
Messing around avs

Presentation for my talk at Null Delhi Chapter Meet on Bypassing AVs.



  1. Messing Around AVs. Shubham Mittal
  2. Agenda
     • Who am I?
     • Why need AV bypassing?
     • How AVs work?
     • Bypass? HTF?
     • W00t W00t
     • More research requirement..
     • Shoot your questions..
  3. Who Am I?
     • Security Consultant @ Hackplanet Technologies
     • Penetration tester
     • Spoken at various National Level Conferences (Techno Tryst 2012, NSWET 2011, etc.)
     • Current Areas: SOC, Malware Analysis, MSF, Network Forensics
  4. Why need AV bypassing?
     • Firewalls can be bypassed with client-side attacks, which require some piece of code on the remote machine, but AV picks it up.
     • You made a virus and sent it to the remote machine, but AV picks it up.
     • You have a payload which you want to execute. You social engineered the owner into executing your payload, but AV picks it up.
  5. Signature Based Detection
  6. Bypass? HTF?
     • Crypters (UPX, etc.) - old approach
     • Smart crypter (we will do it)
     • Shellcode injection (we will do it too)
  7. Crypters, hmm… But AVs are not fools either. They have a mind.
  8. Smart Crypters – PE Crypter
     • Hyperion: by Christian Ammann (Null Security Team)
     • Packs the PE file format with AES.
     • Key used for encryption is "SMALL".
     • At runtime, the key is brute forced. Algorithm:
       1. Copy the encrypted file in memory as backup.
       2. Guess the key.
       3. Decrypt the DATA.
       4. Verify the DATA with checksums.
       5. If the key is right, cheers!
       6. If not, restore the data section from the backup and go to step 2.
     • More info: http://www.nullsecurity.net , http://exploit-db.com
  9. Shellcode Injection
     • Inject your shellcode into a process.
     • Can be used for backdooring.
     • Can be used for getting different shells at the remote system.
     • Shellcodeexec (https://github.com/inquisb/shellcodeexec)
     • Syringe.exe (http://www.securestate.com/Documents/syringe.c)
  10. Syringe.exe References:
     1. Paper on Exploit-db by infog33k
     2. A comment on http://forums.mydigitallife.info/threads/23461-Batch-Hide-cmd-batch-window
     3. Creating a self extractor with 7zip: http://www.wikihow.com/Use-7Zip-to-Create-Self-Extracting-excutables
  11. How it Works..
     • Calls VirtualAlloc to obtain space in which to execute the shellcode. VirtualAlloc: Windows-specific call that holds a region with read, write and execute permissions (read and write permissions are required for alphanumeric code).
     • Copies the shellcode into the memory obtained from VirtualAlloc.
     • Executes the shellcode with the help of an assembly stub pointing directly to the location of the shellcode.
  12. Got queries, suggestions, comments: shubham@hackplanet.in
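The key-recovery loop from slide 8 (guess the key, decrypt, verify the checksum, retry) is what makes Hyperion's "SMALL" key reversible: an analyst who has the packed sample and its stored checksum can run the very same loop offline to unpack it, so the tiny key space is obfuscation, not confidentiality. The following is an added example written for this page, not code from the talk or from Hyperion; it assumes a 16-bit key space and, because the Python standard library has no AES, substitutes a SHA-256-derived keystream XOR for the cipher (the loop is identical for any cipher, the feasibility comes only from the key size).

```python
"""Hyperion-style brute-force key recovery, written as an analyst's offline
unpacker. Assumptions (not from the talk): 2-byte key, CRC32 as the
'checksum', SHA-256 keystream XOR standing in for AES."""
import hashlib
import itertools
import zlib
from typing import Optional, Tuple

KEY_BYTES = 2  # assumption: 16-bit key space stands in for the "SMALL" key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR data with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(plain: bytes, key: bytes) -> Tuple[bytes, int]:
    """Encrypt the payload and return (ciphertext, checksum of the plaintext),
    which is exactly what a runtime stub needs to verify a key guess."""
    return keystream_xor(key, plain), zlib.crc32(plain)


def recover(cipher: bytes, checksum: int) -> Optional[Tuple[bytes, bytes]]:
    """Steps 2-6 of the slide: guess, decrypt, verify, retry.
    Decryption is done into a fresh buffer, so the 'backup and restore'
    of the in-place stub (steps 1 and 6) is not needed here.
    Returns (key, plaintext) or None if no key satisfies the checksum."""
    for guess in itertools.product(range(256), repeat=KEY_BYTES):
        key = bytes(guess)
        candidate = keystream_xor(key, cipher)
        if zlib.crc32(candidate) == checksum:
            return key, candidate
    return None


if __name__ == "__main__":
    # Constructed sample input, not a real binary.
    sample = b"constructed sample payload bytes, not a real binary"
    ct, crc = pack(sample, b"\x0b\x2a")
    found = recover(ct, crc)
    print("recovered key:", found[0].hex(), "payload matches:", found[1] == sample)
```

Only 65536 candidate keys are ever tried, so the whole recovery takes well under a second; compare that to the 2^128 space a properly keyed AES would require.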
