AV components
File Engine
Memory Engine
Network Engine
Disassembler
Emulator/Sandbox
Browser Plugin
Machine Learning Engine
Detection Methods
signature based
heuristic based (check source code statically)
behavioral based
machine learning based
Bypassing techniques
on-disk evasion
packers (e.g zipping)
obfuscator
crypter
combine all of them
in-memory evasion
e.g. memory injection
Process memory injection
insert malicious data into the memory of the currently running process (e.g. powershell) and start a new thread executing the injected data
since we provide scripts, it is not a binary and thus harder to detect of av
still, avira detects our basic approach
we can bypass this by renaming our variables….
Automating AV evasion
shellter injects malicious shellcode into a valid executable file
the shellcode is desinged to evade AV detection
veil is a tool, which evades malicious metasploit payloads
Last changeda year ago