How to evade Kaspersky’s shellcode detection?

Hello readers!

I am Hadi, a 17-year-old security enthusiast.

While I was playing with the Kaspersky Lab 2017 free version, I tried various shellcodes from the Metasploit Framework. Unfortunately, Kaspersky Antivirus detected them all, but I discovered a way to evade Kaspersky’s shellcode detection.

Basically, let’s try with a shellcode wrapper that uses the ‘Windows.h’ header and the VirtualAlloc() function (which allocates new memory and stores our shellcode in it; this way we will not have issues with Data Execution Prevention). In this write-up I will use the ‘windows/x64/exec’ shellcode to spawn calc.exe :-). I’m using GCC for the Windows platform to compile our shellcode into an executable.

The source code of the C file is here: https://pastebin.com/PmbFhtN6

Let’s compile our shellcode and check the results with Kaspersky AV:

Image for post

Oh no! Kaspersky detected and deleted our wonderful shellcode (PS: sorry for the language).

Now, let’s try without the shellcode, just with the VirtualAlloc() function, and recompile the code like here: https://pastebin.com/REzUqAjT

Image for post

Sweet! Our executable, which contains just the shellcode wrapper without the shellcode, is not detected :-)

So, we can conclude that Kaspersky is only interested in Metasploit shellcodes, not in the shellcode wrapper. I think Kaspersky has a sort of database to recognize Metasploit shellcodes.

To evade this detection, I remembered msfvenom’s no-operation option for shellcodes (with the -n option we can tell msfvenom how many junk bytes to add to our shellcode, like ‘\x90’ and plenty of other instructions; the junk bytes are completely random). For example, if we want to add 2000 junk bytes we specify ‘-n 2000’ like that:

msfvenom --payload=windows/x64/exec CMD=calc.exe -b '\x00' -f c -n 2000

Let’s check the results:

Image for post

Hooray! Our shellcode is not detected by Kaspersky AV.

Let’s try the shellcode:

Image for post

Game 0ver!
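From the defender’s side, the evasion above works because the signature is tied to the unpadded payload, while the random junk that the -n option prepends is itself a recognisable pattern: a long run of single-byte instructions that do nothing useful. The following Python snippet is an added example, not code from the original post or from Metasploit or Kaspersky. It flags regions of a byte buffer where almost every byte in a sliding window is a single-byte NOP-equivalent. The opcode set, the window size, the threshold and the sample buffer are all assumptions made for this example; in particular the set is an illustrative subset and not the table msfvenom’s NOP generator actually uses.

```python
import random

# Illustrative subset of single-byte x86/x64 instructions that leave control flow
# alone and are commonly used as NOP-equivalents in sleds. This set is an
# assumption for the example, not msfvenom's actual NOP generator table.
NOP_EQUIVALENTS = frozenset({
    0x90,  # nop
    0x98,  # cwde
    0x99,  # cdq
    0x9B,  # fwait
    0x9E,  # sahf
    0x9F,  # lahf
    0xF5,  # cmc
    0xF8,  # clc
    0xF9,  # stc
    0xFC,  # cld
    0xFD,  # std
})


def nop_sled_regions(buf: bytes, window: int = 64, threshold: float = 0.9):
    """Return a list of (start, end) byte ranges in which every `window`-byte
    sliding window has at least `threshold` of its bytes in NOP_EQUIVALENTS.
    Overlapping flagged windows are merged into one region."""
    if len(buf) < window:
        return []
    is_nop = [1 if b in NOP_EQUIVALENTS else 0 for b in buf]
    count = sum(is_nop[:window])          # NOP-equivalents in the current window
    regions = []
    for start in range(len(buf) - window + 1):
        if start > 0:
            # Slide the window one byte: drop the byte that left, add the one that entered.
            count += is_nop[start + window - 1] - is_nop[start - 1]
        if count / window >= threshold:
            end = start + window
            if regions and start <= regions[-1][1]:
                regions[-1] = (regions[-1][0], max(regions[-1][1], end))
            else:
                regions.append((start, end))
    return regions


def build_sample() -> bytes:
    """Constructed test input (not a real payload): 128 bytes of ordinary
    code-like bytes (all below 0x80, so none are in the NOP set), then a
    200-byte sled of randomly chosen NOP-equivalents, the shape that `-n 200`
    would prepend, then 128 more code-like bytes."""
    rng = random.Random(1337)  # seeded so the example is deterministic
    code = bytes(range(0x80))
    sled = bytes(rng.choice(sorted(NOP_EQUIVALENTS)) for _ in range(200))
    return code + sled + code


if __name__ == "__main__":
    sample = build_sample()
    for start, end in nop_sled_regions(sample):
        print(f"possible NOP sled at bytes {start}-{end} ({end - start} bytes)")
```

On the constructed sample the detector reports one region covering the sled plus a few bytes of context on each side, and reports nothing on a buffer of ordinary code bytes. Treat it as a triage heuristic rather than a verdict: compilers also emit runs of 0x90 and other padding for alignment, so a hit is a reason to look closer at the surrounding bytes and at how the memory was allocated, not proof of a payload on its own.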
