Bypassing Antivirus 2023
This article is about Bypassing Antivirus.
Introduction to Bypassing Antivirus
Antivirus is a software program whose main task is to protect, identify and remove any malicious software or virus. However, if we take a close look at how antivirus actually works to identify and remove viruses, we’ll realize that it’s not too difficult to bypass them.
There are many ways to bypass antivirus, most of them involve the use of automatic tools. There is also a good framework known as “Veil Framework” that creates malicious binaries that are very good at bypassing antivirus.
While automating things is good and saves time, it’s also important to understand how the antivirus evasion process actually works. Modern antivirus will also flag binaries created from automated tools. Therefore, it is important to know manual techniques to avoid antivirus.
In this article, I will modify the Netcat listener binary to bypass the most popular and commonly used antivirus.
The goal is to ensure that the Netcat listener is not detected by anti-virus software and at the same time should work without problems.
In order to follow the steps in this article, it is important to have a basic understanding of the symbolic instruction language and a general understanding of the Debugger (in this case we will be using Immunity) and its usage.
Antivirus scanners mostly rely on a signature pattern from a local database to identify malicious files and viruses. They also scan the file when it is on disk and not in memory.
If we can change the contents of our Netcat binary while it is on disk, an antivirus that scans the file will not be able to identify the signature because the binary contents of the file have been changed. Now that the file is open, we restore the contents of the in-memory Netcat binary to ensure that the file runs successfully.
Although a modern antivirus scans files in memory and tries to replicate its behavior in a sandbox environment, there are other ways to get around this limitation, but now we will focus on the scenario where an antivirus that does not scan a file in memory.
1) First, we set up a Netcat listener and scan it for viruses overall website. This will give us an idea of how many antivirus scanners detect the Netcat binary as a malicious file in its original state. The Netcat binary can be downloaded from this website: https://joncraton.org/blog/46/netcat-for-windows/
Below are the results after scanning the Netcat binary for virus
As you can see, a large number of antivirus scanners identify this Netcat binary as malicious. Now we will try to reduce the detection ratio of this Netcat file (31/57) by changing the binary content of the file.
2) What we will try to do is hijack the entry point of our malicious Netcat listener, redirect it to STUB (which in this case will be a custom XOR encoder) which will encode the contents of the file. This snippet will be a small shellcode that can be placed in the dead space available in the Netcat binary.
After running the stubs on the Netcat binary, you will notice that the contents of the Netcat file have changed completely. Now we can scan this file on the total virus web page and see if the Netcat detection rate of this file goes down.
Related artile:Everything you need to know about Ethical Hacking as a Career by Blackhat Pakistan 2023
In a real world scenario, we save this encrypted file on the victim’s computer, but because its content has changed, it bypasses the antivirus, now when we run the file, the XOR encoder runs again on the file while it is in memory and changes the file back to its original content and the file will run successfully. This is because when the XOR function is run on code that is already XOR’ed, it returns the original code.
3) Let’s start by loading the Netcat file into the Immunity Debugger and looking for some dead space code where we can put our snippet.
As we can see, there is some dead space in the Netcat binary that can be used to place our snippet. In my case, the dead space starts at: 0040A972.
4) Hijack the entry point of the Netcat binary and redirect it to a dead space address (ie 0040A972). During entry point hijacking, we also note the initial instructions that are overwritten because they would have to be reintroduced.
The program’s initial instructions are:
00404AC3 6A 18 PRESS 18
00404AC5 68 98C04000 PUSH nc.0040C098
00404ACA E8 69030000 CALL No. 00404E38
We hijack the entry point by overwriting the first instruction by redirecting to our code address in the dead space. When rewriting the code, we will notice that the first two instructions are overwritten, which will have to be re-inserted into the code later.
5) Now we will save the changes made to this binary by right clicking and selecting Copy to Executable and save the file as nc1.exe.
Before we open this file and jump to our code address in the dead space, it’s important to mark all parts of this file as writable because our snippet (our own XOR encoder) will need to encode the contents of the file. In the Netcat binary we encode the text part of the file so we mark the text part as writable.
To do this, open the nc1.exe file using a PE editor such as Lord PE. Select the text part of the file and right-click to edit the section header and select the write option to save the changes.
6) Now we open the nc1.exe file in the immune debugger and jump (by pressing F7) to the address of the dead space code.
From this address, we next encode the entire text part of the file using our own XOR encoder. Before we start encoding, we note the start and end address of the text part. This address is located in the debugger itself from the third instruction (after redirecting to the dead space code) to the end of the file. The start and end address of the text section can also be found by clicking on the “M” (Memory Map) tab in the immunity debugger.
In my case, the start and end addresses of the text parts of the file are:-
Starting address: 00404ACA
End address: 0040A96D
7) Now we write our own XOR encoder snippet. The custom stub will contain the following instructions:-
0040A972 B8 CA4A4000 MOV EAX,nc2.00404ACA
0040A977 8030 0F XOR BYTE PTR DS:[EAX],0F
0040A97A 40 INC EAX
0040A97B 3D 6DA94000 CMP EAX,nc2.0040A96D
0040A985 7E F0 JLE SHORT nc2.0040A977
0040A987 6A 18 PRESS 18
0040A989 68 98C04000 PUSH nc2.0040C098
0040A98E E9 37A1FFFF JMP nc2.00404ACA
The first instruction moves the value of the start address of the text section (00404ACA) in the EAX register. Then we XOR the value of the EAX register with the 0F key. Now we increase the value of EAX. Then compare the EAX value with the end address of the text section (0040A96D). If the end address is not reached, simply go back to the second instruction (0040A977) and continue the process. Once the address is reached, simply reload the program’s initial instruction and continue normal execution.
8) After writing this snippet, we copy the changes to the executable and save the file as nc2.exe.
Now we will open this file and allow the snippet to run and encode the entire text part of the file. After encoding the text section, we go to the starting address of the text section, i.e. 00404ACA (by right-clicking and choosing Go To>Expression in the immunity debugger) and select all the encoded data directly to the end of the text section and copy the changes to the executable. Now we save the file and rename it to nc3.exe.
We have now completely changed the content of the text part of this file. If we scan this nc3.exe file for virus
overall website, we can see that the detection rate has decreased significantly. (20/57)
In a real world scenario, what happens is that a modified Netcat binary is saved to disk because the binary is changed, the signature is also changed and the antivirus is bypassed, and when we open that file again, the custom XOR encoder runs on the file again, and as we know, if we run the XOR function again on code that is already XOR’ed, we get the original content back.
Therefore, when the file is opened, XOR Encoder returns the edited binary back to its original state in memory, bypassing Antivirus.
9) Now the XOR encoder stub is not the only way to write custom encoders; there are many different ways to write these encoders. For example, we can use a snippet that adds 15 bytes to the code, then XORs it with the key 0A, and then adds another 35 bytes to the code. When used in nc.exe the above code will look like this:-
ADD BYTE PTR DS:[EAX], 15
XOR BYTE PTR DS:[EAX],0A
ADD BYTE PTR DS:[EAX], 35
JLE SHORT nc2.0040A977
We can now encode the text part by running the snippet above on the Netcat binary and saving the changes to create a modified binary. Now we change our custom encoder to ensure that the binary code can be decoded back in memory. We simply modify the instructions as follows so that the program can decode itself.
ADD BYTE PTR DS:[EAX], -35
XOR BYTE PTR DS:[EAX],0A
ADD BYTE PTR DS:[EAX], -15
JLE SHORT nc2.0040A977
Similarly, we can write our own encoders to modify the binary content of the file and bypass the antivirus.
10) Now, besides writing encoders, there is also another way to bypass the antivirus, which is to rename parts of the binary file. What we will do is open the Netcat binary in the immunity debugger and rename the .text part of the file to .bop.
We can do this simply by right-clicking on the text part, selecting edit header and renaming it from .text to .bop. Then we save the changes to the file and exit the program.
11) After saving this file, if we scan it for virus
overall website, we can see that the antivirus detection ratio has further decreased (15/57) and this time even popular antiviruses like Kaspersky and McAfee have been bypassed.
We see that bypassing antivirus is not the hardest job, we just have to keep trying different techniques to be successful. There are several ways to bypass antivirus and I have only highlighted a few simple ways. Therefore, it is not ideal to rely on antivirus alone to protect critical assets.