
Hinder naïve malware analysts with change of code execution path



These techniques are not complicated, but they can still confuse beginner malware analysts and reverse engineers. Changing the code execution path using SEH (Structured Exception Handling) is common in malware samples; a simple example follows:


If the analyst single-steps through it, he/she will lose control.

But there are other ways to get similar results: Windows API functions that take callbacks. We can use these callbacks to hinder an analyst.

ReadFileEx/WriteFileEx are the asynchronous analogues of ReadFile and WriteFile. The interesting part is that they call the lpCompletionRoutine completion routine when the read or write is completed or canceled:


Same here: he/she loses control.

What about EnumDisplayMonitors?


Note: We can stop the enumeration by returning FALSE from the callback.

What about EnumWindowStations, EnumDesktops, EnumDesktopWindows, EnumThreadWindows, EnumWindows, EnumChildWindows, EnumResourceTypes/Ex, EnumResourceNames/Ex, EnumResourceLanguages/Ex, EnumDirTree, AddSecureMemoryCacheCallback, SetThreadpoolTimer/Ex, SetThreadpoolThreadMinimum, SetThreadpool, StackWalk64/Ex, EnumerateLoadedModulesEx, EnumerateLoadedModules64 and so on? There are many of them; just play with MSDN a little bit.
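From the analyst's side, the way to keep control is to break on the callback itself rather than step over the API call. The following added example (not code from the original post) is a small Python helper that, for the APIs above that take the callback directly as an argument, reports where the callback pointer sits at API entry on x86 and x64 and reads it from a snapshot. The function names are hypothetical, the argument positions are taken from the documented prototypes, and the stack snapshot is constructed.

```python
import re
import struct

# Zero-based position of the callback argument, from the documented prototypes.
CALLBACK_ARG = {
    "ReadFileEx": 4, "WriteFileEx": 4, "EnumDisplayMonitors": 2,
    "EnumWindowStations": 0, "EnumDesktops": 1, "EnumDesktopWindows": 1,
    "EnumThreadWindows": 1, "EnumWindows": 0, "EnumChildWindows": 1,
    "EnumResourceTypes": 1, "EnumResourceNames": 2, "EnumResourceLanguages": 3,
    "EnumDirTree": 4, "EnumerateLoadedModules64": 1,
    "EnumerateLoadedModulesEx": 1, "AddSecureMemoryCacheCallback": 0,
}
X64_ARG_REGS = ("rcx", "rdx", "r8", "r9")

# Constructed sample: x86 stack at the first instruction of ReadFileEx
# (return address, hFile, lpBuffer, nNumberOfBytesToRead, lpOverlapped, lpCompletionRoutine).
SAMPLE_X86_STACK = struct.pack("<6I", 0x00401050, 0x64, 0x0019FF00, 0x100,
                               0x0019FE00, 0x00401230)


def callback_index(import_name):
    """Match an import (with or without A/W and Ex suffixes) to its callback slot."""
    stem = re.sub(r"[AW]$", "", import_name)
    for candidate in (import_name, stem, re.sub(r"Ex$", "", stem)):
        if candidate in CALLBACK_ARG:
            return CALLBACK_ARG[candidate]
    return None


def callback_location(import_name, arch):
    """Say where the callback pointer sits when a breakpoint hits the API entry."""
    idx = callback_index(import_name)
    if idx is None:
        return None
    if arch == "x86":                 # stdcall: [esp] is the return address
        return ("stack", 4 + 4 * idx)
    if idx < 4:                       # x64: first four arguments are in registers
        return ("reg", X64_ARG_REGS[idx])
    return ("stack", 8 + 8 * idx)     # return address, then 8-byte argument slots


def resolve_callback(import_name, arch, regs, stack):
    """Read the callback address from a register/stack snapshot taken at API entry."""
    loc = callback_location(import_name, arch)
    if loc is None:
        return None
    kind, where = loc
    if kind == "reg":
        return regs[where]
    return struct.unpack_from("<I" if arch == "x86" else "<Q", stack, where)[0]
```

For ReadFileEx/WriteFileEx the completion routine runs as an APC once the calling thread enters an alertable wait, so a breakpoint on the resolved address is what regains control, not stepping over the call.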