Messing Around Avs
Shubham Mittal
Agenda
  •   Who am I ?
  •   Why need AV bypassing ?
  •   How AVs work ?
  •   Bypass ? HTF ?
  •   W00t W00t
  •   More research requirement..
  •   Shoot your questions..
Who Am I ?
  •   Security Consultant @ Hackplanet Technologies
  •   Penetration tester
  •   Spoken at various National Level Conferences (Techno Tryst 2012, NSWET 2011, etc.)
  •   Current Areas : SOC, Malware Analysis, MSF, Network Forensics
Why need AV bypassing ?
  •   Firewalls can be bypassed with client-side attacks, which require some piece of code on the remote machine, but AV picks it up.
  •   You made a virus and sent it to the remote machine, but AV picks it up.
  •   You have a payload which you want to execute. You social-engineered the owner into executing your payload, but AV picks it up.
Signature Based Detection
Bypass ? HTF ?
  •   Crypters (UPX, etc.) - Old approach
  •   Smart Crypter ( We will do it )
  •   Shellcode Injection ( We will do it too )
Crypters, hmm…
But AVs are not fools either. They have a mind of their own: a plainly packed file (UPX and friends) is unpacked or flagged on sight.
Smart Crypters – PE Crypter
  •   Hyperion : By Christian Ammann (Null Security Team)
  •   Packs the PE file with AES.
  •   The key used for encryption is SMALL.
  •   At runtime, the key is brute forced. Algorithm :-
        1.   Copy the encrypted file in memory as a backup.
        2.   Guess the key.
        3.   Decrypt the DATA.
        4.   Verify the DATA with checksums.
        5.   If the key is right, cheers !
        6.   If not, restore the data section from the backup and go to step 2.

   More info : http://www.nullsecurity.net , http://exploit-db.com
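Why a crypter does not blind every scanner: whatever the key, the AES-encrypted payload is a high-entropy blob sitting next to a small, low-entropy decryption stub, and that layout is itself a signal. The following is an added example (not Hyperion's code, and not from the slides) of the kind of entropy heuristic a static scanner applies. It assumes a PE is represented as a list of (section name, raw bytes) pairs; the sample sections are constructed, and a seeded PRNG stream stands in for the AES-encrypted payload, since encrypted data is statistically indistinguishable from random bytes for this purpose.

```python
"""Entropy heuristic for spotting an encrypted/packed section (added example).

Assumptions (not from the slides): a PE is modelled as a list of
(name, raw_bytes) sections. CONSTRUCTED_PACKED / CONSTRUCTED_CLEAN below are
made-up inputs; the PRNG bytes are a stand-in for an AES-encrypted payload.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0      # bits per byte; ordinary x86 code sits around 5.5-6.5
SMALL_STUB = 8192       # a decryption stub is tiny compared with the payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sections(sections):
    """Return {name: (entropy rounded to 2 dp, flagged)} for each section.

    A section is flagged when its entropy reaches HIGH_ENTROPY, which is what
    an encrypted payload looks like regardless of how small the key is.
    """
    report = {}
    for name, raw in sections:
        ent = shannon_entropy(raw)
        report[name] = (round(ent, 2), ent >= HIGH_ENTROPY)
    return report


def looks_packed(sections) -> bool:
    """Classic crypter layout: a high-entropy section plus a small
    low-entropy one (the stub that brute-forces the key at runtime)."""
    report = classify_sections(sections)
    has_payload = any(flag for _, flag in report.values())
    has_stub = any(not report[name][1] and len(raw) < SMALL_STUB
                   for name, raw in sections)
    return has_payload and has_stub


# --- constructed sample inputs (deterministic so the results are reproducible) ---
_rng = random.Random(2012)
_STUB_BYTES = b"\x55\x8b\xec\x83\xc4\xc3\x90\x00\xff"   # a few opcode-like values

CONSTRUCTED_PACKED = [
    (".text", bytes(_rng.choice(_STUB_BYTES) for _ in range(1024))),  # small stub
    (".data", _rng.randbytes(16384)),          # stand-in for the AES-encrypted PE
]
CONSTRUCTED_CLEAN = [
    (".text", bytes(_rng.choice(_STUB_BYTES) for _ in range(4096))),
    (".data", b"\x00" * 2048 + b"Hello, world\x00" * 100),
]

if __name__ == "__main__":
    for label, sample in (("packed", CONSTRUCTED_PACKED), ("clean", CONSTRUCTED_CLEAN)):
        print(label, classify_sections(sample), "=> packed:", looks_packed(sample))
```

Entropy is a triage signal, not a verdict: compressed resources and legitimately encrypted data trip the same threshold, so a scanner combines it with other evidence (a near-empty import table, the entry point inside the small section). It also explains why the runtime brute-force buys little against emulation: an engine that executes the stub in a sandbox simply waits for the correct key to be found and scans the decrypted image.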
Shellcode Injection
  •   Inject your shellcode into a process.
        •   Can be used for backdooring;
        •   Can be used for getting different shells on the remote system.
  •   Shellcodeexec (https://github.com/inquisb/shellcodeexec)
  •   Syringe.exe (http://www.securestate.com/Documents/syringe.c)
Syringe.exe
   References :
        1. Paper on Exploit-db by infog33k
        2. A comment on http://forums.mydigitallife.info/threads/23461-Batch-Hide-cmd-batch-window
        3. Creating a self-extractor with 7zip: http://www.wikihow.com/Use-7Zip-to-Create-Self-Extracting-excutables
How it Works..
  •   Calls VirtualAlloc to obtain a region of memory in which to execute the shellcode.
  •   VirtualAlloc : Windows-specific call that reserves a region with read, write and execute permissions. (Read and write permissions are required for alphanumeric shellcode, which decodes itself in place before running.)
  •   Copies the shellcode into the memory returned by VirtualAlloc.
  •   Executes the shellcode with the help of an assembly stub that jumps directly to the location of the shellcode.
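The allocate-RWX, copy, execute sequence just described is exactly what a sandbox or EDR looks for. Below is an added example (not Syringe's code, and not from the slides) of that detection logic run over an API trace. The trace format is constructed for this example; real sandbox and EDR traces differ in syntax, but the logic transfers: remember every region VirtualAlloc returns with PAGE_EXECUTE_READWRITE (0x40, the real Windows constant), note when it is written to, and flag any thread start whose address lands inside such a region.

```python
"""Flag VirtualAlloc(RWX) -> write -> execute sequences in an API trace (added example).

Assumptions (not from the slides): the "<pid> <api> key=value ... => <ret>"
trace format and the sample lines are constructed; real tool output differs.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40   # real Windows memory-protection constant

# Constructed trace. The first three lines are the injection pattern; the last
# two allocate a PAGE_READWRITE (0x04) buffer and write to it, which is benign.
CONSTRUCTED_TRACE = """\
4120 VirtualAlloc lpAddress=0x0 dwSize=0x1000 flAllocationType=0x3000 flProtect=0x40 => 0x00A50000
4120 memcpy dst=0x00A50000 src=0x0040B000 size=0x2E0 => 0x00A50000
4120 CreateThread lpStartAddress=0x00A50000 => 0x1F4
4120 VirtualAlloc lpAddress=0x0 dwSize=0x10000 flAllocationType=0x3000 flProtect=0x04 => 0x00B00000
4120 memcpy dst=0x00B00000 src=0x0040C000 size=0x4000 => 0x00B00000
"""

HEX = r"(0x[0-9A-Fa-f]+)"
ALLOC_RE = re.compile(rf"^(\d+) VirtualAlloc .*dwSize={HEX} .*flProtect={HEX} => {HEX}$")
WRITE_RE = re.compile(rf"^(\d+) (?:memcpy|WriteProcessMemory) dst={HEX}")
EXEC_RE = re.compile(rf"^(\d+) (?:CreateThread|CreateRemoteThread) lpStartAddress={HEX}")


def _owning_region(regions, pid, addr):
    """Return the (pid, base) key of the tracked region containing addr, if any."""
    for (p, base), info in regions.items():
        if p == pid and base <= addr < base + info["size"]:
            return (p, base)
    return None


def find_rwx_injections(trace: str):
    """Return [(pid, base, size)] for RWX regions that were written to and then executed."""
    regions = {}   # (pid, base) -> {"size": int, "written": bool}
    hits = []
    for line in trace.splitlines():
        if m := ALLOC_RE.match(line):
            pid, size, prot, base = m.groups()
            # Low byte holds the protection; upper bits are modifiers such as PAGE_GUARD.
            if (int(prot, 16) & 0xFF) == PAGE_EXECUTE_READWRITE:
                regions[(int(pid), int(base, 16))] = {"size": int(size, 16), "written": False}
        elif m := WRITE_RE.match(line):
            pid, dst = m.groups()
            key = _owning_region(regions, int(pid), int(dst, 16))
            if key:
                regions[key]["written"] = True
        elif m := EXEC_RE.match(line):
            pid, start = m.groups()
            key = _owning_region(regions, int(pid), int(start, 16))
            if key and regions[key]["written"]:
                hits.append((key[0], key[1], regions[key]["size"]))
    return hits


if __name__ == "__main__":
    for pid, base, size in find_rwx_injections(CONSTRUCTED_TRACE):
        print(f"pid {pid}: code executed from RWX region 0x{base:08X} (size 0x{size:X})")
```

Two practitioner notes. First, in-process copies like the memcpy here are normally invisible to an API-hooking trace; cross-process injection shows up as WriteProcessMemory, which is why the matcher accepts both. Second, legitimate JIT engines avoid RWX by allocating read-write and flipping to read-execute with VirtualProtect, so a production rule should also track protection changes rather than only the initial allocation flag; a plain RWX allocation alone is already worth an alert in most environments.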
Got queries, suggestions, comments : shubham@hackplanet.in
