Written by: Ariel Silver
Article can be found at - https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques-peb-edition/
The article explains and shows the following:
- What the Process Environment Block (PEB) is.
- Different ways adversaries can abuse it to evade user-mode tools and detections.
- Live attack scenarios that show when and how malware uses it.
- The Windows APIs and system structures (documented and undocumented) that are required.
- Most important, how Cynet detects this behavior.
- The full code and solutions for these techniques can be found in the code folder.
- The code should be compiled in x64 Release mode.
- To understand the full code you MUST read the article, as it is very detailed and goes much deeper than the code comments.
Previous article - https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/