Abstract
The ability to evade antivirus analysis is a highly coveted goal in the cybersecurity field, especially in Red Team operations, where advanced external attacks against a target infrastructure are carried out. In this paper we present the design and implementation of PEzoNG, a framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment. PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms, including a novel user-space unhooking technique. In addition, the custom loader supports a wide range of Windows executable files and features stealthy, advanced memory allocation schemes. We evaluate the effectiveness of PEzoNG by testing various malicious payloads against up to 29 commercial antivirus solutions, and we highlight and discuss the advantages of PEzoNG and its differences with respect to similar tools.
Funding
CNIT and SECFORCE LTD.
Contributions
GB and DDC are joint first two authors.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Bernardinetti, G., Di Cristofaro, D. & Bianchi, G. PEzoNG: Advanced Packer For Automated Evasion On Windows. J Comput Virol Hack Tech 18, 315–331 (2022). https://doi.org/10.1007/s11416-022-00417-2