shape the corresponding evasion techniques. In separate colored boxes significant examples of evasion techniques (again, there are many many many other ways to perform debugging traps/Red Pills/etc../etc… this wants to be only a “remind”).
A glimpse of content:
All the detection techniques could be clustered into two big groups: “Static Analisys” and “Dynamic Analysis”. The Static analysis could be divided into “Signature” based techniques and “Decompiling” based techniques. The first set of techniques are based on signature matching. A signature is a set of bytes (not adjacent). The second set of techniques, look into binaries trying to understand behavior without running the binary on its own. These techniques are quite useful on pieces of data junk or not executable data. On the other side “dynamic analysis” where the analyst run the Malware. These techniques could be divided into “System Centric” and “Program Centric”. The main difference between such techniques is the perspective. If you analyse the binary from inside you are “Program Centric” and so you might debug the bnary and/or look for internal API calls. If you are analyzing the binary from outside you are “System Centric” and you probably are sandboxing the binary.
In the example boxes you find significative pieces of code and/or softwares that are used to achieve the evasion technique. For instance in the green box named “Code not run” PEditor shows how to modify the OEP (Original Entry Point) of a program to run unaligned code. In the box named “Breaking/watching/Catching point handlers” one of the most famous signal handlers have been shown and so forth and so on.
If you find the MAP usefull, please leave a comment, if you’d like to expand it please send me an email I’d like to receive help in expanding it.