Windows Defender is enabled by default in all modern versions of Windows, making it an important mitigation for defenders and a potential target for attackers. While Defender has significantly improved in recent years it still relies on age-old AV techniques that are often trivial to bypass. In this post we’ll analyse some of those techniques and examine potential ways they can be bypassed.

Antivirus 101

Before diving into Windows Defender we wanted to quickly introduce the main analysis methods used by most modern AV engines:

Static Analysis – Involves scanning the contents of a file on disk and primarily relies on a set of known-bad signatures. While this is effective against known malware, static signatures are often easy to bypass, meaning new malware is missed. A newer variation of this technique is machine-learning-based file classification, which essentially compares static features against known good and bad profiles to detect anomalous files.

Process Memory/Runtime Analysis – Similar to static analysis, except running process memory is analysed instead of files on disk. This can be more challenging for attackers, as it is harder to obfuscate code in memory while it is executing, and off-the-shelf payloads are easily detected.

It’s also worth mentioning how scans can be triggered:

File Read/Write – Whenever a new file is created or modified this can potentially trigger the AV and cause it to initiate a scan of the file.

Periodic – AV will periodically scan systems; daily or weekly scans are common and this can involve all or just a subset of the files on the system. This concept also applies to scanning the memory of running processes.

Suspicious Behaviour – AV will often monitor for suspicious behaviour (usually API calls) and use this to trigger a scan; again this could be of local files or process memory.

In the next few sections we’ll discuss potential bypass techniques in more detail.

Bypassing Static Analysis With a Custom Crypter

One of the most well-documented and easiest ways to bypass static analysis is to encrypt your payload and decrypt it upon execution. This works by creating a unique payload every time, rendering static file signatures ineffective. There are multiple open source projects which demonstrate this (Veil, Hyperion, PE-Crypter etc.); however, we also wanted to test memory injection techniques, so we wrote a custom crypter to incorporate them in the same payload. The crypter would take a “stub” to decrypt, load and execute our payload, and the malicious payload itself. Passing these through our crypter would combine them into our final payload, which we can execute on our target. The proof of concept we created included support for a number of different injection techniques that are useful to test against AVs, including local/remote shellcode injection, process hollowing and reflective loading. Parameters for these techniques were passed in the stub options.

All of the above techniques were able to bypass Windows Defender’s static file scan when using a standard Metasploit Meterpreter payload. However, despite execution succeeding, we found that Windows Defender would still kill the Meterpreter session when commands such as shell/execute were used. But why?

Analysing Runtime Analysis

As mentioned earlier in this post, memory scanning can be periodic or “triggered” by specific activity. Given that our Meterpreter session was only killed when shell/execute was used, it seemed likely this activity was triggering a scan. To try and understand this behaviour we examined the Metasploit source code and found that Meterpreter used the CreateProcess API to launch new processes.

if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, (STARTUPINFOA*)&si, &pi))

Inspecting the arguments of CreateProcess and the code around it, nothing suspicious could be found. Debugging and stepping through the code also didn’t reveal any userland hooks, but once the syscall is executed on the 5th line, Windows Defender would find and kill the Meterpreter session.

[Figure: F secure scanner code]

This suggested that Windows Defender was logging activity from the kernel and would trigger a scan of process memory when specific APIs were called.
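To make the two scan paths discussed in this post concrete, here is an added Python model that is not code from the original post or from the authors’ crypter. It walks a constructed payload through a signature-only static scan (which misses the stream-encrypted on-disk form) and an entropy heuristic (which flags it), and then through a memory scanner that fires only on a CreateProcess-style trigger and finds the decrypted in-memory image. The signature bytes, payload contents, PID, the SHA-256 counter-mode keystream used to stand in for a crypter, and the entropy threshold are all constructed assumptions for this example.

```python
"""Model of the two scan paths: a static file scan on disk and a memory
scan triggered by a process-creation event. All data is constructed."""
import hashlib
import math
from collections import Counter

# Constructed: a byte pattern standing in for a static AV signature.
SIGNATURE = b"METERPRETER_STUB_PATTERN"

# Constructed: a fake payload image containing the signature, padded with
# low-entropy text and zeros so it resembles ordinary program data.
PAYLOAD = (b"MZ" + b"this program cannot be run in DOS mode " * 40
           + SIGNATURE + b" " * 16 + b"\x00" * 512)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream (hypothetical crypter model)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def transform(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the original bytes."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data approaches 8.0, plain text sits far lower."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def static_scan(file_bytes: bytes) -> bool:
    """Signature-only static scan; True means 'detected'."""
    return SIGNATURE in file_bytes


def static_scan_with_entropy(file_bytes: bytes, threshold: float = 7.0) -> bool:
    """Static scan that also flags high-entropy (likely encrypted or packed) images."""
    return SIGNATURE in file_bytes or shannon_entropy(file_bytes) > threshold


class Process:
    """Minimal stand-in for a running process and its memory contents."""
    def __init__(self, pid: int, memory: bytes):
        self.pid = pid
        self.memory = memory


class TriggeredMemoryScanner:
    """Scans a process's memory only when a trigger API is observed."""
    TRIGGER_APIS = {"CreateProcess"}   # constructed trigger set

    def __init__(self):
        self.scans = 0
        self.detections = []

    def on_api_call(self, proc: Process, api: str) -> bool:
        """Return True if this call triggered a scan that found the signature."""
        if api not in self.TRIGGER_APIS:
            return False
        self.scans += 1
        hit = SIGNATURE in proc.memory
        if hit:
            self.detections.append((proc.pid, api))
        return hit


def run_scenario(key: bytes = b"build-key-1") -> dict:
    """Walk the encrypted payload through both scan paths and return the verdicts."""
    on_disk = transform(PAYLOAD, key)        # what the crypter writes to disk
    in_memory = transform(on_disk, key)      # what the stub restores at runtime
    proc = Process(pid=1234, memory=in_memory)
    scanner = TriggeredMemoryScanner()
    return {
        "static_signature_hit": static_scan(on_disk),
        "static_entropy_hit": static_scan_with_entropy(on_disk),
        "disk_entropy": round(shannon_entropy(on_disk), 2),
        "memory_hit_on_write": scanner.on_api_call(proc, "WriteFile"),
        "memory_hit_on_createprocess": scanner.on_api_call(proc, "CreateProcess"),
        "memory_scans": scanner.scans,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Changing the key yields a different on-disk image each time, so the signature scan keeps missing it, while the entropy check and the triggered memory scan keep catching it; that is the gap between static and runtime analysis the post describes.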