i Malware Analysis – File Evasion ( Part 1 ) – All things in moderation

Malware Analysis – File Evasion ( Part 1 )

After my previous posts, I think I have shown you guys a general idea about how pentest a website. Today, I’m going to introduce another topic, that is Malware Analysis. Personally, I think if we only attack a system from the outside, it just one part of our job. If their victims have installed an antivirus, we find it hard to continue to compromise their system.

Because this is the first post after penetration testing series, so I will show you the way to hide your Meterpreter ( Shell ) on their system.

First of all, our Meterpreters ( Shell ) are almost Portable Executable (PE) files. I will give a picture about its structure, and more details in another post, because I want to focus how we could hide Shell on their computers.

pe evasion

There are many ways to modify this PE File to hide it from their AV without making it corrupted. But base on my experience, if you don’t understand PE file structure very clearly, you shouldn’t make any change on it, because it is not working after your changes. :D. So I’m going to write an article about it in details later.

In a PE file, we should put our eyes on some parts like this:

The name of each section

pe evasion

We can change their names to what ever you want, because some Antivirus will check if they could find a particular section name that is match up with a family of malware. But you need carefully if you find a packer section name here, you shouldn’t change it, because your file will stop working if their packer can’t find their packed sections.

The datetime

When a file is create, they will have a datetime number in their header.

pe evasion

This field can be NULL, but we often see some Antivirus uses it as a part of their detection because a malware files is often build at the same time from an author.

OS details

There are some details related to OS when the author of that virus built them.

pe evasion

We could change it to hide our malware.

Entry Point

This is the most important part. Entry Point is the point where PE Loader used to look for when your PE is load, so if you can hide or obfuscate your EP, you can trick AV a lot, even their emulator. I have found a bunch of trick here from Corkami project.
I’m going to take nullEP as our example.

First, you need to go to this page and download yasm: http://yasm.tortall.net/Download.html
You should choose the version that is for your system ( x86 or x64 ).

  • When you see nullEP.asm file, we use this command to compile it.

yasm-1.3.0-win32.exe -o nullEP_SS.exe nullEP.asm

After this command, we will have a nullEP.exe file in the same directory with file nullEP.asm
His code is pretty clear.

pe evasion

And when we check our nullEP.exe file with our editor, we could see this file have no entrypoint.

pe evasion

But it still works like a charm.

pe evasion

The question is what PE Loader ( Windows ) did with this file. Actually, this file has been executed at their ImageBase.

I think you guys need to know a basic knowledge about PE file, PE loader to understand this article, so I will write a post about it later. But for now, for anyone who have known about them, you guys should play some tricks with Corkami Project.

It takes time, but it’s worthy. And I always here for help, just put your comment below if you guys want to ask anything my post.

Leave a Reply