
AV Evasion (免杀) Basics: Learning Record

Views: 888 / Published 2024-08-16 13:58:08

Preface
Based on the SecretTeam security team's learning notes.
What is AV evasion (免杀)?
AV evasion (Anti-Virus Evasion, "免杀", literally "no-kill") means getting malware to execute successfully on a target system by circumventing the recognition and interception of antivirus software and other security detection systems through various means. The technique is used not only to distribute malware but also by security researchers to test and improve protection products. Depending on whether source code is available, evasion falls into two scenarios:
● Binary-level evasion
Working directly on a binary program with black-box methods: modifying data, adding packers and junk instructions, locating and modifying signature codes, and so on.
● Source-level evasion
Achieving evasion by modifying the source code (likely to be the mainstream approach in the future).

Working directly on a binary program is technically harder and the results are poor, so the binary is usually converted into a piece of shellcode and a loader is used to execute that shellcode, which turns a binary-level problem into a source-level one. By the stage at which detection happens, evasion is also divided into two phases:
● Static evasion
Static evasion resists the static scanning of antivirus software. Static scanning generally extracts characteristic strings from a file and compares them against the signature codes in the vendor's virus database to decide whether the file is malicious, so static evasion is generally achieved by modifying or covering up the file's signature codes.
● Dynamic evasion
Dynamic evasion resists the dynamic checks of antivirus software, such as memory scanning and behavioral analysis.
Characteristics of common antivirus products
360
360 is something of an all-rounder and ranks at the top domestically in basically every respect.
Detection names
HEUR/Malware. Generally passes once the file is digitally signed.
HEUR/Malware. Generally replace the resources.
HEUR/Malware.
HEUR/Malware. Remove the packer (contributed by lzz221089).
HEUR/Malware. Change the entry point.
HEUR/Malware.
HEUR/Malware.
HEUR/Malware. Add resources and change the entry point.

QVM07: add resources; generally once about 2 MB has been added the verdict changes to QVM06.
Then add a digital signature and gradually shrink the resources again; this method works for most *s.
QVM06: add a digital signature.
QVM12: remove the packer.
QVM13: remove the packer.
QVM27: strip the import table.
QVM19: pack with ASPack.
QVM20: then increase the file size / ASPack compression.
Kingsoft Antivirus (金山毒霸)
Kingsoft has gone down the cloud-security, cloud-protection, cloud-identification route, so once the network is disconnected Kingsoft is useless.
Jiangmin (江民)
Mainly locates and detects signature codes and resources.
Rising (瑞星)
Mainly active-defense checks.
Kaspersky
A very strong antivirus: low false positives, high detection rate, signature codes + import-table detection + static and dynamic heuristics + powerful virtual-machine decryption. Nobody has been able to get past Kaspersky's import-table check: in the disassembly, no matter how you rebuild the import table, shifting it does not help; you have to encrypt it yourself by hand.
Avira (小红伞, "Little Red Umbrella")
Avira's signature-code locating, anti-interference techniques and heuristics are better than most.
Huorong (火绒)
Mainly the active-defense part; its static checks are also fairly strict, but evasion against it is very easy to achieve.
Windows Defender
Strong static detection, strong dynamic detection, and it monitors HTTP traffic.
Antivirus detection methods
Signature code
What is a signature code? A signature code is a non-generic signature string of at most 64 bytes that a virus analyst extracts from a virus; whether this string is present decides whether a file is treated as that virus. Usually, to minimize false positives, several signatures are taken from one virus. As an example, the name of a well-known * horse can serve as a signature code.
Static heuristics
Static heuristics analyze the whole piece of software: the antivirus defines a series of rules and then scans the software; whenever the scan matches a rule (a particular string and so on), the antivirus marks the software as a suspicious object. The more rules the software matches, the higher its suspicion score, until at a certain threshold it is classified as malware.
Dynamic heuristics
Dynamic heuristics, also known as virtual-machine checking, simulate a Windows-like system: the antivirus runs the software inside this virtual machine and monitors its behavior; the more suspicious operations it performs, the more likely it is to be classified as a virus.
HIPS
HIPS can be described as active defense. What is active defense? If a virus or * horse gets past the surface-level checks, active defense is the last line of defense. HIPS mainly detects the operations a program performs at runtime: if the program is found to perform operations that ordinary programs should not, such as writing the registry or loading a driver, HIPS uses its ring 0 (R0) privileges to intercept and suspend the program, and asks the user whether to allow the operation.
Cloud detection
The antivirus has a set of rules; if a piece of software violates these rules, the antivirus reports it to the cloud server. On the cloud server the reported file is identified, possibly manually, so the result is far better than the local scan alone. If the analysis concludes that the program is a virus, the program's MD5 is sent to the cloud center; an antivirus on a networked machine then compares files against the cloud center's MD5 list, and a match is unconditionally treated as a virus. In effect, every user who installs the antivirus supplies material to the cloud: once a file on one computer is recognized as a virus, every user with that antivirus installed will detect that file.
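To make the signature and cloud-hash mechanisms described above concrete, here is an added Python example that is not from the original notes: a toy scanner with constructed multi-string signature rules (none longer than 64 bytes, as the text states), a constructed MD5 "cloud" blocklist, and an offline switch that mirrors the point that a cloud-only engine has no verdict without a network. The rule names, the sample buffers and the `classify` logic are assumptions made for illustration, not any real product's signatures or engine.

```python
import hashlib

# Constructed demo rules (not real AV signatures): each rule lists several
# short byte strings, none longer than 64 bytes, ALL of which must appear
# before the rule fires. Requiring every string is what keeps false
# positives low; one short string on its own is too easy to hit in benign files.
MAX_SIG_LEN = 64
SIGNATURE_RULES = {
    "Demo.Sample.A": [b"DEMO_MARKER_ALPHA", b"demo-c2.invalid"],
    "Demo.Sample.B": [b"DEMO_MARKER_BRAVO"],
}

# Constructed "known bad" file and the MD5 blocklist a cloud center would
# hand out once analysts had classified it (assumed values, not real IoCs).
KNOWN_BAD_SAMPLE = b"MZ" + b"\x00" * 14 + b"DEMO_MARKER_BRAVO" + b"\x90" * 8
CLOUD_MD5_BLOCKLIST = {
    hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest(): "Demo.Sample.B",
}


def scan_signatures(data, rules=SIGNATURE_RULES):
    """Return the names of all rules whose signature strings are all present in data."""
    hits = []
    for name, sigs in rules.items():
        for sig in sigs:
            if len(sig) > MAX_SIG_LEN:
                raise ValueError(f"{name}: signature longer than {MAX_SIG_LEN} bytes")
        if all(sig in data for sig in sigs):
            hits.append(name)
    return hits


def cloud_lookup(data, blocklist=CLOUD_MD5_BLOCKLIST, online=True):
    """Hash-based cloud verdict: the rule name if the MD5 is blocklisted,
    None if unknown, and None as well when offline (no network, no verdict)."""
    if not online:
        return None
    return blocklist.get(hashlib.md5(data).hexdigest())


def classify(data, online=True):
    """Combine the local signature scan with the cloud verdict.
    A cloud MD5 match is accepted unconditionally, as the text describes;
    otherwise the local signature rules decide."""
    local_hits = scan_signatures(data)
    cloud_name = cloud_lookup(data, online=online)
    if cloud_name is not None:
        return {"verdict": "malicious", "source": "cloud-md5", "name": cloud_name}
    if local_hits:
        return {"verdict": "malicious", "source": "signature", "name": local_hits[0]}
    return {"verdict": "clean", "source": None, "name": None}


if __name__ == "__main__":
    # Constructed inputs: a buffer that satisfies every string of rule A,
    # a buffer with only one of rule A's strings, and the known-bad file
    # scanned both online and offline.
    full_match = b"header " + b"DEMO_MARKER_ALPHA" + b" payload demo-c2.invalid tail"
    partial_match = b"header " + b"DEMO_MARKER_ALPHA" + b" benign tail"
    print(classify(full_match))                          # signature hit
    print(classify(partial_match))                       # clean: only one string
    print(classify(KNOWN_BAD_SAMPLE))                    # cloud-md5 hit
    print(classify(KNOWN_BAD_SAMPLE, online=False))      # falls back to local signature
```

Run it as a script to see the four verdicts. The offline case is the practical takeaway of the Kingsoft remark later on this page: an engine that relies on cloud hash lookups has nothing to say about a file while the network is down, so local signatures or heuristics still have to carry the verdict.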
Terminology used in AV evasion
API
The Windows API is a set of predefined Windows functions used to control the appearance and behavior of the various parts of Windows and to manipulate things in the Windows system, such as moving the mouse or pressing keys.
Junk instructions (花指令, "flower instructions")
A meaningless piece of code inserted to confuse an antivirus or another disassembler, e.g. in assembly: add eax, 1; sub eax, 1
Code that is added but has no net effect on the whole is a junk instruction. This is only a simple demonstration; real junk instructions are not this simple.
Import table
The import table is the key that lets an EXE file communicate with DLL files; think of it as the highway between two cities. All information about imported functions is written into the import table. After the PE file is mapped into memory, Windows loads the corresponding DLL files, and the EXE finds the imported functions in the corresponding DLL through the import table, so the program can run normally. This dynamic-linking process is what the "import table" is involved in.
Sections
The sections in the PE structure (.text, .data, etc.) hold code, data and so on.
Packers (shells)
Packers are divided into compression packers and protection packers (encryption packers). The purpose of a compression packer is to make the program smaller; it does nothing to prevent the program being unpacked. A protection packer is the opposite: its purpose is to prevent the program from being disassembled as far as possible, but a good protection packer injects a lot of garbage code into the program to interfere with crackers, so the program gets larger.
Anti-heuristics
I.e., adding code that interferes with the antivirus's heuristics.
Hiding the import table
Hiding malicious APIs from the import table by resolving the APIs through custom code.
Obfuscation
A technique that converts code into an incomprehensible form, making it difficult for an analyst to understand the program logic from the bytecode. Obfuscation can be applied to source code, compiled code or binary files.
Code injection
Injecting malicious code into a legitimate program so that it is executed while the legitimate program runs, thereby avoiding detection by antivirus software.
In-memory execution
Executing the malicious code directly in memory instead of leaving traces on disk, which reduces the chance of being caught by an antivirus scan.
File encryption
Storing malicious files encrypted and decrypting them only at execution time, so the antivirus cannot detect them by their contents.
Polymorphism
Malicious code that generates many variants, each with different characteristics, so the antivirus finds it hard to recognize them with a single signature code.
Behavioral obfuscation
Avoiding behavior-based detection by changing the program's behavior pattern so that malicious behavior looks like normal behavior.
0day
Exploiting a 0day vulnerability in the operating system or an application to execute malicious code that the antivirus cannot detect.
Signing
Signing malware with a legitimate digital certificate so that it looks like trusted software to users and antivirus software.
Sandbox escape
A sandbox is an environment for detecting malware that simulates a safe execution environment. Sandbox-escape techniques let malware detect that it is running in a sandbox and change its behavior when it does, in order to avoid detection.
Abusing system services
Executing malicious behavior through operating-system services, which often run with elevated privileges and can bypass some security measures.
Abusing cloud services
Storing malicious code or data on cloud services and distributing or executing the malicious behavior through them spreads the risk and makes detection harder.
Antivirus naming rules
Antivirus detection names basically follow a set of principles, the CARO naming scheme proposed by CARO (a consortium of anti-virus experts), which uses the following format:
<Threat Type>.<Platform>.<Malware family>.<Variant>.<Additional Information*>
Kaspersky adds a prefix to this:
[Prefix:]<Threat type/behavior>.<Platform>.<Malware family><.Variant><Additional Information>
Prefix
The prefix identifies the subsystem that detected the object.
Prefix HEUR: indicates objects detected by the heuristic analyzer;
Prefix PDM: indicates objects detected by the Active Defense Module (proactive defense).
The prefix is not a required part of the full name and may be absent.
Threat type/behavior
The threat type/behavior is the main threat category and describes the threat's main behavior:

  1. For malware: *, Worm, Virus, Ransomware, Coinminer and Backdoor are the most common threat types.
  2. For grayware: Adware, Spyware and PUA are the most common threat types.

Platform
Usually Win32, x64, Linux or macOS.
Family
Represents a set of detected objects with the same origin (author, source code), operating principle or payload. Each family is named after the behavior it exhibits. Common ones are Generic, Infector, AntiAV, KillFiles and so on.
Variant
To distinguish different malware variants within a family, lowercase letters are used in order as the variant suffix, starting from ".a": ".a" to ".z", then ".aa" to ".zz", and so on.

Detection name examples

HEUR:Worm.[Platform].Generic
This classification covers objects that run searches on remote computers and attempt to copy themselves to read/write accessible directories, search accessible network directories using operating system functions, and/or perform random searches on computers.
The [Platform] field can be either "Script" or "Win32".

HEUR:Virus.[Platform].Generic
Objects covered by this classification create a copy of themselves on the local resources of the victim computer.
The [Platform] field can be either "Script" or "Win32".

HEUR:Email-Worm.[Platform].Generic
This classification covers objects that attempt to send a copy of themselves as an e-mail attachment or as a link to their own file located on a web resource.
The [Platform] field can be either "Script" or "Win32".

HEUR:Virus.[Platform].Infector
This category covers objects that search for files on a computer and write a set of information to those files. For example, such an object may write its body to an executable file or to HTML code containing links to files with .html, .php, .asp, and other extensions.
The [Platform] field can be either "Script" or "Win32".

PDM:Worm.
This category covers objects that search a remote computer network and attempt to copy themselves to read/write-accessible directories, use operating-system functions to search accessible network directories, and/or perform random searches of computers.
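As an added example (Python, not from the original notes), the following parses Kaspersky-style detection names of the form described in the naming-rules section into prefix, threat type, platform, family and variant, and converts the variant suffix into its ordinal following the ".a" to ".z", ".aa" to ".zz" scheme. The regular expression, the type sets and the sample names are my own assumptions built from the fields quoted on this page; it handles the concrete examples above such as HEUR:Worm.Win32.Generic and HEUR:Email-Worm.Script.Generic as well as names without a prefix or with a variant suffix. The interpretation that ".a" is ordinal 0 and ".aa" follows ".z" as ordinal 26 is also an assumption.

```python
import re

# [Prefix:]<Threat type/behavior>.<Platform>.<Family>[.<Variant>][.<Additional info>]
# Threat types may contain a hyphen (e.g. Email-Worm); variants are lowercase letters.
NAME_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z]+):)?"
    r"(?P<threat_type>[A-Za-z]+(?:-[A-Za-z]+)*)\."
    r"(?P<platform>[A-Za-z0-9_]+)\."
    r"(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[a-z]+))?"
    r"(?:\.(?P<extra>.+))?$"
)

# Prefixes and threat types quoted on this page (assumed to be complete enough for a demo).
PREFIX_MEANING = {
    "HEUR": "heuristic analyzer",
    "PDM": "Active Defense Module (proactive defense)",
}
MALWARE_TYPES = {"Worm", "Email-Worm", "Virus", "Ransomware", "Coinminer", "Backdoor"}
GRAYWARE_TYPES = {"Adware", "Spyware", "PUA"}


def variant_index(variant):
    """Zero-based ordinal of a variant suffix: a=0 ... z=25, aa=26 ... zz=701.
    Treats the suffix as a bijective base-26 number and shifts it to start at 0."""
    n = 0
    for ch in variant:
        if not "a" <= ch <= "z":
            raise ValueError(f"invalid variant letter {ch!r} in {variant!r}")
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n - 1


def parse_detection_name(name):
    """Split a detection name into its fields and annotate prefix meaning,
    malware/grayware category and the variant ordinal."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CARO-style detection name: {name!r}")
    fields = m.groupdict()
    fields["prefix_meaning"] = PREFIX_MEANING.get(fields["prefix"]) if fields["prefix"] else None
    if fields["threat_type"] in MALWARE_TYPES:
        fields["category"] = "malware"
    elif fields["threat_type"] in GRAYWARE_TYPES:
        fields["category"] = "grayware"
    else:
        fields["category"] = "unknown"
    fields["variant_index"] = variant_index(fields["variant"]) if fields["variant"] else None
    return fields


if __name__ == "__main__":
    # Constructed sample names built from the page's examples and fields.
    for sample in ("HEUR:Worm.Win32.Generic",
                   "HEUR:Email-Worm.Script.Generic",
                   "PDM:Worm.Win32.Generic",
                   "Backdoor.Win32.Agent.ab",
                   "Adware.Win32.Generic.a.gen"):
        print(sample, "->", parse_detection_name(sample))
```

Running the script prints each name beside its parsed fields; in practice a parser like this lets a SOC normalize vendor verdicts by family and category rather than comparing raw strings.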