
These techniques are not complicated, but they can still confuse beginner malware analysts and reverse engineers. Changing the code execution path using SEH (Structured Exception Handling) is common in malware samples; a simple example follows:

If the analyst single-steps over this, they lose control of execution, because the handler runs without a step landing in it.

But there are other ways to get a similar result using Windows API functions that take callbacks; these callbacks can be used to hinder an analyst in the same way.

ReadFileEx / WriteFileEx are the asynchronous counterparts of ReadFile and WriteFile. The interesting part is that they call the lpCompletionRoutine completion routine when the read/write completes or is canceled (the routine only runs once the calling thread enters an alertable wait, e.g. SleepEx with bAlertable set):

Same here: the analyst loses control once the completion routine is invoked.

What about EnumDisplayMonitors? It invokes the supplied MonitorEnumProc callback once for each display monitor:

Note: We can stop the enumeration by returning FALSE from the callback.