SecurityXploded.com
SecurityTrainings
Mailing List Join us on Google+ Twitter facebook RSS Feeds
Bypassing Anti-virus using Code Injection Technique | www.SecurityXploded.com
 
 
Bypassing Anti-virus using Code Injection Technique
Author: Amit Malik aka DouBle_Zer0 
 
 
 
See Also
 
 
Contents
 
 
Introduction
This article throws light on how 'Code Injection' or 'DLL Injection' technique can be used as prominent weapon along with other techniques to bypass Anti-virus softwares. It also explains top level technical details revolving around EXE internals, protectors/packers, encoded shellcodes, inner working of Antivirus etc
 
 
Accompanying this article, you will find video demonstration of 'Injector (POC Tool)' which shows code injection technique to successfully bypass Antivirus software on the system.
 
 
 
Antivirus
Antivirus (or anti-virus) Software is used to prevent, detect, and remove, malware, including computer viruses, worms, and Trojan horse. Such programs may also prevent and remove adware, spyware, and other forms of malware. Ė Wikipedia

Antivirus play a major role for the security of a system. But for hackers/ pentesters , it creates some big problems. During the post exploitation phase we have some sort of excess on the victim machine and generally we want to upload some tools on the victim machine for better control but here antivirus play with our tools and detect them as a malicious file and delete them. Now it may be possible if you are using your own tool then antivirus may fail to detect it but this is rare situation during a pentesting. In case, if we use publicly exposed tools then there is higher probability of getting caught by antivirus.

A simple example: Suppose we have a reverse shell now we know that this is a single connection to our machine from our victim and we donít want to loose it at any condition. So we upload some tools on the victim machine like netcat or other executable (may be generated from metasploit) to get a backup connection etc.. may be to upgrade our shell to merepreter shell. But our victim is using a anti virus and anti virus delete the uploaded files. Now we need something else means either bypass AV or write our own code. But the question here is how antivirus is able to detect our executables (.exe).
 
 
 
Executables (.EXE)
Basically exe files not only contain your code but also contain some important data that is only meaningful for a Operating system loader.

AAnd technical name for that data is PE (portable executable) file header/ PE file format. I am not explaining pe file format here. Here is the snapshot,
 
Injector 1
 
 
 
PEview - PE File Viewer Tool
 
Injecto peview
 
So when we execute exe, windows loader first read the PE header and on the basis of header information loader loads the file into memory.br>
Executable Detection (top level view):
 
Injector Flow
 
So when we copy the file on system then antivirus scan the file (check for known signatures) and if the file is malicious then delete the file.
 
 
 
Encrypter/packer/protector
 
The above technologies (Encrypter/packer/protector) are not only to evade anti viruses. People also use them for ethical work. Basically encryptor/packers encrypt/pack the file and add the decryption/unpacking routine into the file. So when we execute the file windows loader loads the file on the basis of PE header (encryptor/packer does not pack the PE header of a file they only change the necessary values in PE header. Eg. Address of entry point, sections etc..). so the unpacking work something like this:
 
Injector - Encryptor
 
SSo unpacking/decryption routine unpack the code and then jump on the Original Entry Point (on our real code freshly recovered from unpacking routines).

So if we pack the exe with any packer then Antivirus should not be able to detect the exe?. Ok now its time to do some practical.
Pack any malicious file with UPX (a freeware packer) and then test again with Antivirus. You should see that your AV is again popping up the alert and telling that hey don't try to fool me it is malicious.. But our file was packed how AV still know that it is a malicious file and the answer is AV has also signature for UPX, so what AV is doing it loads the file detect the packer then decrypt/unpack(AV also know how to unpack UPX packed files ?) the file and then test the file, And this is the reason that AV still know that file is malicious. But hey where is proof that AV is doing all this shit to test file.

Ok to prove just open the same packed file in a hex editor and just overwrite the starting bytes with some garbage values and then again test it with your AV. Now you should see that AV is saying that file is clean (Reason: Because file is corrupted and AV have no option to unpack/decrypt it) fantastic that's all we want.
 
 
 
Concept of Code Injection - Ingeneric way to bypass AV
 
BBecause exe files are going to detected by AVs( at least if you pack them with the publicly exposed packers/encryptors). So we have to think in a another way.

And the another way is: split the exe into two parts (not physically)
  1. The core code (the actual code that performs a specific task for eg. Bind shell)
  2. The interface - a mechanism that will inject the code into memory and execute that code.
So the functioning is something like this:
 
Injector
 
Note that from the above explanation we know that shellcode/code into a file is not going to be detected by AV because AV donít know how to decode shellcode. (Donít talk about Heuristic, I know AV vendors are joking ?)

Important Note: you may be thinking that why I am saying encoded shellcode because if you use metasploit shellcodes there signatures may be in AVs. If you encode the shellcode with any available encoder in metasploit then AVs not able to decode it in a file and not able to detect it (if you don't understand it read the whole stuff again ?). Although in some cases (Eg. Avast may be with others also) AV not alert if you use shellcodes that are not encoded because AV think that txt file are lame files. But if you force fully scan the file than AV alert.

Second part of the concept is the interface that will inject the code into a process. Code injection is not a new concept (dll injection is one of the most popular example).

Note: All the things are generic and are not specific to any tool or shellcodes. Metasploit and shellcodes are used only to demonstrate the concept. You can also inject your codes "that are detectable to AV in exe mode" with this method and can bypass AV.

Things that you can do with this method:
  1. Can backdoor a process
  2. Can provide many backup shells (every type)
 
We can use publically available tool (malicious) without fear and too many other things limited to your wild imaginations.
 
Injector
 
 
 
Video Demonstration
 
Here is the video demonstration showing Injection in action
 
 
 
 
Download Injector
You can click on below link to download the source code and executable for the Injector - Proof of Concept code.
 
 
 
 
References
  1. Metasploit - Popular Penetration Testing Framework
  2. UPX - Ultimate Packer for Executables
  3. PEview - PE File Viewer Tool
  4. An In-depth Look into the Win32 Portable Executable File Format
  5. Three Ways to Inject Your Code into Another Process
  6. Fsecure Malware Analysis Course (free)
 
 
See Also