Antivirus Evasion Techniques and Countermeasures

•

3 likes•12,917 views

This presentation throws light on innovative techniques for bypassing antivirus detection. This will be useful for researchers and pen testers to develop successful post exploitation techniques.

Technology

Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

Why How Countermeasure Legal Statement  Agenda

I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

Techniques: Code injection in another process Jump and Execute Loaders HOW #3

Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

“Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

What's hot

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

securityxploded

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

securityxploded

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

securityxploded

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

securityxploded

Reversing & malware analysis training part 2 introduction to windows internals

securityxploded

Application Virtualization

securityxploded

Reversing & Malware Analysis Training Part 13 - Future Roadmap

securityxploded

Advanced Malware Analysis Training Session 8 - Introduction to Android

securityxploded

Reversing malware analysis training part6 practical reversing

Cysinfo Cyber Security Community

Anatomy of Exploit Kits

securityxploded

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

securityxploded

Advanced malware analysis training session5 reversing automation

Cysinfo Cyber Security Community

Advanced malwareanalysis training session2 botnet analysis part1

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

securityxploded

Hunting Rootkit From the Dark Corners Of Memory

securityxploded

Reversing malware analysis training part11 exploit development advanced

Cysinfo Cyber Security Community

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

securityxploded

Reverse Engineering Malware

securityxploded

Defeating public exploit protections (EMET v5.2 and more)

securityxploded

What's hot (20)

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Reversing & malware analysis training part 2 introduction to windows internals

Application Virtualization

Reversing & Malware Analysis Training Part 13 - Future Roadmap

Advanced Malware Analysis Training Session 8 - Introduction to Android

Reversing malware analysis training part6 practical reversing

Anatomy of Exploit Kits

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

Advanced malware analysis training session5 reversing automation

Advanced malwareanalysis training session2 botnet analysis part1

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

Hunting Rootkit From the Dark Corners Of Memory

Reversing malware analysis training part11 exploit development advanced

Advanced malware analysis training session 7 malware memory forensics

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

Reverse Engineering Malware

Defeating public exploit protections (EMET v5.2 and more)

Similar to Antivirus Evasion Techniques and Countermeasures

#nullblr bachav manual source code review

Santosh Gulivindala

Why should we use TDD to develop in Elixir? When we are applying it correctly? What are the differences that we can find in a code developed with TDD and in code not developed with it? Is it TDD about testing? Really? In this talk, I'll show what is TDD and how can be used it in functional programming like Elixir to design the small and the big parts of your system, showing what are the difference and the similarities between an OOP and FP environment. Showing what is the values of applying a technique like TDD in Elixir and what we should obtain applying it.

Tdd is not about testing

Gianluca Padovani

Intro To AOP

elliando dias

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

pCloudy

Intro to Reverse Engineering

Null Bhubaneswar

Secure programming with php

Mohmad Feroz

Bypassing anti virus scanners

martacax

Debugging in .Net

Muhammad Amir

How secure is your code?

Mikee Franklin

Bypassing anti virus scanners

martacax

Web backdoors attacks, evasion, detection

n|u - The Open Security Community

Quick Intro to Clean Coding

Ecommerce Solution Provider SysIQ

Code Review

Tu Hoang

6-Error Handling.pptx

amiralicomsats3

Return address

Cysinfo Cyber Security Community

Code Review Looking for a vulnerable code. Vlad Savitsky.

DrupalCampDN

Medium Trust for Umbraco

Warren Buckley

Server Side Template Injection by Mandeep Jadon

Mandeep Jadon

Demystifying dot NET reverse engineering - Part1

Soufiane Tahiri

Securing Underprotected APIs - Deja vu Security

Deja vu Security

Similar to Antivirus Evasion Techniques and Countermeasures (20)

#nullblr bachav manual source code review

Tdd is not about testing

Intro To AOP

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

Intro to Reverse Engineering

Secure programming with php

Bypassing anti virus scanners

Debugging in .Net

How secure is your code?

Bypassing anti virus scanners

Web backdoors attacks, evasion, detection

Quick Intro to Clean Coding

Code Review

6-Error Handling.pptx

Return address

Code Review Looking for a vulnerable code. Vlad Savitsky.

Medium Trust for Umbraco

Server Side Template Injection by Mandeep Jadon

Demystifying dot NET reverse engineering - Part1

Securing Underprotected APIs - Deja vu Security

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Evaluating the top large language models.pdf

ChristopherTHyatt

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Evaluating the top large language models.pdf

GenCyber Cyber Security Day Presentation

Axa Assurance Maroc - Insurer Innovation Award 2024

Exploring the Future Potential of AI-Enabled Smartphone Processors

presentation ICT roal in 21st century education

Powerful Google developer tools for immediate impact! (2023-24 C)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Artificial Intelligence: Facts and Myths

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

What Are The Drone Anti-jamming Systems Technology?

Presentation on how to chat with PDF using ChatGPT code interpreter

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

08448380779 Call Girls In Friends Colony Women Seeking Men

Antivirus Evasion Techniques and Countermeasures

1. Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

2. Why How Countermeasure Legal Statement  Agenda

3. I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

4. Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

5. Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

6. Techniques: Code injection in another process Jump and Execute Loaders HOW #3

7. Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

8. HOW #4 – Technique #1 - Demo

9. Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

10. HOW #4 – Technique #2 - Demo

11. Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

12. HOW #4 – Technique #3 -Demo

13. What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

14. Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

15. Shellcode Detection - Demo

16. “Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

Editor's Notes

Reference: Three ways to inject code into a remote process - http://www.codeproject.com/KB/threads/winspy.aspx

Antivirus Evasion Techniques and Countermeasures

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Antivirus Evasion Techniques and Countermeasures

Similar to Antivirus Evasion Techniques and Countermeasures (20)

More from securityxploded

More from securityxploded (20)

Recently uploaded

Recently uploaded (20)

Antivirus Evasion Techniques and Countermeasures

Editor's Notes