Antivirus Evasion Techniques and Countermeasures

•

3 likes•12,922 views

This presentation throws light on innovative techniques for bypassing antivirus detection. This will be useful for researchers and pen testers to develop successful post exploitation techniques.

Technology

Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

Why How Countermeasure Legal Statement  Agenda

I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

Techniques: Code injection in another process Jump and Execute Loaders HOW #3

Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

“Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

Why should we use TDD to develop in Elixir? When we are applying it correctly? What are the differences that we can find in a code developed with TDD and in code not developed with it? Is it TDD about testing? Really? In this talk, I'll show what is TDD and how can be used it in functional programming like Elixir to design the small and the big parts of your system, showing what are the difference and the similarities between an OOP and FP environment. Showing what is the values of applying a technique like TDD in Elixir and what we should obtain applying it.

What's hot

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

securityxploded

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

securityxploded

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

securityxploded

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

securityxploded

Reversing & malware analysis training part 2 introduction to windows internals

securityxploded

Application Virtualization

securityxploded

Reversing & Malware Analysis Training Part 13 - Future Roadmap

securityxploded

Advanced Malware Analysis Training Session 8 - Introduction to Android

securityxploded

Reversing malware analysis training part6 practical reversing

Cysinfo Cyber Security Community

Anatomy of Exploit Kits

securityxploded

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

securityxploded

Advanced malware analysis training session5 reversing automation

Cysinfo Cyber Security Community

Advanced malwareanalysis training session2 botnet analysis part1

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

securityxploded

Hunting Rootkit From the Dark Corners Of Memory

securityxploded

Reversing malware analysis training part11 exploit development advanced

Cysinfo Cyber Security Community

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

securityxploded

Reverse Engineering Malware

securityxploded

Defeating public exploit protections (EMET v5.2 and more)

securityxploded

What's hot (20)

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Reversing & malware analysis training part 2 introduction to windows internals

Application Virtualization

Reversing & Malware Analysis Training Part 13 - Future Roadmap

Advanced Malware Analysis Training Session 8 - Introduction to Android

Reversing malware analysis training part6 practical reversing

Anatomy of Exploit Kits

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

Advanced malware analysis training session5 reversing automation

Advanced malwareanalysis training session2 botnet analysis part1

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

Hunting Rootkit From the Dark Corners Of Memory

Reversing malware analysis training part11 exploit development advanced

Advanced malware analysis training session 7 malware memory forensics

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

Reverse Engineering Malware

Defeating public exploit protections (EMET v5.2 and more)

Similar to Antivirus Evasion Techniques and Countermeasures

#nullblr bachav manual source code reviewSantosh Gulivindala

Tdd is not about testing

Gianluca Padovani

Intro To AOPelliando dias

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

pCloudy

Intro to Reverse Engineering

Null Bhubaneswar

Secure programming with php

Mohmad Feroz

Bypassing anti virus scannersmartacax

Debugging in .Net

Muhammad Amir

How secure is your code?

Mikee Franklin

Bypassing anti virus scannersmartacax

Web backdoors attacks, evasion, detection

n|u - The Open Security Community

Quick Intro to Clean CodingEcommerce Solution Provider SysIQ

Code Review

Tu Hoang

6-Error Handling.pptx

amiralicomsats3

Return address

Cysinfo Cyber Security Community

Code Review Looking for a vulnerable code. Vlad Savitsky.DrupalCampDN

Medium Trust for Umbraco

Warren Buckley

Server Side Template Injection by Mandeep Jadon

Mandeep Jadon

Demystifying dot NET reverse engineering - Part1Soufiane Tahiri

Securing Underprotected APIs - Deja vu Security

Deja vu Security

Similar to Antivirus Evasion Techniques and Countermeasures (20)

#nullblr bachav manual source code review

Tdd is not about testing

Intro To AOP

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

Intro to Reverse Engineering

Secure programming with php

Bypassing anti virus scanners

Debugging in .Net

How secure is your code?

Bypassing anti virus scanners

Web backdoors attacks, evasion, detection

Quick Intro to Clean Coding

Code Review

6-Error Handling.pptx

Return address

Code Review Looking for a vulnerable code. Vlad Savitsky.

Medium Trust for Umbraco

Server Side Template Injection by Mandeep Jadon

Demystifying dot NET reverse engineering - Part1

Securing Underprotected APIs - Deja vu Security

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

DevOps and Testing slides at DASA Connect

Kari Kakkonen

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Mind map of terminologies used in context of Generative AI

Kumud Singh

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing

20240607 QFM018 Elixir Reading List May 2024

By Design, not by Accident - Agile Venture Bolzano 2024

Artificial Intelligence for XMLDevelopment

20240609 QFM020 Irresponsible AI Reading List May 2024

DevOps and Testing slides at DASA Connect

A tale of scale & speed: How the US Navy is enabling software delivery from l...

PCI PIN Basics Webinar from the Controlcase Team

The Art of the Pitch: WordPress Relationships and Sales

Pushing the limits of ePRTC: 100ns holdover for 100 days

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

UiPath Test Automation using UiPath Test Suite series, part 6

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Mind map of terminologies used in context of Generative AI

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Epistemic Interaction - tuning interfaces to provide information for AI support

GridMate - End to end testing is a critical piece to ensure quality and avoid...

Antivirus Evasion Techniques and Countermeasures

1. Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

2. Why How Countermeasure Legal Statement  Agenda

3. I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

4. Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

5. Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

6. Techniques: Code injection in another process Jump and Execute Loaders HOW #3

7. Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

8. HOW #4 – Technique #1 - Demo

9. Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

10. HOW #4 – Technique #2 - Demo

11. Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

12. HOW #4 – Technique #3 -Demo

13. What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

14. Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

15. Shellcode Detection - Demo

16. “Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

Editor's Notes

Reference: Three ways to inject code into a remote process - http://www.codeproject.com/KB/threads/winspy.aspx

Antivirus Evasion Techniques and Countermeasures

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Antivirus Evasion Techniques and Countermeasures

Similar to Antivirus Evasion Techniques and Countermeasures (20)

More from securityxploded

More from securityxploded (20)

Recently uploaded

Recently uploaded (20)

Antivirus Evasion Techniques and Countermeasures

Editor's Notes