Antivirus Evasion Techniques and Countermeasures
•
3 recomendaciones•12,917 vistas
This presentation throws light on innovative techniques for bypassing antivirus detection. This will be useful for researchers and pen testers to develop successful post exploitation techniques.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Antivirus Evasion Techniques and Countermeasures
Similar a Antivirus Evasion Techniques and Countermeasures (20)
Más de securityxploded
Más de securityxploded (20)
Último
Último (20)
Antivirus Evasion Techniques and Countermeasures
- 1. Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures
- 2. Why How Countermeasure Legal Statement Agenda
- 3. I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY
- 4. Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1
- 5. Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5 Heuristic If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function. HOW #2
- 6. Techniques: Code injection in another process Jump and Execute Loaders HOW #3
- 7. Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1
- 8. HOW #4 – Technique #1 - Demo
- 9. Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2
- 10. HOW #4 – Technique #2 - Demo
- 11. Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3
- 12. HOW #4 – Technique #3 -Demo
- 13. What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5 HOW #5
- 14. Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures
- 15. Shellcode Detection - Demo
- 16. “Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement
Notas del editor
- Reference: Three ways to inject code into a remote process - http://www.codeproject.com/KB/threads/winspy.aspx