Persistence Mechanisms

Once malware gains access to a system, it often looks to be there for a long time. This behavior is known as persistence. If the persistence mechanism is unique enough, it can even serve as a great way to fingerprint a given piece of malware.

In this section, we begin with a discussion of the most commonly achieved method of persistence: modification of the system’s registry. Next, we review how malware modifies files for persistence through a process known as trojanizing binaries. Finally, we discuss a method that achieves persistence without modifying the registry or files, known as DLL load-order hijacking.

The Windows Registry

When we discussed the Windows registry in Chapter 7, we noted that it is common for malware to ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.