
a basic question regarding av evasion

Bimarck
RAID array · User · Registered: 02.01.2024 · Posts: 69 · Solutions: 1 · Reactions: 7
I can bypass Windows Defender with a simple reverse shell written in C. Now, if I want to apply the same thing to an exe generated by any RAT, stealer or C2, how can I apply the same to those exes? Will just decompiling reveal enough for me, or is there another method?
 
Yeah bro, I have had the same problem! Bypassing Win Defender, more specifically on Win11!
All my code and bypass methods work well on Win10, but Win11 improved Defender.

I'm studying DLL generation with Golang, and traditional DLL side-loading doesn't work anymore.

I'm trying to inspect mpclient.dll calls and understand how to unhook my .exe from inspection, or any other method.
I think BlackBasta ransomware (or BlackLotus, I don't remember now) was using this approach, exploring MPclient.dll to bypass Win Defender, but I don't have more details.
 
You would need to write some type of memory injector that injects your payload.

Win11 is way harder compared to Win10 Defender, but if you try hard enough it's possible to bypass it. You just need to focus on cleaning the signatures enough; don't leave any dangling strings or debug messages from the compiler. Also look into syscall hashing.
 
You are looking for what is called a 'crypter', which is basically a payload that will 'protect' your payload from AV/analysis.

For example, you could have your final custom payload already with low detection or completely undetectable, but if you are generating something directly from a known stealer or pentest tool, it will have signatures, so you need an independent undetectable piece of software to do this job.

There are a lot of such projects, open source and free; you will need to modify the code to make it 'clean'.

How sophisticated the techniques are will also depend on what you are targeting. You mentioned Windows Defender, which is weak. For example, corporate EDR is harder to bypass compared to home-user AV.

Some basic techniques are string obfuscation/encryption to hide known keywords from static analysis, anti-debugging/analysis techniques to make reverse engineering harder, VM checks to avoid running in a sandbox, and a lot more. Take a look at malware entropy also.
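On the "malware entropy" point in the reply above: packed or encrypted sections look statistically random, and scanners and sandboxes use Shannon entropy as a cheap heuristic for that. The script below is an added example (not code from any poster in this thread) that computes per-window entropy over a byte buffer and flags the windows an analyst would look at first. The sample buffer is constructed inline (plain ASCII text with a uniform 256-byte pattern embedded in the middle to stand in for an encrypted blob); the window size and 7.0 bits/byte threshold are assumptions, not values taken from any scanner.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0):
    """Return (offset, entropy) for every non-overlapping window at or above threshold.

    window and threshold are assumed tuning values; real scanners pick their own.
    A trailing partial window is ignored so every score is over the same sample size.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample input (not a real binary): 1024 bytes of English text,
# then 1024 bytes with a perfectly uniform byte distribution (entropy exactly 8.0),
# then the same text again. The middle block mimics an encrypted/packed payload.
PLAINTEXT = (b"This is an ordinary text section with repeated words. " * 20)[:1024]
ENCRYPTED_BLOB = bytes(range(256)) * 4
SAMPLE = PLAINTEXT + ENCRYPTED_BLOB + PLAINTEXT


def analyse(data: bytes = SAMPLE) -> dict:
    """Summarise a buffer the way a triage script would: overall entropy plus flagged windows."""
    return {
        "size": len(data),
        "overall": round(shannon_entropy(data), 2),
        "flagged": high_entropy_regions(data),
    }


if __name__ == "__main__":
    report = analyse()
    print(f"size={report['size']} overall_entropy={report['overall']}")
    for off, e in report["flagged"]:
        print(f"  high-entropy window at offset 0x{off:06x}: {e} bits/byte")
```

Run it on a real file by replacing `SAMPLE` with `open(path, "rb").read()`. The flagged offsets fall exactly on the embedded blob; the surrounding text scores well under 5 bits/byte. That contrast is what the entropy heuristic keys on, which is also why merely XOR-encrypting a payload makes a sample stand out more, not less, in static triage.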
 

