this post was submitted on 12 Apr 2025
1 points (100.0% liked)

Technology

85089 readers
1389 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
1
Windows Defender Anti-virus Bypassed Using Direct Syscalls & XOR Encryption (cybersecuritynews.com)
submitted 1 year ago* (last edited 1 year ago) by atrielienz@lemmy.world to c/technology@lemmy.world
5 comments fedilink hide all child comments
 

"According to the research published by Hackmosphere, the technique works by avoiding the conventional execution path where applications call Windows API functions through libraries like kernel32.dll, which then forwards requests to ntdll.dll before making the actual system call to the kernel."

Additional Information:

https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-1/

https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/

top 5 comments
sorted by: hot top controversial new old
[–] Cephalotrocity@biglemmowski.win 0 points 1 year ago (1 children)

They also suggest organizations deploy additional security layers beyond Windows Defender, particularly solutions that can monitor behavior at the kernel level.

Anything like this for the typical home user?

[–] 0x0@lemmy.zip 0 points 1 year ago (1 children)

Sure, bring back Crowdstrike, that went well...

Btw I wasn't aware XOR was encrytion...

[–] Neverclear@lemmy.dbzer0.com 0 points 1 year ago* (last edited 1 year ago) (1 children)

XOR cleartext once with a key you get ciphertext. XOR the ciphertext with the same key you get the original cleartext. At its core this is the way the old DES cipher works.

A bit of useful trivia: If you XOR any number with itself, you get all zeros. You can see this in practice when an assembly programmer XOR's a register with itself to clear it out.

[–] Quazatron@lemmy.world 0 points 1 year ago (1 children)

That's how it was done in the old days to save a few cycles in Z80 assembly. XOR A instead of LD A, 0.

[–] InverseParallax@lemmy.world 0 points 1 year ago

I use that daily in my accelerator work.

Once you learn the trick, you just use it naturally.