Bypassing The Anti-Viruses
Concept of Code Injection - A generic way to bypass AV (anti-virus)
As we know, exe files get detected by AVs, so we have to think in another way:
i.e. split the exe into two parts (not physically, of course):
1. The core code - the actual code that performs a specific task, e.g. a bind shell.
2. The interface - a mechanism that will inject the code into memory and execute that code.
The functioning is something like this:
You may be wondering why I say encoded shellcode: if I use Metasploit shellcodes as they are, their signatures may already be in the AVs. If I encode the shellcode with any of the encoders available in Metasploit, the AV is not able to decode it inside a file and so is not able to detect it.
Although in some cases (e.g. Avast, maybe others too) the AV will not alert even if you use shellcodes that are not encoded, because the AV thinks .txt files are lame files. But if you forcefully scan the file, then the AV gives you an alert.
Now let us look at the next phase of the concept, the interface that will inject the code into a process. Code injection is not a new concept (DLL injection is one of the most popular examples).
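The injection step just described also has a defender's side: the injecting process must open the target with write and thread-creation rights and then start a thread at an address that no loaded module backs. The following is an added example, not code from the post, that finds that sequence in Sysmon-style events (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread are real Sysmon event types; the event records and file paths are constructed):

```python
"""Added example (not from the post): flag remote-injection footprints in Sysmon-style events.
Assumes Sysmon-like fields: Event ID 10 = ProcessAccess (GrantedAccess), Event ID 8 =
CreateRemoteThread (StartAddress, StartModule). All sample events below are constructed."""

# Windows process access rights an injector needs to write code into another process and run it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample: one loader opens explorer.exe with full access and starts a thread at an
# address backed by no module (code placed in freshly allocated memory); the rest is benign.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\demo\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\demo\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00B20000", "StartModule": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\notepad.exe", "StartAddress": "0x7FF8A1B2C3D0",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
]


def find_remote_injections(events):
    """Return (source, target) pairs where a process first opened another process with
    write+thread rights and then created a remote thread whose start address is not
    backed by any loaded module - the footprint of code injected straight into memory."""
    armed = set()   # (source, target) pairs already opened with INJECT_RIGHTS
    hits = []
    for ev in events:
        key = (ev["SourceImage"], ev["TargetImage"])
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if (granted & INJECT_RIGHTS) == INJECT_RIGHTS:
                armed.add(key)
        elif ev["EventID"] == 8:
            unbacked = not ev.get("StartModule")  # empty StartModule: no DLL/EXE owns the address
            if key in armed and unbacked and key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for src, dst in find_remote_injections(SAMPLE_EVENTS):
        print(f"possible code injection: {src} -> {dst}")
```

A thread started inside a legitimately loaded module (the csrss.exe record) is not flagged, which is what keeps this rule quiet on ordinary system activity.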
Note: All of this is generic and not specific to any tool or shellcode. Metasploit and its shellcodes are used only to demonstrate the concept. You can also inject your own code that is fully undetectable to AV in exe form with this method and bypass the AV.
Things you can do with this method:
1. Backdoor a process
2. Provide many backup shells