note-for-malware-19

No matter how sophisticated a packer may become, the malware payload must always interact with the Windows OS to perform its malicious behavior (e.g., remote code injection, or a ransomware's file encryption).

A packer usually removes the payload's import address table (IAT) to impede reverse engineering. At run time, the unpacking routine then obtains each API's address and rebuilds the IAT, so that the restored payload can invoke Windows APIs properly.

When a packed binary starts running, the original code is at some point written into memory pages and then executed (written-then-executed).

If an API is invoked by looking up a rebuilt IAT, this indicates that the original code has been restored and that the control flow has already reached the original entry point (OEP) (rebuilt-then-called).

The end of unpacking:

  1. The reconstruction of the payload's IAT happens before the jump to the OEP.
  2. At run time, if an API is called through a rebuilt IAT rather than through the unpacking routine's IAT, the malware payload has been restored.
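The two indicators above (written-then-executed pages and rebuilt-then-called API slots) can be checked against a trace of memory events. The following is an added example, not code from the note-for-malware-19 repository: it replays a constructed, hypothetical trace of memory writes, instruction fetches and indirect API calls, the kind of events an instrumentation engine or emulator would report, and applies both heuristics to locate the end of unpacking. All addresses, the `UnpackMonitor` class and the `TRACE` events are made up for illustration.

```python
"""Simulated written-then-executed and rebuilt-then-called checks.

Added example (not from the note-for-malware-19 repository). The trace and all
addresses below are constructed; an instrumentation engine would supply the
real events.
"""
from typing import List, Optional, Set, Tuple

PAGE_SHIFT = 12   # 4 KiB pages
SLOT_SIZE = 4     # 32-bit IAT entries (hypothetical x86 target)


def page_of(addr: int) -> int:
    return addr >> PAGE_SHIFT


class UnpackMonitor:
    """Tracks pages written at run time and IAT slots filled at run time."""

    def __init__(self, unpacker_iat: range):
        # Address range of the packed binary's own (unpacker) IAT, known from
        # the PE import directory before execution starts.
        self.unpacker_iat = unpacker_iat
        self.written_pages: Set[int] = set()
        self.written_slots: Set[int] = set()
        self.oep_candidate: Optional[int] = None      # first written-then-executed address
        self.rebuilt_calls: List[Tuple[int, str]] = []  # (slot, api) via a rebuilt IAT
        self.unpacker_calls: List[Tuple[int, str]] = []

    def on_write(self, addr: int, size: int) -> None:
        """Memory write by the running program."""
        for a in range(addr, addr + size):
            self.written_pages.add(page_of(a))
        # Remember pointer-sized, aligned slots the program filled in; any of
        # them may later serve as an entry of a rebuilt IAT.
        first = addr - addr % SLOT_SIZE
        for slot in range(first, addr + size, SLOT_SIZE):
            if slot >= addr and slot + SLOT_SIZE <= addr + size:
                self.written_slots.add(slot)

    def on_exec(self, addr: int) -> None:
        """Instruction fetch at addr: written-then-executed check."""
        if self.oep_candidate is None and page_of(addr) in self.written_pages:
            self.oep_candidate = addr

    def on_call(self, slot: int, api: str) -> None:
        """Indirect call through an IAT slot (call [slot]): rebuilt-then-called check."""
        if slot in self.unpacker_iat:
            self.unpacker_calls.append((slot, api))
        elif slot in self.written_slots:
            self.rebuilt_calls.append((slot, api))

    def unpacking_finished(self) -> bool:
        """Both indicators: code written then executed, and an API reached
        through a slot the program itself wrote (a rebuilt IAT)."""
        return self.oep_candidate is not None and bool(self.rebuilt_calls)


def replay(events, unpacker_iat: range) -> UnpackMonitor:
    mon = UnpackMonitor(unpacker_iat)
    for ev in events:
        if ev[0] == "write":
            mon.on_write(ev[1], ev[2])
        elif ev[0] == "exec":
            mon.on_exec(ev[1])
        elif ev[0] == "call":
            mon.on_call(ev[1], ev[2])
    return mon


# Constructed trace (hypothetical addresses). The unpacker stub at 0x401000
# uses its own IAT at 0x402000-0x402010, restores the payload into 0x403000,
# fills a new IAT at 0x405000, then jumps to the OEP at 0x403010.
TRACE = [
    ("exec", 0x401000),
    ("call", 0x402000, "VirtualAlloc"),      # via unpacker IAT
    ("write", 0x403000, 0x800),              # payload code restored
    ("call", 0x402004, "GetProcAddress"),    # via unpacker IAT
    ("write", 0x405000, 4),                  # rebuilt IAT slot := CreateFileW
    ("call", 0x402004, "GetProcAddress"),
    ("write", 0x405004, 4),                  # rebuilt IAT slot := WriteFile
    ("exec", 0x401020),                      # still inside the stub
    ("exec", 0x403010),                      # jump to OEP: written-then-executed
    ("call", 0x405000, "CreateFileW"),       # rebuilt-then-called
    ("call", 0x405004, "WriteFile"),
]

UNPACKER_IAT = range(0x402000, 0x402010)

if __name__ == "__main__":
    m = replay(TRACE, UNPACKER_IAT)
    print("OEP candidate:", hex(m.oep_candidate) if m.oep_candidate else None)
    print("calls via rebuilt IAT:", m.rebuilt_calls)
    print("unpacking finished:", m.unpacking_finished())
```

Calls through the stub's own import table are kept separate from calls through slots the program wrote itself; only the latter count as evidence that the payload's IAT has been rebuilt, and the first fetch from a page the program previously wrote gives the OEP candidate.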

The advantage of stolen code: many user-level API hooking techniques identify their target API calls by matching the virtual addresses where those APIs are expected to be located, so stolen code makes such API hooking tools miss the target.

The advantage of child processes and process hollowing: both evasions are used to hide the presence of a malicious process. https://www.anquanke.com/post/id/145003

The concept of the crash hooking module: the packer deliberately creates an access violation exception by calling APIs with invalid arguments. In a non-hooking environment, the Windows OS default exception handlers handle such errors, so the packed ransomware runs properly.

The advantage of DLL hijacking: DLL hijacking is immune to the crash hooking module attack, as it can naturally deliver runtime errors to the Windows OS's exception handlers.

There are two types of evasion techniques used in current malware: hook evasion and target evasion. Hook evasion is a technique to evade hooks set on the entry of APIs for monitoring. Target evasion is used to obfuscate the caller instruction of APIs.

How to set taint tags in a program: pre-boot disk tainting and code taint propagation.

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from succeeding. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory regions, e.g. the stack, from being executed.

note-for-malware-19's People

Contributors

squarekyzhong
