Antivirus Evasion Techniques and Countermeasures

•

3 j'aime•12,917 vues

This presentation throws light on innovative techniques for bypassing antivirus detection. This will be useful for researchers and pen testers to develop successful post exploitation techniques.

Technologie

Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

Why How Countermeasure Legal Statement  Agenda

I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

Techniques: Code injection in another process Jump and Execute Loaders HOW #3

Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

“Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

Contenu connexe

Tendances

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

securityxploded

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

securityxploded

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

securityxploded

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

securityxploded

Reversing & malware analysis training part 2 introduction to windows internals

securityxploded

Application Virtualization

securityxploded

Reversing & Malware Analysis Training Part 13 - Future Roadmap

securityxploded

Advanced Malware Analysis Training Session 8 - Introduction to Android

securityxploded

Reversing malware analysis training part6 practical reversing

Cysinfo Cyber Security Community

Anatomy of Exploit Kits

securityxploded

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

securityxploded

Advanced malware analysis training session5 reversing automation

Cysinfo Cyber Security Community

Advanced malwareanalysis training session2 botnet analysis part1

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

securityxploded

Hunting Rootkit From the Dark Corners Of Memory

securityxploded

Reversing malware analysis training part11 exploit development advanced

Cysinfo Cyber Security Community

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

securityxploded

Reverse Engineering Malware

securityxploded

Defeating public exploit protections (EMET v5.2 and more)

securityxploded

Tendances (20)

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Reversing & malware analysis training part 2 introduction to windows internals

Application Virtualization

Reversing & Malware Analysis Training Part 13 - Future Roadmap

Advanced Malware Analysis Training Session 8 - Introduction to Android

Reversing malware analysis training part6 practical reversing

Anatomy of Exploit Kits

Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques

Advanced malware analysis training session5 reversing automation

Advanced malwareanalysis training session2 botnet analysis part1

Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics

Hunting Rootkit From the Dark Corners Of Memory

Reversing malware analysis training part11 exploit development advanced

Advanced malware analysis training session 7 malware memory forensics

Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)

Reverse Engineering Malware

Defeating public exploit protections (EMET v5.2 and more)

Similaire à Antivirus Evasion Techniques and Countermeasures

#nullblr bachav manual source code review

Santosh Gulivindala

Why should we use TDD to develop in Elixir? When we are applying it correctly? What are the differences that we can find in a code developed with TDD and in code not developed with it? Is it TDD about testing? Really? In this talk, I'll show what is TDD and how can be used it in functional programming like Elixir to design the small and the big parts of your system, showing what are the difference and the similarities between an OOP and FP environment. Showing what is the values of applying a technique like TDD in Elixir and what we should obtain applying it.

Tdd is not about testing

Gianluca Padovani

Intro To AOP

elliando dias

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

pCloudy

Intro to Reverse Engineering

Null Bhubaneswar

Secure programming with php

Mohmad Feroz

Bypassing anti virus scanners

martacax

Debugging in .Net

Muhammad Amir

How secure is your code?

Mikee Franklin

Bypassing anti virus scanners

martacax

Web backdoors attacks, evasion, detection

n|u - The Open Security Community

Quick Intro to Clean Coding

Ecommerce Solution Provider SysIQ

Code Review

Tu Hoang

6-Error Handling.pptx

amiralicomsats3

Return address

Cysinfo Cyber Security Community

Code Review Looking for a vulnerable code. Vlad Savitsky.

DrupalCampDN

Medium Trust for Umbraco

Warren Buckley

Server Side Template Injection by Mandeep Jadon

Mandeep Jadon

Demystifying dot NET reverse engineering - Part1

Soufiane Tahiri

Securing Underprotected APIs - Deja vu Security

Deja vu Security

Similaire à Antivirus Evasion Techniques and Countermeasures (20)

#nullblr bachav manual source code review

Tdd is not about testing

Intro To AOP

Different Techniques Of Debugging Selenium Based Test Scripts.pdf

Intro to Reverse Engineering

Secure programming with php

Bypassing anti virus scanners

Debugging in .Net

How secure is your code?

Bypassing anti virus scanners

Web backdoors attacks, evasion, detection

Quick Intro to Clean Coding

Code Review

6-Error Handling.pptx

Return address

Code Review Looking for a vulnerable code. Vlad Savitsky.

Medium Trust for Umbraco

Server Side Template Injection by Mandeep Jadon

Demystifying dot NET reverse engineering - Part1

Securing Underprotected APIs - Deja vu Security

Plus de securityxploded

Fingerprinting healthcare institutions

securityxploded

Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics

securityxploded

Buffer Overflow Attacks

securityxploded

Malicious Client Detection Using Machine Learning

securityxploded

Understanding CryptoLocker (Ransomware) with a Case Study

securityxploded

Linux Malware Analysis using Limon Sandbox

securityxploded

Introduction to SMPC

securityxploded

Breaking into hospitals

securityxploded

Bluetooth [in]security

securityxploded

Basic malware analysis

securityxploded

Automating Malware Analysis

securityxploded

DLL Preloading Attack

securityxploded

Partial Homomorphic Encryption

securityxploded

Return Address – The Silver Bullet

securityxploded

Hunting Ghost RAT Using Memory Forensics

securityxploded

Malicious Url Detection Using Machine Learning

securityxploded

MalwareNet Project

securityxploded

Reversing and Decrypting the Communications of APT Malware (Etumbot)

securityxploded

Dissecting BetaBot

securityxploded

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

securityxploded

Plus de securityxploded (20)

Fingerprinting healthcare institutions

Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics

Buffer Overflow Attacks

Malicious Client Detection Using Machine Learning

Understanding CryptoLocker (Ransomware) with a Case Study

Linux Malware Analysis using Limon Sandbox

Introduction to SMPC

Breaking into hospitals

Bluetooth [in]security

Basic malware analysis

Automating Malware Analysis

DLL Preloading Attack

Partial Homomorphic Encryption

Return Address – The Silver Bullet

Hunting Ghost RAT Using Memory Forensics

Malicious Url Detection Using Machine Learning

MalwareNet Project

Reversing and Decrypting the Communications of APT Malware (Etumbot)

Dissecting BetaBot

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

Dernier

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

ICT role in 21st century education and its challenges

rafiqahmad00786416

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Dernier (20)

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Why Teams call analytics are critical to your entire business

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Strategies for Landing an Oracle DBA Job as a Fresher

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

ICT role in 21st century education and its challenges

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Data Cloud, More than a CDP by Matt Robison

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Artificial Intelligence Chap.5 : Uncertainty

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Corporate and higher education May webinar.pptx

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Antivirus Evasion Techniques and Countermeasures

1. Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com Anti-Virus Evasion techniques and Countermeasures

2. Why How Countermeasure Legal Statement  Agenda

3. I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girl friend ^_^. I want to test effectiveness of security technologies. WHY

4. Warning: Everything that I will discuss here is not applicable to .exe files. Logic – divide exe in two parts – means don’t make exe. Code Interface Code – it is our normal code with some additional powers – stand alone executable code. Interface - interface will execute the code In simple words we need a shellcode type code and a interface to execute the shellcode. HOW #1

5. Why we are splitting exe in two parts ? AV detection techniques Signature based Emulation + signature MD5  Heuristic  If your binary is packed then AV uses Emulation + signature tech. for detection. By splitting exe in two parts we can bypass AVs. True fact: generating exe is simpler than writing the stand alone executable code that performs the same function.  HOW #2

6. Techniques: Code injection in another process Jump and Execute Loaders HOW #3

7. Code injection in another process Interface – make a interface that will read the “code” and will inject it into another process. Raw Material: OpenProcess WriteProcessMemory CreateRemoteThread HOW #4 – Technique #1

8. HOW #4 – Technique #1 - Demo

9. Jump and Execute Interface – make a interface that will read the file and then jump to that location and execute the code Raw Material: ReadFile JMP HOW #4 – Technique #2

10. HOW #4 – Technique #2 - Demo

11. Loaders Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. Raw Material: CreateProcess – suspended WriteProcessMemory ResumeThread HOW #4 – Technique #3

12. HOW #4 – Technique #3 -Demo

13. What if AV flag Interface ? Yes, they can but the interface code is using legitimate APIs with very minimal code. Many legitimate programs use similar APIs so fear of false positive. May be they can flag on the basis of MD5  HOW #5

14. Simply call it shellcode detection The Philosophy Emulate or Execute Everything Exception – move to next byte Abort execution if anytime EIP >= 7xxxxxxx Scan – Detection Countermeasures

15. Shellcode Detection - Demo

16. “Shellcode Detection” Technique and source codes are distributed under CC. http://creativecommons.org/licenses/by-nc/3.0/ Codes: https://sites.google.com/site/hacking1now/tools Legal Statement

Notes de l'éditeur

Reference: Three ways to inject code into a remote process - http://www.codeproject.com/KB/threads/winspy.aspx

Antivirus Evasion Techniques and Countermeasures

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Antivirus Evasion Techniques and Countermeasures

Similaire à Antivirus Evasion Techniques and Countermeasures (20)

Plus de securityxploded

Plus de securityxploded (20)

Dernier

Dernier (20)

Antivirus Evasion Techniques and Countermeasures

Notes de l'éditeur