This blog post accompanies the talk we gave at Insomni’hack 2022. The source code as well as the slides can be found at: https://github.com/scrt/avdebugger Introduction What can we do when a tool that we use during pentest engagements becomes detected by antivirus software? For a long time, the answer was: use a packer. After a … Continue reading Automatically extracting static antivirus signatures

In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so … Continue reading Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin

Previous blog posts addressed the issue of static artefacts that can easily be caught by security software, such as strings and API imports: This one provides an additional layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e userland hooks. As usual, source code was published at https://github.com/scrt/avcleaner … Continue reading Engineering antivirus evasion (Part III)