Hinder naïve malware analysts with a change of code execution path
These techniques are not complicated, but they can still confuse some beginner malware analysts and reverse engineers.
Changing the code execution path using SEH (Structured Exception Handling) is common in malware samples; a simple example follows:
If the analyst single-steps over it, they lose control of the execution flow.
There are other ways to get a similar result using Windows API functions that take callbacks, and we can use those callbacks to hinder an analyst.
ReadFileEx and WriteFileEx are the asynchronous analogues of ReadFile and WriteFile; the interesting part is that they call the lpCompletionRoutine completion routine when the read or write completes or is canceled:
Here too, an analyst who single-steps loses control.
Note: we can stop the enumeration by returning FALSE from the callback.
EnumerateLoadedModules64, and so on: there are many such functions, so spend a little time with MSDN.