Problems with heuristics (injection and autorun)

Als Gast hast du nur eingeschränkten Zugriff!

Anmelden

Benutzerkonto erstellen

Du bist nicht angemeldet und hast somit nur einen sehr eingeschränkten Zugriff auf die Features unserer Community.
Um vollen Zugriff zu erlangen musst du dir einen Account erstellen. Der Vorgang sollte nicht länger als 1 Minute dauern.

Antworte auf Themen oder erstelle deine eigenen.
Schalte dir alle Downloads mit Highspeed & ohne Wartezeit frei.
Erhalte Zugriff auf alle Bereiche und entdecke interessante Inhalte.
Tausche dich mich anderen Usern in der Shoutbox oder via PN aus.

#1
LVArturs

Geschrieben 10 May 2018 - 23:34 Uhr

Noob

Members

Likes

3 Beiträge
0 Bedankt

I have two questions.

First, is process hollowing still viable? I can get past ESET and Kaspersky, but Avast! Behaviour Shield always catches it, no matter what I do. Should I try RtlCreateUserProcess instead of CreateProcess? Maybe changing order, where viable, or using interchangeable Nt (or Zw) functions instead of some of the ones in this list:

    CreateProcess
    NtUnmapViewOfSection
    VirtualAllocEx
    WriteProcessMemory
    GetThreadContext
    SetThreadContext
    ResumeThread

Or is this a dead end, and I should venture in finding another method?

Second, autorun usually increases heuristic scores a lot (if I add autorun methods on top of process hollowing, then only ESET lets it through). Dropping an icon in the Startup folder seems somewhat less detectable than adding registry entries, but still not good enough. Are there alternative methods or should I look at other parts of code to decrease the score?

Thanks.

Bearbeitet von LVArturs, 10 May 2018 - 23:52 Uhr.

Nach oben
Melden

#2
gr33d

Geschrieben 13 May 2018 - 16:42 Uhr

Pentester

Premium Member

Likes

169

130 Beiträge
472 Bedankt

Jabber
Android [root]
Windows, Linux

I think the AVs hook the NtDll so it doesn't matter which API you use. You could try to selfinject and resolve all the imports, patch the imagebase and jmp to AddressOfEntryPoint.

That way you only need VirtualAlloc, LoadLibrary and GetProcAddress.

Nach oben
Melden

Thanked by 1 Member:

LVArturs

#3
LVArturs

Geschrieben 15 May 2018 - 01:11 Uhr

Noob

Members

Likes

3 Beiträge
0 Bedankt

Yeah, I guess I could, but, embarassingly, I'm doing the hollowing from a managed process through pInvoke and stuff, so I don't know if self-injecting a native process from a managed one would work.

Okay, I'm hijacking my own thread and changing the topic slightly - say I'm launching a managed process from a managed one - that's easy and AV usually have no issue with this + autorun. But whenever it gets to actually running the payload, say a RAT, it is usually detected. How? My guess would be by how the RAT communicates back home. Could that be it? Because, before I start modifying sources or maybe even decompiling .NET RATs and their libraries and then editing, it would be nice to know what to look at. Or is there no general way detection is done, and I'm back to trial & error?

Nach oben
Melden

Thema	Forum	Themenstarter	Statistik	Letzter Beitrag
Are You looking for easy way to make money and you want to b	Abgelehnt / Rejected	Johnniewalker	0 Antworten 1132 Aufrufe	20 December 2024 - 12:24 Uhr Von: Johnniewalker
Are You looking for easy way to make money and you want to b	Abgelehnt / Rejected	Johnnie_walker	0 Antworten 1062 Aufrufe	20 December 2024 - 09:13 Uhr Von: Johnnie_walker
Are You looking for easy way to make money and you want to b	Abgelehnt / Rejected	Johnnie_walker	0 Antworten 93 Aufrufe	20 December 2024 - 09:12 Uhr Von: Johnnie_walker