Injection Function! AV Bypass || help

[Vexer2k]

Just use direct syscalls and try to avoid process injection. In my case, I had great success with bypassing EDRs such as Sentinel1, CS, ATP etc. DLL sideloading works great too.

 

[T1Crazy]

If you obfuscate your source code it song affect output binary. Even if you call string sYsoJejaoheJuesjjs, it won't help

No friend!

Strings are obfuscated with com https://github.com/adamyaxley/Obfuscate

And the variables and functions are just with random names! To bypass signatures

but the point is not that since the code is not detected at scan time....

It's just that if you don't have anything useful to say or don't know what you're talking about, just don't say it!"

 

[T1Crazy]

Just use direct syscalls and try to avoid process injection. In my case, I had great success with bypassing EDRs such as Sentinel1, CS, ATP etc. DLL sideloading works great too.

Thanks, if you have any article/video/code

it would help me a lot

 

[Vexer2k]

Thanks, if you have any article/video/code

it would help me a lot

https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/
https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
https://trickster0.github.io/posts/Halo's-Gate-Evolves-to-Tartarus-Gate/
https://passthehashbrowns.github.io/hiding-your-syscalls

 

[Vexer2k]

Also, file entropy is another factor that can easily flag your malware even before it gets executed. You should definitely read about file entropy.

 

[Pernat1y]

And the variables and functions are just with random names! To bypass signatures

FFS. That was a thing in VB6 or so.
In C/Cpp/Asm variables and functions names are not stored in binary.