Bypassing Antivirus software

It should be noted that this is purely for educational purposes. You need to know how malicious software like this works if you are to protect yourself from it. I'm not responsible if you use this and get nicked.

If you think your antivirus software protects you from everything, you're wrong. The core of most antivirus engines is still a static scan: the scanner reads a file and compares its bytes (hashes, byte patterns, structural features) against a database of known malware. It is looking for similarity to things it has already seen. How do you beat a similarity check? Make the file look like nothing the scanner has seen before, and the simplest way to do that is encryption. Current products layer heuristics, emulation and behavioural monitoring on top of the static scan, so a clean static result is not the same as running undetected; the rest of this post is about the static part.

[Screenshot: crypt1]

The screenshot (crypt1) shows a small C# project that takes a piece of malware (spyware, a keylogger, ransomware, whatever you like), encrypts it with a symmetric cipher and embeds the ciphertext inside its own binary. The original text calls the cipher "the SHA algorithm"; SHA is a one-way hash and cannot be decrypted, so it can at most be used to derive the key, and the actual encryption has to be a reversible cipher (AES, RC4 or a keystream XOR). Once compiled, the result looks like an ordinary program. There are two key files:

  • Stub.cs
  • Loader.cs
Stub.cs is the payload carrier: it stores the encrypted malware. Loader.cs is the first thing that runs. When executed, Loader.cs installs itself to run at startup, decrypts the payload and executes it directly from memory. The decrypted malware is therefore never written to disk; only the encrypted blob inside the loader ever is, and the file-scanning path is what that blob has to pass. Memory scanning and behavioural monitoring do exist in current products, but they are not the similarity check described above, which is why this approach gets past it.

Below is the key element of Loader.cs. This code has Stub.cs decrypt the payload, compile it and execute it in memory. Two separate properties are at work here and should not be confused. First, every build is compiled with unique assembly information and layout, so a hash or byte signature written for one build does not match the next. Second, persistence comes from the startup entry: even if the antivirus catches the running payload, the loader starts again at the next reboot, rebuilds the payload and runs it. The limit of that is obvious once stated: if the scanner quarantines the loader executable itself, the startup entry points at nothing.

[Screenshot: crypt2]

Below is the code within Stub.cs, the decryption and execution step. The stored payload is first converted into a byte array, decrypted, and the resulting bytes are loaded and run without ever being written out as a file. Simple...

[Screenshot: crypt3]

Scanning the encrypted build returns 0 detections, successfully bypassing the static antivirus scan. Keep in mind what that number measures: a static scan of this one build on the day it was run. Vendors add signatures over time, a rebuilt stub has to be re-tested, and a static scan says nothing about what happens once the loader runs and the decrypted payload is sitting in memory.

[Screenshot: crypt res (0 detections)]
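As an added illustration (not the Loader.cs/Stub.cs from this post, which only appear in screenshots), the following Python models the three pieces the post relies on: a hash-based signature database standing in for the "similarity check", the encrypt-into-stub / decrypt-in-loader round trip, and the entropy check a static scanner can run on the same bytes. It assumes a constructed byte string as the payload, a single constructed hash as the signature "database", and a toy SHA-256 counter-mode keystream as the cipher, because SHA on its own cannot encrypt and a keystream is the closest thing to "encrypting with SHA". Nothing is executed: the loader function only returns the recovered bytes.

```python
"""Toy model of a crypter and the two static checks it meets.

Added illustration for this post, not the author's code.  Everything is
constructed: the payload is a byte string standing in for a compiled
executable, the signature database is one hash, and the cipher is a
deliberately simple SHA-256 keystream (use AES for anything real).
"""
import hashlib
import math
from collections import Counter

# Constructed payload standing in for a compiled executable.  Repeated text
# gives it the lowish entropy that real code and strings have.
PAYLOAD = (b"MZ\x90\x00" + b"this byte string stands in for a keylogger binary; ") * 80

# The simplest possible signature database: hashes of known bad files.
KNOWN_BAD = {hashlib.sha256(PAYLOAD).hexdigest()}


def sha_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher built from SHA-256 in counter mode (toy, assumption).

    SHA-256 is one-way and cannot 'encrypt' anything, which is the mistake in
    calling a crypter's cipher 'the SHA algorithm'.  What a hash can do is
    generate a keystream: H(key || counter) per 32-byte block, XORed with the
    data.  XOR is its own inverse, so the same call decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def signature_match(data: bytes) -> bool:
    """Exact-hash signature check: the post's 'similarity check' at its simplest."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  Plain code and text sit well under 7; ciphertext nears 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_scan(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """What a static scanner sees on the bytes alone: signature hit or not,
    and whether the blob is so random-looking that it is probably encrypted."""
    entropy = shannon_entropy(data)
    return {
        "signature_hit": signature_match(data),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,
    }


def build_stub(key: bytes) -> bytes:
    """The crypter step: the encrypted blob that Stub.cs would carry."""
    return sha_keystream_xor(key, PAYLOAD)


def loader_run(stub: bytes, key: bytes) -> bytes:
    """The loader step: recover the payload in memory.  Returns the bytes an
    in-memory loader would be handed; nothing is executed here."""
    return sha_keystream_xor(key, stub)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    demo_stub = build_stub(demo_key)
    print("plain payload :", static_scan(PAYLOAD))   # signature hit, low entropy
    print("encrypted stub:", static_scan(demo_stub))  # no hit, high entropy
    assert loader_run(demo_stub, demo_key) == PAYLOAD
```

The two scan lines are the whole argument of the post in miniature: the hash signature that matches the plaintext payload does not match the encrypted stub, so the similarity check fails. The entropy column is the practitioner's caveat: a 4 KB blob of near-8-bits-per-byte data inside an otherwise small executable is itself a well-known static heuristic, so "looks like a normal program" only holds until a scanner asks how random the file is.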



LewyBlog - Blog software created by Lewis Williams