Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Cover
Title page
Copyright and Credits
Recommendation
Contributors
Table of Contents
Preface
Section 1: Know the Antivirus – the Basics Behind Your Security Solution
Chapter 1: Introduction to the Security Landscape
	Understanding the security landscape
	Defining malware
		Types of malware
	Exploring protection systems
	Antivirus – the basics
	Antivirus bypass in a nutshell
	Summary
Chapter 2: Before Research Begins
	Technical requirements
	Getting started with the research
	The work environment and lead gathering
		Process
		Thread
		Registry
	Defining a lead
	Working with Process Explorer
	Working with Process Monitor
	Working with Autoruns
	Working with Regshot
	Third-party engines
	Summary
Chapter 3: Antivirus Research Approaches
	Understanding the approaches to antivirus research
	Introducing the Windows operating system
	Understanding protection rings
	Protection rings in the Windows operating system
	Windows access control list
	Permission problems in antivirus software
		Insufficient permissions on the static signature file
		Improper privileges
	Unquoted Service Path
	DLL hijacking
	Buffer overflow
		Stack-based buffer overflow
		Buffer overflow – antivirus bypass approach
	Summary
Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
Chapter 4: Bypassing the Dynamic Engine
	Technical requirements
	The preparation
		Basic tips for antivirus bypass research
	VirusTotal
	VirusTotal alternatives
	Antivirus bypass using process injection
		What is process injection?
		Windows API
		Classic DLL injection
		Process hollowing
		Process doppelgänging
		Process injection used by threat actors
	Antivirus bypass using a DLL
		PE files
		PE file format structure
		The execution
	Antivirus bypass using timing-based techniques
		Windows API calls for antivirus bypass
		Memory bombing – large memory allocation
	Summary
	Further reading
Chapter 5: Bypassing the Static Engine
	Technical requirements
	Antivirus bypass using obfuscation
		Rename obfuscation
		Control-flow obfuscation
		Introduction to YARA
		How YARA detects potential malware
		How to bypass YARA
	Antivirus bypass using encryption
		Oligomorphic code
		Polymorphic code
		Metamorphic code
	Antivirus bypass using packing
		How packers work
		The unpacking process
		Packers – false positives
	Summary
Chapter 6: Other Antivirus Bypass Techniques
	Technical requirements
	Antivirus bypass using binary patching
		Introduction to debugging / reverse engineering
		Timestomping
	Antivirus bypass using junk code
	Antivirus bypass using PowerShell
	Antivirus bypass using a single malicious functionality
	The power of combining several antivirus bypass techniques
		An example of an executable before and after peCloak
	Antivirus engines that we have bypassed in our research
	Summary
	Further reading
Section 3: Using Bypass Techniques in the Real World
Chapter 7: Antivirus Bypass Techniques in Red Team Operations
	Technical requirements
	What is a red team operation?
	Bypassing antivirus software in red team operations
	Fingerprinting antivirus software
	Summary
Chapter 8: Best Practices and Recommendations
	Technical requirements
	Avoiding antivirus bypass dedicated vulnerabilities
		How to avoid the DLL hijacking vulnerability
		How to avoid the Unquoted Service Path vulnerability
		How to avoid buffer overflow vulnerabilities
	Improving antivirus detection
		Dynamic YARA
		The detection of process injection
		Script-based malware detection with AMSI
	Secure coding recommendations
		Self-protection mechanism
		Plan your code securely
		Do not use old code
		Input validation
		PoLP (Principle of Least Privilege)
		Compiler warnings
		Automated code testing
		Wait mechanisms – preventing race conditions
		Integrity validation
	Summary
	Why subscribe?
About Packt
Other Books You May Enjoy
Index