2021
DOI: 10.1016/j.future.2020.11.004

Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks

Cited by 25 publications (14 citation statements)
References 25 publications
“…Apart from finding 'blind spots' for each EDR, there is also the choice of 'blinding' them by tampering with their telemetry providers in various ways. Unhooking user-mode hooks and utilizing syscalls to evade detection is the tip of the iceberg [18]. The heart of most EDRs lies in the kernel itself as they utilize mini-filter drivers to control file system operations and callbacks in general to intercept activities, such as process creation and loading of modules.…”
Section: Tampering With Telemetry Providers (citation type: mentioning; confidence: 99%)
“…Apart from finding 'blind spots' for each EDR there is also the choice of 'blinding' them by tampering with their telemetry providers in various ways. Unhooking user-mode hooks and utilising syscalls to evade detection is the tip of the iceberg [2]. The heart of most EDRs lies in the kernel itself as they utilise mini-filter drivers to control file system operations and callbacks in general to intercept activities such as process creation and loading of modules.…”
Section: Tampering With Telemetry Providers (citation type: mentioning; confidence: 99%)
“…cloud computing, some malware is even more targeted, trying to detect sandboxed environments and not simply virtualised [33]. For more on evasion methods the interested reader may refer to [6,15,26,30,31,1,5,2]. These countermeasures from the malware have resulted in the introduction of anti-evasion methods.…”
Section: Related Work (citation type: mentioning; confidence: 99%)