Hi guys,

I’ve been working on a c++ malware, but I can not evade AV, even with multiple obfuscation/process hollowing/ not toucking disk… I tried at least 30 solutions, but my final file is an exe, and I think the problem is here.

Because exe are the most common form, I understand that AV will look at it very closely to unsigned exes… I could just change the form to dll and run it with rundll32 and a batch, but it seems to be caught too. Online AV gets less AV caught in dll form, but still…

I could use hta files, or macro, but I’m not sure of the best form, and how to run complexes functions (like persistence, running other processes)

Any ideas to share on this?

  • pinknoise
    link
    fedilink
    arrow-up
    4
    ·
    3 years ago

    I do not endorse malware in any way, shape or form and the following Information is for research purposes only. I think the whole idea of AV software is dumb and I like to help people realize that.

    I could just change the form to dll

    It’s still a PE file and AV will of course scan those (also scr, com and whatever)

    and run it with rundll32

    Thats pretty likely in every detection heuristic ever

    I could use hta files

    Thats also suspicious, but if you only use it for c&c logic and install stuff you might get away with it. You could be creative and use onboard or standard software to do the dirty work.

    or macro

    Seems to work shockingly well according to the steady stream of ransomware news… I got an emotet email some time ago. I analyzed it and they used macros to execute a powershell script which tried to download a PE loader from multiple sources.

    Any ideas to share on this?

    If your files are flagged before running they either share a signatur with some known malware or they just use suspicious windows api-calls or you used a packer. If the first is true, did you plagiarize parts of it? If yes then lol and you can play around with some compiler flags to maybe change the output enough. Also you could try changing parts of the executable (just replace bytes block by block) to identify what part of it is problematic. For the second possibility you can dynamically load and call the libs at runtime but this won’t help against runtime heuristics. Also you could add some dead code (make sure it doesn’t get optimized out) that uses other functions to enhance the suspicious/non-suspicious call ratio.

    @TheOPtimal’s method won’t work because once you decoded the file to disk AV will flag it. You’d need to decode the file in memory and then execute it, which is what most malware did back when I still was interested in this topic. If you have a simple decrypter&loader you can easily modify it each time AV company adds a signature. For each intel instruction you can find (basically unlimited) sets of other instructions that do the same thing but have a different signature. But I’d guess most AV software will have heuristics for self-modifying code.