Metasploit mailing list archives

Video Bypassing AntiVirus with Metasploit


From: arcsighter at gmail.com (ArcSighter Elite)
Date: Thu, 15 Jan 2009 16:47:27 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thierry Zoller wrote:
> Dear ArcSighter Elite,
>
> ==
> Exception to these are KAV and BitDefender who implement different
> proactive methods that detect this memory stuff.
> ==
>
> They are easy to bypass too, I remember (just an example) that KAV
> was bypassable by setting the date back to a date the license was
> invalid (kept me laughing for a few minutes).


Pardon me, but that was the first trick against KAV and it is silly; the
best that could be achieved with that technique is setting the date
back, then finding KAV's notification window and closing it, then
loading the backdoor, then restoring the date, and closing another
window. In summary: silly.

Secondly, let me tell you I'm off topic, as I said, but if my memory
doesn't fail me, KAV's proactive defense was triggered by its hooks
into ReadProcessMemory and CreateProcess. BitDefender was a little
bit more conscientious and implemented some sort of REAL memory scan.

Those were the first-generation crypters, as far as we go today.
I didn't say they couldn't be bypassed, because I did bypass them; I
just said they were a little bit trickier.

As I said, and for the record in case I have no time to finish it:
*ALL* AVs should be bypassable by creating a process that reflectively
loads a PE (the backdoor) stored encrypted in its resource or data
section. Of course, the backdoor's behavior could trigger the AV in
some cases, such as registry access; that's why I preferred coding my
own.

Sincerely.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklvrusACgkQH+KgkfcIQ8dM2gCgzVvRa6APyWCKtkkQPIwG7kde
zfgAoOADsDBH4JyLIDS2suquEN+jrm4g
=o6oU
-----END PGP SIGNATURE-----
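The "reflectively loads a PE encrypted from its resource or data section" step described in the message above, as an added example that is not part of the original thread and not ArcSighter's or Metasploit's code. It shows what a loader stub has to do before anything runs: decrypt the embedded blob, parse the PE headers, lay the sections out at their RVAs, and patch every DIR64 slot in the .reloc table when the image cannot be placed at its preferred base. The sample PE32+ image, the repeating-key XOR "cipher" standing in for the crypter's real cipher, the key and the load addresses are all constructed assumptions. The Windows-specific parts (pulling the blob out of a resource with FindResource/LoadResource, VirtualAlloc/VirtualProtect, import resolution, jumping to the entry point) are deliberately left out; the code stops at a flat relocated image, which is exactly the artifact an in-memory scanner like the BitDefender one mentioned above would be looking at.

```python
"""Added example: decrypt -> map -> relocate stage of a reflective PE loader,
run over a constructed PE32+ image. Nothing here executes the payload."""
import struct

IMAGE_BASE = 0x140000000               # assumed preferred base of the sample PE
TEXT_RVA, RELOC_RVA = 0x1000, 0x2000
IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_DIR64 = 0, 10
KEY = b"constructed-demo-key"          # assumption: key the crypter would embed


def build_sample_pe() -> bytes:
    """Constructed PE32+ file: .text = `mov rax, <abs ptr>; ret` plus a string,
    .reloc = one block with a DIR64 fixup for that absolute pointer."""
    text = bytearray(0x200)
    text[0:2] = b"\x48\xb8"                                       # mov rax, imm64
    text[2:10] = struct.pack("<Q", IMAGE_BASE + TEXT_RVA + 0x10)  # needs relocation
    text[10] = 0xC3                                               # ret
    text[0x10:0x16] = b"hello\0"
    reloc = struct.pack("<IIHH", TEXT_RVA, 12,                    # page, SizeOfBlock
                        (IMAGE_REL_BASED_DIR64 << 12) | 0x2,      # DIR64 at +0x2
                        IMAGE_REL_BASED_ABSOLUTE).ljust(0x200, b"\0")  # padding entry
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, TEXT_RVA, TEXT_RVA)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", IMAGE_BASE, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x160,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[5] = (RELOC_RVA, 12)                                     # base reloc directory
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)

    def sec(name, rva, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)

    headers = (dos + coff + opt + sec(b".text", TEXT_RVA, 0x200, 0x60000020)
               + sec(b".reloc", RELOC_RVA, 0x400, 0x42000040)).ljust(0x200, b"\0")
    return bytes(headers + text + reloc)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for the crypter's cipher: repeating-key XOR (symmetric, not secure)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def read_u64(image, rva: int) -> int:
    return struct.unpack_from("<Q", image, rva)[0]


def map_image(pe: bytes):
    """Parse the headers and copy each section to its RVA in a SizeOfImage buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B or machine != 0x8664:
        raise ValueError("only PE32+ / x64 handled here")
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    image_base, = struct.unpack_from("<Q", pe, opt + 24)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    reloc_rva, reloc_size = struct.unpack_from("<II", pe, opt + 112 + 5 * 8)
    image = bytearray(size_of_image)
    image[:size_of_headers] = pe[:size_of_headers]
    for i in range(nsections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        n = min(vsize, rawsize)
        image[va:va + n] = pe[rawptr:rawptr + n]
    return image, dict(entry_rva=entry_rva, image_base=image_base,
                       reloc_rva=reloc_rva, reloc_size=reloc_size)


def apply_relocations(image: bytearray, info: dict, new_base: int) -> int:
    """Add (new_base - preferred base) to every DIR64 slot; returns fixup count."""
    delta = new_base - info["image_base"]
    fixups = 0
    if delta == 0 or info["reloc_size"] == 0:
        return fixups
    pos, end = info["reloc_rva"], info["reloc_rva"] + info["reloc_size"]
    while pos < end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8:
            raise ValueError("corrupt relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue                                  # alignment padding
            if rtype != IMAGE_REL_BASED_DIR64:
                raise ValueError(f"unsupported relocation type {rtype}")
            slot = page_rva + offset
            struct.pack_into("<Q", image, slot, (read_u64(image, slot) + delta) & (2**64 - 1))
            fixups += 1
        pos += block_size
    return fixups


def load_encrypted_image(blob: bytes, key: bytes, new_base: int) -> dict:
    """The stub's job: decrypt the embedded PE, map it, relocate it to new_base."""
    image, info = map_image(xor_stream(blob, key))
    info["fixups"] = apply_relocations(image, info, new_base)
    info["image"] = image
    return info


if __name__ == "__main__":
    blob = xor_stream(build_sample_pe(), KEY)          # what would sit in .rsrc/.data
    r = load_encrypted_image(blob, KEY, 0x7FF6A0000000)
    print(f"entry RVA {r['entry_rva']:#x}, {r['fixups']} fixup(s), "
          f"ptr -> {read_u64(r['image'], 0x1002):#x}")
```

The relocation walk is where hand-rolled loaders usually break: a block's SizeOfBlock includes its 8-byte header, padding entries of type ABSOLUTE must be skipped rather than applied, and a loader that silently ignores unknown relocation types produces an image that looks fine on disk and crashes at the first absolute reference.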
