Well, let's think outside of the box for a minute ;-)
Beforehand.... *payload* = "Our program that we are trying to sneak past the AV"
If I were trying to do this back in the day (MS-DOS 5-6.22), I would encrypt the file in a .exe loader (that I would write myself), and then decrypt the *payload* in memory, and reload the decrypted *payload* overtop of some null-padded chunk of my loader's memory (maybe just overtop of the original .exe's memory), and restart it.....
So, maybe a loader could be written that:
A. uses the same libs and DLLs (so they are already loaded)
B. decrypts its payload, and overwrites itself (WITHOUT GETTING SWAPPED OR WRITTEN TO DISK!!!!)
C. restarts its own execution......
Maybe this would get past the anti-virus.
I don't have the time, or I would look into the idea, but I suspect that if you search MSDN, you can probably find the format of a .EXE file, and how the libs (.dll's) are loaded...., and once you do that, you can load the needed libs, and bypass the whole writing to disk (I AM ASSUMING THAT THAT IS WHERE AN AV PICKS IT UP AT.....), and bypass detection.
I use McAfee, and I am trying to whip up a little POC program to see if McAfee will catch the decrypted *payload* in memory or not...
I'll keep ya filled in