First of all, you need some basic knowledge about antivirus software. It has two core parts: the disassembler and the emulator.
I have to say the disassembler is the heart of the emulator. An antivirus disassembler has to support a long list of instruction sets, for example: x86, FPU, SSE, SSE2, SSE3, SSE4, SSE5, 3DNow!, MMX, VMX, AVX, XOP, FMA instructions, and so on.
You could find the details of them on Wikipedia: List_of_instruction_sets
As you can see, there are many instruction sets, so an antivirus disassembler will find it hard to cover all of them; in practice they only handle some basic instruction sets. If you want to see how hard it is, go to diStorm on GitHub, download it, and test it for a while.
Personally, I think I will write an article about them later.
To bypass the antivirus disassembler, you need to fingerprint it first, or just test against the commercial version of the antivirus to find out what it handles. After that, you just need to use some unusual instructions like:
And so on.
To bypass the emulator, we could do something like this:
- We could use some special functions like:
These are system functions; you can try to call them in user context. Use TRY and CATCH around the call: whether it succeeds or not tells you whether we can bypass the emulator.
- Or we could load some system libraries like:
NTOSKRNL.EXE, NTKRNLMP.EXE, NTKRNLPA.EXE, NTKRPAMP.EXE
Ntoskrnl.exe (short for Windows NT operating system kernel), also known as the kernel image, provides the kernel and executive layers of the Windows NT kernel space and is responsible for various system services such as hardware virtualization and process and memory management, making it a fundamental part of the system. Many emulators find it hard to load these libraries because they are system components. We can handle the exception to learn whether we can bypass their emulator or not.
- We also have some other tricks, such as manipulating the DR0 register on Intel x86, or opening special device names like CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9, then handling our exception to check the result.
In the last part, I will show you my trick. Because I love reversing malware, I will show you some funny things based on my terrible experiences.
I have a normal file here. Its hash is 607b8f519b70abafe328857c004f563616017874ce2eb27baf80755351e964f2
When you view it in the IDA disassembler, its code is very easy for reversers to read.
This file has its entry point at 0x00401000. I will make some changes to this file at address 0x00401190, like this:
And then our file looks like this:
I think reverse engineers will find it hard to understand what we are about to do when they try to reverse our code. This trick could be called an anti-IDA trick.
Like I said before, I haven't explained why I chose the address 0x00401190 for my anti-IDA trick, for security reasons. But you can leave a comment here, and I will answer in private, for educational purposes only. 🙂