1 / 16

Anti-Virus Evasion techniques and Countermeasures

Anti-Virus Evasion techniques and Countermeasures. Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com. Agenda. Why How Countermeasure Legal Statement . WHY. I am a Penetration Tester. I want to use public codes* without fear.

Download Presentation

Anti-Virus Evasion techniques and Countermeasures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Anti-Virus Evasion techniques and Countermeasures Amit Malik (DouBle_Zer0) SecurityXploded and Garage4hackers Bangalore Chapter Lead E-Mail: m.amit30@gmail.com

  2. Agenda • Why • How • Countermeasure • Legal Statement 

  3. WHY • I am a Penetration Tester. • I want to use public codes* without fear. • I want to know the system internals. • I want to impress my girl friend ^_^. • I want to test effectiveness of security technologies.

  4. HOW #1 • Warning: Everything that I will discuss here is not applicable to .exe files. • Logic – divide exe in two parts – means don’t make exe. • Code • Interface • Code – it is our normal code with some additional powers – stand alone executable code. • Interface - interface will execute the code • In simple words we need a shellcode type code and a interface to execute the shellcode.

  5. HOW #2 • Why we are splitting exe in two parts ? • AV detection techniques • Signature based • Emulation + signature • MD5  • Heuristic  • If your binary is packed then AV uses Emulation + signature tech. for detection. • By splitting exe in two parts we can bypass AVs. • True fact: generating exe is simpler than writing the stand alone executable code that performs the same function. 

  6. HOW #3 • Techniques: • Code injection in another process • Jump and Execute • Loaders

  7. HOW #4 – Technique #1 • Code injection in another process • Interface – make a interface that will read the “code” and will inject it into another process. • Raw Material: • OpenProcess • WriteProcessMemory • CreateRemoteThread

  8. HOW #4 – Technique #1 - Demo

  9. HOW #4 – Technique #2 • Jump and Execute • Interface – make a interface that will read the file and then jump to that location and execute the code • Raw Material: • ReadFile • JMP

  10. HOW #4 – Technique #2 - Demo

  11. HOW #4 – Technique #3 • Loaders • Interface – make a interface that will read the “code” and creates a trusted process in suspended mode and overwrite the “code” at the entry point of the suspended process and then resume the thread. • Raw Material: • CreateProcess – suspended • WriteProcessMemory • ResumeThread

  12. HOW #4 – Technique #3 -Demo

  13. HOW #5 • What if AV flag Interface ? • Yes, they can but the interface code is using legitimate APIs with very minimal code. • Many legitimate programs use similar APIs so fear of false positive. • May be they can flag on the basis of MD5 

  14. Countermeasures • Simply call it shellcode detection • The Philosophy • Emulate or Execute Everything • Exception – move to next byte • Abort execution if anytime EIP >= 7xxxxxxx • Scan – Detection

  15. Shellcode Detection - Demo

  16. Legal Statement • “Shellcode Detection” Technique and source codes are distributed under CC. • http://creativecommons.org/licenses/by-nc/3.0/ • Codes: https://sites.google.com/site/hacking1now/tools

More Related