Unusual/Undocumented API Calls

From ema
EMA ID: ema-1274
Description: Unusual APIs are called to block non-exhaustive emulators (particularly anti-virus).
Associated Behavior: emulator prevention

Supporting Details:
The most commonly used anti-emulation technique is calling undocumented APIs, or uncommon ones that an emulator may not implement faithfully, such as SetErrorMode:
 #include <windows.h>
 #include <stdio.h>
 DWORD dwCode = 1024;
 SetErrorMode(dwCode);            // set a marker value as the process error mode
 if (SetErrorMode(0) != dwCode)   // the real API returns the previous mode
   printf("Hi emulator!\n");
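To show why a non-exhaustive emulator trips this check, here is an added C model (not code from this page or from the referenced blog) of the SetErrorMode round trip run against a stateless stub and against a stateful implementation with the real Win32 semantics; `emulator_t`, `emu_SetErrorMode` and `detects_emulator` are names chosen for the example, and the API is simulated rather than called through windows.h so the code runs anywhere.

```c
/* Added example: models SetErrorMode under two emulator designs.
 * Real Win32 semantics: the call stores the new mode and returns the previous one.
 * A quick stub that returns a constant breaks that round trip and is detected. */
#include <stdio.h>
#include <stdint.h>

typedef uint32_t DWORD;   /* stand-in for the Win32 type, no windows.h needed */

/* Hypothetical emulator state: the current process error mode. */
typedef struct {
    DWORD error_mode;
    int   stateful;       /* 0 = stub returning a constant, 1 = tracks the mode */
} emulator_t;

/* Emulated SetErrorMode: only a stateful emulator hands back the previous mode. */
static DWORD emu_SetErrorMode(emulator_t *emu, DWORD new_mode) {
    DWORD previous = emu->stateful ? emu->error_mode : 0;
    if (emu->stateful)
        emu->error_mode = new_mode;
    return previous;
}

/* The check from the page, run inside the given emulator.
 * Returns 1 when the sample would conclude it is being emulated. */
int detects_emulator(emulator_t *emu) {
    DWORD dwCode = 1024;
    emu_SetErrorMode(emu, dwCode);              /* set a marker value */
    return emu_SetErrorMode(emu, 0) != dwCode;  /* faithful API returns it */
}

int check_stub_emulator(void)     { emulator_t e = { 0, 0 }; return detects_emulator(&e); }
int check_stateful_emulator(void) { emulator_t e = { 0, 1 }; return detects_emulator(&e); }

int main(void) {
    printf("stateless stub detected:   %d\n", check_stub_emulator());      /* 1 */
    printf("stateful emulator detected: %d\n", check_stateful_emulator()); /* 0 */
    return 0;
}
```

The lesson for emulator authors is that APIs whose return value reports prior state must keep that state per process, not return a fixed value.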


References:
Date | Malware Family | URL
February 23, 2010 | | http://joxeankoret.com/blog/2010/02/23/antiemulation-techniques-malware-tricks-ii/