#1
Evading behavior analysis
This is my first post on exetools, so hello to all.
I generally experiment with post-exploitation tools and sometimes develop my own. What I have noticed working with major antivirus products is that evading detection statically or in memory is easy (call APIs dynamically and obfuscate strings, followed by ghostwriting or process hollowing), but the behaviour analysis at run time detects the payload. As I was testing with Kaspersky and Avast, the payload executed successfully, but after a few minutes it was detected by the behaviour analysis module and neutralized. To resolve this problem I proposed hooking all API calls in the payload exe and choosing a random time interval or API call before the execution of the original API; maybe behaviour detection can be evaded that way. I would like to discuss this more and want to know what your thoughts are on this, and whether someone can propose a better solution. Please enlighten me, and apologies if I did something wrong.
#2
The key is not the timing. Usually, the timing doesn't play a major role in the following analyses. A good hint might be understanding when the payload gets detected.
Try to make some borderline programs: some that you think will trigger the red flag and some, doing similar things, that won't trigger it. After this, you should start to see a pattern. If you were an antivirus programmer, what would you check for?
#3
Yes, timing does not play a major role, but the execution of a heuristic API chain surely does. What I am suggesting is to call random garbage APIs in between these chains.
Also, Kaspersky would just flag a warning on the use of the OpenProcess API as "program trying to inject into the process". Is there anything that can be done to avoid that? I think not. Talking about a precompiled binary to be evaded, do you think stuffing garbage API calls in between chains would evade it?
#4
It depends on the payload's behaviour too. If it performs many suspicious actions, like adding a startup key, making outbound connections, copying itself, among others, then it should be more difficult to hide it from AVs.
It depends too on your defences, I mean things like anti-dump (try to protect some memory parts in some way), anti-emulation and anti-debug to avoid the AV's code emulation and its sandbox. In my personal experience API hooks are not needed; you can use other ways like syscalls or changing the API flow of your loader, or simply both. Here are some tips about runtime detection: Quote: