UnKn0wnBooof Posted January 23, 2014

I've been browsing the web trying to find ways of bypassing AV (Antivirus). The first page I visited was: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram and then I decided to do a bit of Googling and found this: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/ All of them require Metasploit to be run. Anyone got any ideas for bypassing AV without the need of a secondary computer? Of course, there's the method of killing the AV UI and service, but I'm sure AV software has ways to prevent that, and I'd also need as much information as possible about different AV software such as service name, installation path, etc. You lot have any ideas?

Xcellerator Posted January 23, 2014

It depends on what you're trying to get past the AV. Antivirus works in lots of ways; for instance, a 'file shield' works by detecting known signatures within files that are being transferred to the hard disk. Many AVs also have firewalls, web page scanners, email client scanners, and some even have P2P network shields. It would help to know what it is you're trying to achieve. Is it just executing a binary on a remote host?

overwraith Posted January 23, 2014

Some people use a technique called program obfuscation to change what their executable looks like, and sometimes how it functions. There are many ways of accomplishing this, but fewer programs that actually do it. Any program that is any good at masking an executable usually costs money. It is possible, however, to obfuscate executables if you have access to the source code and you have a compiler that does not necessarily optimize. One way of obfuscating is adding dead code, which can be done by adding statements that do not do anything after a break or return. If the compiler optimizes, however, then the executable will look the same regardless, because it will strip out the code. I am not even sure how hackers do it; Metasploit is involved, I think. I once did a paper on the obfuscation that software developers use to make it harder to reverse engineer their programs, so there are a few differences. I think the main difference between the way hackers do it and the way software developers do it is that they do it at different levels of the development process.

xSploit Posted January 24, 2014 (edited)

> Some people use a technique called program obfuscation to change what their executable looks like, and sometimes how it functions. There are many ways of accomplishing this, but fewer programs that actually do it. Any program that is any good at masking an executable usually costs money. It is possible, however, to obfuscate executables if you have access to the source code and you have a compiler that does not necessarily optimize. One way of obfuscating is adding dead code, which can be done by adding statements that do not do anything after a break or return. If the compiler optimizes, however, then the executable will look the same regardless, because it will strip out the code. I am not even sure how hackers do it; Metasploit is involved, I think. I once did a paper on the obfuscation that software developers use to make it harder to reverse engineer their programs, so there are a few differences. I think the main difference between the way hackers do it and the way software developers do it is that they do it at different levels of the development process.

Obfuscation does not prevent malware alerts whatsoever. There are many methods of bypassing AVs, and programs which do so are called crypters. I'm not familiar with the Rubber Ducky as I'm only just purchasing it as we speak, but common methods used in crypters are basically adding junk code to the file, breaking the file before runtime and then putting it back together when the file is being run. I don't know a lot about the subject, but I am a software developer and I do own private crypters. I think overwraith is confusing crypters with obfuscators, as he seems to be somewhat getting at the same angle as me.

Edited January 24, 2014 by xSploit

overwraith Posted January 24, 2014 (edited)

I may be confused, but obfuscators do in fact change the way the executable functions and how it looks at a machine code level. If I have to double check myself, then so do you. From my point of view they do literally the same thing, which is change what the machine code looks like. The machine code is what the antivirus uses to determine whether your code has malicious intent. The antivirus has signatures, which are basically pictures of what the machine code looks like. These are what it compares to when determining whether the code is a virus. Crypters probably do have more advanced methods of obfuscating the machine code, like encryption and polymorphic engines.

Edited January 24, 2014 by overwraith

MB60893 Posted January 25, 2014

Hi again Lavanoid,

Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive).

Cheers,
MB60893

Xcellerator Posted January 25, 2014

Even then, some crypters actually INCREASE the likelihood of detection due to the fact that the engine has to be in the stub somewhere so that the code can be decrypted at runtime. That's why there are lots of EXE encryption engines, but only a few are actually used by the majority.

AgentGod Posted January 25, 2014

> Obfuscation does not prevent malware alerts whatsoever. There are many methods of bypassing AVs, and programs which do so are called crypters. I'm not familiar with the Rubber Ducky as I'm only just purchasing it as we speak, but common methods used in crypters are basically adding junk code to the file, breaking the file before runtime and then putting it back together when the file is being run. I don't know a lot about the subject, but I am a software developer and I do own private crypters. I think overwraith is confusing crypters with obfuscators, as he seems to be somewhat getting at the same angle as me.

This is not true. Obfuscation works in a way that it adds bullshit code to the malware (if it's malware you have) and can make it scantime FUD (meaning if the AV scans it, it won't get detected), while if you run the same file that you just obfuscated, it will not run if your "malware" is actually runtime detected. What a crypter does is add dead code, as you said, just like the obfuscator. An obfuscator changes variable names and such, while a crypter has two parts: the builder and the stub. The builder encrypts your server and binds it with the stub. When run, the stub decrypts your server and injects your server into another process to be run. Obfuscators should not be used to hide malware; they are really for people to make their .exe's less 'decompileable,' so the source code of the program will not be found/leaked. I myself use obfuscators for PDF and Doc exploits, something which you can't crypt, but using an obfuscator you can easily bypass a few AVs.

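Xcellerator and AgentGod above describe a crypter as an encrypted payload bundled with a stub that decrypts it at runtime. The following is an added example, written for this thread rather than taken from any poster, of the heuristic defenders and triage tools use against exactly that layout: encrypted or compressed data has near-maximal byte entropy, so a windowed entropy scan flags the payload region no matter which bytes it contains. The sample buffer is constructed (repetitive plain bytes as a stand-in for the stub, pseudo-random bytes as a stand-in for the encrypted payload), and the 512-byte window and 7.0 bits/byte threshold are my assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 512              # assumed window size in bytes
PACKED_THRESHOLD = 7.0   # assumed bits/byte; plain code and text rarely exceed ~6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_packed_regions(blob: bytes, chunk: int = CHUNK,
                            threshold: float = PACKED_THRESHOLD):
    """Return (offset, entropy) for every window whose entropy suggests encrypted/compressed data."""
    hits = []
    for off in range(0, len(blob), chunk):
        window = blob[off:off + chunk]
        if len(window) < chunk // 2:   # skip a tiny tail window; too few bytes to judge
            continue
        e = shannon_entropy(window)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def build_sample() -> bytes:
    """Constructed sample: 2048 bytes of repetitive 'stub' followed by 2048 pseudo-random bytes
    standing in for an encrypted payload (deterministic seed so results are reproducible)."""
    stub = (b"MOV EAX, 0; ADD EAX, 1; JMP LOOP; " * 70)[:2048]   # low-entropy filler
    rng = random.Random(1337)
    payload_like = bytes(rng.getrandbits(8) for _ in range(2048))  # high-entropy filler
    return stub + payload_like


if __name__ == "__main__":
    sample = build_sample()
    for off, e in scan_for_packed_regions(sample):
        print(f"offset 0x{off:04x}: entropy {e:.2f} bits/byte -> likely packed or encrypted")
```

Analysts apply the same measurement per PE section or per resource rather than over the raw file, so that a single high-entropy section stands out against otherwise ordinary code and data.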
overwraith Posted January 25, 2014

I reviewed the paper I wrote, and apparently there are two forms of virus-inspired code obfuscation techniques: polymorphism and metamorphism. Polymorphism is code that mutates while keeping the original algorithm intact. Metamorphic code is code that can reprogram itself. (I hope I got these definitions right.) So where would we go to learn more about crypters?

MB60893 Posted January 25, 2014

You are never going to be perfect with your antivirus detection and disabling techniques in any case. Your best bet is just to find a way of not triggering an AV.

UnKn0wnBooof (Author) Posted January 26, 2014

> Hi again Lavanoid,
>
> Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive).
>
> Cheers,
> MB60893

Looking into it now... Thanks everyone.