memory dump obstruction

From ema
Jump to navigation Jump to search
EMA ID: ema-1173
Description: Hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing.


  • Encrypts the executing malware instance code (in memory)
  • Erase the PE header from memory
  • Hide arbitrary segments of virtual memory belonging to the malware instance.
  • SizeOfImage
  • Tampering: Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).
  • Page Guard: Blocks of code are encrypted individually, and decrypted temporarily only upon execution. AKA guard pages. One variant uses self-debugging to accomplish.
  • On-the-Fly APIs: API address is resolved before each use to prevent complete dumping.
  • Byte Stealing: Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.
  • Import Obfuscation: Add obfuscation between imports calls and APIs (obfuscation, virtualization, stealing, etc.).
  • Feed Misinformation: Report inaccurate data when the contents of the physical memory of the system on which the malware instance is executing is retrieved.
  • Hooking: Alter API behavior, for example by inserting JMP/JCC instruction(s) at start of API code or to redirect benign API to a critical one. Sometimes used for anti-dump. (Hooking is an ATT&CK technique.)

Associated Capabilities/Subcapabilities: Capability.png Anti-Behavioral Analysis
Aliases: anti-dumping

Associated With memory dump obstruction
BehaviorInstance.png Guard Pages