
PEzoNG: Advanced Packer For Automated Evasion On Windows

  • Original Paper
  • Published in: Journal of Computer Virology and Hacking Techniques

Abstract

The ability to evade Antivirus analysis is a highly coveted goal in the cybersecurity field, especially in Red Team operations, where advanced external threats against a target infrastructure are performed. In this paper we present the design and implementation of PEzoNG, a framework for automatically creating stealth binaries that target a very low detection rate in a Windows environment. PEzoNG features a custom loader for Windows binaries, polymorphic obfuscation, a payload decryption process and a number of anti-sandbox and anti-analysis evasion mechanisms, including a novel user-space unhooking technique. In addition, the custom loader supports a wide range of Windows executable files and features stealthy, advanced memory allocation schemes. We evaluate the effectiveness of PEzoNG by testing various malicious payloads against up to 29 commercial Antivirus solutions, and we highlight and discuss the strengths of PEzoNG and its differences with respect to similar tools.




Funding

CNIT and SECFORCE LTD.


Contributions

GB and DDC are joint first authors.

Corresponding author

Correspondence to Giorgio Bernardinetti.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


About this article


Cite this article

Bernardinetti, G., Di Cristofaro, D. & Bianchi, G. PEzoNG: Advanced Packer For Automated Evasion On Windows. J Comput Virol Hack Tech 18, 315–331 (2022). https://doi.org/10.1007/s11416-022-00417-2
