EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

Podcast/EP 02
The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques cover art
REMAEP 02
12 May 2026

The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques

Go behind the binary to see how modern malware fights back. In this technical deep dive, we explore the self-defence mechanisms used by threats like njRAT to detect sandboxes, sabotage debuggers, and hide in plain sight.

0:00 / 0:00
EpochZero Tech Talks — The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques

Transcript

Conversation between Alex and Maya

Alex — leftMaya — right
Alex
Imagine you are a detective, right?
Maya
Oh, yeah.
Alex
And you have, you finally cornered a prime suspect in a locked room.
Maya
Okay, I'm following.
Alex
But when you kick the door down, the suspect isn't just gone.
Maya
They have completely deleted the door, erased your memory of the chase, and, you know, they're currently sitting at the desk wearing your partner's uniform.
Alex
That is a terrifying level of deception.
Maya
Exactly.
Alex
And that is exactly what analyzing modern malware feels like today.
Maya
We really need to throw out that outdated idea of a static, dumb file, just, you know, waiting on a hard drive to be double-clicked.
Alex
Modern malware is fundamentally a living, defensive organism.
Maya
Yeah, it really is an arms race of survival.
Alex
The organism checks its surroundings.
Maya
It exhibits this, well, this calculated fight-or-flight response.
Alex
It puts on complex disguises and actively sabotages the forensics before the authorities even know a crime occurred.
Maya
Right.
Alex
So welcome to this technical deep dive for the Epoch Zero platform.
Maya
Today, we are...
Alex
We're exploring the art of deception, specifically anti-analysis and evasion techniques.
Maya
We are unpacking Unit 6 of the REMA material and correlating it with the NGR at Student Reports.
Alex
Yeah, focusing strictly on detection evasion and self-defending malware.
Maya
Exactly.
Alex
So we are going to look under the hood at how these payloads evaluate their environment, how they intentionally break our analysis tools, the system-level mechanics of process manipulation, and finally, how they execute the melt technique to just vanish from the disk.
Maya
Let's unpack...
Alex
Let's unpack the core logic here.
Maya
The logical place to start tracing this execution flow is the very first millisecond the malicious process is loaded into memory.
Alex
Right, before it does anything.
Maya
Exactly.
Alex
Before this organism attempts to establish persistence or, you know, before it reaches out to a command and control server, it pauses.
Maya
It evaluates the hardware and the operating system to answer one question.
Alex
Which is, am I trapped in an analyst's lab?
Maya
Right.
Alex
Am I in a sandbox?
Maya
And just to set a baseline for everyone, when we talk about a sandbox, it's not just a sandbox.
Alex
When we talk about a sandbox, we mean throwing a sample into something like a cuckoo sandbox, a dynamic analysis pipeline.
Maya
And the malware is basically looking for the seams in that simulation.
Alex
Yeah.
Maya
The NJRAT reports highlight this beautifully, actually.
Alex
If you look at the execution flow, it actively traverses the Windows process list.
Maya
Oh, right.
Alex
It uses the CreateToolHelp32 snapshot API.
Maya
Yes, exactly.
Alex
It iterates through every running process, looking for the telltale signs of a virtualized environment.
Maya
So if it spots vboxservice.exe or vmware.tray.exe running in the background, it knows instantly that the environment is synthetic.
Alex
And the telemetry collection doesn't just stop at the process level, does it?
Maya
No, no.
Alex
NJRAT goes much deeper into the hardware abstraction layer.
Maya
It actually queries the MAC address of the network adapter.
Alex
Because hypervisors have specific prefixes.
Maya
Right.
Alex
VMware, by default, assigns M-ASU addresses, starting with the organizationally unique identifier 0.0c.29.
Maya
And VirtualBox uses 0.08.00.27, I think.
Alex
Yep, you got it.
Maya
So when the malware retrieves that string and sees the hypervisor prefix, it doesn't fight.
Alex
It simply calls exit process.
Maya
It just plays dead.
Alex
Exactly.
Maya
It plays dead.
Alex
Which is so frustrating.
Maya
Because that forces you, the threat researcher, to manually patch those checks in memory just to get the payload to detonate so you can study it.
Alex
Right.
Maya
But sophisticated actors, they don't just rely on checking for generic hypervisor strings anymore.
Alex
Yeah.
Maya
The source material outlines environmental keying, which I think is important.
Alex
I think it's a much more elegant solution.
Maya
It really is.
Alex
It ties the payload cryptographically to a specific victim's machine.
Maya
So I look at environmental keying like a biometric safe.
Alex
So the lock doesn't just check if you have a key, right?
Maya
It measures the air pressure, the temperature, the specific heartbeat of the target room.
Alex
That is a great analogy, actually.
Maya
Yeah.
Alex
So the malware might hash the volume serial number of the target's hard drive, append the specific Active Directory domain, SID, and then use that resulting hash as the actual AES decryption key for the primary payload.
Maya
And the brilliant part of that architecture is that the malware doesn't even contain the logic to check if it is in a sandbox.
Alex
Wait, really?
Maya
It doesn't even check?
Alex
No, it just simply attempts the decryption.
Maya
If you, the analyst, detonate that file in your generic lab environment, the volume serial number is wrong.
Alex
The domain SID is wrong.
Maya
Oh, so the resulting hash is just garbage.
Alex
Exactly.
Maya
The decryption routine runs.
Alex
But it produces a useless blob of random bytes, and the execution just crashes.
Maya
Or it silently terminates.
Alex
That is incredibly smart.
Maya
And as an analyst looking at the static file, this introduces the concept of entropy, right?
Alex
If the actual malicious code is heavily encrypted and sitting inside the .tech section of the portable executable, we are looking at a massive spike in randomness.
Maya
Yeah, so we use Shannon entropy to measure that randomness.
Alex
Right, on a scale from 0 to 8 bits per byte.
Maya
Correct.
Alex
Normal compiled by 80 bits.
Maya
The .pe6 assembly code has a very predictable structure.
Alex
The opcodes for pushing to the stack or moving registers, they repeat constantly.
Maya
So a normal .tech section usually hovers around what, an entropy of 6.0 to 6.5?
Alex
Right around there, yeah.
Maya
But AES encrypted data, that is mathematically indistinguishable from pure random noise.
Alex
So it pushes the score way up.
Maya
Yeah, it pushes the entropy score up to 7.8 or 7.99.
Alex
When you load a .pe file into a tool like .pe studio, and you see the executable section glowing red with an entropy of 7.9, you know you are dealing with a dormant payload.
Maya
It is heavily armored just waiting for the correct environmental key to unpack itself.
Alex
Exactly.
Maya
Okay, so we have an organism that is curled up tight.
Alex
Let's assume the malware finds the correct environment, or we have managed to extract the key and manually force the unpacking company We get the raw decrypted code, and we attached our debugger to trace the execution flow.
Maya
Well, the moment you do that, the malware goes darn ginny.
Alex
goes on the offensive.
Maya
Right.
Alex
This is the realm of anti-debugging.
Maya
Yes.
Alex
The malware's primary goal now is to detect the presence of your debugger and completely sabotage the session.
Maya
How does it do that fundamentally?
Alex
Well, the most basic check happens in the process environment block, the PB.
Maya
Every running process in Windows has a P structure that the OS uses to manage it.
Alex
And at an offset of just two bytes into that structure, there is a flag literally called being debugged.
Maya
Wow, they made it easy.
Alex
Yeah, it requires a single assembly instruction for the malware to read that flag.
Maya
If the value is one, the malware knows an analyst is watching the CPU registers, and it aborts.
Alex
But I mean, we know they check the PB.
Maya
As analysts, we use rootkit-like plug-ins, right, like or similar tools to hook the APIs querying the PB.
Alex
And we just spoof that flag.
Maya
We tell the malware it's completely alone.
Alex
We do.
Maya
And because we lie to the malware, the author shifted tactics to something we cannot easily spoof, the fundamental passage of time.
Alex
The material dives deep into the use of RDTSC timing checks.
Maya
RDTSC, right, read timestamp counter.
Alex
Exactly.
Maya
It's an assembly instruction that returns the total number of CPU cycles that have elapsed since the system was powered on.
Alex
So how does that detect a debugger?
Maya
Well, the mechanism here relies on the massive performance overhead introduced by debugging.
Alex
When an application runs natively, the CPU executes billions of instructions per second.
Maya
But when an analyst attaches a debugger and single steps through the assembly code, the debugger has to capture the context, update the UI, wait for the analyst to press a key, and then resume.
Alex
So the malware executes RDTSC, saves the cycle count to a register, runs a few innocuous instructions, and then calls RDTSC again.
Maya
Yes.
Alex
And it subtracts the first value from the second to get the delta.
Maya
OK, but I have to ask a question here.
Alex
If the malware is just looking for a large time delta, couldn't a naturally lagging operating system or just like a very old thermal throttling potato PC trigger, this anti-debugging check by accident?
Maya
That's a fun theory.
Alex
I mean, could having a severely underpowered machine actually prevents the payload from running and save you from an infection?
Maya
It is a logical assumption, but the math rules it out entirely, unfortunately.
Alex
Why?
Maya
Because the threshold the malware authors calibrate for is orders of magnitude larger than any natural system latency.
Alex
Look, a slow CPU might delay an instruction by a few thousand cycles if there is a cache miss or a context switch.
Maya
But a human analyst taking half a second, a second to click, step over, and by 64 dB translates to millions or even billions of CPU cycles.
Alex
Oh, wow.
Maya
Yeah, that's a huge difference.
Alex
The material shows malware comparing the delta to massive hexadecimal thresholds.
Maya
A potato PC operates in microseconds.
Alex
A human analyst operates in seconds.
Maya
So the malware is not looking for hardware latency.
Alex
It is literally mathematically isolating the speed of human thought.
Maya
Exactly, which means the timing check is incredibly reliable.
Alex
That is brilliant.
Maya
And it gets even more aggressive when we look at how the malware hunts for software breakpoints.
Alex
Oh, yeah, the INT3 checks.
Maya
Yeah, because when we are tracing code, we don't just step line by line forever.
Alex
We set breakpoints at critical API calls, like internet connect W.
Maya
So the execution pauses right before it calls out to the command of the control server.
Alex
Right.
Maya
And to make that happen, the debugger physically overwrites the very first byte of that API function in memory with the opcode 0xcc.
Alex
The magic 0xcc byte.
Maya
Yes.
Alex
That translates to the INT3 assembly instruction.
Maya
It is a hardware interrupt.
Alex
So when the CPU tried to execute that specific byte, it halts the thread and hands control back to the debugger.
Maya
Exactly.
Alex
And once the analyst hits resume, the debugger puts the original byte back, executes it, and puts the 0xcc back again.
Maya
But the terrifying part is how self-defending malware actively hunts for those tracking devices.
Alex
It's fascinating.
Maya
It will spin up a separate thread whose sole purpose is to continuously scan its own text section in memory.
Alex
Just constantly looping.
Maya
Yes.
Alex
Reading its own body, byte by byte, searching for 0xcc.
Maya
And what happens if it finds one?
Alex
It doesn't just quit gracefully, right?
Maya
No.
Alex
The response is rarely graceful.
Maya
Advanced variants will maliciously patch their own memory space to attack the analyst.
Alex
Wow.
Maya
Yeah.
Alex
If it detects it as being debugged, it might intentionally corrupt the stack pointer or write a garbage address into the instruction pointer register.
Maya
So it causes a massive unhandled exception.
Alex
Which doesn't just crack.
Maya
If you crash the malware, it frequently crashes the debugger itself.
Alex
Destroying hours of the analyst's program.
Maya
Yep.
Alex
It kicks you right out.
Maya
It is actively fighting the researcher.
Alex
That is wild.
Maya
OK.
Alex
So let's say we've patched out the VM checks, we've bypassed the RDTSC traps, and we are successfully tracing the execution.
Maya
The malware's ultimate goal isn't just to annoy the reverse engineer in a lab.
Alex
It has a payload to deploy on a real victim's endpoint.
Maya
And it needs to bypass the system's end to create detection and response platform.
Alex
Right.
Maya
Because it cannot just run an executable named evilpayload.exe without triggering every alarm on the network.
Alex
No, it needs a disguise.
Maya
Which brings us to stealth execution.
Alex
And the most prominent evasion technique we see in the source material for this phase is process hollowing.
Maya
Process hollowing is everywhere.
Alex
I always explain process hollowing as the hermit crab of the digital world.
Maya
The hermit crab.
Alex
Right.
Maya
Walk us through that.
Alex
So the mailer looks for a trusted, legitimate system process like svcoast.exe.
Maya
Right.
Alex
Or explorer.exe.
Maya
It uses the create process API to launch that legitimate executable.
Alex
Right.
Maya
But crucially, it passes a flag telling the OS to start the process in a suspended state.
Alex
Yes, the create suspended flag.
Maya
Exactly.
Alex
So the OS allocates the memory and loads the legitimate svcoast binary.
Maya
But the primary thread is frozen.
Alex
And then the malware eats the original crab.
Maya
Literally hollows it out.
Alex
The mechanism of eating the crab relies on the NTED unmapped view of section API.
Maya
OK.
Alex
So it unmaps the memory.
Maya
Right.
Alex
The malicious loader reaches across the operating system's boundaries and literally hollows out the memory space of that suspended svcoast.exe, deallocating all the legitimate executable code.
Maya
Leaving an empty trusted shell.
Alex
Precisely.
Maya
Next, the malware uses virtual Allegex to carve out new memory inside that shell.
Alex
Can make room for itself.
Maya
And then it uses write process memory to inject its own malicious PE headers and sections right into the space where the legitimate code used to be.
Alex
Wow.
Maya
Finally, it uses setthread context to point the instruction pointer to the entry point of its new malicious code and calls resume thread.
Alex
And to the Windows task manager or the firewall or rudimentary antivirus scanners, it just sees svcoast.exe running from the legitimate system32 directory.
Maya
The disguise is nearly perfect.
Alex
But there is a different approach, right, that doesn't involve starting a new process at all.
Maya
Sometimes the malware just injects its venom directly into a healthy, already running system.
Alex
And that's what we call running grab.
Maya
Ah, yes.
Alex
We see this with DLL injection.
Maya
Right.
Alex
How does that differ?
Maya
Well, DLL injection offers a different operational security advantage.
Alex
Instead of hollowing a suspended process, the malware forces a remote honest process, say, an active instance of iExplore.exe or a web browser to load a malicious dynamic link library.
Maya
How does it force a clean process to do that?
Alex
The malware uses the create a remote thread API to force the target process.
Maya
And then it uses that process to execute the load library function.
Alex
And it passes the file path of the malicious DLL as the argument.
Maya
So the OPSEC advantage there is basically network communication.
Alex
Exactly.
Maya
Because if a random unknown process tries to open a port and call out to a command and control server, the host firewall is going to flag it immediately.
Alex
Right.
Maya
But a web browser is supposed to communicate over the internet.
Alex
So by injecting the DLL into the browser's memory space, the malicious code inherits the browser's network permissions.
Maya
Yes.
Alex
The firewall sees HTTPS.
Maya
The HTTP traffic originating from a trusted browser.
Alex
And it just lets the data exfiltration walk right out the front door.
Maya
Unbelievable.
Alex
Yeah.
Maya
But whether the malware uses process hollowing or DLL injection, it ultimately needs to manipulate how these compromised processes interact with the operating system, right?
Alex
Yes.
Maya
And this requires API hooking.
Alex
Let's define that simply.
Maya
Hooking is basically wiretapping the OS.
Alex
That's a good way to put it.
Maya
Whenever a program wants to interact with the hardware, read a file, query the registry, list running processes, it must make an API call to the OS kernel.
Alex
Right.
Maya
So if the malware wants to maintain its SCELF, it has to control those API calls.
Alex
How does it physically achieve that wiretap at the system level?
Maya
There are two main mechanisms we see.
Alex
Import address table hooking and inline hooking.
Maya
Let's start with the IAT.
Alex
So the import address table, or IAT, is essentially a lookup directory inside the executable.
Maya
When the program wants to call and query system information to get a list of running processes, it checks the IAT to find the memory address of that function.
Alex
Okay, so it looks up the phone number in the directory.
Maya
Exactly.
Alex
And the malware simply overwrites the memory address in the IAT with a pointer to its own malicious function.
Maya
So the program thinks it's calling the operating system, but it's actually calling the malware's custom code.
Alex
You got it.
Maya
But the more aggressive method is inline hooking.
Alex
How does that work?
Maya
The malware navigates to the actual OS function in memory, and overwrites the very first few bytes of the function with a JMP, a jump instruction.
Alex
A detour.
Maya
A forced detour.
Alex
When any program on the system calls that API, the moment the CPU hits the first line of the function, the jump instruction forcefully redirects the execution flow to the malware's rootkit.
Maya
Wow.
Alex
The rootkit executes, calls the original OS function to get the real process list, strips its own malicious process out of the results, and hands the filtered list back to the user.
Maya
So the malware essentially lies to the operating system, doesn't it?
Alex
It absolutely does.
Maya
Okay, so the organism has checked its environment, it's survived the debugger, it's hollowed out a system process, and hooked the APIs to blind the security software.
Alex
Quite a journey.
Maya
Yeah.
Alex
But there is only one phase left in this execution flow.
Maya
The cleanup.
Alex
Ah, yes.
Maya
A true professional hit leaves no weapon at the crime scene.
Alex
Because the threat researcher is eventually going to look for the initial file the user clipped on, the dropper.
Maya
Right.
Alex
The carrier that dropped the payload onto the system.
Maya
Right.
Alex
And if that original carrier executable is still sitting on the disk, we can reverse engineer the entire attack chain.
Maya
Which means the malware must clean up after itself.
Alex
And this introduces the MELT technique.
Maya
The MELT technique.
Alex
Both the NJRAT and Jigsaw Ransomware reports highlight this capability specifically.
Maya
But deleting a file should be simple, right?
Alex
You would think so.
Maya
No.
Alex
But the challenge the malware faces is a fundamental rule of the Windows operating system.
Maya
A running executable cannot delete itself.
Alex
Right.
Maya
Because the OS places a strict file lock on the executable the moment it runs.
Alex
Exactly.
Maya
And I think understanding why Windows does that is crucial for our listeners.
Alex
It comes down to demand paging.
Maya
Yes.
Alex
Mm-hmm.
Maya
Walk us through demand paging.
Alex
So the OS doesn't load a, say, 20 megabyte executable into RAM all at once.
Maya
That would be inefficient.
Alex
It maps the file into memory and loads chunks of it only as needed.
Maya
Right.
Alex
So if the executable were deleted from the hard drive while it was running, the next time the CPU tried to execute a block of code that hadn't been executed yet, it would be a failure.
Maya
Right.
Alex
So if the executable were deleted from the hard drive while it was running, the next time the CPU tried to execute a block of code that hadn't been loaded into RAM yet, it would cause a massive page fault.
Maya
And likely blue screen the entire system.
Alex
Exactly.
Maya
So to prevent that, the kernel holds an open handle to the file on the disk.
Alex
And as long as that handle exists, the delete command will just fail with a file in use error.
Maya
So since the malware cannot bypass the kernel's file lock directly, it has to construct an asynchronous workaround.
Alex
How does Jigsaw do it?
Maya
Well, the Jigsaw ransomware achieves this using a specific function called remove itself.
Alex
Before the primary malware process terminates, it creates a secondary temporary file it creates a secondary temporary file in the user's %tmp% directory.
Maya
in the user's %tmp% directory.
Alex
Usually a simple batch script, right, with a .bat extension?
Maya
Yes, exactly.
Alex
And the malware populates this batch script with a few lines of code designed to run in a hidden, infinite loop.
Maya
It uses a basic go-to statement.
Alex
Right.
Maya
The loop executes the del command, targeting the absolute file path of the original malware executable.
Alex
Over and over again, the batch script just hammers the disk trying to delete the file and failing because the file lock is still active.
Maya
But the timing orchestration here is beautiful.
Alex
The malware uses the WinExec API to launch the batch script and specifically passes the swh aid flag.
Maya
to launch the batch script and specifically passes the swh aid flag.
Alex
So the command prompt window is completely invisible to the user.
Maya
Yes.
Alex
The script begins its infinite loop in the background.
Maya
But before the batch script starts launching the script, the main malware process calls exit process to gracefully terminate itself.
Alex
Ah.
Maya
So the moment exit process is called, the Windows kernel begins tearing down the application.
Alex
It un-maps the memory sections and it closes all open handles.
Maya
And the instant the handle count to the executable file object drops to zero, the OS releases the file lock.
Alex
And in that exact millisecond, the batch script's looping del command finally succeeds.
Maya
That leaves the batch script sitting in the %tmp% directory, which is a forensic artifact itself.
Alex
You'd think so, but the authors account for that too.
Maya
Overdue.
Alex
The very last line of the batch script executing immediately after the successful deletion of the malware is del pr0.
Maya
Ah.
Alex
Because in Windows batch scripting, pr0 0 represents the file path of the script currently executing.
Maya
Exactly.
Alex
The script literally deletes itself as its final action.
Maya
Wow.
Alex
It is the perfect setup.
Maya
The original file melts away like ice.
Alex
It really does.
Maya
The analyst is left with a compromised machine, malicious code injected into the memory space of sdcos.exe, hooked system APIs lying to the task manager, but absolutely zero trace of the initial payload on the hard drive.
Alex
The weapon simply ceases to exist.
Maya
Which is, frankly, deeply frustrating from a forensic standpoint.
Alex
Yeah.
Maya
But you really have to appreciate how much time and effort it takes to create a system that can do everything it needs to do.
Alex
Yeah.
Maya
I mean, it's just so much work.
Alex
Yeah.
Maya
We've created sandboxes that mimic real human behavior.
Alex
We've programmed them to simulate fake mouse clicks, generate realistive browser histories, and populate fake active directory environments just to trick the malware into It leaves you with a final lingering thought to explore on your own.
Maya
As this infinite arms race accelerates, the line between simulation and reality is basically blurring.
Alex
Are we approaching a horizon where malware simply refuses to detonate unless it can cryptographically prove that a warm-blooded, unpredictable human being is physically sitting in front of the screen?
Maya
And if we reach that point, how do we automate our defenses when the malware is smarter than the simulation?
Alex
That is the big question.
Maya
Keep digging into the technical mechanics, keep mapping those API calls, and stay curious.
Alex
Because in this field, the deepest secrets are always buried in the execution flow.

Show Notes

Key topics covered: - The Virtual Trap: How malware fingerprints VMware and VirtualBox using artefact checks. - Sabotaging the Analyst: The mechanics of 0xCC (INT 3) detection and self-patching. - Stealth Logistics: Environmental Keying and Process Hollowing (The Hermit Crab Analogy). - Lab Link: Real-world observations from the njRAT student walkthroughs showing these evasion tactics in action.
Previous episode
EP 01 · The Binary Physics of Memory Corruption
Next episode
EP 03 · The Malicious Process Lifecycle: From Execution to Evasion
More Episodes
The Binary Physics of Memory Corruption
EP 01REMA

The Binary Physics of Memory Corruption

The Malicious Process Lifecycle: From Execution to Evasion
EP 03REMA

The Malicious Process Lifecycle: From Execution to Evasion

Spotting Forensic Gold in Malware Strings
EP 04REMA

Spotting Forensic Gold in Malware Strings

Malware Blueprints in Portable Executable Headers
EP 05REMA

Malware Blueprints in Portable Executable Headers

The Cloud-Malware Paradox: Bridging Forensics and Defense
EP 06Cloud Security

The Cloud-Malware Paradox: Bridging Forensics and Defense

The Hypervisor Is Your True Security Perimeter
EP 07Cloud Security

The Hypervisor Is Your True Security Perimeter

View all episodes →