Custom payload detection

Custom payload detection is a powerful feature that lets customers add custom byte patterns that are matched against memory.

This feature is designed to enhance the detection capabilities of the system and to provide more flexibility to customers. By leveraging this feature, customers can detect specific payloads that are unique to their environment, and take appropriate actions based on the detection results.

Custom payload detection is also a complex feature. Customers who are not familiar with this technique may unintentionally introduce false positives or find it overwhelming. It is therefore important to have a clear understanding of how to use this feature effectively and to test any rules thoroughly.

Pattern matching

Using "??" as a wildcard, customers can match any single byte at that position. For example, "A4 ?? A1" would match "A4 00 A1", "A4 01 A1", and so on.
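
The following is an added example, not Cyphor's own code, showing how a wildcard pattern like the one above can be parsed and tried against sample buffers before a rule is deployed, which is one way to check for false positives. It assumes space-separated two-digit hex tokens plus "??"; the function names and sample buffers are constructed for illustration.

```python
import re

_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|\?\?)$")

def parse_pattern(pattern):
    """Turn 'A4 ?? A1' into [0xA4, None, 0xA1]; None marks a wildcard byte."""
    tokens = pattern.split()
    if not tokens:
        raise ValueError("empty pattern")
    parsed = []
    for tok in tokens:
        if not _TOKEN.match(tok):
            raise ValueError(f"invalid token {tok!r}")
        parsed.append(None if tok == "??" else int(tok, 16))
    if all(b is None for b in parsed):
        raise ValueError("pattern is all wildcards and would match everything")
    return parsed

def find_matches(pattern, data):
    """Return every offset in data where the pattern matches (overlaps included)."""
    pat = parse_pattern(pattern)
    # Anchor on the first fixed byte so bytes.find() does most of the scanning.
    anchor_idx = next(i for i, b in enumerate(pat) if b is not None)
    anchor = bytes([pat[anchor_idx]])
    hits = []
    pos = data.find(anchor, anchor_idx)
    while pos != -1:
        start = pos - anchor_idx
        if start + len(pat) > len(data):
            break  # not enough bytes left for a full match
        window = data[start:start + len(pat)]
        if all(p is None or p == w for p, w in zip(pat, window)):
            hits.append(start)
        pos = data.find(anchor, pos + 1)
    return hits

def false_positive_count(pattern, benign_samples):
    """Count matches in buffers known to be clean; anything above 0 is noise."""
    return sum(len(find_matches(pattern, s)) for s in benign_samples)

# Constructed sample buffers (not real memory captures).
BENIGN = bytes(range(256)) * 4
INJECTED = (b"\x00" * 16 + bytes.fromhex("A47FA1")
            + b"\x90" * 8 + bytes.fromhex("A400A1"))
```

Here "A4 ?? A1" hits only the two constructed payload locations in INJECTED and nothing in BENIGN, while the looser "A4 ??" fires four times on the benign buffer.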

Use cases

Detecting custom payloads in memory can be extremely useful.

For example, you may want to protect your software against a specific type of tampering, such as uncommon code injection techniques. By creating a custom rule that detects the specific pattern of bytes that are injected into memory during the attack, you can trigger an alert or take an appropriate action to prevent further tampering.

Last updated 2 years ago