Amit Malik (DouBle_Zer0), SecurityXploded and Garage4hackers Bangalore Chapter Lead, E-Mail: m.amit30@gmail.com – Anti-Virus Evasion techniques and Countermeasures
Page 1: Anti-Virus Evasion techniques and Countermeasures

Amit Malik (DouBle_Zer0)

SecurityXploded and Garage4hackers Bangalore Chapter Lead

E-Mail: m.amit30@gmail.com

Page 2: Agenda

Why

How

Countermeasure

Legal Statement

Page 3: WHY

I am a Penetration Tester.

I want to use public codes* without fear.

I want to know the system internals.

I want to impress my girlfriend ^_^.

I want to test the effectiveness of security technologies.

Page 4: HOW #1

Warning: Nothing that I will discuss here is applicable to .exe files.

Logic – divide the exe in two parts – meaning, don't make an exe.

The two parts: Code and Interface.

Code – our normal code with some additional powers: stand-alone executable code.

Interface – the interface will execute the code.

In simple words, we need shellcode-type code and an interface to execute the shellcode.

Page 5: HOW #2

Why are we splitting the exe in two parts?

AV detection techniques:

Signature based

Emulation + signature

MD5

Heuristic

If your binary is packed, then the AV uses emulation + signature techniques for detection.

By splitting the exe in two parts we can bypass AVs.

True fact: generating an exe is simpler than writing the stand-alone executable code that performs the same function.

Page 6: HOW #3

Techniques:

Code injection in another process

Jump and Execute

Loaders

Page 7: HOW #4 – Technique #1

Code injection in another process

Interface – make an interface that will read the “code” and inject it into another process.

Raw Material:

OpenProcess

WriteProcessMemory

CreateRemoteThread

Page 8: HOW #4 – Technique #1 – Demo

Page 9: HOW #4 – Technique #2

Jump and Execute

Interface – make an interface that will read the file, then jump to that location and execute the code.

Raw Material:

ReadFile

JMP

Page 10: HOW #4 – Technique #2 – Demo

Page 11: HOW #4 – Technique #3

Loaders

Interface – make an interface that will read the “code”, create a trusted process in suspended mode, overwrite the “code” at the entry point of the suspended process and then resume the thread.

Raw Material:

CreateProcess – suspended

WriteProcessMemory

ResumeThread

Page 12: HOW #4 – Technique #3 – Demo

Page 13: HOW #5

What if AV flags the Interface?

Yes, they can, but the interface code uses legitimate APIs with very minimal code.

Many legitimate programs use similar APIs, so there is fear of false positives.

Maybe they can flag on the basis of MD5.

Page 14: Countermeasures

Simply call it shellcode detection.

The Philosophy:

Emulate or execute everything.

Exception – move to the next byte.

Abort execution if at any time EIP >= 7xxxxxxx.

Scan – Detection.
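The detection philosophy on this slide, worked through as an added example (not the author's code and not the tool distributed under the Legal Statement): a toy Python scanner that emulates a tiny x86 subset starting from every byte offset, abandons a start offset as soon as it hits an undecodable byte (my reading of "exception – move to next byte"), and flags the buffer the moment EIP crosses into the 0x7xxxxxxx range where 32-bit Windows maps its system DLLs. The load address, the 0x70000000 floor as a concrete reading of "7xxxxxxx", the opcode subset, the step cap and the sample bytes are all assumptions or constructed values.

```python
import struct
BASE = 0x00400000              # assumed load address of the scanned bytes
SYSTEM_DLL_FLOOR = 0x70000000  # the slide's "abort if EIP >= 7xxxxxxx" boundary
MAX_STEPS = 64                 # step cap so a loop in the data cannot hang the scanner

class Fault(Exception):        # undecodable byte, truncated operand, read outside buffer
    pass

def _rd(buf, off, fmt):        # read one operand at buf[off], faulting if truncated
    if off < 0 or off + struct.calcsize(fmt) > len(buf):
        raise Fault("operand outside buffer")
    return struct.unpack_from(fmt, buf, off)[0]

def step(buf, eip, regs, stack):   # emulate one instruction of a toy x86 subset, return next eip
    off = eip - BASE
    op = _rd(buf, off, "<B")
    if op == 0xEB:                                   # jmp rel8 (can loop: MAX_STEPS guards it)
        return eip + 2 + _rd(buf, off + 1, "<b")
    if op == 0xB8:                                   # mov eax, imm32
        regs["eax"] = _rd(buf, off + 1, "<I")
        return eip + 5
    if op == 0xFF:
        modrm = _rd(buf, off + 1, "<B")
        if modrm == 0xE0:                            # jmp eax
            return regs["eax"]
        if modrm == 0xD0:                            # call eax
            stack.append(eip + 2)
            return regs["eax"]
    raise Fault("unsupported opcode 0x%02x" % op)

def reaches_system_dll(buf, start_off):   # emulate from buf[start_off] under the slide's rules
    eip, regs, stack = BASE + start_off, {"eax": 0}, []
    for _ in range(MAX_STEPS):
        if eip >= SYSTEM_DLL_FLOOR:       # control flow entered the system DLL range: flag it
            return True
        try:
            eip = step(buf, eip, regs, stack)
        except Fault:                     # "exception -> move to next byte": give up on this start
            return False
    return False                          # step cap hit without reaching a DLL: treat as benign

def scan(buf):   # every byte is a candidate start; return the first flagged offset, or None
    for off in range(len(buf)):
        if reaches_system_dll(buf, off):
            return off
    return None

# Constructed sample: junk, "mov eax, 0x7C801D7B ; call eax" (made-up address), junk. Not a real payload.
SAMPLE = b"Hello" + b"\xB8\x7B\x1D\x80\x7C\xFF\xD0" + b"\x00\x11"
BENIGN = b"Hello, this is plain text.\x00"
```

`scan(SAMPLE)` flags offset 5 (the `mov eax` byte), `scan(BENIGN)` returns None, and a two-byte self-jump (`EB FE`) is stopped by the step cap rather than hanging the scanner; a real engine needs a full decoder and a far larger step budget, but the control-flow test is the same.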

Page 15: Shellcode Detection – Demo

Page 16: Legal Statement

The “Shellcode Detection” technique and source codes are distributed under CC: http://creativecommons.org/licenses/by-nc/3.0/

Codes: https://sites.google.com/site/hacking1now/tools