Cobalt Strike AV-evasion techniques
2022-08-03 19:12:00 【Antview Network Security】
Foreword
In HVV exercises the red team usually breaches the perimeter by phishing, and the blue team uses phishing for attribution and counter-measures, but both depend on a payload that evades antivirus. The approach below had no problem with Windows Defender, Symantec and other mainstream AV products.
How antivirus software works
Antivirus products detect malware in several ways. Signature-based detection relies on the virus samples each vendor collects and the characteristics extracted from those samples, so detection capability depends to some extent on the size of the virus database; this signature matching is generally static. Heuristic detection can broadly be described as dynamic detection, or detection based on machine-learning methods.
How to evade detection
•Modify the signature: use a taint-style approach to locate the sample features that trigger the AV rule; modifying the obvious features evades detection to a certain extent.
•Junk instructions: add garbage instructions in the shellcode or signature region of the program. The added instructions do not affect execution, but they break matches in dynamic detection or file-hash comparison.
•Packers, such as UPX. Once the file has landed on disk, packing also bypasses hash-based checks.
•Recompilation, generally recompiling the shellcode into a new binary to bypass AV.
•PowerShell evasion, although protection software or the system itself will usually raise an alert when the PowerShell application is invoked normally. Ordinary security devices cannot be passed this way, and commands are needed to bypass their monitoring.
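As a defender-side illustration of the two detection modes described above (static signature and hash matching versus heuristics) and of the observation that packing changes the file hash, here is an added Python example; it is not code from the original post. It builds a constructed "unpacked" blob containing a hypothetical signature string, simulates packing with zlib plus UPX-style section names, and shows that the hash and byte-signature checks stop matching after packing while an entropy threshold and the leftover UPX0/UPX1 section names still flag the file. The signature string, the 7.0 entropy threshold and the use of zlib as a stand-in for UPX's compressor are assumptions made for the example.

```python
import hashlib
import math
import zlib
from collections import Counter

# Everything below is a constructed illustration: no real executable is read or written.
# A hypothetical static signature, of the kind a signature-based engine would match on.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-STRING"


def _deterministic_noise(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for code sections."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed "unpacked" file: header-like prefix, zero padding, readable strings, noise.
UNPACKED = (b"MZ" + b"\x00" * 2046
            + b"This program cannot be run in DOS mode." + SIGNATURE
            + _deterministic_noise(1024))

# Constructed "packed" file: a UPX-style stub carrying the UPX0/UPX1 section names,
# followed by the original body compressed with zlib (stand-in for UPX's compressor).
PACKED = b"MZ" + b"UPX0" + b"UPX1" + zlib.compress(UNPACKED, 9)


def sha256_hex(data: bytes) -> str:
    """Hash lookup: only catches a file whose exact bytes are already known."""
    return hashlib.sha256(data).hexdigest()


def signature_hit(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static signature scan: a plain byte-pattern search over the whole file."""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); compressed or encrypted bodies sit near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def has_upx_section_names(data: bytes) -> bool:
    """Cheap packer indicator: a stock UPX build leaves its section names in the header."""
    return b"UPX0" in data and b"UPX1" in data


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: overall entropy at or above the threshold suggests a packed/encrypted body."""
    return shannon_entropy(data) >= threshold


def assess(data: bytes) -> dict:
    """Run every check together so it is visible which ones survive packing."""
    return {
        "sha256": sha256_hex(data),
        "signature_hit": signature_hit(data),
        "entropy": round(shannon_entropy(data), 2),
        "upx_section_names": has_upx_section_names(data),
        "looks_packed": looks_packed(data),
    }


if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, assess(blob))
```

Whole-file entropy is the crudest form of the heuristic; on a real PE, per-section entropy and the section-name check give far fewer false positives on legitimately compressed resources, and the 7.0 cut-off is a common rule of thumb rather than any vendor's value.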
AV evasion walkthrough
Generate the payload in CS
Add a listener and generate the payload.
Download go-strip.exe and strip the Go build information from the binary.
Download link:
https://cdn.githubjs.cf/boy-hack/go-strip/releases/download/v3.0/go-strip_0.3.4_windows_amd64.zip
Run the bypass script:
go run main.go
The core of it is the encryption method.
The shellcode is encrypted in two layers.
The source code is not posted here directly, because I am worried the sample would be flagged; instead, a few projects are recommended. Try to use Go here rather than Python.
https://github.com/TideSec/BypassAntiVirus
https://github.com/admin360bug/bypass
https://github.com/hack2fun/BypassAV/blob/master/bypass.cna
Here I tested the generated exe: install Huorong (火绒) and scan it.
Beacon checks in to CS
Packing
Add another layer of packing and test. Address:
https://upx.en.softonic.com/
Simple compression packer:
upx.exe -f Go_bypass.exe
The generated exe is 406KB after packing.
Before packing, the file size was 1011KB.
Rename the packed file to upx_Go_bypass and confirm that it checks in.
Check-in succeeded; next, verify the evasion result after packing.
At this point Huorong flags neither the file before packing nor the file after.
Although it was flagged before packing, it is not flagged after packing.
Symantec did not flag it either; I won't post the results for the other AV products. But be careful not to submit it to cloud sandbox detection.
Summary
Repeated testing always leads to new discoveries. It is relatively easy to do in practice, but pay attention to how well the evasion actually works.