Antivirus Evasion | Bypass Techniques.
While playing around with machines I came up with a very interesting scenario, where my executable payloads on as soon as getting copied to windows victim machine, were getting removed from the system. Nevertheless how quick I have been, I was unable to execute them and get the reverse shell.Then I came up to a conclusion that antivirus’s real time protection features must have been kept Active or Enabled, to prevent execution of malicious payloads supplied by hackers. So today I will discuss on bypass AV mechanism, techniques.
ANTIVIRUS
Originally made to detect computer virus, as the name suggests, the antivirus is software made to prevent, detect and remove malware.
Antivirus Types
There are major three types / methods based on which Antivirus are designed.
Signature Based : These kind of antivirus engines are made based on some signatures (patterns created to detect certain sequence of bytes) created to detect what type of code the following executable could have contained. If the code or pattern of bytes is present in blacklisted content, then AV alert is triggered.
Heuristic Based : Modern technique of detecting malicious payload by defining some rules and algorithms such that, if the code contains certain set of code / instructions or executable segments, which do certain actions which might prove malicious , then AV alert is triggered.
Behavior Based : This technique analyses the behavior of the binary file and categorizes it into malicious and non-malicious. If malicious AV is triggered.
ANTIVIRUS EVASION TECHNIQUES
Ways to fool the antivirus by applying certain changes in code residing on disk or in memory.
We can broadly classify the techniques to be On-disk or In-memory based on what and how we are making changes in codes of process.
Let’s discuss each one by one.
- OBFUSCATORS : The obfuscators hide the malicious code into legitimate code of process. They reorganize and make such changes to code that it becomes nearly impossible to reverse engineer it and so gain what it could be doing on disk. They can add dead code , or can change the semantics of existing instructions with equally but malicious code instructions.
- PACKERS : In this evasion technique we will reduce the size of our payload. For example earlier we used to zip our malicious code , example : Taking one image file and one executable and compressing it using winRAR to zip it and execute it one after the other. But now a days, packers reduce the size of executable and make a completely new binary structure for the file on disk.
- CRYPTORS : This mechanism cryptographically changes the code of program/executable and makes a decryption function or subprocess like stub. When the program is sent it is encrypted and the decrypting stub is hidden. Making it totally seem useless to AV, and thus bypassing it. The decryption of encrypted code works on memory, and decrypted executable code is left on disk. Thus AV could not remove it before executing.
- PROTECTORS: The protectors were actually made to prevent any code from reversing, debugging, getting tested on virtual machine emulation process. But we can leverage this functionality to befool Anti-Virus solutions, by crafting payload under protectors and sending to victim.
- PROCESS MEMORY INJECTION : This method of in-memory injection is very common. We abuse the HANDLES of Windows API to which we have executable privileges. How ? The windows offers us an advantage of memory and process management; if there is a running process or process which you have access to run. You can claim it’s handle ( an object to basically initiate functioning and working with thread you are trying to gain access to). If process is already running you can use function OpenProcess() to open the process . Then use VitualAllocEx() function to allocate memory to it. Then use function WriteProcessMemory() to write to the executing process. Then try to gain HANDLE using GetModuleHandle(), and get the address of process using GetProcessAddress(). Once you have got address and HANDLE, you can create your own thread using CreateRemoteThread(). Once you create Remote thread in memory, it will be automatically loaded and executed.
6. DLL INJECTION : This method is same as process memory injection. Here we inject DLL in memory and it is executed. This method is not same as DLL injection on disk and calling it via LoadLibrary ().
7. INLINE HOOKING: In this method we take a function which is doing some normal task. We make a sub routine kind of route, i.e. basically we add some code and change the course of flow of execution , such that while normal function execution our malicious code is executed somewhere in between and the function completes it’s task normally, without knowing it performed something malicious.
Suppose this is normal method call to function A
Call A();// where A has following set of instructions
A()
mov edi,edi
push ebp
mov ebp,esp
push 0
push [ebp+10]
pop ebp
retn 0
Now we will add our code here.
Call A();A()
mov edi,edi
push ebp
mov ebp,esp
jmp malicious__Offs3cg33k+5 //5 bytes=32-bit jmp_opcode_space
push 0
push [ebp+10]
pop ebp
retn 0malicious__Offs3cg33k()
/* reverse shell code here */
retn 0
So we see here how the flow of code execution changes , making it undetectable by AV
8. PROCESS HALLOWING: In this method we start a process either in suspended state or send it to suspended state. Then we change the image of process in memory , by first deleting it then adding malicious executable in place of it. Then resume the process. Making it difficult for AV to detect it. How to determine address of process ? When Process A(non — malicious was loaded , it’s executable block(PEB) containing imagebaseaddress was loaded too. Thus we can determine the PEB.imageBaseAddress and wipe the Executable section. Now Process B (malicious) , rewrites the PE Headers and PE Base, and makes start address of the suspended thread to the address of entry point of the injected executable. Finally resumes suspended thread.
HOW CAN THE ABOVE TECHNIQUES BE DETECTED ????
Process Memory Injection / DLL injection can be detected as follows
Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such asVirtualAllocEx/WriteProcessMemory, may be used for this technique [1]
Process Hallowing can be detected
a. By detecting parent child process relationship
b. Comparing PEB and VAD structure.
c. Detecting suspicious memory protection. [2]
This is all a summary and we have scratched just the surface. If you loved it please like. Happy Hacking!!!
