In the previous post, I think you got the basic idea of how to bypass the static heuristics of an antivirus. I took Comodo Internet Security as the example, but many other antivirus products use similar algorithms (Bayesian classifiers, expert systems, etc.).
Heuristic engines build on expert systems that try to emulate the decision-making of a malware analyst. Dynamic heuristic engines hook API calls, or run the program inside an emulation framework, to observe the behaviour of a suspicious file or program. Those hooks can be implemented in user mode or in kernel mode.
User mode
In user mode, antivirus products often hook API calls to monitor or block an operation. They can rely on hooking libraries such as Microsoft's Detours, madCodeHook, EasyHook, or MinHook by Tsuda Kageyu, which are among the best hooking libraries available today.
Bypassing user-mode hooks can be easy. For instance, one could read the original first bytes of the hooked function from the DLL on disk, execute them, then continue with the rest of the function past those first bytes (which are not hooked). Another way is to unload the hooking library itself, which removes its hooks once it is unloaded.
In this part, I'm going to write some code to check whether a function on our system has been hooked by an antivirus. As an example we will check LdrUnloadDll in NTDLL.DLL. Why this function? Because antivirus products often hook it, so that nobody can unload their DLL from user mode.
- Here is my C++ code:
- As you can see, I take the first 1024 bytes of LdrUnloadDll in memory (stored in the av_fix_byte variable, at address 0x0034F1FD).
- Then I take the first 1024 bytes of LdrUnloadDll on disk (at file offset 0x00022650).
- They are completely different, right? So if we could overwrite the bytes written by Avira Antivirus with the real code, we could bypass Avira in user mode. But if I stopped here, some of you would think I'm an idiot. I know it, Sir. They also have “some things” in the kernel. 😀
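The disk-versus-memory comparison above is the same integrity check a defender uses to spot an unauthorised inline hook or rootkit patch in a system DLL, so here is a small, added example of that logic in C++. It is not the author's CheckDllFunction code (which does not appear in the post) and it does not touch a real ntdll: the "disk" and "memory" prologues are constructed byte strings, and the trampoline shapes it recognises (jmp rel32, jmp [disp32], push/ret, mov rax/jmp rax, int3) are the common ones hooking libraries write; anything else is reported as an unknown patch rather than guessed at.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Result of comparing a function's on-disk bytes with its in-memory bytes.
struct HookReport {
    bool modified = false;      // true if any byte in the compared window differs
    std::size_t first_diff = 0; // offset of the first differing byte
    std::size_t diff_count = 0; // number of differing bytes in the window
    std::string kind;           // best-effort name of the patch shape, or "clean"
};

// Recognise the trampoline shapes hooking libraries commonly write over a
// prologue. `p` points at the first modified byte; anything unfamiliar is
// reported as "unknown patch" rather than guessed at.
static std::string classify_patch(const std::uint8_t* p, std::size_t n) {
    if (n >= 5 && p[0] == 0xE9) return "jmp rel32";                        // E9 disp32
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return "jmp [disp32]";    // FF 25 disp32
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return "push imm32; ret";  // 68 imm32 C3
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return "mov rax, imm64; jmp rax";                                   // 48 B8 imm64 FF E0
    if (n >= 1 && p[0] == 0xCC) return "int3";                             // CC
    return "unknown patch";
}

// Compare the first min(disk.size(), mem.size()) bytes of a function as stored
// in the DLL file against the bytes mapped in the running process.
HookReport compare_prologue(const std::vector<std::uint8_t>& disk,
                            const std::vector<std::uint8_t>& mem) {
    HookReport r;
    const std::size_t n = std::min(disk.size(), mem.size());
    for (std::size_t i = 0; i < n; ++i) {
        if (disk[i] == mem[i]) continue;
        if (!r.modified) { r.modified = true; r.first_diff = i; }
        ++r.diff_count;
    }
    r.kind = r.modified
        ? classify_patch(mem.data() + r.first_diff, mem.size() - r.first_diff)
        : "clean";
    return r;
}

// Constructed sample: a plausible x64 prologue as it would appear on disk
// (mov [rsp+8],rbx / push rdi / sub rsp,20h ...). Not bytes from any real ntdll.
static const std::vector<std::uint8_t> kDiskPrologue = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0xF9
};

// Same function after a 5-byte relative jump has been written over its start;
// bytes past the patch are untouched, which is what an inline hook looks like.
HookReport demo_jmp_hook() {
    std::vector<std::uint8_t> mem = kDiskPrologue;
    const std::uint8_t jmp[5] = {0xE9, 0x11, 0x22, 0x33, 0x44};  // constructed displacement
    std::copy(jmp, jmp + 5, mem.begin());
    return compare_prologue(kDiskPrologue, mem);
}

// Same function with a push/ret trampoline written over its start.
HookReport demo_push_ret_hook() {
    std::vector<std::uint8_t> mem = kDiskPrologue;
    const std::uint8_t tramp[6] = {0x68, 0x78, 0x56, 0x34, 0x12, 0xC3};  // constructed target
    std::copy(tramp, tramp + 6, mem.begin());
    return compare_prologue(kDiskPrologue, mem);
}

// Unmodified function: disk and memory agree.
HookReport demo_clean() {
    return compare_prologue(kDiskPrologue, kDiskPrologue);
}

static void print_report(const char* name, const HookReport& r) {
    std::printf("%-14s modified=%d first_diff=%zu diff_count=%zu kind=%s\n",
                name, r.modified ? 1 : 0, r.first_diff, r.diff_count, r.kind.c_str());
}

int main() {
    print_report("jmp hook", demo_jmp_hook());
    print_report("push/ret hook", demo_push_ret_hook());
    print_report("clean", demo_clean());
    return 0;
}
```

Two caveats when doing this against a real module: the window must be located consistently on both sides (export RVA in memory, RVA mapped through the section table to a file offset on disk, from the very file that is mapped), and not every difference is a hook. On x86 images relocation fixups and import thunks legitimately change bytes after load, so a difference that falls on an entry in the .reloc table is noise, not tampering.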
Kernel Mode
The first thing I want to say about kernel mode: everything is hard to understand and hard to get done, because a single mistake will crash your system and produce a BSOD (Blue Screen Of Death). If you want to do anything in this space, you need basic knowledge of kernel-mode programming. I'm going to write an article about it later.
For the most part, I would say antivirus products monitor the creation of processes and access to the system registry through a few kernel routines. For example:
- Microsoft provides the kernel routine PsSetCreateProcessNotifyRoutine, which lets security software receive notifications of process creation and termination in the Windows kernel.
- Other APIs include PsSetCreateThreadNotifyRoutine, which notifies the driver when a thread is created or deleted, and PsSetLoadImageNotifyRoutine, which notifies it when an image is loaded or mapped into memory.
In kernel mode, malware can run at a level deeper than ordinary PASSIVE_LEVEL code, at raised IRQLs such as APC_LEVEL or DISPATCH_LEVEL, and even higher ones.
At that point, we could bypass an antivirus with malicious code running in the kernel. So we would need to implement our malware in both user mode and kernel mode.
As shown above, I think you have a basic idea of how to bypass the dynamic heuristics of an antivirus, and of what we need to deal with after that. To be honest, I'm writing a piece of malware just to test it against some antivirus products like Kaspersky or Bitdefender, and then I will upload it in this post. If anyone is interested in this part, you can leave your comment here and we can discuss it for educational purposes. 😀
Nice tutorial, but I have some questions about it: in user mode, why do you take the first 1024 bytes of LdrUnloadDll in memory? Would any number be fine? And will the function “CheckDllFunction” only bypass Avira, or will it also bypass other AVs like KIS, Bitdefender or ESET?
Thanks in advance!
– For your first question, I took the first 1024 bytes of LdrUnloadDll just for this case. And yes, of course, you have to choose the number, because it depends on what you want to do next and on the structure of LdrUnloadDll (I mean its code).
– For your second question, I have tested it with Avira. Personally, I think it works on other AVs too. You need to test it yourself to handle whatever happens next.
Thanks for your questions.
Thanks for your reply. I got it. But I think it's very hard to overwrite the bytes written by Avira or other anti-viruses. Maybe we need to do it in kernel mode, right? And one more question: does Dynamic Analysis-based Detection mean the same thing as Behaviour-based Detection? As far as I know, Dynamic Analysis-based Detection relies on the AV emulator (sandbox), while Behaviour-based Detection may not rely on an emulator. Is this right? And I'm wondering how to bypass behaviour-based analysis when the AVs have kernel rights to monitor malware processes and threads. Is anti-memory scanning a good technique for this task?
Hi John.
– For your first question, it's not too hard to overwrite the bytes written by Avira or other anti-viruses. The easiest way is to check what protects those bytes and then make that hang, or something like that. After that you can do whatever you want in user mode. 😀
– For the second question, behaviour-based detection is not really based on an emulator. It includes many things. One thing we know for sure is the expert system.
– For the third question: actually, I had the chance to meet Mr Bruce Dang ( https://www.linkedin.com/in/brucedang ). He is a master of this area, I mean kernel mode. So I know “something” about what antiviruses do in kernel mode. Anti-memory scanning is a good approach, but you have a lot of things to do, my friend.