Amit Malik (DouBle_Zer0) - PowerPoint Presentation

ellena-manuel
Uploaded On 2018-12-13


Presentation Transcript

Slide1

Anti-Virus Evasion techniques and Countermeasures
Amit Malik (DouBle_Zer0)
SecurityXploded and Garage4hackers Bangalore Chapter Lead
E-Mail: m.amit30@gmail.com

Slide2

Agenda
Why
How
Countermeasure
Legal Statement

Slide3

WHY
I am a Penetration Tester.
I want to use public codes* without fear.
I want to know the system internals.
I want to impress my girlfriend ^_^.
I want to test the effectiveness of security technologies.

Slide4

HOW #1
Warning: Everything that I will discuss here is not applicable to .exe files.
Logic – divide the exe in two parts – meaning don’t make an exe.
Code
Interface
Code – it is our normal code with some additional powers – stand-alone executable code.
Interface – the interface will execute the code.
In simple words we need a shellcode-type code and an interface to execute the shellcode.

Slide5

HOW #2
Why are we splitting the exe in two parts?
AV detection techniques:
Signature based
Emulation + signature
MD5
Heuristic
If your binary is packed then AV uses the Emulation + signature technique for detection.
By splitting the exe in two parts we can bypass AVs.
True fact: generating an exe is simpler than writing the stand-alone executable code that performs the same function.

Slide6

HOW #3
Techniques:
Code injection in another process
Jump and Execute
Loaders

Slide7

HOW #4 – Technique #1
Code injection in another process
Interface – make an interface that will read the “code” and inject it into another process.
Raw Material:
OpenProcess
WriteProcessMemory
CreateRemoteThread

Slide8

HOW #4 – Technique #1 - Demo

Slide9

HOW #4 – Technique #2
Jump and Execute
Interface – make an interface that will read the file, then jump to that location and execute the code.
Raw Material:
ReadFile
JMP

Slide10

HOW #4 – Technique #2 - Demo

Slide11

HOW #4 – Technique #3
Loaders
Interface – make an interface that will read the “code”, create a trusted process in suspended mode, overwrite the “code” at the entry point of the suspended process and then resume the thread.
Raw Material:
CreateProcess – suspended
WriteProcessMemory
ResumeThread

Slide12

HOW #4 – Technique #3 - Demo

Slide13

HOW #5
What if AV flags the Interface?
Yes, they can, but the interface code is using legitimate APIs with very minimal code.
Many legitimate programs use similar APIs, so there is a fear of false positives.
Maybe they can flag on the basis of MD5.

Slide14
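The HOW #5 question above (can AV flag the interface without drowning in false positives?) has a defender-side answer that the Raw Material lists make concrete: alert on the complete, ordered API chain from one caller against one target process, not on any single call. The following is an added example, not the deck's own code or demo; the trace format, image names and pids are all constructed. It covers Technique #1 (OpenProcess, WriteProcessMemory, CreateRemoteThread) and Technique #3 (CreateProcess in suspended mode, WriteProcessMemory, ResumeThread). Technique #2 (ReadFile then JMP) runs inside the interface's own process and leaves no cross-process API trail of this kind, so it is out of scope for this check.

```python
import re
from collections import defaultdict

# Constructed sample of an API-call trace (not real telemetry). One event per
# line: timestamp, calling pid and image, the API, and the pid it acted on.
SAMPLE_TRACE = """\
10:00:01 pid=4100 image=interface.exe api=OpenProcess target=2220
10:00:01 pid=4100 image=interface.exe api=WriteProcessMemory target=2220
10:00:02 pid=4100 image=interface.exe api=CreateRemoteThread target=2220
10:00:05 pid=5200 image=debugger.exe api=OpenProcess target=3300
10:00:05 pid=5200 image=debugger.exe api=ReadProcessMemory target=3300
10:00:09 pid=6100 image=loader.exe api=CreateProcess target=6150 flags=CREATE_SUSPENDED
10:00:09 pid=6100 image=loader.exe api=WriteProcessMemory target=6150
10:00:10 pid=6100 image=loader.exe api=ResumeThread target=6150
10:00:12 pid=7000 image=installer.exe api=CreateProcess target=7010 flags=0
10:00:12 pid=7000 image=installer.exe api=ResumeThread target=7010
"""

# Regex for the constructed line format above (hypothetical, not a real
# product's log layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+)"
    r" target=(?P<target>\d+)(?: flags=(?P<flags>\S+))?$"
)

# Ordered API chains taken from the deck's "Raw Material" slides. A chain only
# completes when every step is seen, in order, from the same caller against
# the same target pid, so a lone OpenProcess or WriteProcessMemory (common in
# legitimate tools) never alerts by itself.
CHAINS = {
    "Technique #1 (remote thread injection)":
        ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    "Technique #3 (suspended-process loader)":
        ("CreateProcess:CREATE_SUSPENDED", "WriteProcessMemory", "ResumeThread"),
}


def parse_trace(text):
    """Turn trace lines into (ts, pid, image, step, target) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the constructed format
        d = m.groupdict()
        step = d["api"]
        # Only a suspended CreateProcess counts as the first loader step.
        if step == "CreateProcess" and d["flags"] and "CREATE_SUSPENDED" in d["flags"]:
            step = "CreateProcess:CREATE_SUSPENDED"
        events.append((d["ts"], int(d["pid"]), d["image"], step, int(d["target"])))
    return events


def detect_injection_chains(text):
    """Return (image, pid, target_pid, chain_name) for every completed chain."""
    events = parse_trace(text)
    # progress[(caller pid, target pid, chain)] = index of the next expected step
    progress = defaultdict(int)
    alerts = []
    for _ts, pid, image, step, target in events:
        for name, steps in CHAINS.items():
            key = (pid, target, name)
            idx = progress[key]
            if idx < len(steps) and steps[idx] == step:
                progress[key] = idx + 1
                if progress[key] == len(steps):
                    alerts.append((image, pid, target, name))
    return alerts


if __name__ == "__main__":
    for image, pid, target, name in detect_injection_chains(SAMPLE_TRACE):
        print(f"{image} (pid {pid}) -> pid {target}: {name}")
```

On the constructed trace this flags interface.exe and loader.exe and stays silent on the debugger (OpenProcess plus ReadProcessMemory, no write or thread creation) and the installer (a normal, non-suspended CreateProcess). A completed chain is a much stronger signal than any one API, but it is still a behavioural match rather than proof; in practice it would be combined with the caller's reputation and the identity of the target process before blocking.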

Countermeasures
Simply call it shellcode detection.
The Philosophy:
Emulate or Execute Everything
Exception – move to next byte
Abort execution if at any time EIP >= 7xxxxxxx (control has left the scanned bytes for the high address range where the system DLLs are mapped)
Scan – Detection

Slide15

Shellcode Detection - Demo

Slide16

Legal Statement
“Shellcode Detection” Technique and source codes are distributed under CC.
http://creativecommons.org/licenses/by-nc/3.0/
Codes: https://sites.google.com/site/hacking1now/tools