From 62756e0aadf466ea928cf2954cc788e78415e0e8 Mon Sep 17 00:00:00 2001 From: whx Date: Wed, 31 Aug 2022 23:55:40 +0200 Subject: [PATCH] sig evasion --- .../docs/windows/Signature-Evasion.md | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 post exploitation/docs/windows/Signature-Evasion.md diff --git a/post exploitation/docs/windows/Signature-Evasion.md b/post exploitation/docs/windows/Signature-Evasion.md new file mode 100644 index 0000000..2f43b87 --- /dev/null +++ b/post exploitation/docs/windows/Signature-Evasion.md 
@@ -0,0 +1,100 @@ +# Antimalware Signature Evasion + +## Check Binary Against AV + +* Split the binary to create signature +```sh +head --bytes > sig.exe +``` +* To test running antivirus, split it in half multiple times and check if it would be detected by the AV. Check for bad bytes + + +### Automation + +* [Powersploit's Find-AVSignature](https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1) finds it automatically +* [rasta-mouse's Threat Check](https://github.com/rasta-mouse/ThreatCheck) + + +## Static Code + +* Obfuscation of classes + * __Class Hierarchy Flattening__, create proxies via interfaces + * __Class Splitting & Coalescing__, shift variables to other classes + * __Dropping Modifiers__, drop private use public only + +* Obfuscation of methods + * __Method Proxy__, proxy method or object replacement + * __Method Scattering & Aggregation__, coalesce or split methods + * __Method Clone__, replication of methods + + +## Property Based + +* Properties may be hash checksum or entropy of a binary + +* While having the source code at hand, simple white spaces can change the checksum or adding strings to the text section may lower the entropy + +### Bit Flipping + +* When only the binary is accessible add some `NOP`s or do bit flipping via +```python +import sys + +with open (sys.argc[1], "rb") as _f: + orig = list(_f.read) + +for i,c in enumerate(orig): + current=list(orig) + current[i] = chr(ord(c) ^ 0xde) + path = f"{i}.exe" + + with open (path, "wb") as _f: + _f.write(''.join(str(x) for x in current) + +print("[+] Success") +return 0 +``` + +* Verify if the portable executables generated from the script above are still well formed +```sh +FOR /L %%A IN (1,1,10000) DO ( + signtool verify /v /a flipped\\%%A.exe +) +``` + +## Behavior Based + +* __Import Adress Table (IAT)__ is the PLT of windows. It contains addresses of the (standard) lib functions provided by DLLs. 
+* IAT can be found in a PE's header under `IMAGE_OPTIONAL_HEADER`. The references are provided by an API call or the __Thunk Table__ +* __Dynamic Loading__ can be used to call the address of a library function instead of IAT + +### Dynamic Loading + +* The structure of a call has to be defined, an example is [GetComputerNameA](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcomputernamea) + +* Get the handle of the module where the address that will be called resides in +* Get the process address of the loaded function address + +```c +#include +#include +#include + +// Compilation via i686-w64-mingw32-g++ -fPIC nosig.c -o nosig.exe + +typedef BOOL (WINAPI* myNotGetComputerNameA)( + LPSTR lpBuffer, + LPDWORD nSize +); + +int main ( void ) { + HMODULE hkernel32 = LoadLibraryA("kernel32.dll"); + myNotGetComputerNameA notGetComputerNameA = (myNotGetComputerNameA) GetProcAddress(hkernel32, "GetComputerNameA"); + printf("GetComputerNameA: 0x%p\\n", notGetComputerNameA); + CHAR hostName[260]; + DWORD hostNameLength = 260; + if (notGetComputerNameA(hostName, &hostNameLength)) { + printf("hostname: %s\\n", hostName); + } +} +```
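Review bot: the code blocks in this hunk do not run as written and should be fixed or explicitly marked as pseudocode before merging. In "Check Binary Against AV", `head --bytes > sig.exe` has neither a byte count nor an input file, so the split step is incomplete as documented. The Python bit-flipping script has several defects: `sys.argc` should be `sys.argv`; `_f.read` is referenced but never called; iterating a `bytes` object yields ints, so `ord(c)` raises `TypeError`; `''.join(str(x) for x in current)` builds a text string for a file opened in binary mode and is missing its closing parenthesis; and `return 0` at module level is a `SyntaxError`. The bullet above it mentions adding `NOP`s, but the script only XORs one byte per output file, so the text and code disagree. The `signtool verify` loop expects `flipped\%%A.exe` starting at 1, while the script writes `{i}.exe` into the current directory starting at 0, so the verification step will not find the generated files (and it is `cmd` batch syntax inside an `sh` fence). In the C example the three `#include` directives have no header names, and the `\\n` sequences in the `printf` calls are doubled backslashes that print literally instead of as newlines. On the prose side, "Import Adress Table" is misspelled, and describing the IAT as "the PLT of windows" is imprecise: the IAT holds the resolved import addresses (the role the GOT plays in ELF), while the thunk stubs that jump through it are the PLT analogue.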