The reason as to why I chose the exit procedure is due to how a lot of anti-virus scanners as well as virtualisation agents operate. Generally, these detection systems will either be signature based or try to run the software and detect any malicious behaviour. A common malicious behaviour that is detected is the attempt to connect out of the system to the internet. There were many suggested methods to bypass virtualisation such as using a delay upon opening software before launching the malicious code in hope that it times out. However, some virtualisation engines can make use of the system clock to speed up this process. If we use the exit procedure instead and require user interaction, an automated script will find it difficult to trigger our payload and analyse its behaviour. In most cases, a user will need to exit the process so a click of the “X” at the top right of an application is generally the way — doing so will trigger the exit branch code. In this paper, we will find where that exit branch is and find an arbitrary point to redirect flow to our code cave.