I built a malware analysis test lab and I used Pafish to detect the analysis environment, and I want to patch some faults. How could I hide the registry keys and processes from malware VM detection?
1 Answer
In Windows, there are many points where the operating system enables programs to intercept calls to operating system functions (these are called "hooks"). For example, a program can "hook" the calls to the file system functions that return the entries in a directory. Normally, a program hooks a function to monitor and measure performance, or perhaps to add an additional level of validation.
A rootkit or SANDBOX can use a hook to check every value returned by the function, and skip any value that represents a part of the rootkit. In the case of the directory enumerator, when the next file to be returned is a part of the rootkit, it is skipped - the file becomes "invisible".
Similarly, a hook on the function that returns registry values can hide a registry entry that you don't want the sandboxed app to check.

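As an added illustration of the enumeration-hook idea in the answer above (this is example code, not part of the original answer and not Pafish's or Windows' own code), the following Python models the filtering step for an index-based enumerator such as `RegEnumValue`. The Win32 API hands back one entry per index and signals the end with `ERROR_NO_MORE_ITEMS`, so a hook that merely refuses to return a hidden entry would leave a gap in the index sequence, which is itself a tell-tale sign. The hook below re-indexes so the visible sequence stays contiguous. The value names (`LAB_VM_MARKER`, `LAB_TOOL_PATH`) and the sample key contents are constructed placeholders, not real artifact names.

```python
from typing import Callable, List, Optional, Tuple

# Real Win32 status codes used by RegEnumValue / RegEnumKeyEx.
ERROR_SUCCESS = 0
ERROR_NO_MORE_ITEMS = 259

EnumFn = Callable[[List[str], int], Tuple[int, Optional[str]]]

# Constructed sample: value names under one hypothetical registry key.
# Two of them stand in for analysis-lab artifacts we want kept out of view.
SAMPLE_VALUES: List[str] = ["Identifier", "LAB_VM_MARKER", "Version", "LAB_TOOL_PATH"]


def original_enum_value(values: List[str], index: int) -> Tuple[int, Optional[str]]:
    """Stand-in for the unhooked OS function: return entry `index` or end-of-list."""
    if 0 <= index < len(values):
        return ERROR_SUCCESS, values[index]
    return ERROR_NO_MORE_ITEMS, None


def make_hooked_enum(orig: EnumFn, hidden_names: List[str]) -> EnumFn:
    """Wrap `orig` so that entries in `hidden_names` are skipped.

    The caller's index counts only *visible* entries, so the hook walks the
    real list, drops hidden names, and maps the caller's index onto the
    surviving entries. Registry names compare case-insensitively, hence lower().
    """
    hidden = {n.lower() for n in hidden_names}

    def hooked(values: List[str], index: int) -> Tuple[int, Optional[str]]:
        visible_seen = 0
        real_index = 0
        while True:
            status, name = orig(values, real_index)
            if status != ERROR_SUCCESS or name is None:
                # Propagate ERROR_NO_MORE_ITEMS (or any other error) unchanged.
                return status, None
            real_index += 1
            if name.lower() in hidden:
                continue  # skip the artifact; do not consume a visible index
            if visible_seen == index:
                return ERROR_SUCCESS, name
            visible_seen += 1

    return hooked


def enumerate_all(enum_fn: EnumFn, values: List[str]) -> List[str]:
    """Drive an enumerator the way a caller would: index 0, 1, 2, ... until done."""
    out: List[str] = []
    i = 0
    while True:
        status, name = enum_fn(values, i)
        if status == ERROR_NO_MORE_ITEMS:
            return out
        assert status == ERROR_SUCCESS and name is not None
        out.append(name)
        i += 1


if __name__ == "__main__":
    hooked = make_hooked_enum(original_enum_value, ["lab_vm_marker", "LAB_TOOL_PATH"])
    print("unhooked:", enumerate_all(original_enum_value, SAMPLE_VALUES))
    print("hooked:  ", enumerate_all(hooked, SAMPLE_VALUES))
```

Two practical caveats for a lab built this way: a user-mode hook only covers callers that go through the hooked entry point, so checks that issue the underlying system call directly will still see the real data; and the same hook must be applied consistently to every path that exposes the artifact (enumeration as well as direct lookup of a known name), or the inconsistency itself reveals the lab.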