This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 6 of REMA
Examining Self-Defending Malware
Debugger detection, VM and sandbox detection, embedded data protection, code misdirection, advanced unpacking, and evasion beyond packing.
Topics
Overview of Anti-Analysis Defences
The four defence categories in self-defending malware, the analyst countermeasure for each, defence prevalence by malware class, ScyllaHide setup, and the analytical mindset for Unit 6.
Debugger Detection Techniques
API-based detection (IsDebuggerPresent, NtQueryInformationProcess), PEB-based detection (BeingDebugged, NtGlobalFlag, heap flags), timing checks, 0xCC self-scan, debug register detection, TLS callbacks, and the bypass priority sequence.
VM and Sandbox Detection
Four categories of VM detection — registry/file artefacts, hardware checks (CPUID hypervisor bit), behavioural user activity checks, and sandbox-specific checks — with bypass techniques and a lived-in VM configuration checklist.
Protecting Embedded Data
Multi-byte and rolling XOR, encrypted configuration blocks in Cobalt Strike and Emotet, per-string encryption with zeroing, FLOSS runtime string recovery, and a five-step data extraction workflow.
Code Misdirection Techniques
Six code misdirection techniques — opaque predicates, overlapping instructions, indirect jumps, SEH-based hidden flow, TLS callbacks, and Heaven Gate — with static and dynamic bypass for each.
Advanced Unpacking Defences
Stolen bytes, nanomites, PE header erasure, guard page anti-dumping, the six-step anticipatory unpacking methodology, packer reference table, and Process Doppelgänging and Process Ghosting.
Unit 6 Knowledge Check
Test your understanding of all Unit 6 topics — anti-analysis overview, debugger detection, VM and sandbox detection, embedded data protection, code misdirection, and advanced unpacking defences — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.