Обход времени выполнения AV

[Ghostmela]

Hi everyone, I'm new here, so I decided to ask the forum to share with me an idea of how I can bypass the AV runtime detection .. Recently I started learning how crypters works, so I decided to try writing my own in C #. I have been able to bypass most Av! Scan time detections. The difficulty I am currently facing is a good technique for how I can decrypt encrypted malware and run it in memory without touching the disk ... I tried to use some kind of process hollowing technique but I could not figure out how it works ... I've seen other people's Runpe project on github, but I don't want to just copy and paste other people's work without fully understanding it ... I've looked everywhere for a handy beginner's guide to Runpe in C #. Please, I need someone who can help me achieve this. thanks in advance

 

[timare]

heyy, runtime detection is made possible by API hooking or by Userland hooks. There are lot of resources that cover av/edr hooks and bypasses. One solution is by implementing your own NT system call in your program to make edr/AV go blind.

 

[davinkeenan]

Hi everyone, I'm new here, so I decided to ask the forum to share with me an idea of how I can bypass the AV runtime detection .. Recently I started learning how crypters works, so I decided to try writing my own in C #. I have been able to bypass most Av! Scan time detections. The difficulty I am currently facing is a good technique for how I can decrypt encrypted malware and run it in memory without touching the disk ... I tried to use some kind of process hollowing technique but I could not figure out how it works .. . I've seen other people's Runpe project on github, but I don't want to just copy and paste other people's work without fully understanding it ... I've looked everywhere for a handy beginner's guide to Runpe in C #. Please, I need someone who can help me achieve this. thanks in advance

can you code for me Run time Crypter for Private stub

 

[Ghostmela]

can you code for me Run time Crypter for Private stub

Pm

 

[mose3c]

You can patch AmsiScanBuffer exported from Amsi.dll and use System.Reflection.assmebly to load you'r payload in powershell Almost Fud and bypass Windows Defender

 

[br0]

You can patch AmsiScanBuffer exported from Amsi.dll and use System.Reflection.assmebly to load you'r payload in powershell Almost Fud and bypass Windows Defender

а дефендер даст пропатчить AmsiScanBuffer ? он не чекает целостность этой функи ?

 

[mose3c]

а дефендер даст пропатчить AmsiScanBuffer ? он не чекает целостность этой функи ?

english pls

 

[Haunt]

Не понимаю, зачем патчить AmsiScanBuffer, находите через reflection поле amsiInitFailed, патчите его в true и все, powershell считает, что инициализация COM интерфейса зафейлилась и ничего по нему не пушит.

 

[linear]

Загрузи сборку .NET и выполни в памяти, dll reflected, есть на github-e

 

[WhiteDragon]

amsiInitFailed, патчите его в true и все

Кто не понял, то магия такая - [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Но у вас будет детект от амси, в основном она постороена на string-based и в редком случае на вызовы апи и дальше додумывайте сами

 

[mose3c]

He says: "Will Windows Defender let you patch AmsiScanBuffer? Windows Defender does not monitor the integrity of this function?"
In fact, I've been wondering that too.

Yes u can patch AmsiScanBuffer using powershell script but Yes some AV can detect this method so what i use is creating c++ dll and the dll patch the AmsiScanBuffer
the I inject the dll to powershell to work on same powershell.exe context and run dll main to patch the function .
this method better ofc

 

[DildoFagins]

so what i use is creating c++ dll and the dll patch the AmsiScanBuffer

It doesn't matter if you do it with powershell or native code if some av monitors the integrity of the function.

 

[mose3c]

It doesn't matter if you do it with powershell or native code if some av monitors the integrity of the function.

I have test this on Eset Node32 , Windows defender And Kaspersky
patching AmsiScanBuffer from Powershell work's fine on all AV except Node32 its detected so i try to use A dll to patch The AmsiScanBuffer and did not detected and work for all AV has been mentioned bellow .

 

[mose3c]

I don’t understand why patching AmsiScanBuffer, find the amsiInitFailed field through reflection, patch it to true and that’s it, powershell thinks that the initialization of the COM interface has failed and doesn’t push anything on it.

Thats work to we can name it different techniques