1. Introduction

#AVEvasion #Golang #maldev #malwaredevelopment

Last updated 1 year ago

Antivirus is a piece of software installed on a computer to block malicious executables from running.

Whether the software is malicious is decided either by "static" signatures or by the executable's behaviour (in a sandbox or at runtime).

  • Static analysis usually looks at the hash of the executable, its Import Address Table and similar artefacts when the executable hits the disk. The same kind of scan is also run against memory.

  • Behavioural analysis looks for certain patterns at runtime. For example, in a Meterpreter session MS Defender will kill the session immediately when the migrate command is used, even though we were able to run the payload successfully, because Defender detected the process injection sequence.

  • Sandbox: The AV might run the executable in an isolated environment to check for malicious behaviour before actually letting it run on the host.
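An added example in Go (not code from the original page) of the static import-table check the first bullet describes: it parses a PE file with the standard library's debug/pe package and reports when the complete API set of an injection pattern appears in the Import Address Table. The rule names and API groupings are constructed for the example.

```go
package main

import (
	"debug/pe"
	"sort"
	"strings"
)

// injectionRules pairs a rule name with the Win32 imports that together form one
// injection pattern. The names and groupings are constructed for this example.
var injectionRules = map[string][]string{
	"classic-remote-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
	"local-shellcode-runner":   {"VirtualAlloc", "VirtualProtect", "CreateThread"},
}
// matchRules returns, sorted, every rule whose complete API set appears in imports
// (debug/pe's "Func:DLL" form, compared case-insensitively). A partial set is not
// reported: the signature is the whole sequence, not any single call.
func matchRules(imports []string) []string {
	have := make(map[string]bool, len(imports))
	for _, imp := range imports {
		have[strings.ToLower(strings.SplitN(imp, ":", 2)[0])] = true
	}
	var hits []string
	for rule, apis := range injectionRules {
		complete := true
		for _, api := range apis {
			if !have[strings.ToLower(api)] {
				complete = false
				break
			}
		}
		if complete {
			hits = append(hits, rule)
		}
	}
	sort.Strings(hits)
	return hits
}
// scanFile parses a PE file with the standard library's debug/pe package, the
// same on-disk view a static scanner has, and returns the rules its imports hit.
// On a parse error imports is nil, so matchRules yields nothing and err is set.
func scanFile(path string) ([]string, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	imports, err := f.ImportedSymbols()
	return matchRules(imports), err
}
```

Because it reads only the import table, this is one layer of a scanner: the behavioural and sandbox checks in the next two bullets are what catch a sample a static rule misses.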

Defender got pretty good at detecting the classic shellcode injection technique. I will start modifying the code to get it to run on a fully patched Windows host.

Note: This will not work on most modern EDRs. That's something I will go into in more detail in the upcoming series.