Introduction:
There are many ways to bypass AV software: tricking the scanner, changing the program's observable behaviour, and so on. The method used here is simpler: build the executable with extra debug information that the program itself never needs.
The Detection Methods:
There are a few common methods AV software uses to decide that a process or file on Windows is doing something wrong, such as:
- WinAPI functions that give you access to other processes (OpenProcess, CreateProcess, etc.).
- Well-known call sequences used for DLL or process injection (VirtualAlloc/VirtualAllocEx followed by WriteProcessMemory).
- Behavioural analysis (what the process does at runtime).
- Memory scanning.
Down The Rabbit Hole:
Since the things listed above are exactly what the tool needs to do, you cannot simply avoid them. This is where the trick comes in: AV engines very often key on a chain of function calls (behavioural analysis) and on byte patterns in the file (pattern scanning). So what if we keep the calls but change what the file looks like?
For example, a CreateProcess routine is flagged almost at once if you pass the CREATE_SUSPENDED flag, because that is the usual first step of process hollowing; a single CreateProcess call also expands into roughly 10 to 15 NT functions and system calls, which is what a kernel-side monitor sees. To get past this kind of detection we add debug information and a set of debug-oriented build settings to the release build, so the whole thing looks like a debugging test build rather than a stripped, optimised payload.
A set of debug settings in the .exe changes the compiled image: the linker adds a debug directory with a CodeView record (the path and GUID of the .pdb) and, unless told otherwise, stops discarding unreferenced functions, so the code layout and byte patterns differ from a plain release build of the same source. Signatures written against the usual release output no longer match. Note what this does not do: a user-mode hook or kernel callback on CreateProcess still sees the same call with the same flags. The debug information changes the file, not the calls, so it helps against pattern scanning and file-level heuristics, not against a monitor watching the calls themselves.
How to do it:
You will need Visual Studio for this. In the Project Property Pages for the Release configuration, change these settings:
- Set Whole Program Optimization to No Whole Program Optimization
- Set SDL Checks to No (/sdl-)
- Set Optimization to Maximum Optimization (Favor Speed) (/O2)
- Set Favor Size or Speed to Favor fast code (/Ot)
- Set Generate Debug Info to Generate Debug Information (/DEBUG)
NOTE: These settings increase the size of the executable and produce a .pdb file next to it.
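The five settings above, written out as the MSBuild properties Visual Studio stores in the project's .vcxproj for the Release|x64 configuration. This fragment is added here as an example and is not a project file from the article; the toolset version, the console subsystem, the project-level properties around the ones the article names, and the extra Debug Information Format (/Zi) entry are assumptions, and the PE details in the comments are mine, not the article's.

```xml
<!-- Release|x64 fragment of an MSVC .vcxproj (added example; project name, GUID,
     source lists and the standard Microsoft.Cpp imports are omitted). -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <!-- Configuration Properties > General/Advanced:
       Whole Program Optimization = No Whole Program Optimization
       (no /GL at compile time, no /LTCG at link time) -->
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset> <!-- assumed: VS 2022 toolset -->
    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>

  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <!-- C/C++ > General > SDL checks = No                                   (/sdl-) -->
      <SDLCheck>false</SDLCheck>
      <!-- C/C++ > Optimization > Optimization = Maximum Optimization (Favor Speed) (/O2) -->
      <Optimization>MaxSpeed</Optimization>
      <!-- C/C++ > Optimization > Favor Size Or Speed = Favor fast code        (/Ot) -->
      <FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
      <!-- Same setting as the PropertyGroup above, at the compiler level (no /GL) -->
      <WholeProgramOptimization>false</WholeProgramOptimization>
      <!-- C/C++ > General > Debug Information Format = Program Database      (/Zi)
           Not in the article's list; added so the .pdb carries compiler symbols
           and not only what the linker records. -->
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
    </ClCompile>
    <Link>
      <!-- Linker > Debugging > Generate Debug Info = Generate Debug Information (/DEBUG)
           Writes an IMAGE_DEBUG_DIRECTORY entry (CodeView "RSDS" record with the
           .pdb GUID, age and path) into the executable and, unless /OPT:REF and
           /OPT:ICF are set explicitly, defaults to /OPT:NOREF /OPT:NOICF. -->
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <SubSystem>Console</SubSystem> <!-- assumed -->
    </Link>
  </ItemDefinitionGroup>
</Project>
```

Each property holds exactly the value the Property Pages dialog writes, so editing the file by hand and reloading the project gives the same result as clicking through the dialog. After building, `dumpbin /HEADERS` on the output shows a Debug Directories section with the RSDS record, including the full .pdb path from the build machine; if that path should not appear in the shipped binary, set the linker's /PDBALTPATH option.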
Final Words:
This article was a brief look at how to bypass AV this way and why the idea works. You will have to test it and adapt it to your own code. I tried it in the wild and it worked fine on the most common AV products.
-Good Luck ✌