03-16-2018, 18:32
0xall0c
Evading behavior analysis

This is my first post on exetools, so hello to all.

I generally experiment with post-exploitation tools and sometimes develop my own. What I have noticed working with major antivirus products is that evading detection statically or in memory is easy (call APIs dynamically and obfuscate strings, followed by ghostwriting or process hollowing), but the behavior analysis at run time detects the payload.

As I was testing with Kaspersky and Avast, the payload executed successfully, but after a few minutes it was detected by the behaviour analysis module and neutralized.

To resolve this problem, I proposed that if I can hook all API calls in the payload exe and choose a random time interval or API call before the execution of the original API, maybe behaviour detection can be evaded.

I would like to discuss this more and want to know what your thoughts are on this, and if someone can propose a better solution.

Please enlighten me, and apologies if I did something wrong.
The Following 2 Users Say Thank You to 0xall0c For This Useful Post:
Conquest (03-18-2018), niculaita (03-17-2018)
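The post proposes inserting random pauses before each API call so that a behaviour-analysis module sees no recognisable sequence. Seen from the detection side, those pauses are themselves a signal: a process-hollowing chain (CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) whose members are each separated by long, irregular stalls looks different from the same chain executed back to back. The example below is added here and is not code from the original post or from any vendor's product; it assumes a simple constructed trace format of "millisecond-timestamp api-name" per line, a hypothetical list of injection-related APIs, and hypothetical thresholds (500 ms stall, two or more stalled sensitive calls) that a real detector would tune against its own baseline.

```python
"""Defender-side illustration (added example, not from the original post):
flag API-call traces in which injection-related calls are each preceded by
long, irregular pauses, the pattern a randomised-delay hook would leave."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical watch list of APIs used in process hollowing / injection.
SENSITIVE_APIS = {
    "NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "SetThreadContext", "CreateRemoteThread", "ResumeThread",
}


@dataclass
class Event:
    t_ms: float   # timestamp in milliseconds since trace start
    api: str      # API name as recorded by the tracer


def parse_trace(text: str) -> list[Event]:
    """Parse the constructed 'timestamp api' format, skipping comments/blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, api = line.split(None, 1)
        events.append(Event(float(ts), api.strip()))
    return events


def stalled_sensitive_calls(events: list[Event], min_gap_ms: float = 500.0):
    """Return (api, gap_ms) for each sensitive call preceded by a long pause."""
    found = []
    for prev, cur in zip(events, events[1:]):
        gap = cur.t_ms - prev.t_ms
        if cur.api in SENSITIVE_APIS and gap >= min_gap_ms:
            found.append((cur.api, gap))
    return found


def score_trace(events: list[Event], min_gap_ms: float = 500.0,
                min_stalls: int = 2) -> dict:
    """Summarise stall behaviour and give a verdict.

    stall_gap_cv is the coefficient of variation of the stall lengths: fixed
    Sleep() calls give a value near 0, randomised delays give a clearly
    positive value. Both are reported so an analyst can see which it is.
    """
    stalls = stalled_sensitive_calls(events, min_gap_ms)
    gaps = [g for _, g in stalls]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else 0.0
    verdict = "suspicious" if len(stalls) >= min_stalls else "clean"
    return {"stalled": stalls, "stall_count": len(stalls),
            "stall_gap_cv": round(cv, 3), "verdict": verdict}


# Constructed sample traces (not captured from any real product or sample).
SUSPICIOUS_TRACE = """\
# ms-timestamp api-name
0.0 GetModuleHandleW
2.1 GetProcAddress
4.0 CreateProcessW
812.5 NtUnmapViewOfSection
2301.7 VirtualAllocEx
3050.2 WriteProcessMemory
5120.9 SetThreadContext
5130.0 ResumeThread
"""

BENIGN_TRACE = """\
0.0 GetModuleHandleW
1.5 GetProcAddress
3.2 CreateProcessW
6.0 WaitForSingleObject
10.4 CloseHandle
"""

if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(name, score_trace(parse_trace(trace)))
```

The point of reporting the coefficient of variation alongside the count is that the proposed evasion trades one artefact for another: removing the tight timing of the injection sequence leaves a sequence whose timing is abnormally loose, and a monitor that baselines inter-call gaps for these APIs can key on that just as well as on the original order.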