Skip to main content

Antivirus Evasion

Bypass Antivirus Software

Methods of Detecting Malicious Code

Bypassing Antivirus Detection

On-Disk Evasion

  1. Packers

    Generate smaller, functional equivalent and completely new binary stucture.

    New Signature.

  2. Obfuscators

    Replacing instructions with semantically equivalent ones, inserting irrelevant instructions, and dead code. Splitting and reordering functions.

  3. Crypters

    Cryptographically alter executable code, adding a decrypting stub to restore original code upon execution. Decryption happens in memory, leaving encrypted code on disk.

  4. Software Protectors

In-Memory Evasion

Doesn't write any code to disk.

Remote Process Memory Injection

Allocate memory in some valid PE that's not malicious. Copy malicious payload to newly allocated memory.

Reflective DLL Injection

Process Hollowing

Launch non-malicous process in suspended state.

Image of process removed from memory and replaced with malicous image.

Then resume process and execute malicous code.

Inline Hooking

Modifying memory to redirect code execution to point to malicous code in a modified function .

Flow will return to modified function and resume execution.

Shellter

Shell code injection tool. Most popular free tool bypassing AV software.

sudo apt install shellter
sudo shellter