Anti-Detection Techniques: Anti-Virus Detection
http://pferrie.host22.com/papers/antidebug.pdf
https://paper.seebug.org/222/
https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
https://paper.seebug.org/264/
https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/
https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
Fun combining anti-debugging and anti-disassembly tricks
http://blog.sevagas.com/?Fun-combining-anti-debugging-and
AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion
https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf
BypassAVDynamics
http://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf
PS: notes and code I compiled myself

Sandbox bypass
1. Check the CPU core count (< 2) and the memory size (< 2 GB); exit if either is below the threshold.
2. Check the current time; if it is earlier than a hard-coded date, exit (effective against the Kaspersky ("kaba") sandbox).
3. Dynamically allocate a large amount of memory in many small allocations (103 x 10 MB); with a delay of 10+ s this effectively bypasses the Norton sandbox.
4. Check for the NtControlChannel function (a function a Google engineer discovered while debugging MSE; it can be used to detect MSE).

Proactive defense (主动防御):
Because the filtering happens at the driver level, against AV products that strictly intercept writes to startup entries and process injection, one can choose, depending on the product, not to drop files and not to inject.