Hide From Sandboxes And Emulators
Most #EPP (Endpoint Protection Platforms) products provide some kind of dynamic monitoring capability: sandboxing, emulation, hooking, etc. They monitor when an application calls library functions (Kernel32) or uses syscalls (mov rax, xxx; syscall), and based on the detection logic used by the product the sample is either detected or allowed to continue execution.
If your sample uses RegSetValue/RegSetValueEx or the lower-level NtSetValueKey function, it's highly likely that the #EPP product you are targeting monitors those calls, because they are typically used to achieve persistence via the Registry.
There is a way to achieve the same goal without using NtSetValueKey at all: the Offline Registry Library, which can be used to modify a registry hive outside of the active system registry.
We can use NtSaveKey/NtSaveKeyEx to save the specified key to a registry file and then ORSetValue to set the desired value in the offline registry key:
After modifying the offline registry file, calling RegRestoreKey replaces the target key with the modified one from the file:
In the end, the result is the same and the desired value is set without using
It's also less likely that #EPP products monitor Offline Registry Library functions.
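Since a rule keyed on NtSetValueKey alone misses this path, here is detection logic, added as an example and not code from the original post, that runs over a constructed API-call trace and flags a process only when it chains a key save (NtSaveKey/NtSaveKeyEx), an Offline Registry Library call or offreg.dll load, and RegRestoreKey in that order. The trace format, process ids and paths are constructed; the API names are the ones the post mentions plus OROpenHive, ORSaveHive, ORCreateHive and NtRestoreKey, which I assume a tracer would log by name.

```python
"""Flag NtSaveKey -> Offline Registry Library -> RegRestoreKey chains in an API trace."""
import re
from collections import defaultdict

# Constructed sample trace (not from any real sandbox): one API call per line.
SAMPLE_TRACE = """\
pid=4120 api=NtSaveKeyEx key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run file=C:\\Temp\\run.hiv
pid=4120 api=LdrLoadDll module=offreg.dll
pid=4120 api=OROpenHive file=C:\\Temp\\run.hiv
pid=4120 api=ORSetValue name=Updater type=REG_SZ
pid=4120 api=ORSaveHive file=C:\\Temp\\run.hiv
pid=4120 api=RegRestoreKey key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run file=C:\\Temp\\run.hiv
pid=5001 api=NtSaveKeyEx key=HKLM\\SYSTEM file=D:\\backup\\system.hiv
pid=5001 api=RegRestoreKey key=HKLM\\SYSTEM file=D:\\backup\\system.hiv
pid=6002 api=NtSetValueKey key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run name=Updater
"""

LINE_RE = re.compile(r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)(?P<rest>.*)")
SAVE_APIS = {"NtSaveKey", "NtSaveKeyEx"}
OFFREG_APIS = {"OROpenHive", "ORCreateHive", "ORSetValue", "ORSaveHive"}  # offreg.dll exports
RESTORE_APIS = {"RegRestoreKey", "NtRestoreKey"}  # RegRestoreKey wraps NtRestoreKey


def detect_offline_hive_edits(trace: str) -> dict:
    """Return {pid: [evidence lines]} for processes that complete the full chain.

    Stages per pid: 0 = nothing, 1 = key saved to file, 2 = offline library used
    on it, 3 = hive restored over the live key. A save followed directly by a
    restore (plain backup/restore) never reaches stage 2 and is not flagged.
    """
    stage = defaultdict(int)
    evidence = defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, api = int(m["pid"]), m["api"]
        loads_offreg = api == "LdrLoadDll" and "offreg.dll" in m["rest"].lower()
        if api in SAVE_APIS and stage[pid] == 0:
            stage[pid] = 1
        elif (api in OFFREG_APIS or loads_offreg) and stage[pid] == 1:
            stage[pid] = 2
        elif api in RESTORE_APIS and stage[pid] == 2:
            stage[pid] = 3
        if stage[pid] > len(evidence[pid]):  # record the line that advanced the stage
            evidence[pid].append(line.strip())
    return {pid: ev for pid, ev in evidence.items() if stage[pid] == 3}


def naive_rule_hits(trace: str) -> set:
    """A rule keyed only on NtSetValueKey against a Run key: blind to the offline edit."""
    hits = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and m["api"] == "NtSetValueKey" and "\\run" in m["rest"].lower():
            hits.add(int(m["pid"]))
    return hits
```

On the sample trace the chained rule flags only pid 4120, while the naive rule flags only pid 6002 and misses the offline edit entirely. RegRestoreKey requires SeRestorePrivilege (and the save requires SeBackupPrivilege), so a process enabling those privileges is a further observable for this pattern.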