AV Evasion – Behavioral/Heuristic Engine

Posted on

AV Evasion P3 – Behavioral/Heuristic Engine

We discussed Static and Dynamic Engines. In this post I will try to explain heuristic engine bypassing. I don’t like to give direct techniques, like “you must use X codes or Y techniques”. The understanding of system is more important to bypassing solutions. I hope I’m explaining the main ideas well.

Heuristic Engine Bypassing

Let’s start. In this scheme you can see a basic keylogger process:

Basic Keylogging Process

This scheme for general functions of keylogging code. We can use GetAsyncKeyState() for getting keystrokes. For parsing and choosing the name of key, we can use switch case or if statements. In the adding keys to string array, we can see string functions like strcpy, strcat, etc.  The final step is sending information, in this step we can use network functions like socket, connect, send, etc. and we must use additional header files; for more information you can look at the socket programming with C : https://www.geeksforgeeks.org/socket-programming-cc/

Functions and Functionalities

The heuristic engine finds the chain of functions, you can think this similar to human behaviors.  While you’re drinking something in the coffee, the man who look at you annoyed and walking to you, is meaning danger for you. The man is not important, but in this case the behavior (walking annoyed) is so important for defense or attack.

Found chain of functions for harmful activities:

Example Chain of Functions

Main idea is too simple. Now, how to bypass this? Let’s think about it.

Let’s see what we can do.

Virtual Key Examples with Switch Case

You can find the keys: https://docs.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes

  1. After this finding, you can change the name of this Virtual Key Codes. For example, if you want to change A and Space , you can use “ #define Key_A 0x41“ , “ #define Key_Bckspace 0x08“.
  2. You must use GetAsyncKeyState function, you can use this with GetProcAddress() function like function pointer.
  3. In the function calls the C uses AX register for returning values, you can change the AX with inline assembly.

Example:

Int func(int a){

//Do something

Return a%10;

}

Int main(){

Int t;

func(19);

__asm__(“add ax,3;”,

   “add ax, 5;”,

   “sub ax,8;”);

// The AX stores our first value

return 0;

}

For more examples: https://www.codeproject.com/Articles/15971/Using-Inline-Assembly-in-C-C

4. You can use both switch case and if statements.

For example:

Switch(int X){

Case 1:

Case 2:

Default:

        If(X ==3)

        else if (X==4)

}

5. You can add useless/decoy functions like calculation functions, encryption functions, etc.

6. You can add random NOPs or assembly codes with inline assembly.

----Code Snippet----

__asm__(“NOP;”);

----Code Snippet----

----Code Snippet----

__asm__(“NOP;”);

__asm__(“NOP;”);

7. You can add extra auth functions for the network steps, like if the key is true, send keystrokes. Implement encryption to network communication.

8. You can change the function names in the header files. You must use static compiling with this technique, if you use dynamic compile, unwanted things occur.

9.You can write your own protocol, or you can use another protocol like DNS, ARP, etc.

The main idea is getting complicated the tasks of malware. You can find much more techniques and write more effective malware for your operation.

Thanks for your time.

Berk KIRAS

You can find the images: https://www.patreon.com/bksec