hegusung / Avsignseek

Licence: MIT
Tool written in python3 to determine where the AV signature is located in a binary/payload


AVSignSeek

Tool written in python3 to determine where the AV signature is located in a binary/payload

Usage

Zip your binary/payload (with a password) once it has been caught by an AV, so that it is not detected when copied onto a host protected by that AntiVirus. Launch the tool against the zip and specify the zip password and the file name inside the zip with the -p and -f options (defaults: password "infected", file name "infected.bin").

This tool won't work for complex signatures (see Troubleshooting below).

./avsignseek.py zipfile.zip

The tool drops multiple test files on disk, each with a different part of the payload overwritten, to determine which pattern the signature is based on. This obviously generates a lot of AV alerts, so it is a good idea to run it on a host with no internet connection (and one whose alerts are not forwarded to a SOC you do not want to annoy).

Once done, the result is printed to stdout and also written to a file (output.txt by default, -o).

If you know approximately where the signature is located, you can specify one or more ranges of the payload to analyse with the -r option. In the following example AVSignSeek will only try to find a signature in these ranges:

  • 0-256
  • 336-416
  • 432-endofpayload

Syntax:

./avsignseek.py zipfile.zip -r :0x100,0x150:0x1a0,0x1b0:

Help

Automatically detects AV Signatures

positional arguments:
  zip_file

optional arguments:
  -h, --help          show this help message and exit
  -s SLEEP            waiting time between 2 tests (default: 20)
  -p ZIP_PASSWORD     zip password (default: infected)
  -f FILENAME         file name contained in the zip (default: infected.bin)
  -l LIMIT_SIGN       signature limit (default: 64)
  -d TEST_DIR         directory where testfiles will be placed (default: .)
  --subdiv SUBDIV     subdiv per step (default: 4)
  -o OUTPUT_FILE      output_file (default: output.txt)
  -r RANGES_STR       range (default: ":")
  -b REPLACING_VALUE  character or byte used as a replacing value (default: "0x00")
  --manual            wait for a manual input instead of a specific time (default: false)

Output example

Reflective DLL caught by Kaspersky AV; the signature is based on the name of the exported DLL function "ReflectiveLoader":

=== AVSignSeek ===
[+] Signature between bytes 88220 and 88284
[+] Bytes:
4d 61 6c 77 61 72 65 54 65 73 74 2e 64 6c 6c 00 	MalwareTest.dll.
52 65 66 6c 65 63 74 69 76 65 4c 6f 61 64 65 72 	ReflectiveLoader
00 66 75 6e 63 5f 74 65 73 74 00 00 00 00 00 00 	.func_test......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	................
[+] Strings:
> MalwareTest.dll
> ReflectiveLoader
> func_test

Troubleshooting

False Positives due to binary header

While trying to locate the AV signature, AVSignSeek might break a header or another structure the AV uses to determine the file type. The AV then stops scanning the file as that type and no longer detects it, and the tool wrongly concludes that the signature lives in the bytes it just overwrote (a false positive on the header region). This can be prevented by excluding the header from the analysis with the -r range option, e.g. starting the range after the headers instead of at byte 0. (Note that in the current help text -s is the sleep interval between tests, not a start byte, and there is no -e option.)

Unable to locate the signature

If there are multiple independent signatures in a single payload, AVSignSeek won't be able to locate them: overwriting the region of one signature leaves the other intact, so the file stays detected and no single region can be blamed.
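The narrowing strategy described in the Usage section, the -r range syntax, and the two troubleshooting cases above (a header that the scanner needs intact, and two independent signatures), as an added example that is not AVSignSeek's own code: a simplified re-implementation of the search, run against simulated scanners so it works offline without an AV or dropped files. The function names, the 2048-byte constructed samples, and the scanner behaviours (an MZ check before scanning, two independent patterns) are assumptions for illustration only.

```python
import re
from typing import Callable, Optional

Scanner = Callable[[bytes], bool]  # True = "the AV would flag this file"


def parse_ranges(spec: str, size: int) -> list[tuple[int, int]]:
    """Parse the -r syntax: comma-separated start:end pairs, either side optional,
    decimal or 0x-hex. ':0x100,0x150:0x1a0,0x1b0:' -> [(0, 256), (336, 416), (432, size)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        start = int(lo, 0) if lo else 0
        end = int(hi, 0) if hi else size
        if not 0 <= start < end <= size:
            raise ValueError(f"bad range {part!r} for a {size}-byte payload")
        ranges.append((start, end))
    return ranges


def blank(payload: bytes, start: int, end: int, fill: bytes = b"\x00") -> bytes:
    """Copy of payload with [start, end) overwritten by the replacing byte (-b)."""
    return payload[:start] + fill * (end - start) + payload[end:]


def narrow(payload: bytes, detected: Scanner, lo: int, hi: int,
           limit: int = 64, subdiv: int = 4, fill: bytes = b"\x00") -> Optional[tuple[int, int]]:
    """Shrink [lo, hi) to at most `limit` bytes (-l) while blanking it still defeats
    the scanner. Each step splits the window into `subdiv` chunks (--subdiv), blanks
    each one separately (one dropped test file each in the real tool) and keeps the
    span from the first to the last chunk whose blanking stopped detection, so a
    pattern straddling a chunk boundary is not cut in half. Returns None when no
    single chunk can be blamed (e.g. several independent signatures)."""
    if detected(blank(payload, lo, hi, fill)):
        return None  # signature is not inside this range at all
    while hi - lo > limit:
        step = -(-(hi - lo) // subdiv)  # ceil division
        chunks = [(a, min(a + step, hi)) for a in range(lo, hi, step)]
        hits = [c for c in chunks if not detected(blank(payload, *c, fill))]
        if not hits:
            return None  # no single chunk defeats detection
        new = (hits[0][0], hits[-1][1])
        if new == (lo, hi):
            break  # hits span the whole window; cannot shrink further
        lo, hi = new
    return lo, hi


def locate_signature(payload: bytes, detected: Scanner, ranges=None,
                     limit: int = 64, subdiv: int = 4, fill: bytes = b"\x00"):
    """Try each -r range in turn (the whole payload by default); first result wins."""
    if not detected(payload):
        raise ValueError("sample is not detected as-is; nothing to locate")
    for lo, hi in ranges or [(0, len(payload))]:
        found = narrow(payload, detected, lo, hi, limit, subdiv, fill)
        if found is not None:
            return found
    return None


def report(payload: bytes, lo: int, hi: int) -> tuple[list[str], list[str]]:
    """Hexdump rows (16 bytes each, like the tool's output) and printable strings
    of 4+ characters found in the reported window."""
    rows = []
    for off in range(lo, hi, 16):
        chunk = payload[off:min(off + 16, hi)]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{hexpart:<47}\t{asc}")
    strings = [m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", payload[lo:hi])]
    return rows, strings


# Constructed samples (not real binaries): 2048 bytes with marker strings planted.
def make_sample(*plants: tuple[int, bytes], header: bytes = b"MZ") -> bytes:
    buf = bytearray(2048)
    buf[:len(header)] = header
    for off, data in plants:
        buf[off:off + len(data)] = data
    return bytes(buf)


SIG = b"ReflectiveLoader"
SAMPLE = make_sample((1000, SIG))  # assumed: signature string at offset 1000


def header_aware_av(data: bytes) -> bool:
    """Simulated scanner: only files starting with MZ are treated as executables
    and scanned; those are flagged when they contain SIG."""
    return data[:2] == b"MZ" and SIG in data


def two_signature_av(data: bytes) -> bool:
    """Simulated scanner with two independent signatures; either one is enough."""
    return b"SIG_A" in data or b"SIG_B" in data


if __name__ == "__main__":
    # Whole payload: blanking the header also kills detection, so the search stalls.
    print("with header:", locate_signature(SAMPLE, header_aware_av))
    # Excluding the header with -r "0x40:" yields the real location.
    lo, hi = locate_signature(SAMPLE, header_aware_av, parse_ranges("0x40:", len(SAMPLE)))
    print(f"[+] Signature between bytes {lo} and {hi}")
    rows, strings = report(SAMPLE, lo, hi)
    print("\n".join(rows)); print("[+] Strings:", strings)
    print("two signatures:", locate_signature(
        make_sample((200, b"SIG_A"), (1800, b"SIG_B")), two_signature_av))
```

With the header inside the search window the blanking of chunk 0 defeats the scanner just as surely as blanking the chunk holding "ReflectiveLoader", so the window is pinned to offset 0 and never shrinks below the limit; starting the range at 0x40 removes that ambiguity. With two independent patterns no single chunk can be blamed and the search returns None, which is the "Unable to locate the signature" case.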

Future developments

  • Multiple signature detection
  • PE-specific signature detection (it will detect in which section/exported function/... the signature is located)