Anti-Virus Evasion techniques and Countermeasures

Amit Malik (DouBle_Zer0)
SecurityXploded and Garage4hackers Bangalore Chapter Lead
E-Mail: [email protected]
 Why
 How
 Countermeasure
 Legal Statement 
 I am a Penetration Tester.
 I want to use public codes* without fear.
 I want to know the system internals.
 I want to impress my girl friend ^_^.
 I want to test effectiveness of security technologies.
 Warning: Everything that I will discuss here is not
applicable to .exe files.
 Logic – divide exe in two parts – means don’t make exe.
 Code
 Interface
 Code – it is our normal code with some additional
powers – stand alone executable code.
 Interface - interface will execute the code
 In simple words we need a shellcode type code and a
interface to execute the shellcode.
 Why we are splitting exe in two parts ?
 AV detection techniques
 Signature based
 Emulation + signature
 MD5 
 Heuristic 
 If your binary is packed then AV uses Emulation +
signature tech. for detection.
 By splitting exe in two parts we can bypass AVs.
 True fact: generating exe is simpler than writing the
stand alone executable code that performs the same
function. 
 Techniques:
 Code injection in another process
 Jump and Execute
 Loaders
 Code injection in another process
 Interface – make a interface that will read the “code”
and will inject it into another process.
 Raw Material:
 OpenProcess
 WriteProcessMemory
 CreateRemoteThread
 Jump and Execute
 Interface – make a interface that will read the file and
then jump to that location and execute the code
 Raw Material:
 ReadFile
 Loaders
 Interface – make a interface that will read the “code”
and creates a trusted process in suspended mode and
overwrite the “code” at the entry point of the
suspended process and then resume the thread.
 Raw Material:
 CreateProcess – suspended
 WriteProcessMemory
 ResumeThread
 What if AV flag Interface ?
 Yes, they can but the interface code is using legitimate
APIs with very minimal code.
 Many legitimate programs use similar APIs so fear of
false positive.
 May be they can flag on the basis of MD5 
 Simply call it shellcode detection
 The Philosophy
 Emulate or Execute Everything
 Exception – move to next byte
 Abort execution if anytime EIP >= 7xxxxxxx
 Scan – Detection
 “Shellcode Detection” Technique and source codes are
distributed under CC.
 Codes:

similar documents