Malware Development – AV Evasion P2
Hi everyone in this post we will talk about bypassing AV Engines which we talked about on YouTube videos.
Firstly, let’s remember the static and dynamic engines. What do these mean?
Static Engine: The static engine controls the variables, variable or function names, etc. We can say while reading the code, if you can see any harmful stuffs, the static engine sees too.
Dynamic Engine: The dynamic engine controls the functions, procedures, macros (not VB Macros) like keylogging functions, screenshare or screenshot functions, etc. The dynamic engine finds harmful behavioral parts of the code. (These harmful things not chains of functions, you can think only one function about keylogging or sending harmful packets like functions. The chain of harmful parts is behavioral engine’s job.)
Let’s write some code with “process injection” technique. You can develop your own reverse shellcode for more stealth, but this is not our main topic in this post. We will cover this in another post.
The static engine bypass is easer than others, you can choose right names, strings; use string functions and done. So easy! (There is an important key point about usage of functions, you can find this later.)
Dynamic one is harder than. But not impossible 🙂 You will hear process injection techniques, like the “process hollowing” or “process doppelgänging” while researching.
Give me some time for explain with the basic injection scheme:
The idea is so simple, the techniques contain several differences like using sections for storing shellcodes or changing some permissions into the memory, etc.
I want to explain techniques with example codes. Let’s start!
Static Engine Example
Suspicious strings and values:
Try to change some strings and use concatanation, etc.
Now only 1 engine says this executable is malware. This example is for the static engine especially. Actually, some AV Engines says harmful for everything 😀
Dynamic Engine Example
Now we will try to bypass dynamic engines.
First, we will create a general local process dropper for executing our shellcode.
Let’s scan:
And these are the engines which says malicious:
Try to implement basic injection technique:
Note: This code wrote for only researching purposes, if you want to use this, you can change some parts. After the changing, try in your lab.
Note: While finding pid of the process, you can see strcmp or stricmp examples. You can get a few errors with incompatible variable types. The solution is using wcscmp function with wchar_t type.
And we bypassed some engines with basic local process injection, our score is 4/26.
You can find and use any injection technique for bypassing dynamic engine. More information about process injection: https://attack.mitre.org/techniques/T1055/
Note: You must not think about “I must bypass every engine”, not do that. This waste your time in your operations. If you can find used AV engine in the company, just bypass this. Other engines useless for you, is that make sense? You know the answer.
Note2: I said a key point in the static engine paragraph. Try to research and use GetProcAddress() with DLLs. If you use the GetProcAddress() for your functions, you can not see your used functions like VirtualAllocEx, WriteProcessMemory, etc. Thanks to this, you can escape from juniors.
Also, you can add some additional controls for bypassing sandbox solutions, you can add packing techniques or adding encryption, etc. We will talk about these in another post. And I will explain more and more in the “Malware Development and Programming Fasttrack” course.
Github: https://github.com/berkotako/mdev_p2
Further Readings and Links:
- https://metadefender.opswat.com/
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://www.cynet.com/attack-techniques-hands-on/process-injection-technique
- https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
- https://attack.mitre.org/techniques/T1055/
Thanks for your time.
Berk KIRAS