Antivirus Evasion

Two types:

  1. On-disk
  2. In-memory

On-disk

  • Packers
  • Obfuscators
  • Crypters - currently the most effective on-disk evasion method
  • Software Protectors (e.g. The Enigma Protector) combine all of the above

In-memory (a.k.a. PE Injections)

In-memory injection using PowerShell

Remote Process Memory Injection - the payload is injected into another, legitimate (non-malicious) running process. Approach:

  • Use the Windows APIs
  • Use the OpenProcess function to obtain a valid HANDLE to the target process
  • Allocate memory in the context of that process with a WinAPI call such as VirtualAllocEx
  • Copy the malicious payload into the allocated memory with the WriteProcessMemory WinAPI
  • Execute the payload in memory in a separate thread using the CreateRemoteThread API
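From the detection side, the sequence above leaves a recognisable trace: the OpenProcess call has to be granted PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD rights on the target, and the remote thread creation is logged as its own event. The following added example (not part of the original notes) correlates Sysmon Event ID 10 (ProcessAccess) with Event ID 8 (CreateRemoteThread) for the same source/target pair; the event records and image paths are constructed sample data using Sysmon's field names.

```python
# Access rights OpenProcess must obtain on the target for the
# VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events shaped like Sysmon Event ID 10 (ProcessAccess)
# and Event ID 8 (CreateRemoteThread). Not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
CSRSS = r"C:\Windows\System32\csrss.exe"
SAMPLE_EVENTS = [
    # powershell opens notepad with PROCESS_ALL_ACCESS-style rights
    {"EventID": 10, "SourceProcessId": 4321, "SourceImage": PS,
     "TargetProcessId": 1234, "TargetImage": NOTEPAD, "GrantedAccess": "0x1F3FFF"},
    # csrss opens notepad with query-only rights: benign
    {"EventID": 10, "SourceProcessId": 812, "SourceImage": CSRSS,
     "TargetProcessId": 1234, "TargetImage": NOTEPAD, "GrantedAccess": "0x1400"},
    # powershell then creates a thread inside notepad
    {"EventID": 8, "SourceProcessId": 4321, "SourceImage": PS,
     "TargetProcessId": 1234, "TargetImage": NOTEPAD,
     "StartAddress": "0x000001E2A4F10000"},
]


def has_injection_rights(granted_access_hex):
    """True if the GrantedAccess mask contains every right the sequence needs."""
    granted = int(granted_access_hex, 16)
    return granted & INJECTION_RIGHTS == INJECTION_RIGHTS


def find_injection_candidates(events):
    """Return one finding per (source, target) pair where a process was opened
    with the injection rights and a remote thread was later created in it."""
    opened_with_rights = set()
    findings = []
    for ev in events:
        pair = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10 and has_injection_rights(ev["GrantedAccess"]):
            opened_with_rights.add(pair)
        elif (ev["EventID"] == 8 and pair in opened_with_rights
              and ev["SourceProcessId"] != ev["TargetProcessId"]):
            findings.append({"pids": pair, "source": ev["SourceImage"],
                             "target": ev["TargetImage"],
                             "start_address": ev["StartAddress"]})
    return findings


if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE_EVENTS):
        print("possible remote injection:", finding)
```

Event ID 8 on its own is already a strong signal; requiring the preceding ProcessAccess with write and thread rights filters out tools that only query or read the target.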