Basic Anti-Virus Evasion

go back / p4p1

Created on Thu. 11 Apr 2024

God I love windows. Since I completed all of these Hack The Box Pro labs I've been working towards the OSEP and using Havoc as much as I could to progress on C2 frameworks and more advanced red team topics.

Obviously by doing all these courses and using all of these tools I got confronted to Anti-Viruses a lot more than before and I started to learn pretty quick how those things work. I already in the past had to work with AV directly at work through bypassing defender with powershell in memory and things like that but evil-winrm was always doing the heavy lifting for me :)

Overview

Now inside a lot of basic malware dev courses they will cover techniques such as XOR encoding and decoding with Loaders and things like that! I used to use a lot of tools for my loaders but those after a few weeks would be flagged by defender since they are open source and I would then be stuck back to where I was at before. So I wanted to basically make my own loader. I first messed around by creating a stager for Havoc but I was quite unsuccessful I then did the OSEP course and looked at some c# development. Most loaders follow the same technique. You have a big variable then some kind of loading technique like process injecting, calling different win32 apis to load the shellcode into memory and then resuming or running the process. During the OSEP course I obviously started working on building my own little loader nothing to crazy just something that I could start with and then work onto adding more functionality.

Now all of this is new to me I have never worked in C sharp and I am still very much confused. Plus my dev environment for this kind of work is absolute chaos since I am using a windows VM for compiling the C sharp code and I refuse to use Visual Studio so I have a terminal next to my VM in a shared folder with vim running to edit the code! Now to bypass Anti-Virus there are a few things to know the most basic check possible is signature based checks and this is what I will be focused on beating today.

Basics

Since in this post I'll mainly focus on signature detection we will be using a few tools to work on with this. A great one I found is gocheck from gatariee. This tool helps in automating the splitting of your virus and checking the different signatures to see which one is detected by defender or not. Here is a quick example of using this against a havoc demon executable:

Since Havoc is open source it's code will be for sure flagged and this is manly just a check to showcase the tool. But it's pretty cool it divides the .exe file into multiple sub-files and checks with MpCmdRun.exe which one of the files has signatures known to defender and then returns the area that triggers the alert. You could then potentially modify that single byte and if it does not break the Assembly you could have a binary that does not get triggered by the AV.

Encryptions

Now recreating a whole binary for havoc from scratch with new signatures would be a quite a struggle so an easy way to have an exe that wouldn't get recognized by defender would be to encrypt the binary data so that defender cannot match it with an existing hash and then dynamically decrypt it and load it into memory. To do this encryption / decryption there are a few things that we could look at but to start with something basic we could use a cesar cypher!

When I was a kid I always wanted to be a spy like a lot of kids. I grew up watching all of the james bond movies and such and I used to read books about encryption algorithm and such, maybe that's where my love for infosec comes from. But a cesar cypher is actually quite simple its just an increment on every character in the case of binary data since everything is a number you could just do a + x which would give you a "obfuscated" code that you can then do - x on and get the original data back. 

          
            encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
            decoded[i] = (byte)(((uint)encoded[i] - 2) & 0xFF);

You could also use a XOR cypher since a XOR or eXclusive OR is a binary operation that takes bytes and flips them depending on if the bytes are the same or not:

Since these algorithms are really simple if someone reversed engineered our malware it would be trivial for them to get the original content back but it would potentially defeat signature checks. Which is why I wanted to automate these algorithms and process inside of my c sharp code.

Havoc Venom

Inside of the metasploit framework there is the msfvenom tool that is great to generate payloads to attack machines with and inside of msfvenom you can use different cyphers to encrypt your payload. Havoc does not come with a tool like that so if you want to encrypt your demon you will have to use your own which is where I made havoc_parse.py a little python script that provides you with this ability ^^.

The idea is that you would use this script with your development of loaders you could encrypt and file not just havoc this code works also with msfvenom raw formatted data and probably more. The script will output the encrypted data into a file so that you can easily copy paste the code and also provides you with a snippet to decrypt the code. Currently it works the best with c sharp but I am also adding support for powershell, visual basic for MS office and at some point I'll also do C.

Showcase

Now this bit is actually cool so let's look back at our basic loader in C# we have directly the havoc.bin file in hexadecimal. Here is a quick bash script to get the same result as I have: 

          
            echo "byte[] buf = new byte[$(wc -c ./demon.x64.bin | cut -d' ' -f 1)] {$(xxd -p -c 1 ./demon.x64.bin | awk '{ printf "0x%s, ", $0 }' | sed 's/, $//')};"

If we check then this binary with gocheck this is what we see... Now here I was going to put a screenshot that looks like the following:

But for some reason the custom loader with the unencrypted havoc binary does not get triggered by defender so hey here is a free loader that bypasses windows defender for some unknown reason. Now just for the sake of going further with this project I will now showcase using havoc_parse but as you can see by taking havoc and wrapping it inside of a dummy loader we already are one step closer at bypassing the AV.

Now here is the havoc_parse.py command again where we generate the encrypted shell code and then we also get a cool decryption snippet that we can just paste into our code right after:

Now if we check this binary something funny happens this gets picked up compared to the other loader that was a lot more bare bones this one gets triggered and detected It's probably because the decryption code for the cesar cypher and the xor is inside of the defender hash cash and you might want to change the algorithms around in a way that does not brake the decryption.

So from that information I then move the code so that the two xor and cesar cypher are not directly next to one and other like so:

And now we successfully bypass defender!

Thank you for reading! Funny how some algorithms where already combined and that could lead to you getting detected by defender! I hope that this blog post was interesting to you check out the gocheck tool on github it is honestly brilliant on how good it is. Also check out havoc_parse you might find it useful :)

Categories
Links
p3ng0s
arch linux iso

A linux distribution with my entire config pre-installed. Great for learning linux and pentesting with a steep learning curve.

wiki | repo
Questions / Feedback
For any questions or feedback you can contact me on LinkedIn
Donate
sponsor me image

If you like the content of my website you can help me out by donating through my github sponsors page.

Copyright © Leo Smith 2020