Anti-Virus Evasion techniques and Countermeasures
Amit Malik (DouBle_Zer0)
SecurityXploded and Garage4hackers Bangalore Chapter Lead
E-Mail: [email protected]
Why
How
Countermeasure
Legal Statement
I am a Penetration Tester.
I want to use public codes* without fear.
I want to know the system internals.
I want to impress my girlfriend ^_^.
I want to test the effectiveness of security technologies.
Warning: Everything that I will discuss here is not applicable to stand-alone .exe files.
Logic – divide the exe into two parts – in other words, don’t build a single exe.
Code
Interface
Code – our normal code with some additional powers: stand-alone executable code.
Interface – the component that executes the code.
In simple words, we need shellcode-style code and an interface to execute that shellcode.
Why split the exe into two parts?
AV detection techniques
Signature based
Emulation + signature
MD5
Heuristic
If your binary is packed, the AV falls back to emulation + signature for detection.
By splitting the exe into two parts we can bypass AVs.
True fact: generating an exe is simpler than writing stand-alone executable code that performs the same function.
Techniques:
Code injection in another process
Jump and Execute
Loaders
Code injection in another process
Interface – an interface that reads the “code” and injects it into another process.
Raw Material:
OpenProcess
WriteProcessMemory
CreateRemoteThread
Jump and Execute
Interface – an interface that reads the file into memory and then jumps to that location to execute the code.
Raw Material:
ReadFile
JMP
Loaders
Interface – an interface that reads the “code”, creates a trusted process in suspended mode, overwrites the entry point of the suspended process with the “code”, and then resumes the thread.
Raw Material:
CreateProcess – in suspended mode
WriteProcessMemory
ResumeThread
What if the AV flags the interface?
Yes, it can, but the interface uses legitimate APIs with very minimal code.
Many legitimate programs use similar APIs, so there is a fear of false positives.
Maybe they can flag it on the basis of MD5.
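The slide above argues that the interface is hard to flag because it only uses legitimate APIs. From the defender's side, the usable signal is not any single API but the ordered sequence of calls against the same target process. The following is an added example, not code from the talk or its author: a small Python heuristic that scans a constructed, simplified API-call trace (one call per line: `pid api key=value ...`, a format assumed for this example, not any real sandbox's output) and flags the two chains the slides describe, the remote-thread injection triad and the suspended-process loader. `CREATE_SUSPENDED` is the real `dwCreationFlags` bit of `CreateProcess`; the trace lines and the `target`/`child` argument names are constructed.

```python
import re

# Real dwCreationFlags bit for CreateProcess; a loader must set it to start the child suspended.
CREATE_SUSPENDED = 0x00000004

# Constructed sample trace: pid, API name, then key=value arguments (assumed format).
# pid 1001: remote-thread injection; pid 1002: suspended-process loader;
# pid 1003: CreateProcess without CREATE_SUSPENDED (no resume); pid 1004: read-only access.
SAMPLE_TRACE = """\
1001 OpenProcess target=2044 access=0x1F0FFF
1001 WriteProcessMemory target=2044 size=512
1001 CreateRemoteThread target=2044 start=0x00420000
1002 CreateProcess image=notepad.exe flags=0x4 child=3010
1002 WriteProcessMemory target=3010 size=4096
1002 ResumeThread target=3010
1003 CreateProcess image=calc.exe flags=0x0 child=3011
1003 WriteProcessMemory target=3011 size=64
1004 OpenProcess target=2044 access=0x400
1004 ReadProcessMemory target=2044 size=64
"""

# The ordered call chains the slides describe, keyed by a human-readable pattern name.
PATTERNS = {
    "remote thread injection": ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    "suspended-process loader": ("CreateProcess", "WriteProcessMemory", "ResumeThread"),
}

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")
NUMBER_RE = re.compile(r"0x[0-9a-fA-F]+|\d+")


def parse_trace(text):
    """Turn trace text into (pid, api, args) tuples; numeric values become ints."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        pid, api, rest = m.groups()
        args = {}
        for token in rest.split():
            key, _, value = token.partition("=")
            args[key] = int(value, 0) if NUMBER_RE.fullmatch(value) else value
        events.append((int(pid), api, args))
    return events


def _target_of(api, args):
    """CreateProcess names the new process as 'child'; the other calls name it 'target'."""
    return args.get("child") if api == "CreateProcess" else args.get("target")


def detect(events):
    """Walk the trace once, tracking how far each (pattern, pid, target) has progressed."""
    findings = []
    progress = {}  # (pattern name, pid, target) -> number of chain steps matched so far
    for pid, api, args in events:
        target = _target_of(api, args)
        for name, chain in PATTERNS.items():
            key = (name, pid, target)
            step = progress.get(key, 0)
            if step >= len(chain) or api != chain[step]:
                continue  # this call is not the next step of this chain for this target
            # The loader chain only starts if the child really was created suspended.
            if api == "CreateProcess" and not (args.get("flags", 0) & CREATE_SUSPENDED):
                continue
            step += 1
            if step == len(chain):
                findings.append({"pid": pid, "target": target, "pattern": name})
                step = 0  # reset so a repeated chain on the same target is reported again
            progress[key] = step
    return findings


def scan_trace(text):
    """Convenience wrapper: parse then detect."""
    return detect(parse_trace(text))


if __name__ == "__main__":
    for finding in scan_trace(SAMPLE_TRACE):
        print(f"pid {finding['pid']}: {finding['pattern']} against {finding['target']}")
```

Because matching is keyed on the target process, a debugger that opens and writes one process while a different process happens to get a remote thread does not trip the rule, and the `flags` check keeps an ordinary `CreateProcess` followed by a memory write (pid 1003) out of the loader pattern. The same state-machine shape extends to other chains by adding an entry to `PATTERNS`.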
Simply call it shellcode detection
The Philosophy
Emulate or Execute Everything
Exception – move to next byte
Abort execution if at any time EIP >= 0x7xxxxxxx (on 32-bit Windows the system DLLs live in that range, so reaching it means the bytes resolved and called into a real API)
Scan – Detection
The “Shellcode Detection” technique and its source code are distributed under CC.
http://creativecommons.org/licenses/by-nc/3.0/
Code:
https://sites.google.com/site/hacking1now/tools