Malware Analysis – Bypass Dynamic Heuristic Antivirus – All things in moderation

After the previous post, I think you have the basic idea of how to bypass the static heuristics of an antivirus. Take Comodo Internet Security Antivirus as one example; many other antivirus products use similar algorithms, such as Bayesian, expert systems, etc.

Heuristic algorithms build on expert systems that try to emulate the decision-making of a malware analyst. Dynamic heuristic engines hook API calls or execute the program under an emulation framework to detect the behavior of malicious files or programs. Such hooks can be implemented in user mode or kernel mode.

User mode

In user mode, antivirus products often hook API calls to monitor or block an object. They can use hooking libraries such as Microsoft’s Detours, madCodeHook, EasyHook, or MinHook by TsudaKageyu. These are the best hooking libraries at this time.

Bypassing user mode hooks can be easy, in several ways. For instance, we could read the original first bytes of the hooked function from disk, execute them, and then continue executing the part of the function past those first bytes (which is not hooked). Another way is to unload the hooking library, which removes the hooks as it unloads.

In this part, I’m going to write some code to check whether our system has been hooked by an antivirus. As the example, we will check the function LdrUnloadDll of NTDLL.DLL. Why this one? Because antivirus products often hook it so that no one can unload their DLL in user mode.

  • I have some C++ code here:

[Image: screenshot of the C++ code]

  • As you can see, I take the first 1024 bytes of LdrUnloadDll in memory (in the av_fix_byte variable at address 0x0034F1FD).

[Image: the bytes read from memory]

  • Then I take the first 1024 bytes of LdrUnloadDll on disk (at offset 0x00022650).

[Image: the bytes read from disk]

  • They are totally different, right? So if we overwrite the bytes written by Avira Antivirus with the real code, we could bypass Avira Antivirus in user mode. But if I stop here, some people are going to think I’m an idiot. I know, Sir: they also have “some things” in the kernel. 😀
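The overwrite described above can also be looked at from the monitoring side: a product that patches a jmp into the start of a function can periodically verify that the patch is still present and still leads into its own module. The C code below is an added example, not the author's code or any vendor's implementation; the function names, the address, the module range and all byte arrays are constructed for illustration, and it assumes the hook is a 5-byte jmp rel32.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { HOOK_INTACT, HOOK_REMOVED, HOOK_REDIRECTED, HOOK_UNKNOWN } hook_state;
typedef struct { uint64_t base, size; } module_range;   /* monitoring DLL's mapping */

/* Constructed sample data, not taken from any real product or system. */
static const uint64_t FUNC_VA = 0x77A22650;              /* assumed function address */
static const module_range MONITOR = { 0x10000000, 0x20000 };
static const uint8_t ON_DISK[8]    = { 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10 };
static const uint8_t HOOKED[8]     = { 0xE9,0xAB,0xE9,0x5D,0x98,0x83,0xEC,0x10 };
static const uint8_t REDIRECTED[8] = { 0xE9,0x00,0x00,0x00,0x00,0x83,0xEC,0x10 };
static const uint8_t OTHER[8]      = { 0x90,0x90,0x55,0x8B,0xEC,0x83,0xEC,0x10 };

/* Decode "jmp rel32" (opcode 0xE9) located at address va; returns 1 on success. */
static int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    int32_t rel;
    if (len < 5 || code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, sizeof rel);          /* assumes a little-endian host */
    *target = va + 5 + (uint64_t)(int64_t)rel;   /* relative to the next instruction */
    return 1;
}

/* Classify the in-memory prologue against the file copy and the monitor's range. */
hook_state check_hook(const uint8_t *mem, const uint8_t *disk, size_t len,
                      uint64_t va, module_range monitor)
{
    uint64_t target;
    if (memcmp(mem, disk, len) == 0) return HOOK_REMOVED;   /* equals the file copy */
    if (!decode_jmp_rel32(mem, len, va, &target)) return HOOK_UNKNOWN;
    if (target >= monitor.base && target - monitor.base < monitor.size)
        return HOOK_INTACT;                                 /* lands in the monitor DLL */
    return HOOK_REDIRECTED;                                 /* lands somewhere else */
}

int main(void)
{
    static const char *names[] = { "intact", "removed", "redirected", "unknown" };
    const uint8_t *cases[] = { HOOKED, ON_DISK, REDIRECTED, OTHER };
    for (size_t i = 0; i < 4; i++)
        printf("case %zu: %s\n", i,
               names[check_hook(cases[i], ON_DISK, 8, FUNC_VA, MONITOR)]);
    return 0;
}
```

Any state other than intact is worth an alert, and a check of this kind running in user mode can itself be patched, which is one reason products also monitor from the kernel.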

Kernel Mode

The first thing I want to say about kernel mode is that everything is hard to understand and hard to get done, because a single mistake will crash your system and produce a BSOD (Blue Screen Of Death). If you want to do anything in this space, you need basic knowledge of kernel mode and, in particular, of programming there. I’m going to write an article about it later.

For the most part, I would say antivirus products try to monitor process creation and access to the system registry through kernel functions. For example:

  • Microsoft provides the kernel routine PsSetCreateProcessNotifyRoutine to allow security software to monitor process creation and termination events in the Windows kernel.

  • Or other APIs such as PsSetCreateThreadNotifyRoutine, which is notified when a thread is created or deleted, and PsSetLoadImageNotifyRoutine, which is notified when an image is loaded or mapped into memory.

In kernel mode, malware can do many things at a level lower than PASSIVE_LEVEL, such as APC_LEVEL or DISPATCH_LEVEL, and even at other lower levels.

At this point, we could bypass the antivirus with malicious code running in the kernel, so we need to implement our malware in both user mode and kernel mode.

As shown above, I think you now have a basic idea of how to bypass the dynamic heuristics of an antivirus, and of what we need to deal with and do after that. To be honest, I’m writing a piece of malware just to test against antivirus products such as Kaspersky or Bitdefender, and then I will upload it in this post. If anyone is interested in this part, you can leave a comment here and we can discuss it for educational purposes. 😀
