Antivirus Evasion | Bypass Techniques.

ANTIVIRUS

Antivirus Types

ANTIVIRUS EVASION TECHNIQUES

  1. OBFUSCATORS: Obfuscators hide the malicious code inside the legitimate code of a process. They reorganize the code and alter it so heavily that it becomes nearly impossible to reverse engineer and work out what it does on disk. They can add dead code, or replace existing instructions with equivalent sequences that carry the malicious behaviour.
  2. PACKERS: This evasion technique reduces the size of the payload. Earlier, the malicious code was simply zipped: for example, an image file and an executable were compressed together with WinRAR, and the two were then executed one after the other. Nowadays, packers shrink the executable and give the file on disk a completely new binary structure.
  3. CRYPTORS: This mechanism cryptographically transforms the code of the program or executable and adds a decryption function, or stub, as a sub-process. The program is sent in encrypted form with the decrypting stub hidden, so it looks harmless to the AV and gets past it. The encrypted code is decrypted in memory rather than on disk, so the AV cannot remove the executable code before it runs.
  4. PROTECTORS: Protectors were originally built to stop code from being reversed, debugged, or tested in a virtual-machine emulation process. That same functionality can be leveraged to fool anti-virus solutions by wrapping the payload in a protector before sending it to the victim.
  5. PROCESS MEMORY INJECTION: This in-memory injection method is very common. It abuses Windows API HANDLEs to a process on which we hold execute privileges. How? Windows offers memory and process management facilities: if a process is running and you have access to it, you can claim its handle (an object through which you work with the thread you are trying to gain access to). If the process is already running, open it with OpenProcess(). Then allocate memory inside it with VirtualAllocEx(), and write into the running process with WriteProcessMemory(). Next, obtain a module HANDLE with GetModuleHandle() and resolve a function address with GetProcAddress(). With the address and the HANDLE in hand, create your own thread in the target with CreateRemoteThread(); once the remote thread is created, the injected code is loaded and executed automatically.
https://www.peerlyst.com/posts/bypassing-anti-virus-by-creating-remote-thread-into-target-process-damon-mohammadbagher
// Original A(): a normal function prologue followed by its body
Call A();   // where A has the following set of instructions
A()
    mov edi,edi
    push ebp
    mov ebp,esp
    push 0
    push [ebp+10]
    pop ebp
    retn 0

// Patched A(): a jmp is planted right after the prologue, so control is
// diverted to the injected routine before A's own body runs
Call A();
A()
    mov edi,edi
    push ebp
    mov ebp,esp
    jmp malicious__Offs3cg33k+5   // 5 bytes = 32-bit jmp opcode space
    push 0
    push [ebp+10]
    pop ebp
    retn 0

malicious__Offs3cg33k()
    /* reverse shell code here */
    retn 0

HOW CAN THE ABOVE TECHNIQUES BE DETECTED ????
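As an added example (not code from the original post), here is how a defender might spot the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain from item 5 in endpoint telemetry: it correlates constructed Sysmon-style ProcessAccess (event 10) and CreateRemoteThread (event 8) records and flags a remote thread that starts outside any loaded module after the same source process opened the target with write and create-thread rights. The log line format, PIDs, paths and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Real Win32 access-right constants checked against the OpenProcess mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Constructed sample events, loosely modelled on Sysmon event 10 (ProcessAccess)
# and event 8 (CreateRemoteThread) fields; PIDs, paths and addresses are made up.
SAMPLE_LOG = r"""
EventID=10 SourceProcessId=4120 SourceImage=C:\Users\u\dropper.exe TargetProcessId=1880 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1F0FFF
EventID=10 SourceProcessId=812 SourceImage=C:\Windows\System32\csrss.exe TargetProcessId=1880 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1400
EventID=8 SourceProcessId=4120 SourceImage=C:\Users\u\dropper.exe TargetProcessId=1880 TargetImage=C:\Windows\explorer.exe StartAddress=0x000001C3A0E10000 StartModule=
EventID=8 SourceProcessId=3004 SourceImage=C:\Windows\System32\svchost.exe TargetProcessId=1880 TargetImage=C:\Windows\explorer.exe StartAddress=0x00007FFB12345678 StartModule=C:\Windows\System32\ntdll.dll
"""


def parse_event(line):
    """Split one 'Key=Value Key=Value' line into a dict; values may be empty."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def find_injection_chains(log_text):
    """Return (source image, target image, thread start address) for every
    remote thread that (a) comes from a process that earlier opened the target
    with write + create-thread rights and (b) starts outside any loaded module,
    i.e. in memory the injector allocated and wrote itself."""
    opened = defaultdict(set)  # (src_pid, tgt_pid) -> access masks granted
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == "10":
            mask = int(ev["GrantedAccess"], 16)
            if (mask & INJECT_RIGHTS) == INJECT_RIGHTS:
                opened[key].add(mask)
        elif ev["EventID"] == "8" and key in opened and not ev["StartModule"]:
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["StartAddress"]))
    return hits


if __name__ == "__main__":
    for src, tgt, addr in find_injection_chains(SAMPLE_LOG):
        print(f"suspicious remote thread: {src} -> {tgt} at {addr}")
```

A thread from a legitimately signed process whose StartModule points into a loaded DLL (the svchost.exe line) is left alone, which keeps the rule quiet on ordinary cross-process activity.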

Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.