Exetools  

#1  03-16-2018, 18:32
0xall0c (Friend, joined Mar 2018, 67 posts)

Evading behavior analysis

This is my first post on exetools, so hello to all.

I generally experiment with post-exploitation tools, and sometimes develop my own. What I have noticed working with major antivirus products is that evading detection statically or in memory is easy (call APIs dynamically and obfuscate strings, followed by ghostwriting or process hollowing), but the behavior analysis at run time detects the payload.

As I was testing with Kaspersky and Avast, the payload executed successfully, but after a few minutes it was detected by the behaviour analysis module and neutralized.

To resolve this problem I proposed that if I can hook all API calls in the payload exe and choose a random time interval or API call before the execution of the original API, maybe behaviour detection can be evaded.

I would like to discuss this more, and want to know what your thoughts are on this, and whether someone can propose a better solution.

Please enlighten me, and apologies if I did something wrong.
#2  03-26-2018, 06:16
tecnmarl (Friend, Italy, joined Mar 2018, 9 posts)
The key is not the timing. Usually, the timing doesn't play a major role in the following analyses. A good hint might be understanding when the payload gets detected.
Try to make some borderline programs: some that you think will trigger the red flag and some, doing similar things, that won't trigger it. After this, you should start to see a pattern.

If you were an antivirus programmer, what would you check for?
#3  03-27-2018, 18:06
0xall0c (Friend, joined Mar 2018, 67 posts)
Yes, timing does not play a major role, but the execution of the heuristic API chain surely does; what I am suggesting is to call random garbage APIs in between these chains.

Also, Kaspersky would just flag a warning on the use of the OpenProcess API as "program trying to inject into the process". Is there anything that can be done to avoid that? I think not.

Talking about a pre-compiled binary to be evaded, do you think stuffing garbage API calls in between chains would evade it?
#4  05-14-2018, 23:44
Top10 (Friend, joined Feb 2017, 23 posts)
It depends on the payload's behavior too: if it performs many suspicious tasks like adding a startup key, making outbound connections, copying itself, among others, then it should be more difficult to hide it from AVs.

It depends too on your defenses, I mean things like anti-dump (try to protect some memory parts in some way), anti-emulation and anti-debug to avoid the AV's code emulation and its sandbox.

In my personal experience API hooks are not needed; you can use other ways like syscalls or changing the API flow of your loader, or simply both. Here are some tips about runtime detection:

Quote:
https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
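As an added example that nobody in this thread posted, here is a small Python model of the runtime behaviour scorer the argument in posts #2 to #4 revolves around, written from the detection side. It makes two points concrete: the injection API chain from post #3 is matched as an ordered subsequence, so the verdict does not change when unrelated calls or delays sit between the steps, and each of the behaviours post #4 lists (startup key, outbound connection, copying itself) adds to a score on its own. The rule names, weights, threshold and sample traces are all constructed for illustration and do not describe any vendor's engine.

```python
"""Toy runtime behaviour scorer (constructed example, not from the thread)."""

from typing import Iterable, List, Sequence, Tuple

# Constructed rule: the classic remote-thread injection chain. Post #3 notes
# that OpenProcess alone already draws a warning; here the full chain scores.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread")

# Constructed per-behaviour weights for the indicators post #4 names.
INDICATOR_WEIGHTS = {
    "RegSetValueEx:Run": 3,  # startup key (persistence)
    "connect": 2,            # outbound connection
    "CopyFile:self": 3,      # copies itself
}

CHAIN_WEIGHT = 6   # constructed weight for a complete chain match
THRESHOLD = 5      # constructed score at which the trace is flagged


def chain_in_order(calls: Sequence[str], chain: Sequence[str]) -> bool:
    """True if every step of `chain` appears in `calls` in that order.
    Calls between the steps are skipped, so padding the chain with
    unrelated API calls does not hide it from this check."""
    it = iter(calls)
    return all(any(call == step for call in it) for step in chain)


def score_trace(trace: Iterable[Tuple[float, str]]) -> Tuple[int, List[str]]:
    """Score a runtime trace of (seconds_since_start, api_name) events.
    Timestamps are deliberately ignored: as post #2 says, timing is not
    what the heuristic keys on."""
    calls = [api for _, api in trace]
    score, reasons = 0, []
    if chain_in_order(calls, INJECTION_CHAIN):
        score += CHAIN_WEIGHT
        reasons.append("ordered chain: " + " -> ".join(INJECTION_CHAIN))
    for indicator, weight in INDICATOR_WEIGHTS.items():
        if indicator in calls:
            score += weight
            reasons.append("indicator: " + indicator)
    return score, reasons


def verdict(trace: Iterable[Tuple[float, str]]) -> bool:
    """True when the trace reaches the constructed threshold."""
    return score_trace(trace)[0] >= THRESHOLD


# Constructed sample traces.
# A benign inspector: opens a process and reads memory, no injection chain.
BENIGN_TRACE = [(0.0, "OpenProcess"), (0.1, "ReadProcessMemory"),
                (0.2, "CloseHandle")]

# The injection chain executed back to back.
DIRECT_TRACE = [(0.0, "OpenProcess"), (0.1, "VirtualAllocEx"),
                (0.2, "WriteProcessMemory"), (0.3, "CreateRemoteThread")]

# The same chain with unrelated calls and multi-second gaps between steps.
PADDED_TRACE = [(0.0, "OpenProcess"), (0.5, "GetTickCount"), (3.1, "Sleep"),
                (7.4, "VirtualAllocEx"), (7.9, "GetSystemTime"),
                (12.2, "WriteProcessMemory"), (12.3, "lstrlenA"),
                (20.0, "CreateRemoteThread")]

# A dropper-like trace with no injection but several listed behaviours.
DROPPER_TRACE = [(0.0, "CopyFile:self"), (0.2, "RegSetValueEx:Run"),
                 (1.0, "connect")]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("direct", DIRECT_TRACE),
                        ("padded", PADDED_TRACE), ("dropper", DROPPER_TRACE)]:
        print(name, score_trace(trace), "flagged" if verdict(trace) else "clean")
```

Running it shows the padded trace scoring exactly the same as the direct one, which is the practical reason post #2 says timing is not the key and why a rule written over an ordered subsequence, rather than over adjacent calls or time gaps, is the form a defender should reach for. The dropper trace also crosses the threshold with no injection at all, which is post #4's point that the sum of ordinary-looking behaviours is itself a signal.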
All times are GMT +8. The time now is 21:26.