Post on 29-Mar-2015
Amit Malik (DouBle_Zer0), SecurityXploded and Garage4hackers Bangalore Chapter Lead
E-Mail: m.amit30@gmail.com
Anti-Virus Evasion Techniques and Countermeasures
Agenda
Why
How
Countermeasures
Legal Statement
WHY
I am a penetration tester.
I want to use public codes* without fear.
I want to know the system internals.
I want to impress my girlfriend ^_^.
I want to test the effectiveness of security technologies.
HOW #1
Warning: nothing discussed here is applicable to .exe files.
Logic: divide the exe into two parts; in other words, do not make an exe at all.
Code: our normal code with some additional powers, i.e. stand-alone (position-independent) executable code.
Interface: the interface will execute the code.
In simple words, we need shellcode-style code and an interface to execute that shellcode.
HOW #2
Why are we splitting the exe into two parts?
AV detection techniques:
Signature based
Emulation + signature
MD5
Heuristic
If your binary is packed, the AV uses emulation + signature techniques for detection.
By splitting the exe into two parts we can bypass AVs.
True fact: generating an exe is simpler than writing stand-alone executable code that performs the same function.
HOW #3
Techniques:
Code injection in another process
Jump and Execute
Loaders
HOW #4 – Technique #1: Code injection in another process
Interface: make an interface that will read the "code" and inject it into another process.
Raw material:
OpenProcess
WriteProcessMemory
CreateRemoteThread
(plus VirtualAllocEx, to obtain a writable and executable region in the target that WriteProcessMemory can write into)
HOW #4 – Technique #1 - Demo
HOW #4 – Technique #2: Jump and Execute
Interface: make an interface that will read the file, then jump to that location and execute the code.
Raw material:
ReadFile
JMP
(the buffer holding the file contents must be executable memory, otherwise DEP stops the jump with an access violation)
HOW #4 – Technique #2 - Demo
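The interface for Technique #2, as an added example rather than code from the talk or its download link: it reads raw code from a file, places it in memory that is explicitly executable, and jumps to the first byte through a function pointer. The six-byte blob embedded for the self-test (`mov eax, 42 ; ret`) is constructed here as a stand-in for real shellcode and is x86/x86-64 machine code only; the file is read with `fopen`/`fread` instead of `ReadFile` so that the same source builds on Windows (VirtualAlloc) and Linux (mmap).

```c
/* jump_and_execute.c - added example of the Technique #2 "interface".
 * Builds with MSVC/MinGW on Windows and gcc/clang on Linux. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#if !(defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86))
#error "the embedded sample blob is x86 machine code"
#endif

/* Constructed sample payload (not real shellcode):  mov eax, 42 ; ret
 * Like real shellcode it must be position-independent, because the
 * interface places it at an address that is only known at run time. */
static const unsigned char sample_blob[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

typedef long (*code_fn)(void);

/* Allocate a read/write/execute buffer and copy the code into it. */
static void *map_executable(const unsigned char *code, size_t len)
{
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return NULL;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
#endif
    memcpy(mem, code, len);
    return mem;
}

static void unmap_executable(void *mem, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, len);
#endif
}

/* The "JMP": transfer control to the first byte of the blob and hand back
 * whatever it leaves in eax when it returns. -1 signals a mapping failure. */
long run_blob(const unsigned char *code, size_t len)
{
    void *mem = map_executable(code, len);
    if (mem == NULL) return -1;
    code_fn entry;
    memcpy(&entry, &mem, sizeof entry);   /* object pointer -> function pointer */
    long result = entry();
    unmap_executable(mem, len);
    return result;
}

/* Runs the embedded sample; used by the self-test. */
long run_sample(void) { return run_blob(sample_blob, sizeof sample_blob); }

/* Read a whole file of raw code into a heap buffer; NULL on error. */
static unsigned char *read_code_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return NULL;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (buf == NULL || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf);
        fclose(f);
        return NULL;
    }
    fclose(f);
    *len = (size_t)sz;
    return buf;
}

/* Usage: jump_and_execute            (runs the embedded sample, prints 42)
 *        jump_and_execute code.bin   (runs raw code read from a file) */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("sample blob returned %ld\n", run_sample());
        return 0;
    }
    size_t len = 0;
    unsigned char *code = read_code_file(argv[1], &len);
    if (code == NULL) {
        fprintf(stderr, "cannot read %s\n", argv[1]);
        return 1;
    }
    printf("code from %s returned %ld\n", argv[1], run_blob(code, len));
    free(code);
    return 0;
}
```

The whole "interface" is the two dozen lines of `map_executable` and `run_blob`; nothing in it is specific to the payload, which is why the slide can claim the interface looks like ordinary code to a scanner.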
HOW #4 – Technique #3: Loaders
Interface: make an interface that will read the "code", create a trusted process in suspended mode, overwrite the "code" at the entry point of the suspended process, and then resume the thread.
Raw material:
CreateProcess (CREATE_SUSPENDED)
WriteProcessMemory
ResumeThread
HOW #4 – Technique #3 - Demo
HOW #5
What if the AV flags the interface?
Yes, it can, but the interface uses legitimate APIs with very minimal code.
Many legitimate programs use the same APIs, so flagging them risks false positives.
Maybe they can flag it on the basis of its MD5 (which breaks as soon as a single byte of the interface changes, for example by recompiling it).
Countermeasures
Simply call it shellcode detection.
The philosophy:
Emulate or execute everything.
Exception: move to the next byte.
Abort execution if at any time EIP >= 0x7xxxxxxx, i.e. control has left the scanned bytes and reached the address range where system DLLs are mapped in a 32-bit process.
Scan: detection.
Shellcode Detection - Demo
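The "execute everything, exception means next byte" idea from the slide, as an added example that is not the talk's own detector (whose source is linked below). It is written for x86-64 Linux with gcc or clang, using mmap, signal handlers and sigsetjmp/siglongjmp where a Windows build would use VirtualAlloc and `__try`/`__except`. One substitution is deliberate: the slide's stop condition (EIP reaching 0x7xxxxxxx, i.e. the code resolved and called into a system DLL) presupposes a Windows address space, so this scanner instead records each offset from which execution runs to a clean return and what it left in eax, and leaves the flagging policy to the caller. The ten-byte input (four `int3` bytes followed by `mov eax, 42 ; ret`) is constructed for the self-test.

```c
/* scan_by_execution.c - added example of the "execute everything" scanner.
 * x86-64 Linux only. Every offset of the blob is executed in turn; a fault
 * or timeout moves the scan on to the next byte, and offsets from which
 * execution returns cleanly are reported as hits. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this scanner demo is written for x86-64 Linux"
#endif

#define PAGE 4096

typedef struct { size_t offset; long value; } hit_t;

static sigjmp_buf resume_point;
static char alt_stack[65536];   /* the handler runs here even if rsp was trashed */

/* Any fault or timeout during a trial lands here: "exception, next byte".
 * siglongjmp also restores rsp and the callee-saved registers that stray
 * instructions may have changed. */
static void on_signal(int sig) { siglongjmp(resume_point, sig); }

static void install_handlers(void)
{
    stack_t ss = { .ss_sp = alt_stack, .ss_size = sizeof alt_stack, .ss_flags = 0 };
    struct sigaction sa;
    int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGFPE, SIGTRAP, SIGALRM };
    sigaltstack(&ss, NULL);
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sa.sa_flags = SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        sigaction(sigs[i], &sa, NULL);
}

/* Jump to addr with rax = 0, so that [rax] accesses decoded from non-code
 * bytes fault on the null page instead of touching live memory. The red
 * zone is skipped because the compiler cannot see this call. */
static long call_at(const unsigned char *addr)
{
    long ret;
    __asm__ volatile(
        "sub  $128, %%rsp\n\t"
        "xor  %%eax, %%eax\n\t"
        "call *%1\n\t"
        "add  $128, %%rsp\n\t"
        : "=&a"(ret)
        : "r"(addr)
        : "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11", "memory", "cc");
    return ret;
}

/* Execute blob from every offset; returns the number of clean returns and
 * records up to max_hits of them (offset and the value left in eax). */
size_t scan_by_execution(const unsigned char *blob, size_t len, hit_t *hits, size_t max_hits)
{
    if (len == 0 || len > PAGE) return 0;
    /* RWX page for the blob followed by a PROT_NONE guard page, so a stream
     * that runs off the end faults instead of wandering on. */
    unsigned char *mem = mmap(NULL, 2 * PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return 0;
    mprotect(mem, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC);
    install_handlers();

    volatile size_t off = 0, n = 0;
    while (off < len) {
        memcpy(mem, blob, len);              /* a trial may have modified the page */
        if (sigsetjmp(resume_point, 1) == 0) {
            alarm(1);                        /* loop guard: a timeout is an exception too */
            long v = call_at(mem + off);
            if (n < max_hits) { hits[n].offset = off; hits[n].value = v; }
            n++;
        }
        alarm(0);
        off++;
    }
    munmap(mem, 2 * PAGE);
    return n;
}

/* Constructed test input: four int3 bytes, then "mov eax, 42 ; ret". */
static const unsigned char constructed_blob[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
static hit_t demo_hits[8];
static size_t demo_count, demo_done;

static void run_demo(void)
{
    if (demo_done) return;
    demo_count = scan_by_execution(constructed_blob, sizeof constructed_blob, demo_hits, 8);
    demo_done = 1;
}
size_t demo_hit_count(void) { run_demo(); return demo_count; }
long demo_hit_offset(size_t i) { run_demo(); return i < demo_count ? (long)demo_hits[i].offset : -1; }
long demo_hit_value(size_t i) { run_demo(); return i < demo_count ? demo_hits[i].value : -1; }

int main(void)
{
    for (size_t i = 0; i < demo_hit_count(); i++)
        printf("clean return from offset %ld, eax = %ld\n", demo_hit_offset(i), demo_hit_value(i));
    return 0;
}
```

On the constructed input, offsets 0 to 3 trap, offsets 5 to 8 decode to `sub`/`add` forms that dereference rax and fault, and two offsets return cleanly: 4 (the real instruction stream, eax = 42) and 9 (a bare `ret`, eax = 0). The second one shows why a clean return alone is not a verdict and why the talk's detector adds the EIP >= 0x7xxxxxxx rule: a real payload has to reach a system DLL to do anything, and a lone `ret` never will.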
The "Shellcode Detection" technique and source codes are distributed under CC: http://creativecommons.org/licenses/by-nc/3.0/
Codes: https://sites.google.com/site/hacking1now/tools
Legal Statement